All posts by Shelby Pace

Metasploit Weekly Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/08/05/metasploit-weekly-wrap-up-170/

Log4Shell in MobileIron Core

Thanks to jbaines-r7, we have yet another Log4Shell exploit. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that, once received by the server, will be deserialized, resulting in unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited in the wild.

VMware Workspace ONE Access LPE

Our very own Spencer McIntyre discovered and added a local privilege escalation module for CVE-2022-31660 in VMware Workspace ONE Access. By default, the horizon user has write permissions to the /opt/vmware/certproxy/bin/cert-proxy.sh script, and the sudo configuration does not require supplying a password when invoking the script. Due to this, an attacker can write arbitrary code to the /opt/vmware/certproxy/bin/cert-proxy.sh script and escalate their privileges to that of the root user by executing the certproxyService.sh with sudo. Because the horizon user runs the externally-facing web application in VMware Workspace ONE Access, CVE-2022-22954 can be leveraged for initial access to the target.

XML-RPC Unauthenticated RCE in Zoho Password Manager

Grant Willcox of the Metasploit team added a module that exploits a deserialization flaw in Zoho Password Manager Pro. Sending a single POST request containing XML-RPC data to the /xmlrpc endpoint will result in unauthenticated code execution as NT AUTHORITY\SYSTEM.

New module content (5)

  • Cisco PVC2300 POE Video Camera configuration download by Craig Heffner and Erik Wynter – This adds a module targeting Cisco PVC2300 IP Cameras that will download the configuration file using hard-coded credentials.
  • BACnet Scanner by Paz – This adds a new scanner module that discovers BACnet devices on the network and extracts model name, software version, firmware revision, and device description. Once the data is processed, it is displayed on screen and saved to a local XML file.
  • MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and rwincey, which exploits CVE-2021-44228 – This adds an exploit for MobileIron which is affected by the Log4Shell vulnerability. The result is an unauthenticated remote code execution in the context of the web application user.
  • VMware Workspace ONE Access CVE-2022-31660 by Spencer McIntyre, which exploits CVE-2022-31660 – This module exploits CVE-2022-31660, an LPE disclosed by VMware in VMSA-2022-0021. The underlying flaw is that the /opt/vmware/certproxy/bin/cert-proxy.sh script is writable by the horizon user, who can also indirectly execute it by invoking the certproxyService.sh script via sudo, which is permitted without a password, enabling escalation to root.
  • Zoho Password Manager Pro XML-RPC Java Deserialization by Grant Willcox, Vinicius, and Y4er, which exploits CVE-2022-35405 – This PR adds in an exploit module for CVE-2022-35405 aka Zoho Password Manager Pro XML-RPC Unauthenticated RCE as SYSTEM.

Enhancements and features (3)

  • #16833 from gwillcox-r7 – This PR adds an option to the host command to make it easier to delete host tags.
  • #16840 from bcoles – This replaces some Meterpreter-only method calls with method calls that check the session type, which allows non-Meterpreter sessions to use read_profile_list and load_missing_hives. Also, this changes read_profile_list to be able to read profile information for all accounts.
  • #16858 from adfoster-r7 – This updates ZeroLogon to have better error handling in the check method. This will cause the error from an invalid NetBIOS name to be reported with a meaningful message.

Bugs fixed (8)

  • #16820 from gwillcox-r7 – This PR fixes an issue in the ldap_query module where if the datastore option "action" wasn’t set the module would fail.
  • #16822 from adfoster-r7 – This fixes a bug in Rex::Ui::Text::Input::Buffer::BufferSock that was causing data to be occasionally lost due to the rsock monitor routine stopping abruptly.
  • #16825 from rbowes-r7 – The IMAP credential capture module did not appropriately handle literal strings as specified by RFC3501. The code has been updated to handle these strings efficiently.
  • #16832 from gwillcox-r7 – This fix removes an unnecessary echo statement from the ms10_092_schelevator module.
  • #16839 from bcoles – Fixes shell_registry_enumvals/getvaldata error checking.
  • #16844 from bcoles – This PR updates the post/multi/gather module to support non-meterpreter sessions like shell and powershell.
  • #16846 from jmartin-r7 – Updates auxiliary/scanner/ssh/ssh_login to gracefully handle Errno::EPIPE exceptions.
  • #16848 from jmartin-r7 – Fix a crash when updating session information in Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/04/29/metasploit-wrap-up-153/

Redis Sandbox Escape

Our very own Jake Baines wrote a module that performs a sandbox escape on Redis versions between 5.0.0 and 6.1.0 and achieves remote code execution as the redis user. Redis installations can be password protected, so this module supports exploiting the vulnerability with and without authentication.

While this module targets Redis software, the vulnerability (CVE-2022-0543) only presents itself on Debian-based Linux distributions due to the Lua package interface remaining enabled. The existence of the Lua package interface means that arbitrary libraries can be loaded and used to evade the protections of the sandbox. This vulnerability has been reported as being exploited in the wild.

Antivirus Enumeration

Thanks to sempervictus we now have a post module for enumerating installed antivirus products on Windows systems. Using either a Meterpreter or shell session, the module detects these installations through WMI queries and saves the information to the database. Some of the data returned includes versioning information, possibly clueing a user in on a potential next target for privilege escalation.

New module content (2)

  • Redis Lua Sandbox Escape by Reginaldo Silva and jbaines-r7, which exploits CVE-2022-0543 – This exploit achieves remote code execution as the redis user via a sandbox escape in several Redis versions distributed through Debian-based Linux distributions.
  • Windows Installed AntiVirus Enumeration by rageltman – This adds a module that enumerates all installed AV products on Windows.

Enhancements and features (1)

Bugs fixed (2)

  • #16450 from ORelio – This updates exploit/multi/vnc/vnc_keyboard_exec to include a delay that increases reliability when getting a shell and typing out long commands.
  • #16509 from adfoster-r7 – This ensures proper escaping of HTML in code blocks that are produced by the info -d command.


Metasploit Weekly Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/03/04/metasploit-wrap-up-150/

This week’s Metasploit Framework release brings us seven new modules.

IP Camera Exploitation

Rapid7’s Jacob Baines was busy this week with two exploit modules that target IP cameras. The first module exploits an authenticated file upload on Axis IP cameras. Due to lack of proper sanitization, an attacker can upload and install an eap application which, when executed, will grant the attacker root privileges on the device. This vulnerability, discovered by Baines in 2017, has yet to be patched.

The second module exploits an unauthenticated command injection vulnerability in a number of Hikvision IP cameras. A PUT request to the /SDK/webLanguage endpoint passes the contents of its request body’s <language> tag to snprintf(), which then passes its resultant data to a call to system(), resulting in code execution with root privileges. This vulnerability has been reported as exploited in the wild.
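
The snprintf()-into-system() pattern described above, next to a validated form, as an added example that is not taken from the original post, the Metasploit module or the vendor firmware. The command template and all function names are hypothetical, and the inputs are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical command template: the post says only that the <language>
 * value goes through snprintf() and then system(); the firmware's real
 * format string is not given there. */
#define CMD_TEMPLATE "/bin/unpack_lang /lang/%s.tar"

/* Vulnerable pattern: the tag content is formatted straight into a command
 * line. The caller would hand buf to system(), i.e. to /bin/sh -c. */
int build_cmd_unchecked(char *buf, size_t len, const char *language)
{
    return snprintf(buf, len, CMD_TEMPLATE, language);
}

/* Allowlist check: 2 to 8 characters, ASCII letters plus '-' or '_' (never
 * first or last), e.g. "en" or "zh-CN". Returns 1 if acceptable, else 0. */
int language_is_valid(const char *language)
{
    size_t n = strlen(language);
    if (n < 2 || n > 8)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)language[i];
        int alpha = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
        int sep = (c == '-' || c == '_') && i > 0 && i + 1 < n;
        if (!alpha && !sep)
            return 0;
    }
    return 1;
}

/* Hardened pattern: validate first and treat truncation as an error.
 * Returns 0 and fills buf on success, -1 otherwise. */
int build_cmd_checked(char *buf, size_t len, const char *language)
{
    if (!language_is_valid(language))
        return -1;
    int n = snprintf(buf, len, CMD_TEMPLATE, language);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: two ordinary codes, one with a shell separator. */
    const char *samples[] = { "en", "zh-CN", "en;id" };
    char cmd[64];
    for (size_t i = 0; i < 3; i++) {
        int rc = build_cmd_checked(cmd, sizeof cmd, samples[i]);
        printf("%-8s -> %s\n", samples[i], rc == 0 ? cmd : "rejected");
    }
    return 0;
}
```

Validation of this kind narrows what reaches the command line; passing the value as a separate argument to an exec-family call, with no shell involved, removes the parsing step altogether.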

Privilege Escalation in pkexec

Community contributor RootUp submitted a module that exploits a privilege escalation vulnerability in Polkit’s pkexec utility, an SUID binary that is present on most major Linux distributions. Additionally, this vulnerability has likely existed in pkexec since 2009.

Any user can escalate their privileges to root by exploiting an out-of-bounds read and write that exists in pkexec’s executable path-finding logic. The logic always assumes that an argument is passed to pkexec, resulting in a read of the data that follows arguments in memory. Environment variables follow program arguments, so pkexec reads the first environment variable, resolves its full path, and replaces the environment variable with the full path. Leveraging the GCONV_PATH environment variable coerces pkexec into loading arbitrary libraries, leading to escalation of privileges.
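
The indexing assumption described above, modelled on a constructed argv/envp layout with an empty argument vector, alongside a guarded form. This is an added example, not code from polkit or from the Metasploit module; the function names and sample strings are hypothetical.

```c
#include <stdio.h>

/* Flawed pattern: indexing starts at 1 on the assumption that argv[0]
 * exists, and the chosen slot is overwritten with the resolved path.
 * Returns the index that was read and written, or -1 if that slot is NULL. */
int resolve_unchecked(int argc, char **argv, char *resolved)
{
    int n;
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')          /* first non-option argument */
            break;
    /* argc == 0: the loop never runs, n stays 1, argv[1] is envp[0]. */
    if (argv[n] == NULL)
        return -1;
    argv[n] = resolved;                 /* lands in envp[0] when argc == 0 */
    return n;
}

/* Guarded form: reject an empty argument vector and never index past argc. */
int resolve_checked(int argc, char **argv, char *resolved)
{
    int n;
    if (argc < 1)
        return -1;
    for (n = 1; n < argc; n++)
        if (argv[n][0] != '-')
            break;
    if (n >= argc)
        return -1;
    argv[n] = resolved;
    return n;
}

/* Constructed layout with argc == 0: argv's NULL terminator followed
 * directly by the envp pointers, as they sit in a new process's memory.
 * Returns 1 if envp[0] was replaced, 0 if it was left alone. */
int env_slot_clobbered(int use_checked)
{
    static char env0[] = "FIRST_ENV=value";     /* constructed sample */
    static char resolved[] = "/resolved/path";  /* constructed sample */
    char *image[] = { NULL, env0, NULL };
    char **argv = &image[0], **envp = &image[1];
    if (use_checked)
        resolve_checked(0, argv, resolved);
    else
        resolve_unchecked(0, argv, resolved);
    return envp[0] != env0;
}

int main(void)
{
    printf("unchecked: envp[0] replaced = %d\n", env_slot_clobbered(0));
    printf("checked:   envp[0] replaced = %d\n", env_slot_clobbered(1));
    return 0;
}
```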

New module content (7)

  • WordPress Modern Events Calendar SQLi Scanner by Hacker5preme (Ron Jost), h00die, and red0xff, which exploits CVE-2021-24946 – This exploits an unauthenticated SQL injection vulnerability in the Modern Events Calendar plugin for WordPress.

  • WordPress Secure Copy Content Protection and Content Locking sccp_id Unauthenticated SQLi by Hacker5preme (Ron Jost), Krzysztof Zając (kazet), and h00die, which exploits CVE-2021-24931 – A new module has been added to exploit CVE-2021-24931, an unauthenticated SQLi vulnerability in the sccp_id parameter of the ays_sccp_results_export_file AJAX action in Secure Copy Content Protection and Content Locking WordPress plugin versions before 2.8.2. Successful exploitation allows attackers to dump usernames and password hashes from the wp_users table which can then be cracked offline to gain valid login credentials for the affected WordPress installation.

  • Axis IP Camera Application Upload by jbaines-r7 – The “Apps” feature in Axis IP cameras allows third-party developers to upload and execute ‘eap’ applications on the device; however, no validation is performed to ensure the application comes from a trusted source. This module takes advantage of this vulnerability to allow authenticated attackers to upload and execute malicious applications and gain RCE. Once the application has been installed and the shell has been obtained, the module will then automatically delete the malicious application. No CVE is assigned to this issue as a patch has not been released as of the time of writing.

  • Hikvision IP Camera Unauthenticated Command Injection by Watchful_IP, bashis, and jbaines-r7, which exploits CVE-2021-36260 – This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user.

  • Local Privilege Escalation in polkits pkexec by Andris Raugulis, Dhiraj Mishra, Qualys Security, and bwatters-r7, which exploits CVE-2021-4034 – This adds an LPE exploit for CVE-2021-4034 which leverages an out-of-bounds read and write in polkit’s pkexec utility. It also adds support to Metasploit for generating Linux SO library payloads for the AARCH64 architecture.

  • Firefox MCallGetProperty Write Side Effects Use After Free Exploit by 360 ESG Vulnerability Research Institute, maxpl0it, and timwr, which exploits CVE-2020-26950 – This adds a module for CVE-2020-26950, a use after free browser exploit targeting Firefox and Thunderbird.

  • #16202 from zeroSteiner – This adds an exploit for CVE-2022-21882 which is a patch bypass for CVE-2021-1732. It updates and combines both techniques into a single mega-exploit module that will use the updated technique as necessary. No configuration is necessary outside of the SESSION and payload datastore options.

Bugs fixed

  • #16228 from zeroSteiner – This fixes a bug where the framework failed to check if a payload would fit in the space defined by an exploit if the payload was not encoded.
  • #16235 from bcoles – This change fixes an issue with APK injection when in some configurations an invalid apktool version string would cause injection to fail.
  • #16251 from zeroSteiner – This fixes an error when executing commands using the Python Meterpreter where not all results were returned to msfconsole.
  • #16254 from heyder – This fixes an issue in the Shodan search module where recent changes to randomize the user agent were causing the results returned to the module to be in an unexpected format.
  • #16255 from zeroSteiner – This fixes a parsing issue with kiwi_cmd arguments which contained spaces, such as kiwi_cmd 'base64 /in:off /out:off'.
  • #16257 from bcoles – This change adds a warning when a user tries to inject the Android payload into an APK using an older version of apktool.
  • #16264 from bwatters-r7 – This fixes a crash when attempting to create local module documentation with the info -d command when the provided GitHub credentials were invalid.
  • #16266 from smashery – This fixes bugs in how msfconsole tab-completes directory paths.


Metasploit Wrap-Up

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2021/06/25/metasploit-wrap-up-118/

Cisco ‘Sploits

This week’s Metasploit Framework release brings two modules that target Cisco products. The first module, written by our very own jheysel-r7, targets an unauthenticated file upload vulnerability in Cisco HyperFlex HX Data Platform. Vulnerable versions of the Cisco HyperFlex software permit uploading of files through the /upload endpoint due to a missing authentication requirement. The exploit module uploads a jsp web shell and obtains code execution as the Tomcat user.

Community contributor Hakyac wrote the second module that targets Cisco Data Center Network Manager (DCNM). The module, auxiliary/admin/networking/cisco_dcnm_auth_bypass, leverages a static encryption key in the REST API of DCNM to generate a valid session token that is then used to create an administrative account with high privileges and access to sensitive data.

rConfig Authenticated File Upload RCE

Community contributor Hakyac wrote another exploit module that targets network management software. exploit/linux/http/rconfig_vendors_auth_file_upload_rce uses an authenticated file upload vulnerability to achieve remote code execution against vulnerable rConfig installations, specifically versions 3.9.6 and below. The vendor logo functionality in lib/crud/vendors.crud.php allows an authenticated user to upload images; however, there are no checks on the contents of the uploaded file. Because of this, an authenticated attacker can upload a php shell and trigger its execution via a request to the file’s name in the /images/vendor path.

New module content (3)

  • Cisco DCNM auth bypass by mr_me and Yann Castel, which exploits CVE-2019-15975 – This adds a module that leverages CVE-2019-15975 which is an authentication bypass in Cisco’s DCNM platform. The module will leverage the vulnerability to add a new administrative user account with known credentials that can be used to access the system.
  • Cisco HyperFlex HX Data Platform unauthenticated file upload to RCE (CVE-2021-1499) by wvu, Mikhail Klyuchnikov, Nikita Abramov, and jheysel-r7, which exploits CVE-2021-1499 – This adds an exploit module targeting a file upload vulnerability within the Cisco Hyperflex application that can be used to obtain unauthenticated remote code execution.
  • rConfig Vendors Auth File Upload RCE by Murat Şeker, Vishwaraj Bhattrai, and Yann Castel – This adds an exploit module for rConfig versions <= 3.9.6. An arbitrary file upload vulnerability exists in lib/crud/vendors.crud.php through the vendorLogo parameter. The functionality for uploading vendor logos does not validate the contents of uploaded files, so an authenticated user has the capability of uploading arbitrary php code. Once uploaded, code execution on the server can be achieved by requesting the uploaded php file in the images/vendor path.

Enhancements and features

  • #15358 from zeroSteiner – This updates the exploit/multi/ssh/sshexec module to now account for cases where the target system does not have the python binary. Using the new binary_exists() class method in lib/msf/base/sessions/command_shell.rb, the module now checks for and uses the valid Python binary found on the target system despite not having a fully-established session.

Bugs fixed

  • #15350 from pingport80 – Fixes a regression issue in the windows/manage/shellcode_inject module which crashed due to a missing mixin
  • #15352 from adfoster-r7 – Fixes an issue where running msfdb init on an already initialised database would generate a new password instead of just starting the database
