Post Syndicated from Simon Janusz original https://blog.rapid7.com/2022/04/08/metasploit-wrap-up-151/

Windows Local Privilege Escalation for standard users

In this week’s release, we have an exciting new module that has been added by our very own Grant Willcox which exploits (CVE-2022-26904)[https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904], and allows for normal users to execute code as NT AUTHORITY/SYSTEM on Windows machines from Windows 7 up to and including Windows 11. Currently, the vulnerability is still not patched and there have not been any updates from MSRC regarding this vulnerability, however it may be patched in the next Patch Tuesday.

This exploit requires more than one local user to be present on the machine and the PromptOnSecureDesktop setting to be set to 1, which is the default setting.

MacOS exploitation

Our very own space-r7 has updated the recent GateKeeper module to add support for the recent CVE-2022-22616, which can be used to target all MacOS Catalina versions, and MacOS Monterey versions prior to 12.3.

This module can be used to remove the com.apple.quarantine extended attribute on a downloaded/extracted file and allows for code to be executed on the machine.

Enumerating Chocolatey applications

This week’s release also features a new module from a first-time contributor rad10, which will enumerate all applications that have been installed using Chocolatey.

This could be used when gathering information about a compromised target and potentially vulnerable software present on the machine.

New module content (5)

• User Profile Arbitrary Junction Creation Local Privilege Elevation by Grant Willcox and KLINIX5, which exploits CVE-2022-26904 – This adds an exploit for CVE-2022-26904, which is an LPE vulnerability affecting Windows 7 through Windows 11. Leveraging this vulnerability can allow a local attacker running as a standard user, who has knowledge of another standard user’s credentials, to execute code as NT AUTHORITY\SYSTEM. The PromptOnSecureDesktop setting must also be set to 1 on the affected machine for this exploit to work, which is the default setting.
• ALLMediaServer 1.6 SEH Buffer Overflow by Hejap Zairy Al-Sharif, which exploits CVE-2022-28381 – A new module has been added in which exploits CVE-2022-28381, a remotely exploitable SEH buffer overflow vulnerability in AllMediaServer version 1.6 and prior. Successful exploitation results in remote code execution as the user running AllMediaServer.
• Windows Gather Installed Application Within Chocolatey Enumeration by Nick Cottrell – This adds a post module that enumerates applications installed with Chocolatey on Windows systems.
• #16082 from usiegl00 – This updates the shadow_mitm_dispatcher module by adding a new RubySMB Dispatcher, whichallows a better integration with RubySMB and enables the use of all the features provided by its client. Both SMBv2 and SMBv3 are now supported.
• #16401 from space-r7 – This change adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module which reportedly covers macOS Catalina all the way to MacOS Monterey versions below 12.3. Since this now targets two CVEs, we’ve introduced a new CVE option to select which CVE to exploit. This default is the most recent CVE.

Enhancements and features (4)

• #15972 from sempervictus – This updates the Log4shell scanner with the LEAK_PARAMS option, providing a way to leak more target information such as environment variables.
• #16320 from dwelch-r7 – This updates Windows Meterpreter payloads to support a new MeterpreterDebugBuild datastore option. When set to true the generated payload will have additional logging support which is visible via Window’s DbgView program.
• #16373 from adfoster-r7 – Adds initial support for Ruby 3.1
• #16403 from sempervictus – This adds more checks to the post/windows/gather/checkvm module to better detect if the current target is a Qemu / KVM virtual machine.

Bugs fixed (3)

• #16398 from jmartin-r7 – A number of recent payload adds did not conform to the patterns used for suggesting spec configurations. Tests for these payloads have now been manually added to ensure they will be appropriately tested as part of rspec checks.
• #16408 from rtpt-alexanderneumann – This fixes an edge case with the multi/postgres/postgres_copy_from_program_cmd_exec module, which crashed when the randomly generated table name started with a number
• #16419 from adfoster-r7 – A bug has been fixed whereby when using the search command and searching by disclosure_date, the help menu would instead appear. This has been remedied by improving the date handling logic for the search command.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.36…6.1.37
• Full diff 6.1.36…6.1.37

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2022/01/14/metasploit-weekly-wrap-up/

Log4Shell goodness

Log4Shell made an unfortunate end to 2021 for many organizations, but it also makes for some great additions to Metasploit Framework. Contributors sempervictus, schierlm, righel, timwr and our very own Spencer McIntyre have collaborated to bring us a Log4Shell module that uses header stuffing to exploit vulnerable HTTP servers, resulting in Remote Code Execution.

SonicWall SSL VPN module for Rapid7-discovered vulnerability

Rapid7 disclosed the technical details of five vulnerabilities discovered by jbaines-r7 affecting SonicWall’s SMA-100 series of SSL VPN devices. The disclosure included landing a Metasploit module that gives remote and authenticated attackers root access to the device using CVE-2021-20039.

Pi-Hole command execution and common exploit library

An exciting new addition has worked its way into Metasploit Framework this week. Contributor h00die has created an authenticated RCE module that takes advantage of improper escaping of characters in Pi-Hole’s Top Domains API’s validDomainWildcard field. H00die has also created a library that aims to make developing future Pi-Hole modules easier.

New module content (5)

• Pi-Hole Top Domains API Authenticated Exec by SchneiderSec and h00die, which exploits CVE-2021-32706 – This adds an auxiliary module that executes commands against Pi-Hole versions <= 5.5. This also introduces a Pi-Hole library for common functionality required in exploits against the service.

• SonicWall SMA 100 Series Authenticated Command Injection by jbaines-r7, which exploits CVE-2021-20039 – This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWALL SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the \n character which acts as a terminator when passed to a call to system(). An authenticated attacker can execute arbitrary commands as the root user.

• Log4Shell HTTP Header Injection by sinn3r, juan vazquez, Michael Schierl, RageLtMan, and Spencer McIntyre, which exploits CVE-2021-44228 – This adds an exploit for HTTP servers that are affected by the Log4J/Log4Shell vulnerability via header stuffing.

• Microsoft Windows SMB Direct Session Takeover by usiegl00 – This adds a new exploit module that implements the Shadow Attack, SMB Direct Session takeover. Before running this module, a MiTM attack needs to be performed to let it intercept SMB authentication requests between a client and a server. by using any kind of ARP spoofer/poisoner tools in addition to Metasploit. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload.

• #12217 from SkypLabs – This adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs)

Enhancements and features

• #15656 from HynekPetrak – This enables the vmware_vcenter_vmdir_auth_bypass module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming we have obtained valid credentials to the vCenter LDAP directory.
• #16021 from zeroSteiner – This adds additional tests for Meterpreter’s mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters
• #16024 from sjanusz-r7 – This adds in a new command to Meterpreter that allows the end user to kill all channels at once
• #16040 from jmartin-r7 – Removes Ruby 2.5 support as it is officially end of life

Bugs fixed

• #16016 from bwatters-r7 – This fixes an issue in the auxiliary/scanner/dcerpc/hidden module where the RHOSTS datastore option was not available, resulting in hosts not being scanned.
• #16027 from zeroSteiner – This fixes an issue with tab completion for the generate command. Completion now works with both the -f and -o flags.
• #16043 from shoxxdj – Fixes crash in the auxiliary/scanner/http/wordpress_scanner.rb module when attempting to scan themes

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.23…6.1.25
• Full diff 6.1.23…6.1.25

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2021/10/08/metasploit-wrap-up-133/

Telemetry is for gathering data, not executing commands as root, right?…

This week’s highlight is a new exploit module by our own wvu for VMware vCenter Server CVE-2021-22005, a file upload vuln that arises from a flaw in vCenter’s analytics/telemetry service, which is enabled by default. Attackers with network access to port 443 can upload a specially crafted file, after which commands can be executed as the root user without prior authentication. As usual, this latest vCenter Server vulnerability was exploited in the wild quickly after details were released. See Rapid7’s full technical analysis in AttackerKB.

Good ol’ Netfilter

This week’s release also includes a privilege escalation module for a Linux kernel vulnerability in Netfilter that lets you get a root shell through an out-of-bounds write. The vulnerability was discovered by Andy Nguyen and has been present in the Linux kernel for the past 15 years. The module currently supports 18 versions of the Ubuntu kernel ranging between 5.8.0-23 to 5.8.0-53 thanks to bcoles, and there are plans to add further support for kernel versions 4.x in the future, once an ROP chain for said version is created.

New module content (3)

• VMware vCenter Server Analytics (CEIP) Service File Upload by wvu, Derek Abdine, George Noseevich, Sergey Gerasimov, and VMware, which exploits CVE-2021-22005 – This adds an exploit for CVE-2021-22005 which is an unauthenticated RCE within the VMWare vCenter appliance.
• Netfilter x_tables Heap OOB Write Privilege Escalation by Andy Nguyen (theflow0), Szymon Janusz and bcoles, which exploits CVE-2021-22555 – This PR adds a module for CVE-2021-22555, a 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter.
• Diagnostic State by Jay Turla – Adds a new post/hardware/automotive/diagnostic_state module which will keep the vehicle in a diagnostic state.

Enhancements and features

• #15735 from jaydesl – Fixes a Rails 6 deprecation warning when a user ran db_disconnect in msfconsole
• #15740 from h00die – Several improvements have been made to the Ghostcat module to align it with recent standards changes that the team has made and to ensure its documentation is more descriptive.
• #15750 from jmartin-r7 – Improves Ruby 3.0.2 support on Windows

Bugs fixed

• #15729 from ErikWynter – This fixes a bug in the PrintNightmare check method where if an RPC function returns a value that can’t be mapped to a Win32 error code, the module would crash.
• #15730 from adfoster-r7 – The check method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.
• #15737 from adfoster-r7 – A bug has been fixed whereby action wasn’t correctly being set when using the action name as a command. action should now hold the right value when using the action name as a command.
• #15745 from bwatters-r7 – A bug has been fixed in tools/dev/msftidy.rb whereby if the Notes section was placed before the References section, then msftidy would end up not checking the References section and would therefore state the module didn’t have a CVE reference, even when it did.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.1.8…6.1.9
• Full diff 6.1.8…6.1.9

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).