All posts by Simon Janusz

Metasploit Weekly Wrap-Up

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2022/01/14/metasploit-weekly-wrap-up/

Log4Shell goodness

Metasploit Weekly Wrap-Up

Log4Shell made an unfortunate end to 2021 for many organizations, but it also makes for some great additions to Metasploit Framework. Contributors sempervictus, schierlm, righel, timwr and our very own Spencer McIntyre have collaborated to bring us a Log4Shell module that uses header stuffing to exploit vulnerable HTTP servers, resulting in Remote Code Execution.

SonicWall SSL VPN module for Rapid7-discovered vulnerability

Rapid7 disclosed the technical details of five vulnerabilities discovered by jbaines-r7 affecting SonicWall’s SMA-100 series of SSL VPN devices. The disclosure included landing a Metasploit module that gives remote and authenticated attackers root access to the device using CVE-2021-20039.

Pi-Hole command execution and common exploit library

An exciting new addition has worked its way into Metasploit Framework this week. Contributor h00die has created an authenticated RCE module that takes advantage of improper escaping of characters in Pi-Hole’s Top Domains API’s validDomainWildcard field. H00die has also created a library that aims to make developing future Pi-Hole modules easier.

New module content (5)

  • Pi-Hole Top Domains API Authenticated Exec by SchneiderSec and h00die, which exploits CVE-2021-32706 – This adds an auxiliary module that executes commands against Pi-Hole versions <= 5.5. This also introduces a Pi-Hole library for common functionality required in exploits against the service.

  • SonicWall SMA 100 Series Authenticated Command Injection by jbaines-r7, which exploits CVE-2021-20039 – This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWALL SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the \n character which acts as a terminator when passed to a call to system(). An authenticated attacker can execute arbitrary commands as the root user.

  • Log4Shell HTTP Header Injection by sinn3r, juan vazquez, Michael Schierl, RageLtMan, and Spencer McIntyre, which exploits CVE-2021-44228 – This adds an exploit for HTTP servers that are affected by the Log4J/Log4Shell vulnerability via header stuffing.

  • Microsoft Windows SMB Direct Session Takeover by usiegl00 – This adds a new exploit module that implements the Shadow Attack, SMB Direct Session takeover. Before running this module, a MiTM attack needs to be performed to let it intercept SMB authentication requests between a client and a server. by using any kind of ARP spoofer/poisoner tools in addition to Metasploit. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload.

  • #12217 from SkypLabs – This adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs)

Enhancements and features

  • #15656 from HynekPetrak – This enables the vmware_vcenter_vmdir_auth_bypass module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming we have obtained valid credentials to the vCenter LDAP directory.
  • #16021 from zeroSteiner – This adds additional tests for Meterpreter’s mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters
  • #16024 from sjanusz-r7 – This adds in a new command to Meterpreter that allows the end user to kill all channels at once
  • #16040 from jmartin-r7 – Removes Ruby 2.5 support as it is officially end of life

Bugs fixed

  • #16016 from bwatters-r7 – This fixes an issue in the auxiliary/scanner/dcerpc/hidden module where the RHOSTS datastore option was not available, resulting in hosts not being scanned.
  • #16027 from zeroSteiner – This fixes an issue with tab completion for the generate command. Completion now works with both the -f and -o flags.
  • #16043 from shoxxdj – Fixes crash in the auxiliary/scanner/http/wordpress_scanner.rb module when attempting to scan themes

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Simon Janusz original https://blog.rapid7.com/2021/10/08/metasploit-wrap-up-133/

Telemetry is for gathering data, not executing commands as root, right?…

Metasploit Wrap-Up

This week’s highlight is a new exploit module by our own wvu for VMware vCenter Server CVE-2021-22005, a file upload vuln that arises from a flaw in vCenter’s analytics/telemetry service, which is enabled by default. Attackers with network access to port 443 can upload a specially crafted file, after which commands can be executed as the root user without prior authentication. As usual, this latest vCenter Server vulnerability was exploited in the wild quickly after details were released. See Rapid7’s full technical analysis in AttackerKB.

Good ol’ Netfilter

This week’s release also includes a privilege escalation module for a Linux kernel vulnerability in Netfilter that lets you get a root shell through an out-of-bounds write. The vulnerability was discovered by Andy Nguyen and has been present in the Linux kernel for the past 15 years. The module currently supports 18 versions of the Ubuntu kernel ranging between 5.8.0-23 to 5.8.0-53 thanks to bcoles, and there are plans to add further support for kernel versions 4.x in the future, once an ROP chain for said version is created.

New module content (3)

Enhancements and features

  • #15735 from jaydesl – Fixes a Rails 6 deprecation warning when a user ran db_disconnect in msfconsole
  • #15740 from h00die – Several improvements have been made to the Ghostcat module to align it with recent standards changes that the team has made and to ensure its documentation is more descriptive.
  • #15750 from jmartin-r7 – Improves Ruby 3.0.2 support on Windows

Bugs fixed

  • #15729 from ErikWynter – This fixes a bug in the PrintNightmare check method where if an RPC function returns a value that can’t be mapped to a Win32 error code, the module would crash.
  • #15730 from adfoster-r7 – The check method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.
  • #15737 from adfoster-r7 – A bug has been fixed whereby action wasn’t correctly being set when using the action name as a command. action should now hold the right value when using the action name as a command.
  • #15745 from bwatters-r7 – A bug has been fixed in tools/dev/msftidy.rb whereby if the Notes section was placed before the References section, then msftidy would end up not checking the References section and would therefore state the module didn’t have a CVE reference, even when it did.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).