Metasploit Wrapup
Here we have bwatters-r7 coming in with an exploit for CVE-2020-1337, a patch bypass for a Windows print spooler elevation of privilege vulnerability that was exploited in the wild last year. The original vulnerability, CVE-2020-1048, garnered quite a bit of interest from the security community, in large part because the Windows print spooler is a legacy component that was abused as part of the Stuxnet attack. Alex Ionescu and Yarden Shafir, the researchers who discovered CVE-2020-1048, have a great write-up here if you’re looking for a deep dive.
The first patch that Microsoft released for CVE-2020-1048 checks that the process creating a printer port has permission to write to the location the port targets. Unfortunately, that patch only performs the check at the moment the port is created. The bypass used here simply creates the port pointing at a location the user can write to. Then, after the printer port exists, it creates a symlink from the location the port points to to a second location. The check passes because the link is created only after the check, but the link is in place when the print job runs, so the file write follows it and ends up in the trusted location.
Chiggins gave us a fix for the msfconsole prompt with PR #14635. For those not in the know, you can set your prompt in the console with the set Prompt command. Thanks to Chiggins, setting your prompt to the timestamp works again! So feel free to give it a go with set Prompt %T.
New modules
- Windows print spooler elevation of privilege exploit for CVE-2020-1337 from bwatters-r7, which elevates to NT AUTHORITY\SYSTEM.

Enhancements and features
- Updates the modules/auxiliary/gather/external_ip.rb module to provide a valid default vhost setting.

Bugs fixed
- Fixes an issue in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries whereby, if a user used an /etc/hosts entry to resolve a hostname to an IP address, the VHOST datastore variable would be set incorrectly. This has now been resolved by improving the logic of these two libraries and updating the spec checks accordingly.
- (entry truncated in the source) ... read utility as is the case in Ubuntu.
- PR #14635 from Chiggins fixes an issue in the lib/rex/ui/text/shell.rb library whereby users who used the %T character within their command prompts would not get the full timestamp information. A fix has been applied to address this regression so that users can now get the full timestamp information within their prompts.

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).