CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 8.3 High
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:A/AC:L/Au:N/C:C/I:C/A:C
This week, community contributor Hakyac added a new Olympic discipline to the Metasploit exploit sports category, based on the work of community security researchers @jonasLyk and Kevin Beaumont. The rules are simple: you need to abuse a configuration flaw in Windows 10 and 11 to pass through the defense and access the Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as the hashes of user and admin passwords. The best strategy to win a gold medal is to start by abusing the Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack, and score with remote code execution.
Note that Microsoft issued an out-of-band advisory and tracks this vulnerability as CVE-2021-36934. You can find more information about the rules in this blog post. Happy Hive hunting!
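As an added defender's check, not code from the Rapid7 post or the Metasploit module: the script below reads only the DACL of the SAM, SECURITY and SYSTEM hives and reports whether BUILTIN\Users (matched by its well-known SID, so it works on any locale) holds read access, and whether a shadow copy exists that would make the locked hives copyable. It assumes a PowerShell session on Windows 10/11; it changes nothing.

```powershell
# Added example (not from the original post). Assumed: Windows 10/11 PowerShell;
# only security descriptors are read, never the hive contents.
$hives = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

$usersSid = 'S-1-5-32-545'   # well-known SID for BUILTIN\Users (locale independent)
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveReadableByUsers {
    param([string]$Path)
    # Reading the security descriptor needs only READ_CONTROL, so this works
    # even though the hive file itself is held open by the kernel.
    $acl = Get-Acl -Path $Path
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
        (([int]$_.FileSystemRights) -band $readData) -ne 0
    }
    return [bool]$hits
}

$exposed = foreach ($hive in $hives) {
    if (Test-HiveReadableByUsers -Path $hive) { $hive }
}

# The permissive ACL only becomes exploitable once a shadow copy makes the
# locked hives copyable, so report both conditions.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposed) {
    Write-Output "BUILTIN\Users can read: $($exposed -join ', ')"
    Write-Output "Shadow copies present: $($shadows.Count)"
    if ($shadows.Count -gt 0) {
        Write-Output "Exposed: hives can be copied out of a shadow copy by a standard user."
    } else {
        Write-Output "ACL is wrong but no shadow copy exists yet; fix the ACL before one is created."
    }
} else {
    Write-Output "BUILTIN\Users has no read access to the hives; not exposed."
}
```

Microsoft's advisory for CVE-2021-36934 describes the workaround (restricting the hive ACL and deleting existing shadow copies); this script only reports and is meant to be run before and after applying it.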
Our own Grant Willcox added a new exploit module that won the Swimming 100m Heap Overflow discipline. It takes advantage of a flaw in the genie.cgi?backup.cgi page of Netgear R7000 routers to enable a telnet server and easily get code execution as the root user. Note that, whereas firmware versions 1.0.11.116 and prior are vulnerable, this module can only be used with version 1.0.11.116 at the moment. The check method can still be used to detect whether older devices are vulnerable. This module is based on research done by @colorlight2019. A new gold medal for the Metasploit team, great job!
3.0 and <= 5.2.4. In vulnerable versions of the software, a user with sudo privileges can escalate to root by passing shell commands to either the removecustomcname, removecustomdns, or removestaticdhcp function. The functions have minimal sanitization, and they pass the input to the sed command. By default, the www-data user is permitted to run sudo without supplying a password, as configured in the sudoers.d/pihole file.

5.16.5, an administrative user can upload a PHP payload via the calendar import feature by setting the content type of the file to text/csv. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.

4.22, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a .php extension, meaning that uploading a file with a .pHp extension is allowed. Once uploaded, requesting the file will result in code execution as the www-data user.

copy_file method caused by it searching for a word in the output to determine success.

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).