CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
This week’s Metasploit Framework release brings us seven new modules.
Rapid7’s Jacob Baines was busy this week with two exploit modules that target IP cameras. The first module exploits an authenticated file upload on Axis IP cameras. Due to a lack of proper sanitization, an attacker can upload and install an eap application which, when executed, will grant the attacker root privileges on the device. This vulnerability, discovered by Baines in 2017, has yet to be patched.
The second module exploits an unauthenticated command injection vulnerability in a number of Hikvision IP cameras. A PUT request to the /SDK/webLanguage endpoint passes the contents of its request body’s <language> tag to snprintf(), and the resulting string is then handed to a call to system(), resulting in code execution with root privileges. This vulnerability has been reported as exploited in the wild.
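As an added illustration (not part of the original post or the Metasploit module), a small Python checker that flags PUT requests to /SDK/webLanguage whose <language> value does not look like a plain language code; the sample requests and the allowlist pattern are constructed assumptions, not Hikvision's documented format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample requests (method, path, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("PUT", "/SDK/webLanguage", "<language>en</language>"),
    ("PUT", "/SDK/webLanguage", "<language>zh;id</language>"),
    ("PUT", "/SDK/webLanguage", "<language>$(id)</language>"),
    ("PUT", "/SDK/webLanguage", "<language>en</language><extra"),  # malformed XML
    ("GET", "/SDK/webLanguage", ""),
    ("PUT", "/ISAPI/System/time", "<Time><timeMode>manual</timeMode></Time>"),
]

TARGET_PATH = "/SDK/webLanguage"
# Assumed shape of a legitimate value: a short alphabetic code such as "en".
LANG_OK = re.compile(r"^[A-Za-z]{2,8}$")
# Characters that have no business in a language code but matter to a shell.
SHELL_META = set("$`;|&<>(){}\n")
LANG_TAG = re.compile(r"<language>(.*?)</language>", re.DOTALL)

def extract_language(body):
    """Return the <language> text; fall back to a regex when the body is not well-formed XML."""
    try:
        root = ET.fromstring(body)
        node = root if root.tag == "language" else root.find(".//language")
        if node is not None:
            return node.text or ""
    except ET.ParseError:
        pass
    m = LANG_TAG.search(body)
    return m.group(1) if m else None

def classify(method, path, body):
    """None if the request is out of scope, otherwise 'benign' or 'suspicious'."""
    if method != "PUT" or path != TARGET_PATH:
        return None
    value = extract_language(body)
    if value is None:
        return "suspicious"  # PUT to the endpoint with no parsable <language> tag
    if LANG_OK.match(value) and not (SHELL_META & set(value)):
        return "benign"
    return "suspicious"

def scan(requests):
    """Return [(index, verdict, language_value)] for every in-scope request."""
    findings = []
    for i, (method, path, body) in enumerate(requests):
        verdict = classify(method, path, body)
        if verdict is not None:
            findings.append((i, verdict, extract_language(body)))
    return findings

if __name__ == "__main__":
    for idx, verdict, value in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict:<10} language={value!r}")
```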
Community contributor RootUp submitted a module that exploits a privilege escalation vulnerability in Polkit’s pkexec utility, an SUID binary that is present on most major Linux distributions. This vulnerability has likely existed in pkexec since 2009.
Any user can escalate their privileges to root by exploiting an out-of-bounds read and write in pkexec’s executable path-finding logic. The logic always assumes that an argument is passed to pkexec, so when none is, it reads the data that follows the arguments in memory. Environment variables follow program arguments, so pkexec reads the first environment variable, resolves its full path, and writes that full path back in place of the environment variable. Leveraging the GCONV_PATH environment variable coerces pkexec into loading arbitrary libraries, leading to escalation of privileges.
WordPress Modern Events Calendar SQLi Scanner by Hacker5preme (Ron Jost), h00die, and red0xff, which exploits CVE-2021-24946 - This exploits an unauthenticated SQL injection vulnerability in the Modern Events Calendar plugin for WordPress.
WordPress Secure Copy Content Protection and Content Locking sccp_id Unauthenticated SQLi by Hacker5preme (Ron Jost), Krzysztof Zając (kazet), and h00die, which exploits CVE-2021-24931 - A new module has been added to exploit CVE-2021-24931, an unauthenticated SQLi vulnerability in the sccp_id parameter of the ays_sccp_results_export_file AJAX action in Secure Copy Content Protection and Content Locking WordPress plugin versions before 2.8.2. Successful exploitation allows attackers to dump usernames and password hashes from the wp_users table, which can then be cracked offline to gain valid login credentials for the affected WordPress installation.
Axis IP Camera Application Upload by jbaines-r7 - The "Apps" feature in Axis IP cameras allows third-party developers to upload and execute ‘eap’ applications on the device; however, no validation is performed to ensure the application comes from a trusted source. This module takes advantage of this vulnerability to allow authenticated attackers to upload and execute malicious applications and gain RCE. Once the application has been installed and the shell has been obtained, the module will then automatically delete the malicious application. No CVE is assigned to this issue as a patch has not been released as of the time of writing.
Hikvision IP Camera Unauthenticated Command Injection by Watchful_IP, bashis, and jbaines-r7, which exploits CVE-2021-36260 - This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user.
Local Privilege Escalation in polkit's pkexec by Andris Raugulis, Dhiraj Mishra, Qualys Security, and bwatters-r7, which exploits CVE-2021-4034 - This adds an LPE exploit for CVE-2021-4034, which leverages an out-of-bounds read and write in polkit’s pkexec utility. It also adds support to Metasploit for generating Linux SO library payloads for the AARCH64 architecture.
Firefox MCallGetProperty Write Side Effects Use After Free Exploit by 360 ESG Vulnerability Research Institute, maxpl0it, and timwr, which exploits CVE-2020-26950 - This adds a module for CVE-2020-26950, a use-after-free browser exploit targeting Firefox and Thunderbird.
#16202 from zeroSteiner - This adds an exploit for CVE-2022-21882, which is a patch bypass for CVE-2021-1732. It updates and combines both techniques into a single mega-exploit module that will use the updated technique as necessary. No configuration is necessary outside of the SESSION and payload datastore options.
kiwi_cmd 'base64 /in:off /out:off'
.info -d command when the provided GitHub credentials were invalid.
msfconsole tab-completes directory paths.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).