Metasploit Weekly Wrap-Up 04/19/24

Welcome Ryan and the new CrushFTP module

It’s not every week we add an awesome new exploit module to the Framework while adding the original discoverer of the vulnerability to the Rapid7 team as well. We’re very excited to welcome Ryan Emmons to the Emergent Threat Response team, which works alongside Metasploit here at Rapid7. Ryan discovered an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in CrushFTP (CVE-2023-43177) versions prior to 10.5.1 which results in unauthenticated remote code execution. Metasploit’s very own Christophe De La Fuente did a fantastic job of turning this complex exploit into a smooth running Metasploit module. This release includes another unauthenticated remote code execution vulnerability in the oh so popular PostgreSQL management tool, pgAdmin. Written by Spencer McIntyre, the module exploits CVE-2024-2044 which is a path-traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized.

New module content (3)

MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever

Author: h00die
Type: Auxiliary
Pull request: #18936 contributed by h00die
Path: gather/mongodb_ops_manager_diagnostic_archive_info
AttackerKB reference: CVE-2023-0342

Description: This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-0342) in MongoDB Ops Manager v5.0 prior to 5.0.21 and v6.0 prior to 6.0.12 to retrieve the SAML SSL Pem Key File Password, which is stored in plaintext in the application’s Diagnostics Archive.

CrushFTP Unauthenticated RCE

Authors: Christophe De La Fuente and Ryan Emmons
Type: Exploit
Pull request: #18918 contributed by cdelafuente-r7
Path: multi/http/crushftp_rce_cve_2023_43177
AttackerKB reference: CVE-2023-43177

Description: This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.

pgAdmin Session Deserialization RCE

Authors: Abdel Adim Oisfi, Davide Silvetti, and Spencer McIntyre
Type: Exploit
Pull request: #19026 contributed by zeroSteiner
Path: multi/http/pgadmin_session_deserialization
AttackerKB reference: CVE-2024-2044

Description: This adds an exploit for pgAdmin <= 8.3 which is a path traversal vulnerability in the session management that allows a Python pickle object to be loaded and deserialized. This also adds a new Python deserialization gadget chain to execute the code in a new thread so the target application doesn’t block the HTTP request.

Enhancements and features (0)

None

Bugs fixed (0)

None

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.3…6.4.4
• Full diff 6.4.3…6.4.4

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Download Gartner® 2024 Strategic Roadmap for Managing Threat Exposure ▶︎