Metasploit Wrap-Up

Metasploit Wrapup

Windows print spooler vulnerability…again

Here we have bwatters-r7 coming in with an exploit for CVE-2020-1337, a patch bypass for a Windows print spooler elevation of privilege vulnerability that was exploited in the wild last year. The original vulnerability, CVE-2020-1048, garnered quite a bit of interest from the security community, in large part because the Windows print spooler is a legacy component that was abused as part of the Stuxnet attack. Alex Ionescu and Yarden Shafir, the researchers who discovered CVE-2020-1048, have a great write-up here if you’re looking for a deep dive.

The first patch that Microsoft released for CVE-2020-1048 uses a check to verify that the process creating a printer port targeting a location has privileges to write to that location. Unfortunately, that patch only checks the permissions when the port is created. The bypass utilized here simply creates the port pointing to a location the user can write
to. Then, after the printer port is created, it creates a symlink from
the location pointed to by the printer port to a second location. The check will pass because the link is only created after the check, but the link will be in place when the print takes place, so the file write will pass through and end up in the trusted location.

A very prompt fix

Chiggins gave us a fix for the msfconsole prompt with PR #14635. For those not in the know, you can set your prompt in the console with the set Prompt command. Thanks to Chiggins setting your prompt to the timestamp works again! So feel free to give it a go with set Prompt %T.

New Modules (1)

• Microsoft Spooler Local Privilege Elevation Vulnerability by 404death, Peleg Hadar, Tomer Bar, bwatters-r7, and sailay1996, which exploits CVE-2020-1337 This adds a local exploit module that leverages an arbitrary file write vulnerability in the Spooler service on Windows. This is a bypass of the patch for CVE-2020-1048 and is identified as CVE-2020-1337. By successfully executing this exploit, it is possible to gain code execution as NT AUTHORITY\SYSTEM.

Enhancements and features

• #14583 from dwelch-r7 This PR adds in the ability for framework to detect when a given nmap scan requires sudo privileges and re-runs nmap with sudo prompting the user in the typical way
• #14621 from geyslan This PR reduces the size of the linux/x64/shell_bind_tcp_random_port payload and maintains the functionality.
• #14630 from h00die Adds the hardcoded creds found in Zyxel devices to the unix creds files - as captured within CVE-2020-29583

Bugs Fixed

• #14597 from arno01 Updates the modules/auxiliary/gather/external_ip.rb module to provide a valid default vhost setting
• #14609 from dwelch-r7 A bug was fixed in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries whereby if a user used a /etc/hosts entry for resolving a hostname to an IP address, the VHOST datastore variable would be set incorrectly. This has now been resolved by improving the logic of these two libraries and updating the spec checks accordingly.
• #14632 from zomfg-zombie This fixes a compatibility issue with the OpenSMTPD MAIL FROM RCE exploit where it was failing to function when the target host’s shell uses a strictly POSIX compatible read utility as is the case in Ubuntu.
• #14635 from Chiggins A bug was fixed in the lib/rex/ui/text/shell.rb library whereby users who used the %T character within their command prompts would not get the full timestamp information. A fix has been applied to address this regression so that users can now get the full timestamp information within their prompts.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.26…6.0.27
• Full diff 6.0.26…6.0.27

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).