Micro Focus Operations Bridge Manager (OBM) is an IT operations management tool that collects, parses and correlates event and log data from many disparate sources. That breadth of input gives OBM a large attack surface, something Pedro Ribeiro was able to take advantage of with his new RCE module. The module leverages a Java deserialization bug to execute a payload as either root or SYSTEM, depending on the victim OS.
We have one other OBM module currently in the process of being landed, but for anyone who needs their fix of Micro Focus hacks right away, we recommend pedrib’s very detailed writeup of his findings.
While PR #14607 doesn’t add a totally new exploit for Microsoft Exchange Server, that’s only because zeroSteiner was able to update an earlier module to support a bypass for the patch that was supposed to fix the vulnerability it exploits.
CVE-2020-16875 originally allowed remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server, provided they were authenticated as a user who had an active mailbox and who was assigned the Data Loss Prevention role. This was believed to have been patched in Exchange Server 2016 Cumulative Update 18 (September 15 2020) and Exchange Server 2019 Cumulative Update 7 (September 15 2020). That patch was later bypassed, and the bypass was assigned CVE-2020-17132. Microsoft’s second patch was subsequently bypassed as well, a tough shake for organizations’ patch cycles. Both the original vulnerability and the patch bypass were discovered by Steven Seeley, and the Metasploit code is based on his work.
zeroSteiner’s changes allow the exchange_ecp_dlp_policy module to exploit the unpatched server as well as the two patched versions of Exchange Server.
Last but not least, cgranleese-r7 has spearheaded our efforts to improve the usability of Metasploit’s external modules by providing more informative error messages when a user lacks the required language runtime in their environment (#14480). This should stop users from missing out on useful modules simply because they didn’t know that languages other than Ruby, such as Go, can be needed for the full Metasploit experience. Instead of a bare load failure, the console now tells the user what is missing:
msf6 > use auxiliary/scanner/msmail/host_id
[-] Failed to load module: LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
msf6 >
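The following is an added example, written for this page and not code from Metasploit or from PR #14480, of the kind of pre-flight check that produces a message like the one above: it reads the shebang line of an external module file, maps the interpreter command to a language name, and looks for that interpreter on PATH before attempting to run the module. The INTERPRETERS table, the function names and the `#!/usr/bin/env go run` shebang used in the demo are assumptions made for illustration, not Metasploit’s actual conventions.

```ruby
# Added example: a pre-flight interpreter check for external modules.
# This is not Metasploit's own implementation; the function names and the
# interpreter table below are assumed for illustration.
require 'tmpdir'

# Interpreter command (as it appears in a shebang) -> language name shown to the user.
INTERPRETERS = {
  'python'  => 'Python',
  'python3' => 'Python',
  'go'      => 'Go',
  'ruby'    => 'Ruby'
}.freeze

# Return the interpreter command named by a shebang line, or nil if the line
# is not a shebang. Handles "#!/usr/bin/python3 -u" and "#!/usr/bin/env go run".
def shebang_interpreter(first_line)
  return nil unless first_line&.start_with?('#!')

  words = first_line.sub(/\A#!\s*/, '').split
  return nil if words.empty?

  cmd = File.basename(words[0])
  cmd = words[1] if cmd == 'env' && words[1] # "#!/usr/bin/env python3"
  cmd
end

# Look for an executable named +cmd+ in the given directories (PATH entries).
def find_in_path(cmd, path_dirs)
  path_dirs.each do |dir|
    candidate = File.join(dir, cmd)
    return candidate if File.file?(candidate) && File.executable?(candidate)
  end
  nil
end

# Return nil when the module's interpreter is available, otherwise an
# informative error string in the style of the console output above.
def external_module_load_error(module_path, path_dirs = ENV.fetch('PATH', '').split(File::PATH_SEPARATOR))
  first_line = File.open(module_path, &:gets) # first line only, file is closed afterwards
  cmd = shebang_interpreter(first_line)
  return "Failed to load module: #{module_path} has no shebang line naming its interpreter." if cmd.nil?

  lang = INTERPRETERS.fetch(cmd, cmd)
  return nil if find_in_path(cmd, path_dirs)

  "Failed to execute external #{lang} module. Please ensure you have #{lang} installed on your environment."
end

if __FILE__ == $PROGRAM_NAME
  # Stand-alone demo with a constructed module file and an empty PATH,
  # so the interpreter is guaranteed to be missing.
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'host_id.go')
    File.write(path, "#!/usr/bin/env go run\npackage main\n")
    puts external_module_load_error(path, [])
  end
end
```

The check is deliberately done before the module is spawned, so the user sees the missing-runtime message rather than a generic process-launch failure; passing the PATH directories explicitly keeps the function testable without touching the real environment.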
Other changes in this release:
- Modules that implemented their own AutoCheck behavior now leverage the AutoCheck mixin instead.
- Improved user feedback in the auxiliary/analyze/crack_* modules. Examples include notifying the user that the database needs to be active, and that the JohnTheRipper Jumbo patch needs to be installed.
- A change to the linux/x64/shell_bind_tcp_random_port payload that maintains its existing functionality.
- An update to the exploit/osx/browser/safari_proxy_object_type_confusion exploit module for macOS 10.13.1 and 10.13.2.
- Updates to lib/msf/core/module/reference.rb, as well as associated tools and documentation, to replace old WPVDB links with the new WPVDB domain and to ensure that the new URL format is properly checked in the respective tools.
- A fix in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries for a bug where the VHOST datastore variable would be set incorrectly if a user used an /etc/hosts entry to resolve a hostname to an IP address.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).