Our very own wvu-r7 has added exploits/linux/http/mobileiron_mdm_hessian_rce, which exploits an ACL bypass in MobileIron MDM products to execute a Java deserialization attack using a Groovy gadget against a Hessian-based endpoint (CVE-2020-15505). MDM helps organizations manage and control all employees' devices, and it must be publicly reachable to synchronize those devices, which makes it an appealing target. This exploit has been included on the U.S. National Security Agency's list of vulnerabilities known to be exploited by Chinese state-sponsored threat actors. More information about this exploit can be found here.
exploits/multi/fileformat/archive_tar_arb_file_write has been added by gwillcox-r7, which adds support for CVE-2020-28949. CVE-2020-28949 is a vulnerability affecting the Archive_Tar plugin of the PEAR PHP development framework. It is caused by Archive_Tar's lack of validation of file stream wrappers contained within filenames, which allows an arbitrary file containing user-controlled content to be written to an arbitrary location on disk.
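The root cause described above is an archive entry name that is interpreted as a PHP stream wrapper (file://, phar://, php://, and so on) instead of a plain relative path, so the destination is no longer confined to the extraction directory. The following is an added Ruby example, not Archive_Tar's or the Metasploit module's own code, showing the kind of entry-name check a hardened extractor performs before building a destination path. It goes slightly beyond the page by also rejecting absolute paths and ".." traversal; the entry names it classifies are constructed samples and the extraction root is an assumed value.

```ruby
require 'pathname'

# Added example (not Archive_Tar's code): validate tar entry names before
# they are used to build a destination path on disk.

# A leading URL-style scheme means the name would be opened through a stream
# wrapper rather than treated as a relative path under the extraction root.
SCHEME_PREFIX = %r{\A[A-Za-z][A-Za-z0-9+.\-]*://}

# Returns a human-readable reason to reject the entry, or nil if it is safe.
def reject_reason(name)
  return 'empty name' if name.nil? || name.empty?
  return 'NUL byte in name' if name.include?("\0")
  return 'stream wrapper scheme in name' if name.match?(SCHEME_PREFIX)
  return 'absolute path' if name.start_with?('/') || name.match?(/\A[A-Za-z]:[\\\/]/)
  parts = name.split(%r{[\\/]+})
  return 'path traversal (..)' if parts.include?('..')
  nil
end

def safe_entry?(name)
  reject_reason(name).nil?
end

# Resolve a validated entry under the extraction root and confirm the
# resolved path still lies inside that root (a second, path-based check
# on top of the name-based one).
def destination_for(root, name)
  reason = reject_reason(name)
  raise ArgumentError, "rejected #{name.inspect}: #{reason}" if reason

  root_path = Pathname.new(root).expand_path
  dest = (root_path + name).expand_path
  unless dest.to_s.start_with?(root_path.to_s + '/')
    raise ArgumentError, "#{name.inspect} escapes #{root}"
  end
  dest.to_s
end

# Constructed sample entry names, not taken from any real archive.
SAMPLE_ENTRIES = [
  'docs/readme.txt',
  'file:///etc/cron.d/job',
  'phar://payload.phar/x',
  '../../etc/passwd',
  '/etc/passwd',
  'a/b/../../../c'
].freeze

# Map each entry name to its verdict ('ok' or the rejection reason).
def classify(entries = SAMPLE_ENTRIES)
  entries.map { |n| [n, reject_reason(n) || 'ok'] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  classify.each { |name, verdict| puts format('%-28s %s', name, verdict) }
end
```

Only the first sample entry is accepted; every other one is rejected by the name check alone, and destination_for adds a final containment check on the resolved path so that a name which slips past the pattern still cannot land outside the extraction root.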
Community contributor Pedro Ribeiro has added exploits/multi/http/microfocus_ucmdb_unauth_deser, which exploits two vulnerabilities, CVE-2020-11853 and CVE-2020-11854, that when chained allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. CVE-2020-11854 is the use of a hardcoded password for the "diagnostics" user, which allows attackers to log into UCMDB. CVE-2020-11853 takes advantage of the fact that, after authentication, almost all of the UCMDB client's communication is done using Java serialized objects, allowing an authenticated attacker to inject a malicious Java serialized object into the POST body of one of the vulnerable endpoints and achieve remote code execution as root or SYSTEM.
A report_creds function was added to the kiwi.rb and priv/password.rb Meterpreter libraries. This function ensures that credentials dumped via Kiwi or via the hashdump command are now appropriately captured in the creds database, allowing users to replay them later on, or attempt to crack them and obtain the plaintext password.

auxiliary/scanner/ssh/ssh_enumusers.rb was updated to ensure that error messages that occur when a user doesn't exist on the target system, or who can't connect remotely, are not displayed unless the VERBOSE flag is set.

local_exploit_suggester was fixed to correctly store rhost information in the database, as previously this would crash.

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).