Operations and management software makes a popular target because its users typically have elevated privileges across a network. Our own wvu contributed the VMware vRealize Operations (vROps) Manager SSRF RCE exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The exploit/linux/http/vmware_vrops_mgr_ssrf_rce module achieves remote code execution (RCE) as the admin Unix user by chaining the two vulnerabilities. First, the CVE-2021-21975 pre-authentication server-side request forgery (SSRF) vulnerability in the /casa/nodes/thumbprints endpoint is exploited to obtain the admin credentials. Then, those credentials are used to authenticate to the vRealize Operations Manager API and exploit CVE-2021-21983 via the /casa/private/config/slice/ha/certificate endpoint, which lets the module write and execute an arbitrary file, a JSP payload in this case. The module should work against the following vulnerable versions:
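The two endpoints named above give defenders a simple correlation rule: a pre-authentication hit on /casa/nodes/thumbprints followed, from the same source, by a request to /casa/private/config/slice/ha/certificate is the shape of the chain. The script below is an added example (not code from the module or from Rapid7) that runs that rule over web access logs. It assumes a hypothetical combined-format access log; the real vROps log layout, and the 10-minute correlation window, are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed combined-style access log format (hypothetical; not the real vROps layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SSRF_PATH = "/casa/nodes/thumbprints"                     # CVE-2021-21975, pre-auth SSRF
WRITE_PATH = "/casa/private/config/slice/ha/certificate"  # CVE-2021-21983, file write
WINDOW_SECONDS = 600                                      # assumed correlation window

# Constructed sample log: one full chain, one lone SSRF probe, one benign client, one junk line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2021:10:00:00 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 512
203.0.113.5 - - [10/Apr/2021:10:00:02 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 512
203.0.113.5 - - [10/Apr/2021:10:03:10 +0000] "POST /casa/private/config/slice/ha/certificate HTTP/1.1" 200 64
198.51.100.7 - - [10/Apr/2021:11:15:00 +0000] "POST /casa/nodes/thumbprints?x=1 HTTP/1.1" 200 512
192.0.2.9 - - [10/Apr/2021:11:20:00 +0000] "GET /ui/login.action HTTP/1.1" 200 2048
not a log line
"""


def parse_line(line):
    """Parse one access-log line; return a dict or None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings when matching paths
    return rec


def find_chain(lines, window=WINDOW_SECONDS):
    """Group requests by source IP and report every source that touched the SSRF
    endpoint. A source is 'chained' (high severity) when the certificate-write
    endpoint is hit within `window` seconds after its first SSRF request."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        ssrf_hits = [r for r in recs if r["path"] == SSRF_PATH]
        if not ssrf_hits:
            continue
        first = ssrf_hits[0]["ts"]
        followups = [
            r for r in recs
            if r["path"] == WRITE_PATH and 0 <= (r["ts"] - first).total_seconds() <= window
        ]
        findings.append({
            "ip": ip,
            "ssrf_hits": len(ssrf_hits),
            "chained": bool(followups),
            "severity": "high" if followups else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_chain(SAMPLE_LOG.splitlines()):
        print(f)
```

A lone request to the thumbprints endpoint is reported at medium severity because the endpoint is reachable without authentication, so even an unchained hit from an unexpected source is worth a look; the full sequence is what justifies treating the host as compromised.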
Many dynamic websites and business applications have associated databases, so databases are commonplace on networks, and odds are you frequently encounter more than one on an engagement. This week's release includes two new database-related modules. The first is an Apache Druid RCE exploit module for a vulnerability, CVE-2021-25646, in versions 0.20.0 and older; it was discovered by Litch1, and je5442804 contributed the module. The second, a gather module named Redis Extractor contributed by Geoff Rainville (noncenz), enables easy looting of any key-value stores you discover.
Apache Druid versions before 0.20.1 are affected. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. By default, Apache Druid does not require authentication.

Bug fixes in this release include an inconsistency in sessions -c, where some would use a subshell while others would not, and an update to the auxiliary/scanner/redis/file_upload module so that it correctly handles Redis instances that require authenticated access.

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).