Metasploit Weekly Wrap-Up

FortiNAC EITW Content Added

Whilst we did have a few cool new modules added this week, one particularly interesting one was a Fortinet FortiNAC vulnerability, CVE-2022-39952, that was added in by team member Jack Heysel. This module exploits an unauthenticated RCE in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, and 8.3.7 to gain root level access to affected devices. This bug has seen active exploitation in the wild from several threat feeds such as ShadowServer at <https://twitter.com/Shadowserver/status/1628140029322362880&gt;, so definitely patch if you haven’t done so already.

Tomcat Gives Me All The Shells

One other exploit we did want to call out this week was a local privilege escalation on Apache Tomcat prior to 7.0.54-8. Tomcat is widely deployed in a lot of environments, and this PR, exploiting CVE-2016-5425, allows you to escalate from an authenticated user to full root control over a web server by exploiting a file permissions issue. These vulnerabilities can be quite beneficial to attackers looking to gain further access to a network as often they will compromise a web server and then use that web server to start pivoting deeper into the network. Gaining root access to a web server can further assist them with these efforts. It’s also rather unusual to see a web server specifically being used to assist with local privilege escalation as most exploits tend to focus on using them to gain initial access, so we appreciate the efforts from h00die to add this into Metasploit.

New module content (3)

Fortinet FortiNAC keyUpload.jsp arbitrary file write

Authors: Gwendal Guégniaud, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #17750 contributed by jheysel-r7
AttackerKB reference: CVE-2022-39952

Description: A new exploit has been added for CVE-2022-39952, a vulnerability in FortiNAC’s keyUpload.jsp page which allows for arbitrary file write as an unauthenticated user. Successful exploitation results in unauthenticated RCE in the context of the root user, giving full control over the target device.

Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation

Authors: Dawid Golunski and h00die
Type: Exploit
Pull request: #17509 contributed by h00die
AttackerKB reference: CVE-2016-5425

Description: This PR adds an exploit that targets a vulnerability in RedHat based systems where improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf for Apache Tomcat versions before 7.0.54-8, allowing attackers to inject commands into the systemd-tmpfiles service to write a cron job that will execute their payload. Successful exploitation should result in privilege escalation to the root user.

Bitbucket Environment Variable RCE

Authors: Ry0taK, Shelby Pace, and y4er
Type: Exploit
Pull request: #17775 contributed by space-r7
AttackerKB reference: CVE-2022-43781

Description: This adds an exploit module for CVE-2022-43781, an authenticated command injection vulnerability in various versions of Bitbucket. Arbitrary command execution is done by injecting specific environment variables into a user name and coercing the Bitbucket application into generating a diff. This module requires at least admin credentials. Successful exploitation results in RCE as the atlbitbucket user.

Enhancements and features (1)

• #17757 from adfoster-r7 - Updates the formatting logic for info command to improve the readability of the module description. Previously the module description was squashed into a single line, but now each paragraph and bullet list etc will be rendered on their own new lines.

Bugs fixed (1)

• #17774 from adfoster-r7 - A bug has been fixed when displaying the Metasploit banner due to use of an undefined function; this has been updated to use the proper function.

Documentation added (1)

• #17780 from gwillcox-r7 - This updates the list of mentors for GSoC 2023.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.6…6.3.8
• Full diff 6.3.6…6.3.8

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).