CVSS3: 9.8 High
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Complete; Integrity Impact: Complete; Availability Impact: Complete
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
This week, our very own Jake Baines added an exploit module that leverages CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls with zero touch provisioning (ZTP) support. Jake is also the author of the original research and advisory that was published last week. The module gives an attacker arbitrary command execution as the nobody user on affected devices. It takes advantage of unsanitized user input that is passed to Python's os.system function behind the scenes, so shell metacharacters in the attacker-controlled value are interpreted by the system shell rather than treated as data. Well done Jake!
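To make the bug class concrete, here is an added stand-alone example (not the Zyxel device code, which is Python, and not the Metasploit module) that reproduces the same pattern in Ruby: a single command string handed to the shell, the way os.system does it, next to the argv form that never involves a shell. The ping command is replaced by echo so the script runs anywhere; the hostname regex and the sample payload are constructed for this illustration.

```ruby
require 'open3'

# Vulnerable pattern: a single string containing user input is passed to
# the shell (Ruby, like Python's os.system, hands a string with shell
# metacharacters to /bin/sh). Everything after ';' runs as a new command.
# 'echo' stands in for the real 'ping' so the demo is harmless and portable.
def ping_vulnerable(host)
  out, _status = Open3.capture2("echo ping -c 1 #{host}")
  out
end

# Hardened pattern: argv form. No shell is involved, so the entire input
# is delivered to the program as one argument, metacharacters included.
def ping_hardened(host)
  out, _status = Open3.capture2('echo', 'ping', '-c', '1', host)
  out
end

# Defence in depth: allow-list the value before it goes anywhere near a
# command. Pattern is an assumption for this example (hostname-ish only).
HOSTNAME_RE = /\A[A-Za-z0-9.-]{1,253}\z/.freeze

def valid_host?(host)
  HOSTNAME_RE.match?(host)
end

if __FILE__ == $PROGRAM_NAME
  payload = '127.0.0.1; echo INJECTED' # constructed attacker input
  puts 'vulnerable:'
  puts ping_vulnerable(payload) # INJECTED appears on its own line
  puts 'hardened:'
  puts ping_hardened(payload)   # the whole payload is one argument
  puts "allow-list accepts payload? #{valid_host?(payload)}"
end
```

Running it shows the vulnerable variant printing INJECTED as a separate command's output, while the argv form echoes the payload back verbatim and the allow-list rejects it outright.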
Community contributor npm-cesium137-io added an auxiliary module that forges valid SAML credentials for vCenter Server. These credentials are very useful since they can be used to gain access to the SSO domain as a vSphere administrator. Note that this module cannot run offline: it must be executed while the target vCenter is reachable over the network in order to acquire the administrator session token. The vCenter SSO Identity Provider (IdP) trusted certificate chain also needs to be provided. It can be extracted manually from the vmdir database file at /storage/db/vmware-vmdir/data.mdb using binwalk, or with a post module that is still in review at the time of writing.
The Metasploit project was accepted again for the Google Summer of Code program. This year the team welcomes back pingport80 as a returning contributor and 3V3RYONE. These students will be working on Post API improvements and expanded HTTP-Trace support respectively. We look forward to mentoring and working with them in the coming months, so stay tuned for further updates as they get started!
#16430 from adfoster-r7 - This adds support for logging AS-REP Roastable accounts, as well as storing the generated Kerberos token in the creds database. It also improves error handling.
#16442 from sjanusz-r7 - This adds a new vars_form_data field to the Rex HTTP Client for uploading files/form values to a remote HTTP server with ease:

```ruby
vars_form_data = [
  { 'name' => 'nsp', 'data' => @csrf_token },
  { 'name' => 'upload', 'data' => 1 },
  { 'name' => 'MAX_FILE_SIZE', 'data' => 1000000 },
  { 'name' => 'uploadedfile', 'data' => payload_zip, 'mime_type' => 'application/zip', 'encoding' => 'binary', 'filename' => zip_filename }
]
res = send_request_cgi(
  'method' => 'POST',
  'uri' => uri,
  'vars_form_data' => vars_form_data
)
```
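For readers who want to see what such a request looks like on the wire, here is an added stand-alone example (not Rex::Proto::Http code, and its exact headers may differ from what the Rex client emits) that builds a multipart/form-data body from an array shaped like vars_form_data above, refuses names and filenames that would allow header injection, and parses the body back to confirm a binary part survives intact. The CSRF token and the ZIP-looking bytes are constructed sample inputs; emitting Content-Transfer-Encoding for the 'encoding' key is this example's choice.

```ruby
require 'securerandom'

CRLF = "\r\n"

# Constructed sample inputs (not from the page): a few bytes that merely
# look like a ZIP header, including non-ASCII bytes, so the round trip
# proves binary data is not mangled.
SAMPLE_ZIP = "PK\x03\x04\xFF\xFE".b + 'not a real archive'.b

def sample_parts
  [
    { 'name' => 'nsp', 'data' => 'constructed-csrf-token' },
    { 'name' => 'upload', 'data' => 1 },
    { 'name' => 'MAX_FILE_SIZE', 'data' => 1_000_000 },
    { 'name' => 'uploadedfile', 'data' => SAMPLE_ZIP,
      'mime_type' => 'application/zip', 'encoding' => 'binary',
      'filename' => 'payload.zip' }
  ]
end

# Field names and filenames land inside a header line; a quote or CRLF in
# them would let a caller smuggle extra headers or parts, so reject them.
def check_token!(value)
  raise ArgumentError, "unsafe characters in #{value.inspect}" if value.to_s.match?(/["\r\n]/)
  value
end

# Returns [body, content_type]. Body is a BINARY string so file parts can
# be appended byte-for-byte; the boundary is random so it cannot collide
# with part contents.
def encode_form_data(parts, boundary: SecureRandom.hex(16))
  body = String.new(encoding: Encoding::BINARY)
  parts.each do |part|
    disposition = %(form-data; name="#{check_token!(part['name'])}")
    disposition += %(; filename="#{check_token!(part['filename'])}") if part['filename']
    body << "--#{boundary}#{CRLF}"
    body << "Content-Disposition: #{disposition}#{CRLF}"
    body << "Content-Type: #{part['mime_type']}#{CRLF}" if part['mime_type']
    body << "Content-Transfer-Encoding: #{part['encoding']}#{CRLF}" if part['encoding']
    body << CRLF
    body << part['data'].to_s.b << CRLF
  end
  body << "--#{boundary}--#{CRLF}"
  [body, "multipart/form-data; boundary=#{boundary}"]
end

# Minimal parser for bodies produced above (enough to verify the encoder;
# not a general-purpose multipart parser). Returns one hash per part.
def parse_form_data(body, boundary)
  chunks = body.split("--#{boundary}")
  chunks[1...-1].map do |chunk| # drop preamble and the trailing "--\r\n"
    raw = chunk.delete_prefix(CRLF).delete_suffix(CRLF)
    head, data = raw.split(CRLF + CRLF, 2)
    headers = head.split(CRLF).to_h { |line| line.split(/:\s*/, 2) }
    disposition = headers['Content-Disposition']
    { 'name' => disposition[/name="([^"]*)"/, 1],
      'filename' => disposition[/filename="([^"]*)"/, 1],
      'mime_type' => headers['Content-Type'],
      'data' => data }
  end
end

if __FILE__ == $PROGRAM_NAME
  body, content_type = encode_form_data(sample_parts)
  puts "Content-Type: #{content_type}"
  puts body.inspect
  parse_form_data(body, content_type[/boundary=(.*)/, 1]).each do |part|
    puts "#{part['name']} (#{part['filename'] || 'no file'}): #{part['data'].bytesize} bytes"
  end
end
```

The check_token! guard is the security-relevant detail: a module that lets a user-supplied string reach a filename without it is one CRLF away from a request-smuggling bug against the module's own target.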
#16555 from zeroSteiner - This moves a duplicated retry_until_truthy function into a centralized location for better reuse. This function is useful for retrying operations that may fail the first time, such as checking whether Kubernetes containers are ready yet.
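As an added stand-alone illustration of what such a helper has to get right (this is not the Metasploit implementation; its signature, the injectable clock and sleeper, and the Kubernetes-style readiness probe in the demo are all assumptions for this example), the following retries a block until it returns a truthy value, treats exceptions as a failed attempt rather than a fatal error, and gives up at a deadline computed from a monotonic clock so a slow block cannot run past the timeout:

```ruby
# Retry the block until it returns a truthy value; return that value, or
# nil once the deadline has passed. Exceptions raised by the block count
# as a failed attempt (reported through on_error), because the resource
# being polled is often simply not there yet. clock and sleeper are
# injectable so the behaviour can be tested without real waiting.
def retry_until_truthy(timeout:, interval: 0.5, on_error: nil,
                       clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) },
                       sleeper: ->(seconds) { sleep(seconds) })
  deadline = clock.call + timeout
  attempts = 0
  loop do
    attempts += 1
    begin
      value = yield(attempts)
      return value if value
    rescue StandardError => e
      on_error&.call(e, attempts)
    end
    remaining = deadline - clock.call
    return nil if remaining <= 0

    # Never sleep past the deadline, even when interval is larger than
    # the time left.
    sleeper.call([interval, remaining].min)
  end
end

# Constructed stand-in for a readiness probe: "not ready" twice, then
# raises once (e.g. the API server dropped the connection), then ready.
def fake_container_probe
  responses = [nil, false, :boom, { 'phase' => 'Running' }]
  lambda do |attempt|
    r = responses[[attempt - 1, responses.size - 1].min]
    raise IOError, 'connection reset' if r == :boom
    r
  end
end

if __FILE__ == $PROGRAM_NAME
  probe = fake_container_probe
  result = retry_until_truthy(timeout: 5, interval: 0.1,
                              on_error: ->(e, n) { puts "attempt #{n}: #{e.class}: #{e.message}" }) do |n|
    puts "attempt #{n}"
    probe.call(n)
  end
  puts "result: #{result.inspect}"
end
```

Capping the sleep at the remaining time and rescuing StandardError (not Exception, so interrupts still propagate) are the two details most often missing from ad hoc copies of this loop.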
auxiliary/capture/server/mssql: fixes a warning, and now outputs a valid John the Ripper hash format for offline password cracking.

auxiliary/scanner/lotus/lotus_domino_hashes: fixes the #dump_hashes parsing logic.

A PayloadSpaceViolation exception could be raised when the --smallest flag was used with msfvenom, because msfvenom set the available space to 0 instead of a positive number. The code now accounts for this case.

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub. If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).