Metasploit Weekly Wrap-Up 07/05/2024

Christophe De La Fuente
Jul 05, 2024 - 4:50 p.m.
blog.rapid7.com

Tags: metasploit, authentication bypass, sftp, vulnerability, moveit transfer, cve-2024-5806, exploit, zyxel, command injection, cve-2023-33012, azure, cli, credentials

CVSS3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE

AI Score: 9.5 (Confidence: High)
EPSS: 0.011 (Percentile: 84.7%)

I still like to MOVEit MOVEit


This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in the MOVEit Transfer SFTP service (CVE-2024-5806). It is possible to authenticate to the SFTP service as any user as long as a valid username is known and the "Remote Access Rules" allow the attacker's IP address. On a successful attack, it is possible to access any file on the SFTP server that the user has permission to access. The module lets you list directories and display (or download) files.

The following versions of MOVEit Transfer are affected:

  • MOVEit Transfer 2023.0.x (fixed in 2023.0.11)
  • MOVEit Transfer 2023.1.x (fixed in 2023.1.6)
  • MOVEit Transfer 2024.0.x (fixed in 2024.0.2)
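For defenders triaging an inventory against the affected ranges listed above, the following is an added example (not Rapid7's or the module's code) that parses MOVEit Transfer version strings and flags builds below the fixed release of their branch; the host names and versions are constructed.

```python
"""Triage MOVEit Transfer version strings against the CVE-2024-5806 affected
ranges quoted in the post above. Added example, not Rapid7's code; all sample
inventory values are constructed."""
import re

# First fixed build per affected branch, keyed by (major, minor).
FIXED_IN = {
    (2023, 0): (2023, 0, 11),
    (2023, 1): (2023, 1, 6),
    (2024, 0): (2024, 0, 2),
}

def parse_version(text):
    """Extract 'YYYY.minor[.patch]' from strings such as
    'MOVEit Transfer 2023.0.5'; a missing patch level counts as .0."""
    m = re.search(r"\b(\d{4})\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def classify(text):
    """Return 'affected', 'fixed', 'not_listed' (branch absent from the
    post's list, so not covered by this check) or 'unparseable'."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparseable"
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "not_listed"
    return "affected" if version < fixed else "fixed"

def triage(inventory):
    """Return the hosts that need the SFTP patch or a manual look, sorted."""
    flag = {"affected", "unparseable"}
    return sorted(h for h, v in inventory.items() if classify(v) in flag)

if __name__ == "__main__":
    sample = {  # constructed inventory: host -> reported version
        "mft-01": "MOVEit Transfer 2023.0.10",
        "mft-02": "2023.1.6",
        "mft-03": "2024.0.1",
        "mft-04": "2022.1.9",
        "mft-05": "version unknown",
    }
    print(triage(sample))  # ['mft-01', 'mft-03', 'mft-05']
```

Branches the post does not list (such as the constructed 2022.1.9 entry) are reported as not covered rather than safe, so they still deserve a check against the vendor advisory.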

New module content (3)

Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read

Author: sfewer-r7
Type: Auxiliary
Pull request: #19295 contributed by sfewer-r7
Path: gather/progress_moveit_sftp_fileread_cve_2024_5806
AttackerKB reference: CVE-2024-5806

Description: This module exploits an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The vulnerable versions are MOVEit Transfer 2023.0.x before 2023.0.11, MOVEit Transfer 2023.1.x before 2023.1.6 and MOVEit Transfer 2024.0.x before 2024.0.2; the flaw allows listing remote directories and reading files without authentication.

Zyxel parse_config.py Command Injection

Authors: SSD Secure Disclosure technical team and jheysel-r7
Type: Exploit
Pull request: #19204 contributed by jheysel-r7
Path: linux/http/zyxel_parse_config_rce
AttackerKB reference: CVE-2023-33012

Description: This adds an exploit module that leverages multiple vulnerabilities in order to obtain pre-auth command injection on multiple VPN Series Zyxel devices.

Azure CLI Credentials Gatherer

Authors: James Otten and h00die
Type: Post
Pull request: #10113 contributed by james-otten
Path: multi/gather/azure_cli_creds

Description: This post module exfiltrates Azure tokens and configuration from old azure-cli versions that store them in unencrypted formats.

Enhancements and features (2)

  • #19287 from adeherdt-r7 - Updates the auxiliary/scanner/redis/redis_login module to support Redis 6.x.
  • #19297 from adeherdt-r7 - Improves the Redis login brute force functionality to better detect when auth is not required for the target.

Bugs fixed (3)

  • #19252 from zgoldman-r7 - Improves error logging for unhandled exceptions for login scanners.
  • #19285 from dledda-r7 - This fixes an issue with the Meterpreter’s sysinfo command that was failing when the current working directory was deleted.
  • #19289 from h00die - Updates the post/linux/gather/apache_nifi_credentials module to now support extracting nifi.properties values that contain hyphens.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
