Community contributor Graeme Robinson added two modules targeting insecurely configured APIs, both of which lead to remote code execution. The first module exploits a lack of access control in Apache NiFi, which allows the creation of an ExecuteProcess processor to execute arbitrary commands in the context of the user running the instance. The second module targets the Kong Admin API by creating a route and assigning a pre-function serverless plugin to that route. These vulns are only exploitable when the API has been explicitly made accessible in the configuration, so please take the time to correctly configure your applications by restricting access to such critical APIs.
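As an added check (this is not part of the original post or of the Metasploit modules it describes), the script below audits the two settings that govern this exposure: admin_listen in Kong's kong.conf and the nifi.web.http.* properties in NiFi's nifi.properties. The sample configs and hostnames are constructed; the script assumes Kong's documented loopback default when admin_listen is absent, and that an empty nifi.web.http.host binds all interfaces (NiFi only authenticates over HTTPS, so a plain HTTP listener reachable from the network is an unauthenticated API).

```python
from ipaddress import ip_address

# Constructed sample configs (not taken from any real deployment): the weak
# setting beside the corrected one, for Kong (kong.conf) and NiFi
# (nifi.properties). Both formats are simple key/value lines.
KONG_EXPOSED = """
# kong.conf: Admin API bound to every interface, reachable by anyone on the network
proxy_listen = 0.0.0.0:8000
admin_listen = 0.0.0.0:8001 reuseport backlog=16384, 0.0.0.0:8444 http2 ssl
"""

KONG_HARDENED = """
proxy_listen = 0.0.0.0:8000
admin_listen = 127.0.0.1:8001 reuseport backlog=16384, [::1]:8444 http2 ssl
"""

NIFI_EXPOSED = """
# nifi.properties: plain HTTP listener with an empty host (all interfaces).
# NiFi only authenticates over HTTPS, so /nifi-api is wide open here.
nifi.web.http.host=
nifi.web.http.port=8080
nifi.web.https.host=
nifi.web.https.port=
"""

NIFI_HARDENED = """
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=nifi.example.internal
nifi.web.https.port=9443
"""


def parse_kv(text):
    """Parse 'key = value' / 'key=value' lines; blank lines and '#' comments are skipped.
    Only the first '=' separates key from value, so Kong listen flags such as
    backlog=16384 stay inside the value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_loopback_host(host):
    """True for 127.0.0.1, ::1 (with or without brackets) and the name 'localhost'.
    Any other hostname is treated as reachable, which is the safe assumption."""
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def audit_kong(text):
    """Return the admin_listen addresses that are not bound to loopback.
    Assumes Kong's loopback default when admin_listen is absent; 'off' disables
    the Admin API entirely. KONG_ADMIN_LISTEN in the environment overrides the
    file and has to be checked separately."""
    value = parse_kv(text).get("admin_listen", "127.0.0.1:8001")
    if value.lower() == "off":
        return []
    exposed = []
    for entry in value.split(","):
        if not entry.strip():
            continue
        addr = entry.split()[0]  # 'host:port' precedes flags like 'ssl' or 'reuseport'
        host = addr[1:addr.index("]")] if addr.startswith("[") else addr.rsplit(":", 1)[0]
        if not is_loopback_host(host):
            exposed.append(addr)
    return exposed


def audit_nifi(text):
    """Return 'host:port' if NiFi serves plain HTTP beyond loopback, else None.
    An empty nifi.web.http.host is assumed to mean 'all interfaces' (Jetty
    behaviour); an empty nifi.web.http.port means the HTTP listener is off."""
    conf = parse_kv(text)
    port = conf.get("nifi.web.http.port", "")
    if not port:
        return None
    host = conf.get("nifi.web.http.host", "")
    if host and is_loopback_host(host):
        return None
    return f"{host or '0.0.0.0'}:{port}"


if __name__ == "__main__":
    for name, text in (("kong exposed", KONG_EXPOSED), ("kong hardened", KONG_HARDENED)):
        print(name, "->", audit_kong(text) or "admin API loopback-only")
    for name, text in (("nifi exposed", NIFI_EXPOSED), ("nifi hardened", NIFI_HARDENED)):
        print(name, "->", audit_nifi(text) or "no unauthenticated HTTP listener")
```

This is a static check of the files on disk, so it complements rather than replaces confirming from another host that the ports are not reachable; it also does not see environment overrides such as KONG_ADMIN_LISTEN, which take precedence over kong.conf.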
This week, community contributors Pedro Ribeiro and Radek Domanski added another great module from the Pwn2Own Miami 2020 contest, which exploits Rockwell FactoryTalk View SE 2020, the industrial application monitoring software from Rockwell Automation. This module chains five different vulnerabilities to achieve unauthenticated code execution. FactoryTalk View SE remotely exposes several REST endpoints on Microsoft IIS, which can be leveraged to drop a file in the IIS server directory. These vulnerabilities are tracked as CVE-2020-12027, CVE-2020-12028, and CVE-2020-12029.
Contributor Anastasios Stasinopoulos added a module targeting the OpenMediaVault network attached storage (NAS) solution. This module exploits an authenticated PHP code injection vulnerability found in versions prior to 4.1.36 and in 5.x versions prior to 5.5.12. The vuln is the result of a lack of sanitization of the sortfield POST parameter on the rpc.php page. Successful exploitation leads to arbitrary command execution on the underlying operating system as root. This vulnerability is tracked as CVE-2020-26124.
Registration opens on Monday, November 30th, so don't miss out! The CTF usually runs out of space pretty quickly. Please read the full details in our blog before signing up.
Here are some important dates to keep in mind (all times in U.S. Central Standard Time):
cmd_download functions to properly support expanding local paths (e.g.
shell_to_meterpreter that prevented upgrading a Meterpreter session to another Meterpreter session with
ssh_login module when attempting to gather proof with a low-privilege Windows user, by falling back to using the ver command if the required permissions to run
phpstudy_backdoor_rce module to treat TARGETURI as a single endpoint and not as a directory that index.php is appended to.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).