Metasploit Wrap-Up

2020-11-27T16:22:44
ID RAPID7BLOG:FB0D7CA65C46FB007D1788C03326EFCF
Type rapid7blog
Reporter Christophe De La Fuente
Modified 2020-11-27T16:22:44

Description

Exploiting weak configurations

Metasploit Wrap-Up

Community contributor Graeme Robinson added two modules targeting insecurely configured API's, both of which lead to remote code execution. The first module exploits a lack of access control in Apache NiFi, which allows for the creation of an ExecuteProcess processor to execute arbitrary commands in the context of a user running the instance. The second module targets Kong Admin API by creating a route and assigning a pre-function serverless plugin to said route. These vulns are only exploitable when the API has been explicitly made accessible in the configuration. Please take the time to correctly configure your applications by restricting access to such critical APIs.

Pwn2Own Miami 2020 new module

This week, community contributors Pedro Ribeiro and Radek Domanski added another great module from Pwn2Own Miami 2020 contest, which exploits Rockwell FactoryTalk View SE 2020, the industrial application monitoring software from Rockwell Automation. This module chains five different vulnerabilities to achieve unauthenticated code execution. FactoryTalk View SE remotely exposes several REST endpoints on Microsoft IIS, which can be leveraged to drop a file in the IIS server directory. These vulnerabilities are identified as CVE-2020-12027, CVE-2020-12028, and CVE-2020-12029.

Get root on your NAS

Contributor Anastasios Stasinopoulos added a module targeting the OpenMediaVault network attached storage (NAS) solution. This module exploits an authenticated PHP code injection vulnerability found in versions prior to 4.1.36 and all 5.x versions prior to 5.5.12. This vuln is the result of a lack of sanitization in the sortfield POST parameter on the rpc.php page. A successful exploitation leads to arbitrary command execution on the underlying operating system as root. This vulnerability is identified as CVE-2020-26124

Register for the 2020 December Metasploit Community CTF 2020

Registration opens on Monday, November 30th, so don't miss out! The CTF usually runs out of space pretty quickly. Please read the full details in our blog before signing up.

Here are some importants dates to keep in mind (all times in U.S. Central Standard Time):

  • Initial team registration opens for the first 750 teams on Monday, November 30, 2020 at 11:00 AM CST (UTC-6).
  • CTF game play begins on Friday, December 4, 2020 at 9:00 AM CST (UTC-6). When the CTF officially begins, we will open registration for an additional 250 teams.
  • The CTF ends on Monday, December 7, 2020, at 3:00 PM CST (UTC-6).

New modules (5)

Enhancements and features

  • PR #14419 from h00die updates the external development scripts used to acquire the latest static resources for certain external framework components. This also updates two Wordpress wordlists.
  • PR #14417 from bcoles improves the way Metasploit tips are displayed by wrapping them at 60 columns.
  • PR #13954 from Auxilus updates Meterpreter's cmd_upload and cmd_download functions to properly support expanding local paths (e.g ~).

Bugs fixed

  • PR #14325 from smcintyre-r7 updates the four Python shell payloads to be compatible with Python version 3.4+ while retaining compatibility with 2.6+
  • PR #14405 from timwr fixes an issue in shell_to_meterpreter that prevented to upgrade a meterpreter session to another meterpreter session with session -u.
  • PR #14412 from cgranleese-r7 improves the ssh_login module when attempting to gather proof with low privilege Windows user by falling back to using the ver command if the required permissions to run systeminfo are missing.
  • PR #14427 from Natto97 fixes phpstudy_backdoor_rce module to treat TARGETURI as a single endpoint and not as a directory that index.php is appended to.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).