**CVSS3: 9.8 High** (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

**CVSS2: 10 High** (`AV:N/AC:L/Au:N/C:C/I:C/A:C`)

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |
In this week’s release, we have an exciting new module that has been added by our very own Grant Willcox which exploits [CVE-2022-26904](https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904) and allows normal users to execute code as `NT AUTHORITY\SYSTEM` on Windows machines from Windows 7 up to and including Windows 11. Currently the vulnerability is still unpatched and there have not been any updates from MSRC regarding it; however, it may be patched in the next Patch Tuesday.

This exploit requires more than one local user to be present on the machine and the `PromptOnSecureDesktop` setting to be set to `1`, which is the default setting.
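Because no patch is available yet, a defender's first question is which hosts meet both preconditions named above. The following PowerShell check is an added example, not code from the Metasploit post or the module itself; it assumes the `PromptOnSecureDesktop` value lives under the standard UAC policy key `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, and the function name is our own.

```powershell
# Added example (not from the Metasploit post): reports whether a Windows host
# shows both preconditions the wrap-up names for the CVE-2022-26904 module:
# PromptOnSecureDesktop = 1 (the default) and more than one local user account.
# Assumption: the value is read from the standard UAC policy key below.

function Get-UserProfilePrivEscExposure {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Read the policy value; when it is absent Windows applies its default of 1.
    $item = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.PromptOnSecureDesktop) {
        $promptOnSecureDesktop = [int]$item.PromptOnSecureDesktop
        $settingSource = 'registry'
    } else {
        $promptOnSecureDesktop = 1
        $settingSource = 'default (value not present)'
    }

    # The post says more than one local user must be present; count all local
    # accounts, and report how many of them are enabled as extra context.
    $localUsers   = @(Get-LocalUser)
    $enabledUsers = @($localUsers | Where-Object { $_.Enabled })

    $preconditionsPresent = ($promptOnSecureDesktop -eq 1) -and ($localUsers.Count -gt 1)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        PromptOnSecureDesktop = $promptOnSecureDesktop
        SettingSource         = $settingSource
        LocalUsers            = $localUsers.Count
        EnabledLocalUsers     = $enabledUsers.Count
        LocalUserNames        = ($localUsers.Name -join ', ')
        PreconditionsPresent  = $preconditionsPresent
    }
}

# Usage: run on each host (Windows PowerShell 5.1 or later) and collect the
# objects centrally so hosts with PreconditionsPresent = True can be prioritised.
Get-UserProfilePrivEscExposure | Format-List
```

`PreconditionsPresent` only says the host matches the conditions the post describes; it is an inventory signal for prioritising monitoring until a fix ships, not a vulnerability test.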
Our very own space-r7 has updated the recent GateKeeper module to add support for the recent CVE-2022-22616, which can be used to target all macOS Catalina versions and macOS Monterey versions prior to 12.3. This module can be used to remove the `com.apple.quarantine` extended attribute on a downloaded/extracted file and allows code to be executed on the machine.

This week’s release also features a new module from a first-time contributor rad10, which will enumerate all applications that have been installed using Chocolatey. This could be used when gathering information about a compromised target and potentially vulnerable software present on the machine.
- Local privilege escalation for CVE-2022-26904, allowing a normal user to execute code as `NT AUTHORITY\SYSTEM`. The `PromptOnSecureDesktop` setting must also be set to `1` on the affected machine for this exploit to work, which is the default setting.
- Improves the `shadow_mitm_dispatcher` module by adding a new RubySMB Dispatcher, which allows better integration with RubySMB and enables the use of all the features provided by its client. Both SMBv2 and SMBv3 are now supported.
- Adds a `LEAK_PARAMS` option, providing a way to leak more target information such as environment variables.
- Adds a `MeterpreterDebugBuild` datastore option. When set to `true`, the generated payload will have additional logging support, which is visible via Windows’ DbgView program.
- Updates the `post/windows/gather/checkvm` module to better detect whether the current target is a QEMU/KVM virtual machine.
- `rspec` checks.
- Fixes the `multi/postgres/postgres_copy_from_program_cmd_exec` module, which crashed when the randomly generated table name started with a number.
- When using the `search` command and searching by `disclosure_date`, the help menu would instead appear. This has been remedied by improving the date handling logic for the `search` command.

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:

If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).