Metasploit Wrap-Up: Mar. 22, 2019

Last updated at Fri, 09 Feb 2024 14:24:21 GMT

Welcome to this first Spring Edition of metasploit wrapup for 2019. We’ve brought in some great modules for you as we sit here in Texas and await the arrival of bluebonnets, allergies, and attack junebugs!

New modules (4)

• Jenkins ACL Bypass and Metaprogramming RCE by wvu and Orange Tsai, which exploits CVE-2019-1003002

Jenkins is a hugely popular developer toolkit for developing and testing automation, and it allows you to do many cool things like kick off tests and builds. It turns out that on versions 2.137 and earlier, it also allows you to bypass the access controls and reprogram Groovy documents to download and run JAR files, like you know, Metasploit’s Java Meterpreter. Please check your versions and update if you need to do so!

• BMC Patrol Agent Privilege Escalation Cmd Execution by b0yd, which exploits CVE-2018-20735

An interesting authentication method in BMC patrol agent allows remote execution of commands as system or even domain administrator after only authenticating locally as a regular user. If you are running BMC Patrol agent, explore the option of engaging ‘Restrictive Mode’ to help prevent this privilege escalation.

• Webmin Upload Authenticated RCE by AkkuS and Ziconius, which exploits CVE-2019-9624

In another remote privilege escalation, the webmin service runs as root on the host computer, yet allows lower-privileged users to run commands as the root user on the host computer.

• IBM BigFix Relay Server Sites and Package Enum by Chris Bellows, HD Moore, Jacob Robles, and Ryan Hanson, which exploits CVE-2019-4061

Despite only being the start of summer, it appears we are already preparing for the harvest! Some IBM BigFix servers can be used for data exfiltration if they are not set to require authentication when used as an external relay. If you run one of these, check out HD’s blog in the PR and make hackers sad. If you find one on a pen test, we’ve got you covered!

Enhancements and features

• Add is_uac_enabled? Functionality to Windows 2019 by bcoles
  This adds Windows Server 2019 support to the is_uac_enabled? method in the Msf::Post::Windows::Priv library.

• add unifi USG to ssh details by h00die
  Ubiquiti ssh has a slightly different header than standard ssh servers, and now metasploit can recognize it using the SSH LoginScanner.

• Add irb and pry commands to command shells by wvu-r7
  This adds the irb and pry commands to the metashell in command shells.

• Add OpenSUSE detection to Linux system lib by bcoles
  This adds OpenSUSE operating system detection to Metasploit's post-exploitation library.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 5.0.11...5.0.13
• Full diff 5.0.11...5.0.13

We recently-announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).