Last updated at Tue, 16 Jan 2024 02:04:13 GMT
Perfect Persistence via Package Manager
What do most Linux machines come pre-installed with? Package managers. Community member aringo is taking advantage of this with two new modules for setting up persistence via yum and apt. Once you get privileged access you can now easily set up a method to get back in using a tool that has a high likelihood of being present.
Double Dose of DoubleTap
If you read last week’s wrap-up, you might be having a case of deja vu. Our own wchen-r7 has added a second module exploiting the Ruby on Rails “DoubleTap” vulnerability. This version takes advantage of the method Rails uses to generate secrets to get code execution. Be sure to check it out!
Spring Open Some Files
A new module has been added by RootUp that exploits a directory traversal vulnerability in Spring Cloud Config. The module crafts a special request to display the contents of files on the host machine. jhart-r7 noted that there are ~3300 instance of Spring Cloud listening in the world. Hopefully they’re patched up!
New modules (7)
- APT Package Manager Persistence by Aaron Ringo
- Yum Package Manager Persistence by Aaron Ringo
- Pimcore Unserialize RCE by Daniele Scanu and Fabio Cogno, which exploits CVE-2019-10867
- Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability by sinn3r, mpgn, and ooooooo_q, which exploits CVE-2019-5420
- AIS logistics ESEL-Server Unauth SQL Injection RCE by Manuel Feifel, which exploits CVE-2019-10123
- GTP Echo Scanner by Daniel Mende and Spencer McIntyre
- Spring Cloud Config Server Directory Traversal by Dhiraj Mishra and Vern, which exploits CVE-2019-3799
Enhancements and features
- #11761 updates the
apport_abrt_chroot_priv_escmodule to be more in-line with current Linux LPE modules through code style changes and using new libs.
Bugs fixed
- #11786 fixes issues manipulating the Metasploit database via RPC commands.
- #11784 adds additional nil checks for Nokogiri to avoid NoMethodError.
- #11778 fixes a bug in cmd_psh_payload where a false value supplied to the options hash would be treated the same as a nil value.
- #11777 fixes an issues with the
auxiliary/dos/http/apache_range_dosCHECKaction.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).
