Last updated at Tue, 16 Jan 2024 02:16:24 GMT
Initial exploit PR for BlueKeep
At our (final!) DerbyCon Town Hall today, the Metasploit team announced the release of an initial exploit module PR for CVE-2019-0708, aka BlueKeep. We received PoC exploit code from Metasploit contributor zerosum0x0 earlier this summer; since then, a group of longtime committers and community members have been working with the Framework development team to test, extend, and integrate the PoC code into Metasploit. There are a number of important notes on exploitation and detection that users should be aware of. See the full write-up on the initial exploit module PR for details.
Huge thanks to everyone who lent their hands and their brainpower to the collective development effort. In particular, thanks to @zerosum0x0, @ryHanson, @TheColonial, @rickoates, @zeroSteiner, and @TomSellers. We wish you all many shells.
We're looking forward to working with the community to improve the exploit's reliability, expand the target list, and add support for automatic targeting, for a start. Interested in joining the list of contributors and testers? Get started here!
Five fantastic Cisco exploits
Contributor pedrib added four new exploit modules targeting Cisco products. Two of the exploits are related to the UCS Director virtual appliance. Module linux/http/cisco_ucs_rce combines an authentication bypass to administrator (CVE-2019-1937) with command injection through the password change form (CVE-2019-1936) to achieve remote code execution as root. Module linux/ssh/cisco_ucs_scpuser takes advantage of a default credential weakness: the appliance ships with a user named scpuser whose password is scpuser. This vulnerability (CVE-2019-1935) allows an attacker to gain access to the virtual appliance over SSH. Both modules have been tested on the Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
The other two modules target the Cisco Data Center Network Manager (DCNM) web interface. Module multi/http/cisco_dcnm_upload_2019 achieves RCE by exploiting the FileUploadServlet to place a WAR file into the Apache Tomcat webapps directory. To do so without credentials, the module also exploits an authentication bypass vulnerability and an information disclosure vulnerability (CVE-2019-1622) that reveals the WAR file upload path. Module auxiliary/admin/cisco/cisco_dcnm_download exploits a servlet to download arbitrary files as root (CVE-2019-1621). These modules were tested on the DCNM Linux virtual appliance versions 10.4(2), 11.0(1) and 11.1(1). Only version 11.0(1) requires authentication to exploit.
Contributor QKaiser added module linux/http/cve_2019_1663_cisco_rmi_rce.rb, which exploits a weakness in the web interface of Cisco's RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router. The web interface does not properly validate user input, so an unauthenticated attacker can send malicious HTTP requests to achieve arbitrary code execution as a high-privileged user.
Overheard in the Metasploit office this week
Common developer optimism...
"It turns out 15 minutes was not enough to finish it."
After reading some great press about us...
"It really is a love song to Metasploit, for sure."
On the high level of quality from Metasploit contributors...
"Those are two dope-ass modules"
New modules (8)
- Cisco UCS Director Unauthenticated Remote Code Execution by Pedro Ribeiro, which exploits CVE-2019-1936
- Cisco UCS Director default scpuser password by Pedro Ribeiro, which exploits CVE-2019-1935
- Cisco Data Center Network Manager Unauthenticated Remote Code Execution by Pedro Ribeiro, which exploits CVE-2019-1622
- Cisco Data Center Network Manager Unauthenticated File Download by Pedro Ribeiro, which exploits CVE-2019-1621
- Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution by Haoliang Lu, Quentin Kaiser, T. Shiomitsu, and Yu Zhang, which exploits CVE-2019-1663
- ktsuss suid Privilege Escalation by John Lightsey and bcoles, which exploits CVE-2011-2921
- ptrace Sudo Token Privilege Escalation by bcoles and chaignc
- AwindInc SNMP Service Command Injection by Quentin Kaiser, which exploits CVE-2017-16709
Enhancements and features
PR 12271 from RageLtMan improves the reliability of the Linux x86 and x64 reverse TCP stagers by preventing premature reads of the final Meterpreter payload.
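To illustrate the failure mode that PR 12271 addresses, the following is an added Ruby example, not code from the PR or from the Framework. It assumes a length-prefixed stage (a 4-byte little-endian length followed by the payload bytes, which is the general shape of a staged Metasploit payload but is an assumption here, not a reproduction of the actual stager). A simulated socket that delivers at most one TCP segment's worth of bytes per read shows how a stager that issues a single read for the whole stage gets a truncated buffer, while a stager that loops until the announced length has arrived gets the complete payload. The stage bytes and the 1460-byte segment size are constructed for the example.

```ruby
require 'stringio'

# Frame a stage the way the handler side is assumed to send it for this
# illustration: 4-byte little-endian length, then the stage bytes.
def frame_stage(stage)
  [stage.bytesize].pack('V') + stage.b
end

# Simulated socket: each recv hands back at most `chunk` bytes, as a real
# TCP connection does when the stage arrives across several segments.
class ChunkedStream
  def initialize(data, chunk)
    @io = StringIO.new(data.b)
    @chunk = chunk
  end

  # Returns nil at EOF, like a closed peer.
  def recv(n)
    @io.read([n, @chunk].min)
  end
end

# Premature read: a single recv for the whole stage. If only the first
# segment has arrived, this returns a short buffer and a real stager would
# jump into incomplete code.
def naive_read_stage(sock)
  len = sock.recv(4).unpack1('V')
  sock.recv(len)
end

# Read exactly n bytes, looping over short reads and failing loudly if the
# peer closes the connection before the stage is complete.
def read_exact(sock, n)
  buf = ''.b
  while buf.bytesize < n
    part = sock.recv(n - buf.bytesize)
    raise EOFError, 'connection closed mid-stage' if part.nil? || part.empty?
    buf << part
  end
  buf
end

# Reliable read: collect the length prefix, then the full stage.
def robust_read_stage(sock)
  len = read_exact(sock, 4).unpack1('V')
  read_exact(sock, len)
end

if __FILE__ == $PROGRAM_NAME
  stage = "\x90".b * 10_000           # constructed stand-in for a Meterpreter stage
  framed = frame_stage(stage)
  puts "naive read got #{naive_read_stage(ChunkedStream.new(framed, 1460)).bytesize} of #{stage.bytesize} bytes"
  puts "robust read got #{robust_read_stage(ChunkedStream.new(framed, 1460)).bytesize} of #{stage.bytesize} bytes"
end
```

The same short-read problem applies to the 4-byte length prefix itself, which is why read_exact is used for both reads; a stager that trusts a single read for either value depends on segment boundaries it does not control.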
PR 12223 from acammack-r7 introduces a new procedure that transparently redirects users to new modules when deprecated ones are deleted.
Bugs fixed
PR 12273 from space-r7 corrects the handler type for linux/x64/pingback_bind_tcp.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).