Last updated at Sat, 20 Jan 2024 22:41:51 GMT
Intensity not on the Fujita scale
SOC folks may have been feeling increased pressure as word spread of CVE-2020-5902 being exploited in the wild. Vulnerabilities in networking equipment always pose a unique set of constraints for IT operations when it comes to mitigations and patches, given their role in connecting users to servers, services, or applications. Yet from an attacker's perspective, this vulnerability provides an excellent pivot to attack every application behind the BIG-IP product. Our own wvu contributed the F5 BIG-IP TMUI Directory Traversal and File Upload RCE exploit module for the vulnerability discovered by security researcher Mikhail Klyuchnikov. The exploit/linux/http/f5_bigip_tmui_rce module achieves unauthenticated remote code execution (RCE) as the root user through a directory traversal vulnerability in the Traffic Management User Interface (TMUI). Known vulnerable versions are:
- 11.6.1 - 11.6.5
- 12.1.0 - 12.1.5
- 13.1.0 - 13.1.3
- 14.1.0 - 14.1.2
- 15.0.0
- 15.1.0
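The version ranges above lend themselves to a quick inventory check. The following Ruby is an added example, not code from the Metasploit module or from F5, that compares a reported BIG-IP version string against the ranges listed in this post; the hostnames and versions in the sample inventory are constructed, and point releases inside a listed branch are flagged conservatively so they can be confirmed against the vendor advisory.

```ruby
# Added example (not from the Metasploit module): checks a BIG-IP version
# string against the CVE-2020-5902 ranges listed in this post. Ranges are
# inclusive; 15.0.0 and 15.1.0 are single entries, so low == high for them.
VULNERABLE_RANGES = [
  ['11.6.1', '11.6.5'],
  ['12.1.0', '12.1.5'],
  ['13.1.0', '13.1.3'],
  ['14.1.0', '14.1.2'],
  ['15.0.0', '15.0.0'],
  ['15.1.0', '15.1.0']
].freeze

# Parse "14.1.2.3" into [14, 1, 2, 3]; rejects anything that is not dotted integers.
def parse_version(str)
  parts = str.to_s.strip.split('.')
  raise ArgumentError, "bad version: #{str.inspect}" if parts.empty? || parts.any? { |p| p !~ /\A\d+\z/ }
  parts.map(&:to_i)
end

# Returns the matching [low, high] pair when the version falls inside one of the
# listed branches, else nil. Only the first three components are compared against
# the upper bound, so a hotfix build such as 14.1.2.x is flagged conservatively;
# confirm fixed point releases against the vendor advisory before closing a finding.
def vulnerable_range(version_str)
  v = parse_version(version_str)
  VULNERABLE_RANGES.find do |low, high|
    (v <=> parse_version(low)) >= 0 && (v.first(3) <=> parse_version(high)) <= 0
  end
end

def vulnerable?(version_str)
  !vulnerable_range(version_str).nil?
end

# Constructed sample inventory (hostname => reported version); not real hosts.
SAMPLE_INVENTORY = {
  'lb-edge-01' => '14.1.2',
  'lb-edge-02' => '15.1.0.4',
  'lb-core-01' => '13.1.3',
  'lb-lab-01'  => '16.0.0'
}.freeze

# Returns the hostnames whose reported version matches a listed range, for triage.
def flag_inventory(inventory = SAMPLE_INVENTORY)
  inventory.select { |_host, ver| vulnerable?(ver) }.keys
end

if $PROGRAM_NAME == __FILE__
  flag_inventory.each { |h| puts "#{h}: #{SAMPLE_INVENTORY[h]} matches #{vulnerable_range(SAMPLE_INVENTORY[h]).join(' - ')}" }
end
```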
Hacking your enrollment in advanced English class
EgiX discovered multiple vulnerabilities (CVE-2020-13381, CVE-2020-13382, and CVE-2020-13383) in openSIS, an open source Student Information System/School Management Software, and contributed the openSIS Unauthenticated PHP Code Execution exploit module. The unix/webapp/opensis_chain_exec module consists of an exploit chain that first abuses incorrect access control to reach a script as an unauthenticated user, then uses a local file inclusion to perform a SQL injection via a session variable, and finally achieves arbitrary PHP code execution as a result of an unsafe use of the eval function. Known vulnerable versions include 7.3 and 7.4; however, older versions may be affected as well.
Discover the gateless gate
The FortiMail Login Bypass Scanner module contributed by Patrick Schmid attempts to detect a vulnerability (CVE-2020-9294) in FortiMail, a secure email gateway. Mike Connor discovered the improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2, and earlier, and in FortiVoiceEnterprise 6.0.1 and earlier. The vulnerability may allow an unauthenticated user to gain system access as a legitimate user through a password change request. The scanner module was tested against the following versions of FortiMail:
- 5.4.9, 5.4.10, 5.4.11
- 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9
- 6.2.1, 6.2.2, 6.2.3
- 6.4.0
New modules (4)
- F5 BIG-IP TMUI Directory Traversal and File Upload RCE by wvu and Mikhail Klyuchnikov, which exploits CVE-2020-5902
- openSIS Unauthenticated PHP Code Execution by EgiX, which exploits CVE-2020-13383
- FortiMail Unauthenticated Login Bypass Scanner by Juerg Schweingruber, Mike Connor, and Patrick Schmid, which exploits CVE-2020-9294
- Directory Traversal in Spring Cloud Config Server by Dhiraj Mishra, Fei Lu, and bfpiaoran, which exploits CVE-2020-5410
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).