Last updated at Thu, 25 Jan 2024 00:46:24 GMT
Yes, it’s a huge enterprise vulnerability week (again)
For our 100th release since the release of 5.0 18 months ago, our own zeroSteiner got us a nifty module for the SAP "RECON" vulnerability affecting NetWeaver version 7.30 to 7.50. It turns out those versions will allow anyone to create a new administrative user with the right SOAP requests. Many thanks to zeroSteiner and our own wvu-r7 for braving the wastelands of SOAP requests and SAP! Full admin access to SAP is nothing to sneeze at, so please patch now if this affects you!
Both kinds of sprint injection
Our other module this week was for an authenticated vulnerability in ZenTao Pro, a project management system. Versions 8.8.2 and earlier will run arbitrary commands as SYSTEM for administrative users. Thanks to Erik Wynter for porting the PoC to Metasploit and to our own space-r7 for landing it! Also, a special shout out to Metasploit alum and Rapid7 security nerd Tod Beardsley for getting CVE-2020-7361 assigned for this vuln.
New modules (2)
- ZenTao Pro 8.8.2 Remote Code Execution by Daniel Monzón, Erik Wynter, and Melvin Boers, which exploits CVE-2020-7361
- SAP Unauthenticated WebService User Creation by Dmitry Chastuhin, Pablo Artuso, and Spencer McIntyre, which exploits CVE-2020-6287
Enhancements and features
- PR #13885 - Added LDAPS (SSL/TLS) support to the LDAP mixin and updated the VMware vCenter Server vmdir (CVE-2020-3952) modules to use it.
- PR #13873 - Enhanced module check behavior by preemptively warning about a missing check method before options are validated, such as when verifying that required options are set.
- PR #13868 - Added hash dumping to the auxiliary/gather/vmware_vcenter_vmdir_ldap (CVE-2020-3952) module.
- PR #13854 - Improved the robustness of the exploit/linux/http/f5_bigip_tmui_rce (CVE-2020-5902) module and set Meterpreter as the default payload type.
- PR #13853 - This improves the bpf_sign_extension_priv_esc exploit module by updating the code style, giving the option to compile the exploit on the target, leveraging the AutoCheck mixin, and making the module information more descriptive.
- PR #13830 - This adds a new target setting for the CVE-2019-0708 (BlueKeep) exploit for vulnerable Windows 7 SP1 / Server 2008 systems that are virtualized within a QEMU environment.
Bugs fixed
- PR #13886 - Fix post/multi/manage/sudo module support for passwords containing shell substitution and meta characters.
- PR #13884 - Removed the unused and dangerous download_cmd method from Msf::Post::Linux::Priv.
- PR #13883 - Fixed a syntax error in Hardware Bridge.
- PR #13861 - Applied various fixes to the exploit/freebsd/local/intel_sysret_priv_esc module.
- PR #13859 - Removes the fail_with call from the check method in the exim4_deliver_message_priv_esc module, as this was crashing the local exploit suggester module.
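The sudo fix in PR #13886 is an instance of a general bug class: a password interpolated unescaped into a shell command line is both mangled and a command-injection vector whenever it contains shell metacharacters. The following is an added illustration, not the module's own code, using Ruby's standard Shellwords library to quote a set of constructed sample passwords; the function names and the sample passwords are hypothetical.

```ruby
require 'shellwords'

# Constructed sample passwords (not taken from the page) containing shell
# substitution and metacharacters.
SAMPLE_PASSWORDS = [
  'pa$(echo X)ss',   # command substitution
  'p`echo Y`w',      # backtick substitution
  "it's;true",       # quote and command separator
  'a&&b|c',          # list and pipe operators
].freeze

# Naive construction (hypothetical): the password is dropped straight into
# the command string, so the shell interprets any metacharacters before
# sudo ever reads it.
def naive_sudo_command(password, cmd)
  "echo #{password} | sudo -S #{cmd}"
end

# Hardened construction (hypothetical): Shellwords.escape backslash-quotes
# every metacharacter so the shell passes the password through literally.
def escaped_sudo_command(password, cmd)
  "echo #{Shellwords.escape(password)} | sudo -S #{cmd}"
end

# Feed only the 'echo' half of such a command line through /bin/sh and return
# what the shell actually hands to the next process. sudo is never invoked.
def echoed_by_shell(password, escape:)
  arg = escape ? Shellwords.escape(password) : password
  IO.popen(['sh', '-c', "printf '%s' #{arg}"], err: File::NULL, &:read)
end

# True when the password survives the round trip through the shell unchanged,
# i.e. when quoting was done correctly.
def password_survives_shell?(password, escape:)
  echoed_by_shell(password, escape: escape) == password
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_PASSWORDS.each do |pw|
    puts format('%-16s naive=%-5s escaped=%s', pw,
                password_survives_shell?(pw, escape: false),
                password_survives_shell?(pw, escape: true))
  end
end
```

Running the file prints one row per sample password: every naive column is false (the shell has either substituted, truncated or rejected the value) and every escaped column is true. The same quoting rule applies to any value a post module passes through a remote shell, not just sudo passwords.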
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).