Last updated at Fri, 09 Feb 2024 14:39:39 GMT
Give me your hash
This week, community contributor HynekPetrak added a new module for dumping passwords and hashes stored as attributes in LDAP servers. It opens an LDAP connection, retrieves entries from the server and then harvests user credentials from specific attributes. The module works against any kind of LDAP server, with either anonymous or authenticated bind. In particular, it can be used to exploit a flaw in VMware vCenter Server 6.7, identified as CVE-2020-3952, which under certain conditions does not correctly implement access controls. Successful exploitation can leak administrative account credentials, which can then be used to compromise vCenter Server or other services.
Cisco Conference Station Module Series
Three Python external modules (#13984, #13985 and #13982) were added by community contributor debifrank. These exploits target the Cisco Unified IP Conference Station 7937G, which is vulnerable to two Denial of Service flaws and a Privilege Escalation via the web administration portal. These vulnerabilities are identified as CVE-2020-16139, CVE-2020-16138 and CVE-2020-16137. The first DoS exploit (CVE-2020-16139) lets an attacker restart the device by sending a specially crafted request to the web administration portal. The second (CVE-2020-16138) abuses the SSH service to hang the device until it is manually restarted. Finally, the third module (CVE-2020-16137) overwrites the SSH credentials to gain access to the SSH administrative console. More details here. Note that this product is end-of-life and no update will be provided. It's time to upgrade to a new system if you own one of these.
New modules (4)
- Cisco 7937G SSH Privilege Escalation by Cody Martin, which exploits CVE-2020-16137
- Cisco 7937G Denial-of-Service Attack by Cody Martin, which exploits CVE-2020-16138
- Cisco 7937G Denial-of-Service Reboot Attack by Cody Martin, which exploits CVE-2020-16139
- LDAP Information Disclosure by Hynek Petrak, which exploits CVE-2020-3952
Enhancements and features
- PR #14045 from adfoster-r7 reloads the current module when toggling a feature, to ensure the `RHOST_HTTP_URL` option appears.
- PR #14039 from bcoles improves the `freebsd/local/rtld_execl_priv_esc` module by using the `AutoCheck` mixin and preferring CC over GCC.
- PR #13913 from red0xff adds specs for testing the SQL Injection library.
Bugs fixed
- PR #14048 from zeroSteiner fixes error handling for auxiliary scanners by allowing modules to skip hosts and continue when a fail_with exception is raised.
- PR #14043 from zeroSteiner fixes a bug that would cause a stack trace and a failure to scan services other than Jupyter when given a range.
- PR #14034 from bcoles fixes a path traversal vulnerability in `auxiliary/admin/http/telpho10_credential_dump` (CVE-2020-7377).
- PR #14014 from 0x44434241 improves the `squid_pivot_scanning` module to correctly handle redirect HTTP response codes, and adds more detailed verbose logging.
- PR #13979 from Michael-ZecOps fixes an issue with the 64-bit segment injector logic used by 64-bit PE templates. The injector now properly handles the arguments and stack alignment.
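The telpho10 fix above is a reminder that a client-side tool which saves files under names supplied by the remote end is itself an injection sink. The following is an added example in Ruby, not the module's code or the change made in PR #14034, showing the vulnerable join next to a hardened version that refuses any remote name that is not a plain file name and then re-checks the resolved path. The base directory and file names are constructed for illustration.

```ruby
# Added example: guarding a "save what the server sent us" path against
# traversal. Nothing here is taken from the telpho10 module or PR #14034.

class UnsafeFilenameError < StandardError; end

# Vulnerable pattern: the remote-supplied name is joined straight onto the
# output directory. A name such as "../../etc/cron.d/job" walks out of it.
def unsafe_store_path(base_dir, remote_name)
  File.join(base_dir, remote_name)
end

# Shows what the vulnerable join resolves to: true when the final path lands
# outside base_dir.
def escapes_base_dir?(base_dir, remote_name)
  base = File.expand_path(base_dir)
  full = File.expand_path(unsafe_store_path(base, remote_name))
  !full.start_with?(base + File::SEPARATOR)
end

# Returns true when the remote-supplied name is anything other than a plain
# file name that can safely sit directly inside the output directory.
def unsafe_remote_name?(remote_name)
  name = remote_name.to_s
  return true if name.empty? || name == '.' || name == '..'
  return true if name.include?('/') || name.include?('\\') # any separator, either OS style
  return true if name.start_with?('~')                     # File.expand_path would expand a home dir
  return true if name.match?(/[\x00-\x1f]/)                # NUL and other control characters
  false
end

# Hardened pattern: reject rather than "clean up" a suspicious name, so that a
# traversal attempt is visible in the log instead of silently renamed, and
# verify the resolved path still lies under base_dir as a second line of defence.
def safe_store_path(base_dir, remote_name)
  if unsafe_remote_name?(remote_name)
    raise UnsafeFilenameError, "refusing remote file name #{remote_name.inspect}"
  end
  base = File.expand_path(base_dir)
  full = File.expand_path(remote_name, base)
  unless full.start_with?(base + File::SEPARATOR)
    raise UnsafeFilenameError, "resolved path #{full} escapes #{base}"
  end
  full
end

if __FILE__ == $PROGRAM_NAME
  loot_dir = '/tmp/loot' # constructed output directory for the demonstration
  ['backup.cfg', '../../etc/passwd', '..\\..\\win.ini', '~root'].each do |name|
    begin
      puts "#{name.inspect} -> #{safe_store_path(loot_dir, name)}"
    rescue UnsafeFilenameError => e
      puts "#{name.inspect} -> rejected (#{e.message}); naive join would escape: #{escapes_base_dir?(loot_dir, name)}"
    end
  end
end
```

Rejecting instead of sanitising is a deliberate choice: `File.basename` would quietly turn `../../etc/passwd` into `passwd`, which hides the fact that the remote side tried something. The final `start_with?` check costs nothing and catches cases the name filter did not anticipate.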
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).