Last updated at Thu, 25 Jan 2024 01:20:55 GMT
Containers that fail to Contain
Our own Christophe De La Fuente added a module for CVE-2019-5736, based on the work of Adam Iwaniuk, that breaks out of a Docker container by overwriting the runc binary of an image, which runs in the user's context whenever someone outside the container runs docker exec to make a request of the container.
Execute an Image Please, WordPress
Community contributor Alexandre Zanni sent us a PR that uses native PHP functions to upload a file as an image attachment to WordPress installations running the wpDiscuz plugin, then executes it by requesting the path of the uploaded file.
New module content (2)
- Docker Container Escape Via runC Overwrite by Adam Iwaniuk, Borys Popławski, Christophe De La Fuente, Nick Frichette, and Spencer McIntyre, which exploits CVE-2019-5736 - This adds an exploit for CVE-2019-5736, a flaw in Docker that can be leveraged by an attacker to overwrite the runc binary on the host and escape from a container.
- WordPress wpDiscuz Unauthenticated File Upload Vulnerability by Chloe Chamberland and Hoa Nguyen - SunCSR, which exploits CVE-2020-24186 - This adds an exploit module that targets versions >= v7.0.0 and <= v7.0.4 of the WordPress plugin wpDiscuz. An unauthenticated user can upload arbitrary files as image attachments through the wpDiscuz plugin because of the PHP functions used to process the attachments. Once uploaded, unauthenticated code execution is achieved by requesting the path of the uploaded file.
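A host-side integrity check a defender can run against the runc binary that the escape above overwrites, as an added example (this is not code from the Metasploit module or from this post; the install paths in RUNC_CANDIDATES are assumptions for a typical Docker host, and the demo uses a constructed stand-in file rather than a real runc):

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed install locations for runc on a Docker host; adjust to your
# distribution (`docker info` reports the configured runtime).
RUNC_CANDIDATES = ["/usr/bin/runc", "/usr/sbin/runc", "/usr/bin/docker-runc"]


def fingerprint(path: str) -> dict:
    """SHA-256 plus the stat fields that rewriting the binary in place disturbs."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mtime": int(st.st_mtime), "mode": oct(st.st_mode & 0o777),
            "uid": st.st_uid}


def snapshot(paths=RUNC_CANDIDATES) -> dict:
    """Baseline every candidate path that exists; missing paths are skipped."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def compare(baseline: dict, current: dict) -> list:
    """Return human-readable findings for binaries whose content or metadata changed."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append(f"{path}: present in baseline but now missing")
            continue
        for key in ("sha256", "size", "mode", "uid"):
            if old[key] != new[key]:
                findings.append(f"{path}: {key} changed {old[key]} -> {new[key]}")
        if old["mtime"] != new["mtime"]:
            findings.append(f"{path}: mtime changed (binary rewritten?)")
    return findings


def demo() -> list:
    """Constructed scenario: baseline a stand-in runc, then rewrite it in place."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "runc"
        fake.write_bytes(b"\x7fELF stand-in for the real runc binary\n")
        base = snapshot([str(fake)])
        fake.write_bytes(b"#!/bin/sh\n# rewritten content (constructed)\n")
        return compare(base, snapshot([str(fake)]))


if __name__ == "__main__":
    for line in demo() or ["runc binaries unchanged"]:
        print(line)
```

Store the output of snapshot() from a trusted boot and run compare() on a schedule, or back it with an audit rule on the same paths, so a rewrite of runc is noticed rather than discovered after the container escape.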
Enhancements and features
- #15363 from HynekPetrak - Enhances the auxiliary/scanner/ipmi/ipmi_dumphashes module to have SESSION_RETRY_DELAY and SESSION_MAX_ATTEMPTS options
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).