Last updated at Sat, 20 Jan 2024 22:18:43 GMT

Rocket Software UniRPC Exploits

Ron Bowes submitted two exploit modules for vulnerabilities he discovered in the UniRPC server for Rocket Software’s UniData product. The first exploit module, exploit/linux/misc/unidata_udadmin_auth_bypass, exploits an authentication bypass to ultimately gain remote code execution as the root user. The vulnerable RPC service has a hardcoded username, :local:, and a predictable password of the form <username>:<uid>:<gid>. Using the root username and its corresponding uid and gid, an attacker can authenticate to the RPC service and execute a shell via the service’s OsCommand command.

The second module, exploit/linux/misc/unidata_udadmin_password_stack_overflow, exploits an unauthenticated stack-based buffer overflow through the vulnerable service’s password field. Because there is no bounds check on the buffer that the password is copied into, the saved return pointer can be overwritten, resulting in code execution as the root user.

New SCTP Payloads

Along with SCTP session support, sempervictus added four new payloads that work over the aforementioned stream-based transport protocol. Included in this set are two Unix command payloads that work over socat, a Python command payload, and lastly, a reverse SCTP shell payload for Linux.

Persistent Certificates

This week, adfoster-r7 improved on Metasploit’s support for PKCS12 certificates issued by Active Directory Certificate Services (AD CS). The improvements cause the existing admin/dcerpc/icpr_cert module to store certificates in the same manner as other credentials are stored when a database is attached. Now certificates will be visible from the creds command, and new ones can be added using creds add user:alice pkcs12:/path/to/certificate.pfx. This will help users manage these certificates and reuse them for Kerberos authentication with the admin/kerberos/get_ticket module and the CERT_FILE option as well as LDAP modules such as gather/ldap_query with the LDAP::CertFile option.

New module content (6)

Rocket Software Unidata udadmin_server Authentication Bypass

Author: Ron Bowes
Type: Exploit
Pull request: #17832 contributed by rbowes-r7
AttackerKB reference: CVE-2023-28503

Description: This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on Linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).

Rocket Software Unidata udadmin_server Stack Buffer Overflow in Password

Author: Ron Bowes
Type: Exploit
Pull request: #17832 contributed by rbowes-r7
AttackerKB reference: CVE-2023-28502

Description: This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on Linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).

SCTP Sessions

Author: sempervictus
Type: Payload
Pull request: #17502 contributed by sempervictus

Description: This PR adds support for SCTP sessions, which Metasploit Framework can use as a session transport in the same way as TCP, since SCTP is also a stream-oriented transport.

Enhancements and features (5)

  • #17353 from adfoster-r7 - Adds support for persisting PKCS12 credentials in Metasploit, i.e. .pfx/.p12 files. The auxiliary/admin/dcerpc/icpr_cert and auxiliary/admin/dcerpc/cve_2022_26923_certifried modules will now persist requested certificates for future exploitation. The creds command can also directly persist certificates - for example: creds add user:alice pkcs12:/path/to/certificate.pfx.
  • #17502 from sempervictus - This PR adds SCTP sessions, which Metasploit Framework can use as a session transport in the same way as TCP, since SCTP is also a stream-oriented transport.
  • #17804 from cgranleese-r7 - Fixes the metadata for multiple modules which had invalid reference names, incorrect rankings, missing notes, etc. Additionally, this adds automation for verifying module metadata is correct.
  • #17821 from bcoles - This enables the import of Nuclei scan results using the db_import command. Both JSON and JSONL formats are supported.
  • #17862 from bcoles - Updates msfvenom to require apktools version 2.7.0 or greater when attempting to modify Android apk files, as it includes security improvements and bug fixes.

Bugs fixed (4)

  • #17851 from Ryuuuuu - Updates the exploits/linux/http/apache_couchdb_cmd_exec module to no longer report the target host as vulnerable when the CouchDB version could not be extracted.
  • #17864 from Ryuuuuu - A bug has been fixed in auxiliary/admin/http/trendmicro_dlp_traversal and auxiliary/admin/http/tomcat_utf8_traversal whereby print_good was used when a file was missing instead of print_error.
  • #17867 from Ryuuuuu - A bug has been fixed in the modules/auxiliary/scanner/http/surgenews_user_creds.rb module whereby the code did not properly check if there were no users in the nwauth.add file prior to proceeding to operate on it.
  • #17872 from adfoster-r7 - Fixes a crash when modules relied on a hash identifying method that wasn't always available. This method is now available as expected and modules will no longer crash.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).