Last updated at Tue, 23 Jan 2024 21:11:07 GMT

Chaining for the win #1: Pentaho Business Server

This week, our very own jheysel-r7 added an exploit module that leverages two vulnerabilities in Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x. The module chains an authentication bypass (CVE-2022-43939) with a Server Side Template Injection (SSTI) vulnerability (CVE-2022-43769) to achieve unauthenticated code execution as the user running the application. Patches are available and it is highly recommended to apply them as soon as possible. The exploit is straightforward to execute and very reliable.

Chaining for the win #2: Zyxel

Community contributor h00die-gr3y added another exploit module that also chains two vulnerabilities, this time targeting Zyxel devices. It exploits an unauthenticated local file disclosure (LFI) vulnerability (CVE-2023-28770) and a weak password derivation algorithm to obtain unauthenticated remote code execution as the supervisor user. These vulnerabilities affect the zhttpd and zcmd binaries, respectively, which are present on more than 40 Zyxel routers and CPE devices. The module leverages the LFI to read the entire configuration of the router, from which it derives the supervisor password by exploiting the weak password derivation algorithm. Finally, if the device is reachable via SSH, the module establishes a connection using the leaked supervisor credentials to execute commands.

GSoC Project: Enable HTTP-Trace for scanner modules

One more successful GSoC project to enhance Metasploit has landed this week. Contributor 3V3RYONE extended the HTTP-Trace capability to login scanner modules; previously it was only available to exploit modules. This is a very useful feature for debugging a module, as it lets users display the full HTTP requests and responses of scanner modules within msfconsole. More information about previous Metasploit GSoC projects can be found here.

Here is an example output of a login scanner module running with the HTTPTrace feature enabled:

msf6 > use auxiliary/scanner/http/buffalo_login 
msf6 auxiliary(scanner/http/buffalo_login) > set RHOSTS www.example.com
RHOSTS => www.example.com
msf6 auxiliary(scanner/http/buffalo_login) > set USERPASS_FILE data/wordlists/http_default_userpass.txt
USERPASS_FILE => data/wordlists/http_default_userpass.txt
msf6 auxiliary(scanner/http/buffalo_login) > set HttpTrace true
HttpTrace => true
msf6 auxiliary(scanner/http/buffalo_login) > run

####################
# Request:
####################
POST /dynamic.pl HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

bufaction=verifyLogin&user=connect&password=connect
####################
# Response:
####################
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Referrer-Policy: no-referrer
Content-Length: 1571
Date: Mon, 26 Sep 2022 06:21:16 GMT
Connection: close

[...]

New module content (3)

Zyxel chained RCE using LFI and weak password derivation algorithm

Authors: Bogi Napoleon Wennerstrøm, SEC Consult Vulnerability Lab, Thomas Rinsma, and h00die-gr3y
Type: Exploit
Pull request: #17881 contributed by h00die-gr3y
AttackerKB reference: CVE-2023-28770

Description: This adds a new exploit module that leverages multiple vulnerabilities in the zhttpd and zcmd binaries, which are present on more than 40 Zyxel routers and CPE devices, to achieve remote code execution as user supervisor. This chains a local file disclosure vulnerability that allows an unauthenticated attacker to read the configuration file and a weak password derivation algorithm vulnerability. The module uses the leaked credentials to establish an SSH connection and execute commands.

Pentaho Business Server Auth Bypass and Server Side Template Injection RCE

Authors: Harry Withington, dwbzn, and jheysel-r7
Type: Exploit
Pull request: #17964 contributed by jheysel-r7
AttackerKB reference: CVE-2022-43939

Description: A new module has been added which exploits Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. To do this it first exploits CVE-2022-43939 to bypass authentication before using CVE-2022-43769, a Server Side Template Injection (SSTI) vulnerability, to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server.

ManageEngine ADAudit Plus Authenticated File Write RCE

Authors: Erik Wynter and Moon
Type: Exploit
Pull request: #17133 contributed by ErikWynter
AttackerKB reference: CVE-2021-42847

Description: A new exploit module has been added which gains authenticated RCE on ManageEngine AdAudit builds 7005 and prior by creating a custom alert profile and leveraging the custom alert script component. On builds 7004 and later, CVE-2021-42847 is utilized to gain RCE as the user running AdAudit, which will typically be a local administrator, via an arbitrary file write to create the necessary script for the alert profile.

Enhancements and features (3)

  • #17060 from 3V3RYONE - Updates the HTTP scanner modules with the functionality to log both HTTP requests and responses. This functionality can be enabled with set HTTPTrace true. This functionality is useful for debugging modules. In scenarios where the traffic is encrypted, for instance with WinRM, the logged values will be unencrypted.
  • #17807 from gwillcox-r7 - Adds documentation for Metasploit's folder structure, so that those unfamiliar with Metasploit can quickly get up to speed and understand where files might be located or where to place new files when developing content for Metasploit.
  • #17972 from h00die - Updates the example modules to align with the latest Metasploit framework module conventions.

Bugs fixed (2)

  • #17968 from zeroSteiner - A bug has been fixed where Certificate Templates were not being identified as vulnerable when there was an ACE that granted enrollment rights but did not correspond to any object types. The logic has now been updated so that only ACEs associated with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT right nor the CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right will be ignored.
  • #17980 from sempervictus - This fixes the file system path check used by PowerShell sessions.
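As an added illustration of the ACE rule in the #17968 fix above (example code, not Metasploit's own implementation): an ACE that grants extended rights without naming an object type applies to every extended right, so it must count as granting enrollment; only ACEs bound to some other object type are ignored. The enrollment and autoenrollment GUIDs are the standard Active Directory extended-right GUIDs (not taken from the page), and the DACL is a constructed sample.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Standard AD extended-right GUIDs (assumed from AD schema knowledge, not from the page).
CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT = "a05b8cc2-17bc-00de-895e-4b5e3a2f0c24"
ENROLLMENT_RIGHTS = {CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT, CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT}
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # access-mask bit that carries extended rights


@dataclass
class Ace:
    trustee: str
    access_mask: int
    object_type: Optional[str]  # None when the ACE is not object-specific (blanket grant)


def grants_enrollment_before_fix(ace: Ace) -> bool:
    """Pre-fix logic: demands an explicit enrollment GUID, so a blanket ACE is missed."""
    return bool(ace.access_mask & ADS_RIGHT_DS_CONTROL_ACCESS) and ace.object_type in ENROLLMENT_RIGHTS


def grants_enrollment_after_fix(ace: Ace) -> bool:
    """Post-fix logic: ignore only ACEs tied to an object that is neither enrollment right."""
    if not ace.access_mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        return False  # no extended rights at all (e.g. read-only ACE)
    if ace.object_type is not None and ace.object_type.lower() not in ENROLLMENT_RIGHTS:
        return False  # bound to some unrelated extended right
    return True  # explicit enrollment GUID, or blanket grant covering all extended rights


def enrollers(dacl: list, check: Callable[[Ace], bool]) -> list:
    """Return the sorted set of trustees that `check` recognises as able to enrol."""
    return sorted({ace.trustee for ace in dacl if check(ace)})


# Constructed sample DACL for a certificate template (not real data).
SAMPLE_DACL = [
    Ace("DOMAIN\\Domain Users", ADS_RIGHT_DS_CONTROL_ACCESS, None),  # blanket extended rights
    Ace("DOMAIN\\Cert Publishers", ADS_RIGHT_DS_CONTROL_ACCESS, CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT),
    Ace("DOMAIN\\Helpdesk", ADS_RIGHT_DS_CONTROL_ACCESS, "11111111-1111-1111-1111-111111111111"),  # placeholder GUID for an unrelated right
    Ace("DOMAIN\\Authenticated Users", 0x10, None),  # read-property only, no extended rights
]

if __name__ == "__main__":
    print("before fix:", enrollers(SAMPLE_DACL, grants_enrollment_before_fix))
    print("after fix: ", enrollers(SAMPLE_DACL, grants_enrollment_after_fix))
```

The pre-fix check overlooks Domain Users, whose blanket ACE grants enrollment on the template; the post-fix check reports them while still ignoring the Helpdesk ACE bound to an unrelated right.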

Documentation added (1)

  • #17984 from adfoster-r7 - Fixes a Kerberos datastore name typo in the WinRM wiki docs.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).