Last updated at Mon, 22 Jan 2024 21:41:09 GMT

Flask Cookies

This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset, where session cookies can be re-signed, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die also added a module for generically working with the default session cookies used by Flask. This generic module, auxiliary/gather/python_flask_cookie_signer, allows for brute-forcing common signing keys from a wordlist as well as decoding cookies and re-signing them if the key is known (or recovered).
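To make the mechanism behind both modules concrete, here is an added example (not code from the original post or from the Metasploit modules) that reproduces Flask's default session-cookie format: a base64 payload, a base64 timestamp and an HMAC-SHA1 signature keyed by the application's SECRET_KEY through the "cookie-session" salt. It shows why the payload can be read by anyone (signing is not encryption), why the secret key is the only thing standing between a user and a re-signed cookie, and how a defender can audit one of their own deployment's cookies against a list of default or weak keys. The function names, the sample session data and the candidate key list are all constructed for this example; the format details follow Flask's default itsdangerous settings.

```python
"""Flask-style session cookie signing plus a weak-key audit (added example,
not from the original post or the Metasploit modules). Assumes Flask's default
itsdangerous settings: HMAC-SHA1, salt "cookie-session", "hmac" key derivation.
Session data and candidate keys below are constructed sample values."""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

SALT = b"cookie-session"  # fixed salt Flask uses for its session cookies


def _b64e(data: bytes) -> bytes:
    """URL-safe base64 without padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _signature(secret_key: bytes, value: bytes) -> bytes:
    # "hmac" key derivation: signing key = HMAC-SHA1(secret, salt),
    # signature = HMAC-SHA1(signing key, value).
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, value, hashlib.sha1).digest())


def sign_session(session: dict, secret_key: str,
                 timestamp: Optional[int] = None) -> str:
    """Produce a cookie in Flask's layout: payload.timestamp.signature."""
    payload = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:   # itsdangerous compresses only when it pays off
        body = b"." + _b64e(compressed)       # a leading "." marks a compressed payload
    else:
        body = _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = body + b"." + _b64e(ts_bytes)
    return (value + b"." + _signature(secret_key.encode(), value)).decode()


def decode_unverified(cookie: str) -> dict:
    """The payload is only encoded, never encrypted: anyone holding the cookie can read it."""
    body, _, _ = cookie.encode().rpartition(b".")   # drop signature
    body, _, _ = body.rpartition(b".")              # drop timestamp
    raw = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
    return json.loads(raw)


def verify_session(cookie: str, secret_key: str, max_age: Optional[int] = None,
                   now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if signature (and age, if requested) check out, else None."""
    value, _, sig = cookie.encode().rpartition(b".")
    if not hmac.compare_digest(sig, _signature(secret_key.encode(), value)):
        return None
    _, _, ts_b64 = value.rpartition(b".")
    issued = int.from_bytes(_b64d(ts_b64), "big")
    if max_age is not None:
        current = int(time.time()) if now is None else now
        if current - issued > max_age:
            return None
    return decode_unverified(cookie)


def find_weak_key(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Audit helper: report which candidate key, if any, validates one of your own cookies.
    A hit means the deployment is running with a default or guessable SECRET_KEY."""
    for key in candidates:
        if verify_session(cookie, key) is not None:
            return key
    return None


if __name__ == "__main__":
    # Constructed sample: a Flask-Login style session signed with a weak key.
    cookie = sign_session({"_user_id": "1", "_fresh": True},
                          "constructed-weak-key", timestamp=1700000000)
    print(cookie)
    print("readable without the key:", decode_unverified(cookie))
    print("weak key found:", find_weak_key(cookie, ["changeme", "secret", "constructed-weak-key"]))
```

The two lessons for operators are visible in the code: decode_unverified needs no key at all, so never store anything sensitive in the session payload, and a SECRET_KEY that appears in any wordlist makes every cookie forgeable, so generate it from a CSPRNG (for example secrets.token_hex(32)) and rotate it if a default is found.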

New module content (12)

Apache Superset Signed Cookie Priv Esc

Authors: Naveen Sunkavally, Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/apache_superset_cookie_sig_priv_esc
AttackerKB reference: CVE-2023-27524

Description: This adds two modules for targeting vulnerabilities related to the signing of Flask's session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

Prometheus API Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_api_gather

Description: This PR creates two modules: one to interrogate Prometheus API endpoints for information and one to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Prometheus Node Exporter And Windows Exporter Information Gather

Author: h00die
Type: Auxiliary
Pull request: #18290 contributed by h00die
Path: auxiliary/gather/prometheus_node_exporter_gather

Description: This PR creates 2 modules: one to interrogate Prometheus API endpoints for information, the other to query Prometheus Node Exporters for information. This is supported by a new Prometheus library and specs.

Python Flask Cookie Signer

Authors: Spencer McIntyre, h00die, and paradoxis
Type: Auxiliary
Pull request: #18180 contributed by h00die
Path: auxiliary/gather/python_flask_cookie_signer

Description: This adds two modules for targeting vulnerabilities related to the signing of Flask's session cookies. One of them exploits a vulnerability in Apache Superset which is identified as CVE-2023-27524.

Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)

Authors: James Horseman, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #18330 contributed by jheysel-r7
Path: exploits/linux/http/ivanti_sentry_misc_log_service
AttackerKB reference: CVE-2023-38035

Description: This PR adds an exploit module that targets Ivanti Sentry (formerly MobileIron Sentry). Ivanti Sentry is vulnerable to an authentication bypass which exposes API functionality, allowing for code execution in the context of the root user.

Kibana Timelion Prototype Pollution RCE

Authors: Gaetan Ferry, Michał Bentkowski, and h00die
Type: Exploit
Pull request: #18316 contributed by h00die
Path: exploits/linux/http/kibana_timelion_prototype_pollution_rce
AttackerKB reference: CVE-2019-7609

Description: Adds a module that exploits a prototype pollution vulnerability in the Kibana Timelion visualiser resulting in Remote Code Execution.

OpenTSDB 2.4.1 unauthenticated command injection

Authors: Daniel Abeles, Erik Wynter, and Gal Goldstein
Type: Exploit
Pull request: #18350 contributed by ErikWynter
Path: exploits/linux/http/opentsdb_key_cmd_injection
AttackerKB reference: CVE-2023-25826

Description: Adds a new module that exploits an unauthenticated command injection vulnerability in OpenTSDB through 2.4.1 resulting in root access.

VMware vRealize Log Insight Unauthenticated RCE

Authors: Ege BALCI and Horizon3.ai Attack Team
Type: Exploit
Pull request: #18273 contributed by EgeBalci
Path: exploits/linux/http/vmware_vrli_rce
CVE reference: ZDI-23-115

Description: This adds an exploit for VMware vRealize Log Insight versions prior to 8.10.2. It chains multiple vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) together to achieve unauthenticated RCE.

Sonicwall

Authors: Ron Bowes and fulmetalpackets
Type: Exploit
Pull request: #18302 contributed by rbowes-r7
Path: exploits/multi/http/sonicwall_shell_injection_cve_2023_34124
AttackerKB reference: CVE-2023-34127

Description: This adds an exploit module that leverages a remote code execution vulnerability in SonicWall GMS. Version 9.3.9320 (and likely earlier) is affected by this vulnerability, identified as CVE-2023-34124.

WinRAR CVE-2023-38831 Exploit

Author: Alexander "xaitax" Hagenah
Type: Exploit
Pull request: #18341 contributed by xaitax
Path: exploits/windows/fileformat/winrar_cve_2023_38831
AttackerKB reference: CVE-2023-38831

Description: This PR adds a module covering CVE-2023-38831, a file format vulnerability affecting WinRAR 6.22.

LG Simple Editor Remote Code Execution

Authors: Ege Balcı and rgod
Type: Exploit
Pull request: #18329 contributed by EgeBalci
Path: exploits/windows/http/lg_simple_editor_rce
CVE reference: ZDI-23-1204

Description: This module exploits broken access control and directory traversal vulnerabilities to achieve unauthenticated remote code execution on LG Simple Editor versions <= v3.21. The module achieves code execution in the context of NT AUTHORITY\SYSTEM by uploading and executing a JSP payload.

Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability

Authors: Esteban.kazimirow, Ricardo Narvaja, and jheysel-r7
Type: Exploit
Pull request: #18250 contributed by jheysel-r7
Path: exploits/windows/local/cve_2023_28252_clfs_driver
AttackerKB reference: CVE-2023-28252

Description: Adds a new privilege escalation module that exploits a vulnerable clfs.sys driver on Windows to spawn a new NT AUTHORITY\SYSTEM Meterpreter session. The vulnerable driver comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 2022 (Build 20348) operating systems.

Enhancements and features (8)

  • #17474 from prabhatjoshi321 - This PR adds support to the Capcom.sys driver LPE for Windows 11 21H1.
  • #18262 from cgranleese-r7 - Adds the ability to select favorite modules with the use command after running show favorites, similar to the search command.
  • #18270 from pbarry25 - Improves tab completion for the set and unset commands.
  • #18327 from h00die - Fixes an issue where specifying a TLS version in the ssl_version module would result in a NoMethodError.
  • #18349 from adfoster-r7 - Adds Meterpreter compatibility matrix generation to GitHub's acceptance test runs. Now it's possible to visually see which Meterpreters support particular functionality.
  • #18354 from zeroSteiner - This PR moves the MSF tip to be displayed while Metasploit is loading. This is similar to what a lot of video games do (e.g. Skyrim).
  • #18356 from adfoster-r7 - This PR updates the Docker Golang version from 1.19.3 to 1.21.1 to receive the latest security updates. Thanks to Daniel Weller for reporting.
  • #18357 from adfoster-r7 - Adds additional error reporting to the Meterpreter integration tests.

Bugs fixed (2)

  • #17970 from YiDa858 - Fixes an error in nessus_db_import and nessus_scan_export commands that prevented them from completing successfully.
  • #18362 from adfoster-r7 - Fixes an edge case which could cause a new msfrpc console instance to hang forever.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).