Last updated at Fri, 01 Mar 2024 20:05:46 GMT
Connect the dots from authentication bypass to remote code execution
This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in ConnectWise ScreenConnect to achieve remote code execution. This vulnerability, CVE-2024-1709, affects all versions of ConnectWise ScreenConnect up to and including 23.9.7. The module creates a new administrator user account on the server, then uses that account to upload a malicious extension (an .ashx file) and gain code execution as the NT AUTHORITY\SYSTEM user on Windows or the root user on Linux, depending on the target platform.
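The affected range stated above (every release up to and including 23.9.7) is the kind of fact a module's check logic or an internal inventory script has to turn into a yes/no answer. The following Ruby is an added example, not code from the Metasploit module or from ConnectWise; it assumes version strings in the four-segment form ScreenConnect reports (for instance "23.9.7.8979", a constructed sample) and compares only the first three segments, because a naive full-string comparison would wrongly treat a 23.9.7 build number as newer than the 23.9.7 cutoff.

```ruby
# Added example: decide whether a ConnectWise ScreenConnect version string
# falls inside the range the advisory text calls vulnerable (<= 23.9.7).
# This is not the Metasploit module's own check; the helper names are ours.

# Last vulnerable major.minor.patch per the text above (fixed in 23.9.8).
LAST_VULNERABLE = [23, 9, 7].freeze

# Parse "23.9.7.8979" into [23, 9, 7, 8979]; return nil on any non-numeric
# segment so callers can distinguish "unknown" from "not vulnerable".
def parse_version(str)
  str.to_s.strip.split('.').map { |seg| Integer(seg, 10) }
rescue ArgumentError
  nil
end

# true  -> version is in the vulnerable range
# false -> version is newer than the cutoff
# nil   -> version could not be parsed (fewer than three segments or junk)
def vulnerable_version?(str)
  parts = parse_version(str)
  return nil if parts.nil? || parts.length < 3

  # Compare major.minor.patch only; the trailing build number must not push
  # a 23.9.7.xxxx build past the 23.9.7 cutoff.
  (parts[0, 3] <=> LAST_VULNERABLE) <= 0
end

# Constructed sample inventory: hostname => reported version.
SAMPLE_HOSTS = {
  'sc-prod-01' => '23.9.7.8979',
  'sc-prod-02' => '23.9.8.8811',
  'sc-lab-01'  => '22.1.0.7950',
  'sc-old-01'  => '23.10.1.1',
  'sc-bad-01'  => 'unknown'
}.freeze

# Return the list of hostnames whose version is in the vulnerable range.
def vulnerable_hosts(hosts = SAMPLE_HOSTS)
  hosts.select { |_host, ver| vulnerable_version?(ver) == true }.keys
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HOSTS.each do |host, ver|
    puts format('%-12s %-14s %s', host, ver, vulnerable_version?(ver).inspect)
  end
end
```

Feeding a real inventory through vulnerable_hosts is the intended use; anything that returns nil should be treated as "verify by hand" rather than silently skipped.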
New module content (1)
ConnectWise ScreenConnect Unauthenticated Remote Code Execution
Authors: WatchTowr and sfewer-r7
Type: Exploit
Pull request: #18870 contributed by sfewer-r7
Path: multi/http/connectwise_screenconnect_rce_cve_2024_1709
Description: This PR adds an unauthenticated RCE exploit for ConnectWise ScreenConnect (CVE-2024-1709).
Enhancements and features (8)
- #18830 from sjanusz-r7 - Aligns the behavior of the MSSQL, PostgreSQL, and MySQL sessions. This functionality is currently behind a feature flag enabled with the features command.
- #18833 from zeroSteiner - This catches an exception when updating a non-existing session. Prior to this PR, trying to run 'sessions -k' after running 'workspace -D' would result in a stack trace being printed to the console. This resolves issue #18561.
- #18849 from adfoster-r7 - Adjusts the logic used for the visual indentation of tables.
- #18872 from zgoldman-r7 - Updates the MSSQL modules to support querying database rows that contain boolean bit values.
- #18878 from adfoster-r7 - This updates a number of rspec gems which help improve test suite error messages when string encodings are different.
- #18879 from zeroSteiner - Updates the auxiliary/admin/kerberos/inspect_ticket module with improved error messages and support for printing Kerberos PAC credential information.
- #18892 from zeroSteiner - Allows users to leverage the latest ADCS ESC13 technique. These changes are related to the identification of misconfigured certificate templates and workflow documentation. ldap_esc_vulnerable_cert_finder and ldap_query were also updated to improve usability.
- #18893 from sjanusz-r7 - Updates the help command to visually align command names to the same width to improve readability.
Bugs fixed (2)
- #18873 from cgranleese-r7 - Fixes a regression that caused a CreateSession option to be available for payloads that did not make sense.
- #18880 from jmartin-tech - Fixes a bug with the auxiliary/capture/ldap module's handling of NTLM hashes.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.