Rapid 7 - Metasploit Wrap-Up
Self-Service Remote Code Execution
This week, our own @wvu-r7 added an exploit module that achieves unauthenticated remote code execution in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory. This new module leverages a REST API authentication bypass vulnerability identified as CVE-2021-40539, where an error in the REST API URL normalization routine makes it possible to bypass security filters and upload arbitrary files on the target. wvu’s new module simply uploads a Java payload to the target and executes it, granting code execution as SYSTEM if ManageEngine ADSelfService Plus was started as a service.
Storm Alert
Warning, this is not a drill! A critical unauthenticated command injection vulnerability is approaching the Nimbus service component of Apache Storm and has been given the name CVE-2021-38294. A new exploit module authored by our very own zeroSteiner has landed and will exploit this vulnerability to get you OS command execution as the user that started the Nimbus service. Please, evacuate the area immediately!
Metasploit Community CTF 2021
We're happy to announce this year’s CTF will start on Friday, December 3, 2021! Similar to last year, the game has been designed to be accessible to beginners who want to learn and connect with the community. Keep in mind that while a team can have unlimited members, only 1,000 team spots are available, and once they’re gone you will have to join someone else’s team. You can find the full details in our blog post.
New module content (2)
- Apache Storm Nimbus getTopologyHistory Unauthenticated Command Execution by Alvaro Muñoz and Spencer McIntyre, which exploits CVE-2021-38294 - This adds an exploit for CVE-2021-38294 which is an unauthenticated remote command execution vulnerability within the
getTopologyHistory()
RPC method that is provided by the Nimbus service which is a component of the Apache Storm project. In order to be exploitable, at least one topology must have been submitted to the Storm cluster. It may be active or inactive but one must be present. - ManageEngine ADSelfService Plus CVE-2021-40539 by wvu, Antoine Cervoise, Wilfried Bécard, and mr_me, which exploits CVE-2021-40539 - This adds an exploit for CVE-2021-40539 which is an unauthenticated RCE within the ManageEngine ADSelfService application.
Enhancements and features
- #15887 from smashery - The path expansion code has been expanded to support path-based tab completion. Users should now tab-complete things such as
cat ~/some_filenam<tab>
. - #15889 from dwelch-r7 - An update has been made to library code so that terminal resize events are only sent if the Meterpreter client supports it. Additionally, extra feedback is now provided to users on whether or not terminal resizing is handled automatically or if they should adjust it manually.
- #15898 from jmartin-r7 - Ruby 3.x removes support for
URI.encode
andURI.escape
. This PR replaces uses of these functions in modules with calls toURI::DEFAULT_PARSER.escape
so that Ruby 3 can run these modules instead of raising errors about missing functions. - #15899 from dwelch-r7 - This improves the user experience when
shell
is invoked from a Meterpreter session. Now, when thefully_interactive_shells
feature is enabled, a message is displayed to inform the operator that a fully interactive TTY is supported. Note that you can start it by invokingshell -it
.
Bugs fixed
- #15864 from timwr - A bug has been fixed whereby the
sessions -u
command would not return a x64 Meterpreter session on a x64 Windows host, and would instead return a x86 session. This issue has now been addressed so thatsessions -u
will determine the architecture of the target host prior to upgrading and will generate a new Meterpreter session of the appropriate architecture.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
from Rapid7 Blog https://blog.rapid7.com/2021/11/26/metasploit-wrap-up-140/
Comments
Post a Comment