Rapid 7 - Metasploit Weekly Wrap-Up
Rocket Software UniRPC Exploits
Ron Bowes submitted two exploit modules for vulnerabilities he discovered in the UniRPC server for Rocket Software’s UniData product. The first exploit module, exploit/linux/misc/unidata_udadmin_auth_bypass
exploits an authentication bypass to ultimately gain remote code execution as the root
user. The vulnerable RPC service has a hardcoded username, :local:
and a predictable password of the form <username>:<uid>:<gid>
. Using the root
username and its corresponding uid and gid, an attacker can authenticate to the RPC service and execute a shell via the service’s OsCommand
command.
The second module, exploit/linux/misc/unidata_udadmin_password_stack_overflow
exploits an unauthenticated stack-based buffer overflow through the vulnerable service’s password field. Due to a lack of bounds checking on the buffer that the password is placed into, the saved return pointer can be overwritten, resulting in code execution as the root
user.
New SCTP Payloads
Along with SCTP session support, sempervictus added four new payloads that work over the aforementioned stream-based transport protocol. Included in this set are two Unix command payloads that work over socat
, a Python command payload, and lastly, a reverse SCTP shell payload for Linux.
Persistent Certificates
This week, adfoster-r7 improved on Metasploit’s support for PKCS12 certificates issued by Active Directory Certificate Services (AD CS). The improvements cause the existing admin/dcerpc/icpr_cert
module to store certificates in the same manner as other credentials are stored when a database is attached. Now certificates will be visible from the creds
command, and new ones can be added using creds add user:alice pkcs12:/path/to/certificate.pfx
. This will help users manage these certificates and reuse them for Kerberos authentication with the admin/kerberos/get_ticket
module and the CERT_FILE
option as well as LDAP modules such as gather/ldap_query
with the LDAP::CertFile
option.
New module content (6)
Rocket Software Unidata udadmin_server Authentication Bypass
Author: Ron Bowes
Type: Exploit
Pull request: #17832 contributed by rbowes-r7
AttackerKB reference: CVE-2023-28503
Description: This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on Linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).
Rocket Software Unidata udadmin_server Stack Buffer Overflow in Password
Author: Ron Bowes
Type: Exploit
Pull request: #17832 contributed by rbowes-r7
AttackerKB reference: CVE-2023-28502
Description: This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on Linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).
SCTP Sessions
Author: sempervictus
Type: Payload
Pull request: #17502 contributed by sempervictus
Description: This PR adds support for SCTP sessions which Metasploit Framework can utilize for session transports similarly to TCP as it is a stream-wise transport.
Enhancements and features (5)
- #17353 from adfoster-r7 - Adds support for persisting PKCS12 credentials in Metasploit, i.e.
.pfx
/.p12
files. Theauxiliary/admin/dcerpc/icpr_cert
andauxiliary/admin/dcerpc/cve_2022_26923_certifried
modules will now persist requested certificates for future exploitation. Thecreds
command can also directly persist certificates - for example:creds add user:alice pkcs12:/path/to/certificate.pfx
. - #17502 from sempervictus - This PR adds SCTP sessions which Metasploit Framework can utilize for session transports similarly to TCP as it is a stream-wise transport.
- #17804 from cgranleese-r7 - Fixes the metadata for multiple modules which had invalid reference names, incorrect rankings, missing notes, etc. Additionally, this adds automation for verifying module metadata is correct.
- #17821 from bcoles - This enables the import of Nuclei scan results using the
db_import
command. Both JSON and JSONL formats are supported. - #17862 from bcoles - Updates msfvenom to require apktools version 2.7.0 or greater when attempting to modify Android apk files, as it includes security improvements and bug fixes.
Bugs fixed (4)
- #17851 from Ryuuuuu - Updates the exploits/linux/http/apache_couchdb_cmd_exec to no longer report the target host as being vulnerable when the CouchDB version could not be extracted..
- #17864 from Ryuuuuu - A bug has been fixed in
auxiliary/admin/http/trendmicro_dlp_traversal
andauxiliary/admin/http/tomcat_utf8_traversal
wherebyprint_good
was used when a file was missing instead ofprint_error
. - #17867 from Ryuuuuu - A bug has been fixed in the
modules/auxiliary/scanner/http/surgenews_user_creds.rb
module whereby the code did not properly check if there were no users in thenwauth.add
file prior to proceeding to operate on it. - #17872 from adfoster-r7 - Fixes a crash when modules relied on a hash identifying method that wasn't always available. This method is now available as expected and modules will no longer crash.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
from Rapid7 Cybersecurity Blog https://blog.rapid7.com/2023/04/14/metasploit-weekly-wrap-up-6/
Comments
Post a Comment