Rapid 7 - Metasploit Weekly Wrap-Up 01/31/25

ESC4 Detection

This week, Metasploit's jheysel-r7 updated the existing ldap_esc_vulnerable_cert_finder module to detect certificate template objects that are writable by the authenticated user. The module can now identify instances of ESC4 from the perspective of the account whose credentials the Metasploit operator supplied. Metasploit has been able to exploit ESC4 for some time, but users had to already know which certificate templates they had write access to. This closes an important gap in Metasploit's AD CS coverage and should help users identify additional attack vectors. See the Metasploit AD CS documentation for the steps to exploit ESC4 with Metasploit.

New module content (1)

Craft CMS Twig Template Injection RCE via FTP Templates Path

Authors: AssetNote, Valentin Lobstein, and jheysel-r7
Type: Exploit
Pull request: #19772 contributed by jheysel-r7
Path: linux/http/craftcms_ftp_template
AttackerKB reference: CVE-2024-56145

Description: This adds a new exploit module for Craft CMS in which the attacker uses a malicious FTP server, supplied as the templates path, to gain remote code execution. The vulnerability requires the PHP option register_argc_argv to be enabled.

Enhanced Modules (1)

Modules which have either been enhanced, or renamed:

  • #19816 from jheysel-r7 - This adds support to the existing ldap_esc_vulnerable_cert_finder for identifying certificate templates that are vulnerable to ESC4 from the perspective of the authenticated user.

Bugs fixed (6)

  • #19826 from zeroSteiner - Fixes two issues with the ldap_query module. The first was that the BASE_DN wasn't being used when set. The second was that the QUERY_ATTRIBUTES was a required datastore option. Now if the QUERY_ATTRIBUTES is left unset the module will return all the attributes. This is particularly useful if the operator doesn't know the exact attributes defined on an object because they're looking for something.
  • #19833 from cdelafuente-r7 - This fixes an issue with the petitpotam module where in the default configuration, an incorrect service UUID was being used.
  • #19834 from sfewer-r7 - Updates the connect_ws method within the Exploit::Remote::HttpClient library to generate an RFC 6455 compliant value for the generated Sec-WebSocket-Key header.
  • #19835 from cdelafuente-r7 - This fixes an issue in the lookup logic when a Kerberos ticket is provided as a file. The SPN hostname was compared case-sensitively, which prevented the ticket from being used if the user set the *::rhostname option with a different case than the one stored in the ticket.
  • #19836 from 0xAryan - Fixes a broken blog link in the exploit/multi/http/nibbleblog_file_upload module.
  • #19843 from cdelafuente-r7 - This fixes an issue with both the ldap_login and smb_login modules. Some login scanner modules are now used not only to discover and report valid credentials, but also to obtain a session (e.g. an SMB session or an LDAP session). This means that if Kerberos is the authentication method, the user can omit the password and reuse tickets from the cache, and if the authentication method is Schannel (LDAP), the username can also be omitted since the certificate contains everything needed to authenticate. Prior to this fix, these modules would error if they were run without the username and password fields set. The fix introduces two new boolean attributes in the CredentialCollection class, ignore_private and ignore_public, which indicate whether the module is allowed to run without a username or password.
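The Sec-WebSocket-Key fix in #19834 above comes down to what RFC 6455 requires of that header: the base64 encoding of exactly 16 random bytes, which the server answers with a Sec-WebSocket-Accept derived from the key and a fixed GUID. The following is an added example, not Metasploit's connect_ws code, showing a compliant key generator, the check a server (or a unit test) can apply to an incoming key, and the client-side verification of the server's accept value:

```ruby
require 'securerandom'
require 'digest'

# Fixed GUID from RFC 6455 section 1.3, appended to the key when the
# server computes Sec-WebSocket-Accept.
WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'.freeze

# RFC 6455 section 4.1: the key is a base64-encoded 16-byte random nonce.
# pack('m0') is strict base64 without line breaks, so the result is always
# 24 characters ending in "==".
def generate_ws_key
  [SecureRandom.random_bytes(16)].pack('m0')
end

# Check a received (or generated) key the way a strict server would:
# well-formed base64 that decodes to exactly 16 bytes.
def valid_ws_key?(key)
  return false unless key.is_a?(String) && key.match?(%r{\A[A-Za-z0-9+/]{22}==\z})

  key.unpack1('m0').bytesize == 16
rescue ArgumentError
  false
end

# RFC 6455 section 4.2.2: Sec-WebSocket-Accept = base64(SHA1(key + GUID)).
def expected_ws_accept(key)
  [Digest::SHA1.digest(key + WS_GUID)].pack('m0')
end

# Client-side check of the 101 Switching Protocols response: the server must
# echo exactly the accept value derived from the key the client sent.
def accept_matches?(key, accept_header)
  expected_ws_accept(key) == accept_header
end

# Minimal client upgrade request carrying a compliant key (constructed example).
def build_upgrade_request(host, path, key = generate_ws_key)
  [
    "GET #{path} HTTP/1.1",
    "Host: #{host}",
    'Upgrade: websocket',
    'Connection: Upgrade',
    "Sec-WebSocket-Key: #{key}",
    'Sec-WebSocket-Version: 13',
    '', ''
  ].join("\r\n")
end
```

The key "dGhlIHNhbXBsZSBub25jZQ==" and accept value "s3pPLMBiTxaQ9kYGzzhZRbK+xOo=" used in the test are the worked example from RFC 6455 itself.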

Documentation added (1)

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
from Rapid7 Cybersecurity Blog https://blog.rapid7.com/2025/01/31/metasploit-weekly-wrap-up-01-31-25/