Everything old is new again
As you probably already know, hardware manufacturers are not always great at security. Today we'll be picking on Netgear, who produce a WiFi router called the WNR2200. This cute little device, brand new out of the box on store shelves today, runs Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those versions were released in 2007. Way back in 2007, Samba had a pre-auth heap buffer overflow vulnerability in the LsarLookupSids RPC call, for which Metasploit has had an exploit since shortly after the bug's disclosure.
Unfortunately for people who like shells, the exploit only worked on x86 targets, so popping these new routers with old exploits wasn't feasible. Until now. Thankfully, JanMitchell came to the rescue, porting it to MIPS for all your ridiculously-old-software-on-a-brand-new-router hacking needs.
Steal all the things
A few weeks ago, we talked about stealing AWS metadata. This update adds a post module (
post/multi/gather/awks_keys) that will extract credential and other valuable AWS information from a compromised machine with aws console/cli installed and configured with credentials. These credentials can be used to access all of an AWS user's resources he/she has access to.
There won't be a release next week because of the Thanksgiving holiday here in the US. Automated nightly installers for the open source framework will still be automatically built nightly as you might expect.
Exploit modules (8 new)
- Trend Micro Smart Protection Server Exec Remote Code Injection by Quentin Kaiser
- Linux BPF Local Privilege Escalation by h00die, and jannh exploits CVE-2016-4557
- Overlayfs Privilege Escalation by h00die, and rebel exploits CVE-2015-8660
- WordPress Ninja Forms Unauthenticated File Upload by James Golovich, and Rob Carr exploits CVE-2016-1209
- Office OLE Multiple DLL Side Loading Vulnerabilities by Yorick Koster exploits CVE-2016-3235
- WinaXe 7.7 FTP Client Remote Buffer Overflow by Chris Higgins, and hyp3rlix
- Disk Pulse Enterprise Login Buffer Overflow by Chris Higgins, and Tulpa Security
Auxiliary and post modules (6 new)
- Joomla Account Creation and Privilege Escalation by Fabio Pires, Filipe Reis, and Vitor Oliveira exploits CVE-2016-8870
- Telpho10 Backup Credentials Dumper by Jan Rude
- Kerberos Domain User Enumeration by Matt Byrne
- UDP Amplification Scanner by Jon Hart
- UNIX Gather AWS Keys by Jon Hart
As always, you can update to the latest Metasploit Framework with a simple
msfupdate and the full diff since the last blog post is available on GitHub: 4.12.38...4.12.42