Blown up by your own Fusion bomb
If you use a Mac, keep an eye on your favorite virtualization software—it might blow up unexpectedly! Community contributor h00die added a new module that exploits an improper use of setuid binaries within VMware Fusion versions 10.1.3 through 11.5.3 on OS X to get local privilege escalation. This module also bypasses the patch added in version 11.5.3 by exploiting a TOCTOU race condition. Note that, at the time of writing, version 11.5.3 is the latest version available. Watch out!
Dotnet Nukem Forever
A new module targeting the famous web application framework DNN (formerly DotNetNuke) has been added this week by holdonasec. Versions 5.0.0 through 9.3.0-RC are affected by a cookie deserialization vulnerability that leads to remote code execution. The DNNPersonalization cookie stores user profile information that includes a type attribute used by the server to define the type of object to be deserialized. In its default configuration, DNN handles 404 errors with its built-in error page, which makes the server process the cookie and trigger the vulnerability.
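A defender-side check for the cookie behaviour described above, written as an added example for this post rather than code from Metasploit or the DNN module: it URL-decodes each DNNPersonalization cookie found in request logs, reads the type attribute of every item in the cookie's XML and reports any type that is not on an allowlist. The log format, the allowlist and the sample lines are constructed assumptions; the flagged type name in the sample is made up and is not a real gadget.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Assumption: legitimate DNNPersonalization cookies only carry simple CLR types
# such as these; adjust the allowlist to what your DNN installation emits.
ALLOWED_TYPES = {"System.String", "System.Boolean", "System.Int32"}

# Constructed sample log: "<method> <path> <status> <cookie-header-value>".
# The second line uses a made-up type name purely to trigger the detection.
SAMPLE_LOG = """\
GET /Default.aspx 200 DNNPersonalization=%3Cprofile%3E%3Citem%20key%3D%22name1%3Akey1%22%20type%3D%22System.String%22%3Ehello%3C%2Fitem%3E%3C%2Fprofile%3E
GET /does-not-exist 404 DNNPersonalization=%3Cprofile%3E%3Citem%20key%3D%22name1%3Akey1%22%20type%3D%22Not.An.Expected.Type%22%3Ex%3C%2Fitem%3E%3C%2Fprofile%3E
GET /Default.aspx 200 language=en-US
"""


def unexpected_types(cookie_value):
    """Return the type attributes in a DNNPersonalization value that are not
    allowlisted. A value that is not well-formed XML is reported as a single
    '<unparseable>' finding, since it is not something a browser-set profile
    cookie should ever look like."""
    try:
        root = ET.fromstring(unquote(cookie_value))
    except ET.ParseError:
        return ["<unparseable>"]
    return sorted({item.get("type", "") for item in root.iter("item")} - ALLOWED_TYPES)


def cookie_from_header(header):
    """Extract the raw DNNPersonalization value from a Cookie header, or None."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "DNNPersonalization":
            return value
    return None


def scan_log(text):
    """Return a list of (path, status, finding) for requests whose cookie carries
    a type outside the allowlist. The status is kept because, as noted above,
    DNN's built-in 404 page is what processes the cookie."""
    findings = []
    for line in text.splitlines():
        _method, path, status, cookie_header = line.split(" ", 3)
        value = cookie_from_header(cookie_header)
        if value is None:
            continue
        for unexpected in unexpected_types(value):
            findings.append((path, int(status), unexpected))
    return findings


if __name__ == "__main__":
    for path, status, finding in scan_log(SAMPLE_LOG):
        print(f"{status} {path}: unexpected type {finding}")
```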
Lost in the Solr system
Community contributor ide0x90 added a new module that exploits a remote code execution vulnerability in Apache Solr versions 5.0.0 through 8.3.0 via a custom Velocity template. The exploit first enables the use of Velocity templates by setting the params.resource.loader.enabled parameter to true, then sends a specially crafted request containing a weaponized Velocity template to get remote code execution.
New modules (6)
- DLINK DWL-2600 Authenticated Remote Command Injection by Nick Starke and RAKI BEN HAMOUDA, which exploits CVE-2019-20499
- Apache Solr Remote Code Execution via Velocity Template by AleWong, Imran E. Dawoodjee, jas502n, and s00py, which exploits CVE-2019-17558
- IBM TM1 / Planning Analytics Unauthenticated Remote Code Execution by Gareth Batchelor and Pedro Ribeiro, which exploits CVE-2019-4716
- VMware Fusion USB Arbitrator Setuid Privilege Escalation by Dhanesh Kizhakkinan, Rich Mirch, grimm, h00die, and jeffball, which exploits CVE-2020-3950
- DotNetNuke Cookie Deserialization Remote Code Execution by Jon Park and Jon Seigel, which exploits CVE-2018-18326
- "Cablehaunt" Cable Modem WebSocket DoS by Alexander Dalsgaard Krog (Lyrebirds), Jens Hegner Stærmose (Lyrebirds), Kasper Kohsel Terndrup (Lyrebirds), Nicholas Starke, and Simon Vandel Sillesen (Independent), which exploits CVE-2019-19494
Enhancements and features
- PR #13164 by tekwizz123 adds documentation for the http_hsts auxiliary scanner module.
- PR #13159 by exigentmidnight adds documentation for the apache_mod_cgi_bash_env.rb auxiliary scanner module.
- PR #13155 by adamgalway-r7 updates the Metasploit profiling tools with two new methods, including Metasploit::Framework::Profiler.record_memory, to allow specific code sections to be profiled.
- PR #13148 by adamgalway-r7 reduces unknown commands handling from 1 second to 0.5 seconds.
- PR #13141 by bcoles adds a reverse shell payload for tclsh, a "simple shell containing Tcl interpreter."
- PR #13176 by h00die fixes an issue in issue_finder.py so that it no longer lists .pyc files or files beginning with _.
- PR #13172 by timwr updates the metasploit_payloads-mettle gem version to 0.5.21 to add OSX Catalina support.
- PR #13105 by Auxilus improves the loading time of the makeiplist tools.
- PR #13093 by mmetince adds an alias of ftp_connect to connect within Exploit::Remote::Ftp to avoid name collisions when Msf::Exploit::Remote::Ftp and other mixins are included in the same module.
- PR #13085 by Green-m renames module
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).