Security fix for the libnotify plugin (CVE-2020-7350)
If you use the
libnotify plugin to keep track of when file imports complete, the interaction between it and
db_import allows a maliciously crafted XML file to execute arbitrary commands on your system. In proper Metasploit fashion, pastaoficial PR'd a file format exploit to go along with the fix, and our own smcintyre-r7 did some git magic to make the changes properly visible and over the line. Scans and anything else besides
db_import do not trigger the vulnerability, and
libnotify plugin must be used to open up the command injection path.
Twitch Plays Python
Thanks our streaming contributor mmetince and one of his viewers hasantayyar, our Python staged and stageless payloads are now 100% whitespace free. Keeping compatibility with old fossils of Python like 2.4 and 3.1, which have little in the way of forwards or backwards compatibility, is quite a feat. To top it off, this approach even saves space compared to our previous compatibility approach!
New modules (6)
- Unraid 6.8.0 Auth Bypass PHP Code Execution by Nicolas CHATELAIN, which exploits CVE-2020-5849
- Metasploit Libnotify Plugin Arbitrary Command Execution by pasta, which exploits CVE-2020-7350
- Grafana 2.0 through 5.2.2 authentication bypass for LDAP and OAuth by Rene Riedling and Sebastian Solnica, which exploits CVE-2018-15727
- VMware vCenter Server vmdir Authentication Bypass by wvu, JJ Lehmann, and Ofri Ziv, which exploits CVE-2020-3952
- VMware vCenter Server vmdir Information Disclosure by wvu, which exploits CVE-2020-3952
- Multi Manage the screen of the target meterpreter session by timwr
Enhancements and features
- PR #13311 from kernelsmith - This updates
msftidyto handle expected ZDI references.
- PR #13282 from cn-kali-team - This PR adds Unicode support to the search command to allow users to find entries containing Unicode characters, thereby fixing the issue reported in #13150.
- PR #13268 from adfoster-r7 - This PR adds in two additional productivity tips to the tip command that help users be more efficient.
- PR #13267 from adfoster-r7 - This PR depreciates the old
tipcommand in favor of
tips, which now returns a list of all productivity tips.
- PR #13263 from mmetince - This updates the library which generates the Python payload stager to remove whitespace.
- PR #13252 from timwr - This PR adds a new payload type,
reverse_tcp_uuidfor OSX x64 systems which adds support for displaying UUID information. This PR also updates the existing
reverse_tcpstager to print out UUID information if requested.
- PR #13298 from zeroSteiner - Fixes the
to_handlercommand for payloads and evasion modules to now correctly set
- PR #13277 from bwatters-r7 - This PR bumps the payloads gem to bring in a fix from timwr for a race condition that existed in the filesystem library in the Java meterpreter.
- PR #13266 from pastaoficial via zeroSteiner - Rapid7 Metasploit Framework version 5.0.85 and prior suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a computer's hostname or service name. An attacker can create a specially-crafted hostname or service name to be imported by Metasploit from a variety of sources and trigger a command injection on the operator's terminal. Note, only the Metasploit Framework and products that expose the plugin system is susceptible to this issue -- notably, this does not include Rapid7 Metasploit Pro. Also note, this vulnerability cannot be triggered through a normal scan operation -- the attacker would have to supply a file that is processed with the db_import command.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).