This week’s wrap-up features six new modules, including a double-dose of Synology and everyone’s favorite, Pi-Hole.
Little NAS, featuring RCE
Synology stations are small(ish) NAS devices, but as Steve Kaun, Nigusu Kassahun, and h00die have shown, they are not invulnerable. In the first module, a command injection exists in a scanning function that allows for an authenticated RCE, and in the second, a coding feature leaks whether a user exists on the system, allowing for brute-force user enumeration.
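The two Synology bug classes described above, as an added illustration written for this wrap-up (it is not Metasploit or Synology code): a disk-scan helper that pastes a user-supplied device name into a shell string next to its hardened form, and a forgot-password handler that answers differently for real and unknown accounts next to one that answers uniformly. The device list, user table, function names and the outbox are all constructed for the example; the scan commands are only built, never executed.

```python
"""Constructed example of an OS command injection in a 'scan' helper and a
user-enumeration leak in a forgot-password handler, each beside a fix."""
import re
from typing import Dict, List

# Constructed sample data: block devices a NAS might expose, its user table,
# and a stand-in for the mail queue.
KNOWN_DEVICES = {"sda", "sdb", "nvme0n1"}
USERS = {"admin", "backup"}
OUTBOX: List[str] = []


def build_scan_command_vulnerable(device: str) -> str:
    """Flawed pattern: the request parameter is concatenated into a string that
    is later handed to a shell, so metacharacters in it become commands."""
    return f"smartctl -a /dev/{device}"


def build_scan_command_hardened(device: str) -> List[str]:
    """Fix: accept only names from a fixed allow-list and return an argv list;
    with shell=False the OS never interprets the value, only the program does."""
    if not re.fullmatch(r"[a-z0-9]+", device) or device not in KNOWN_DEVICES:
        raise ValueError("unknown device")
    return ["smartctl", "-a", f"/dev/{device}"]


def forgot_password_vulnerable(username: str) -> Dict[str, object]:
    """Leak: status code and message reveal whether the account exists."""
    if username not in USERS:
        return {"status": 404, "msg": "user does not exist"}
    OUTBOX.append(username)
    return {"status": 200, "msg": "reset mail sent"}


def forgot_password_hardened(username: str) -> Dict[str, object]:
    """Fix: identical status and message either way; the mail is still only
    queued for a real account (a constant-time path is also needed in practice,
    which this sketch does not model)."""
    if username in USERS:
        OUTBOX.append(username)
    return {"status": 200, "msg": "If the account exists, a reset mail was sent"}


def responses_differ(handler, present: str, absent: str) -> bool:
    """Check a defender can run: does the handler answer an existing and a
    non-existing user differently? True means enumeration is possible."""
    return handler(present) != handler(absent)


if __name__ == "__main__":
    print(build_scan_command_vulnerable("sda; id"))   # second command smuggled in
    try:
        build_scan_command_hardened("sda; id")
    except ValueError as err:
        print("hardened:", err)
    print("vulnerable leaks:", responses_differ(forgot_password_vulnerable, "admin", "nobody"))
    print("hardened leaks:  ", responses_differ(forgot_password_hardened, "admin", "nobody"))
```

The `responses_differ` check is the part worth reusing: point it at a real handler (or an HTTP wrapper around one) with one known-good and one made-up account, and any difference in status, body or headers is the signal that a user-enumeration scanner like the one above would key on.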
Cram it in your Pi-Hole, Again
Still hilarious, though significantly less original, Pi-Hole makes an encore appearance in the form of a DHCP reservation with accompanying RCE and a whitelist addition with shell.
myLittleAdmin Administration sharing tool
A ViewState .NET deserialization bug allows others to manage your MS SQL server. Brought to you by wvu-r7 and his .NET deserialization muse smcintyre-r7, this is yet another use of smcintyre-r7’s .NET deserialization library because sharing is a kindness, and magic makes it all complete!
It is never DNS, especially after a DoS attack
Shuto Imai and Tobias Klein added a DoS module targeting the BIND service by forcing execution down a path with an assert statement that causes the server process to exit.
New modules (6)
- Synology DiskStation Manager smart.cgi Remote Command Execution by Nigusu Kassahun and h00die, which exploits CVE-2017-15889
- Pi-Hole DHCP MAC OS Command Execution by h00die and nateksec, which exploits CVE-2020-8816
- Pi-Hole Whitelist OS Command Execution by Denis Andzakovic and h00die
- Plesk/myLittleAdmin ViewState .NET Deserialization by wvu and Spencer McIntyre, which exploits CVE-2020-13166
- Synology Forget Password User Enumeration Scanner by Steve Kaun and h00die, which exploits CVE-2017-9554
- BIND TSIG Badtime Query Denial of Service by Shuto Imai and Tobias Klein, which exploits CVE-2020-8617
Enhancements and features
- We’ve updated the credits in bind_tsig_badtime to reflect updated CVE-2020-8617 information.
- Bcoles cleaned up and documented the TinyIdentD 2.2 Stack Buffer Overflow module.
- sbrun updated the wmiexec.py module to be Python3 compatible.
- acammack-r7 updated our search feature to prevent unloadable modules from returning in a search in PR 13500.
- h00die added documentation to the pop3 capture module in PR 13460.
- Our own adfoster-r7 has made us better, stronger, and faster than before by fixing a memory leak in ms01_026_dbldecode.
- Kalba-security updated the EyesOfNetwork exploit module to add support for deploying Meterpreter sessions using a command stager as well as an authentication bypass for versions 5.1 and 5.2. The authentication bypass leverages SQLi to obtain the session token of the admin user who must be logged in at the time. This vulnerability is identified as CVE-2020-9465.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).