Windows BITS CVE-2020-0787 LPE in the Metasploit tree!
This week, Grant Willcox presents his first Metasploit module contribution as part of our team. Research from itm4n yielded CVE-2020-0787, describing a vulnerability in the Windows Background Intelligent Transfer Service (BITS). This vuln can be exploited to achieve local privilege escalation in Windows 10 (prior to the March 2020 update) and also Windows Server 2016 and 2019. And Grant's module does exactly that, popping a
SYSTEM shell on an affected target. Great work, the both of you!
QNAP QTS and Photo Station LFI in your eye?
Next up, community contributor Redouane NIBOUCHA brings us a local file inclusion (LFI) module for QNAP devices running Photo Station application versions that are vulnerable to CVE-2019-7192 and CVE-2019-7194 or CVE-2019-7195. Many thanks to Henry Huang for their incredible writeup of the vulnerabilities they found.
While there is a little confusion about which CVEs apply to this particular vulnerability, one thing is true: an unauthenticated attacker can download arbitrary files from an affected QNAP device... as root. That means SSH private keys and password hashes may be exposed by this vulnerability.
QNAP QTS systems that bundle the Photo Station application may be vulnerable by default. Patch but verify with the Metasploit module. This vuln is being actively exploited in the wild!
New modules (5)
- Cisco UCS Director Cloupia Script RCE by wvu and mr_me, which exploits CVE-2020-3243 (ZDI-20-540)
- LinuxKI Toolset 6.01 Remote Command Execution by Cody Winkler and numan türle, which exploits CVE-2020-7209
- Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability by Grant Willcox and itm4n, which exploits CVE-2020-0787
- QNAP QTS and Photo Station Local File Inclusion by Henry Huang and Redouane NIBOUCHA, which exploits CVE-2019-7192 and CVE-2019-7194 or CVE-2019-7195
- Windows Gather Xshell and Xftp Passwords by Kali-Team
Enhancements and features
- PR #13306 from h00die updates the
enum_xchatmodule by adding documentation, dumping creds to the database, adding Windows support, adding HexChat support, cleaning up the code, and using libraries when available. The new multi-module is named
- PR #13566 from wvu updates the Framework to select a default payload for a module when it is used instead of when it is run. This by extension allows the user to see the payload that will be used, offering them an opportunity to configure or change it prior to exploitation.
- PR #13442 from Redouane NIBOUCHA adds a fix for the
- PR #13468 from noncenz fixes the
memcached_extractorauxiliary module to work correctly with memcached servers that implement LRU. This applies to memchached servers of versions 1.5.4 and up.
- PR #13589 from Alan Foster fixes a bug where module description data can be lost when running
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).