wvu-r7 added an exploit module that targets SaltStack’s Salt software. Specifically, the module exploits both an authentication bypass (CVE-2020-25592) and a command injection vulnerability (CVE-2020-16846) in SaltStack’s REST API to get code execution as
root through Salt’s SSH client on infected versions. You can read more about the vulns on AttackerKB.
Hack Metasploit with Metasploit
justinsteven both discovered a vulnerability (CVE-2020-7384) in and added an exploit module for Metasploit’s
msfvenom allows users to use custom apk templates to inject a payload into; however,
msfvenom does not sanitize certain fields, such as the
Owner field, that get passed into a
Open3.popen3() call. Because of this, an unsuspecting user of
msfvenom might use a malicious template and subsequently give an attacker a shell on the user’s computer. This issue has been fixed in Metasploit’s
6.0.12 release and Metasploit Pro’s
Wordpress File Manager RCE
ide0x90 added an exploit module that targets various versions of a popular Wordpress plugin,
Wordpress File Manager. The vulnerability (CVE-2020-25213) is due to a leftover example file that enables unauthenticated execution of a set of commands. One of those commands is an
upload command, which makes uploading a php webshell and getting code execution effortless.
Apache Zookeeper Info Disclosure
New modules (4)
- SaltStack Salt REST API Arbitrary Command Execution by wvu and KPC, which exploits CVE-2020-16846 and CVE-2020-25592
- WordPress File Manager Unauthenticated Remote Code Execution by Alex Souza (w4fz5uck5) and Imran E. Dawoodjee, which exploits CVE-2020-25213
- Rapid7 Metasploit Framework msfvenom APK Template Command Injection by Justin Steven, which exploits CVE-2020-7384
- Apache ZooKeeper Information Disclosure by Karn Ganeshen
Enhancements and features
- PR #14387 by adfoster-r7 added a check to ensure that uses of
AutoCheckare always prepended as opposed to included in modules.
- PR #14373 by dwelch-r7 removed the unused Netware console session type from Framework.
- PR #14371 by h00die added vulnerable version information to the
- PR #14353 by agalway-r7 modified the
msfdbcommand to show more readable and informative output to the user.
- PR #14304 by b4rtik updated the
post/windows/manage/execute_dotnet_assemblymodule to be able to handle additional function signatures of the code that will be injected into.
- PR #14382 from h00die fixed a crash in the
auxiliary/analyze/apply_potmodule caused by an out-of-date symbol name.
- PR #14378 by adfoster-r7 added proper synchronization to the job status tracker that is used by Metasploit’s RPC service.
- PR #14370 by cgranleese-r7 fixed a crash in
generatecommand caused by attempting to tab complete input with no results.
- PR #14363 by zeroSteiner fixed an issue in the
auxiliary/scanner/smb/smb_loginmodule that reported false negatives for valid credentials when
msfconsolewas started with
bundle execpreceding the command.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).