More Microsoft news this week!
Firstly, a big thank you to community contributors GreyOrder, Orange Tsai, and mekhalleh (RAMELLA Sébastien), who added three new modules targeting vulnerable versions of Microsoft Exchange Server. The first bug, CVE-2021-26855, is a server-side request forgery (SSRF) that lets an unauthenticated attacker bypass authentication and impersonate an administrative user. Chaining it with CVE-2021-27065, a post-authentication arbitrary file write, gives code execution on a vulnerable target, so an unauthenticated attacker ends up able to run arbitrary commands as SYSTEM.
These vulnerabilities affect Exchange 2013 versions below 15.00.1497.012, Exchange 2016 CU18 below 15.01.2106.013, Exchange 2016 CU19 below 15.01.2176.009, Exchange 2019 CU7 below 15.02.0721.013, and Exchange 2019 CU8 below 15.02.0792.010.
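The version thresholds above are easy to misread by hand (the zero-padded form 15.01.2106.013 is the same build as 15.1.2106.13, and each CU line has its own patched revision). The following is an added example, not code from Metasploit or from the module authors, that classifies an Exchange build string against exactly the five lines listed in the text. It assumes a plain numeric comparison of the four dotted components; builds from CUs the text does not enumerate are reported as unknown rather than as safe.

```ruby
# Added example (not Metasploit code): classify an Exchange build number
# against the patched builds listed in the advisory text above.
#
# Exchange reports its build as major.minor.build.revision, e.g. 15.1.2106.13.
# The zero-padded forms in the text (15.01.2106.013) parse to the same integers.

# First patched build for each product line the text lists (assumption:
# a plain numeric comparison of the four components decides patched/vulnerable).
PATCHED_BUILDS = {
  'Exchange 2013'      => [15, 0, 1497, 12],
  'Exchange 2016 CU18' => [15, 1, 2106, 13],
  'Exchange 2016 CU19' => [15, 1, 2176, 9],
  'Exchange 2019 CU7'  => [15, 2, 721, 13],
  'Exchange 2019 CU8'  => [15, 2, 792, 10],
}.freeze

def parse_build(version)
  parts = version.to_s.strip.split('.')
  unless parts.length == 4 && parts.all? { |p| p.match?(/\A\d+\z/) }
    raise ArgumentError, "expected four dotted numeric components, got #{version.inspect}"
  end
  parts.map(&:to_i)
end

# Identify which listed line a build belongs to. Exchange 2013 is matched on
# major.minor only (the text covers every 2013 build); the CU-specific lines
# are matched on major.minor.build, since each CU has a distinct build number.
def product_line(build)
  PATCHED_BUILDS.each do |name, patched|
    prefix_len = name.include?('CU') ? 3 : 2
    return name if build[0, prefix_len] == patched[0, prefix_len]
  end
  nil
end

# Returns { line:, status: } where status is :vulnerable, :patched or :unknown.
# :unknown means the build is not one of the lines the advisory text enumerates
# (for example an older CU); such servers need a separate assessment rather than
# being silently reported as safe.
def assess_exchange_build(version)
  build = parse_build(version)
  line = product_line(build)
  return { line: nil, status: :unknown } if line.nil?

  status = (build <=> PATCHED_BUILDS[line]).negative? ? :vulnerable : :patched
  { line: line, status: status }
end

if __FILE__ == $PROGRAM_NAME
  %w[15.1.2106.12 15.01.2106.013 15.0.1395.4 15.2.792.10 15.1.2044.4].each do |v|
    puts "#{v.ljust(15)} #{assess_exchange_build(v).inspect}"
  end
end
```

The :unknown branch is the part worth keeping: a scanner that only knows the five listed lines must not report a CU17 or older server as patched just because it fails to match a vulnerable range.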
The Advantech iView module exploits an unauthenticated configuration change vulnerability combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM.
The exploit works by first changing the EXPORTPATH configuration value to a writable path in the webroot. An export function is then used to write JSP content into that path, which can be requested to trigger execution of an OS command within the context of the application. Once finished, the original configuration value is restored.
The FortiLogger module exploits an arbitrary file upload via an unauthenticated POST request to the "/Config/SaveUploadedHotspotLogoFile" upload path used for hotspot settings in FortiLogger 4.4.2.2.
FortiLogger is web-based logging and reporting software designed specifically for FortiGate firewalls and running on Windows. Its features include instant status tracking, logging, search and filtering, reporting, and hotspot management.
New Modules (7)
Microsoft Exchange ProxyLogon by GreyOrder, Orange Tsai, and mekhalleh (RAMELLA Sébastien), which adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in Microsoft's March out-of-band security updates:
- A scanner module that checks whether the target is vulnerable to the Server-Side Request Forgery (SSRF) identified as CVE-2021-26855.
- An auxiliary module that dumps the mailbox for a given email address, including emails, attachments and contact information. This module leverages the same SSRF vulnerability, CVE-2021-26855.
- An exploit module for unauthenticated remote code execution on Microsoft Exchange Server. It executes arbitrary commands as the SYSTEM user by chaining the same SSRF vulnerability (CVE-2021-26855) with the post-auth arbitrary file write identified as CVE-2021-27065.
VMware View Planner Unauthenticated Log File Upload RCE by wvu, Grant Willcox, and Mikhail Klyuchnikov, exploiting CVE-2021-21978, an arbitrary file upload vulnerability within VMWare View Planner Harness prior to 4.6 Security Patch 1.
Advantech iView Unauthenticated Remote Code Execution by wvu and Spencer McIntyre, which exploits CVE-2021-22652, allowing an unauthenticated user to make configuration changes on a remote Advantech iView server. The vulnerability can be leveraged to obtain remote code execution within the context of the server application (which runs as SYSTEM by default).
Enhancements and features
#14878 from jmartin-r7 The recently introduced Zeitwerk loader is now wrapped and retained in a more flexible way. Additionally, lib/msf_autoload.rb is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.
#14893 from archcloudlabs avast_memory_dump.rb has been updated with additional paths to check for the avdump.exe utility, which should help Metasploit users in cases where the tool is bundled with other Avast software besides the standard AV solution.
#14917 from pingport80 The search command has been updated with a -s flag that allows sorting results by rank, disclosure date, module name, module type, or whether the module implements a check method. Results are sorted in ascending order by default; users can show them in descending order by using the
#14879 from cgranleese-r7 The ssh_login_pubkey.rb module has been updated to support specifying the path to a private key via the KEY_PATH option, and to improve error handling in several places so that stack traces are avoided and error messages are more understandable.
#14896 from AlanFoster The apache_activemq_upload_jsp exploit has been updated so that it can successfully exploit vulnerable systems running Java 8. Additionally, module documentation has been added.
#14910 from friedrico filezilla_client_cred.rb has been updated so that it no longer treats a stored string as Base64 encoded merely because it looks like valid Base64. The new code checks that the value is explicitly marked as Base64 encoded before attempting to decode it.
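The fix described above is a general one: decide whether to decode a stored secret from its declared encoding, not from whether the bytes happen to decode. The following is an added example, not the Metasploit module's own code, that reads a constructed FileZilla sitemanager.xml in which one password is declared Base64 encoded and another is a legacy plain-text value that also happens to be valid Base64. The sample XML, host names and credentials are all invented for the example.

```ruby
require 'rexml/document'
require 'base64'

# Added example (not the Metasploit module's code): pull stored credentials out
# of a FileZilla sitemanager.xml and decode a password only when the <Pass>
# element itself declares it is Base64 encoded. Older FileZilla builds wrote the
# password in plain text with no encoding attribute; decoding such a value just
# because it happens to be valid Base64 corrupts it.

# Constructed sample: one site with an encoded password, one with a plain
# password that is also valid Base64 ("abcd") and must NOT be decoded, and one
# with no stored password at all.
SAMPLE_SITEMANAGER_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <FileZilla3 version="3.46.3" platform="*nix">
    <Servers>
      <Server>
        <Host>ftp.example.test</Host>
        <Port>21</Port>
        <User>alice</User>
        <Pass encoding="base64">c2VjcmV0</Pass>
        <Name>Site A</Name>
      </Server>
      <Server>
        <Host>sftp.example.test</Host>
        <Port>22</Port>
        <User>bob</User>
        <Pass>abcd</Pass>
        <Name>Site B</Name>
      </Server>
      <Server>
        <Host>ftp.keyauth.test</Host>
        <Port>21</Port>
        <User>carol</User>
        <Name>Site C (no stored password)</Name>
      </Server>
    </Servers>
  </FileZilla3>
XML

# Decode according to the element's own declaration rather than by guessing
# from the string's shape. Unknown encodings are reported, and undecodable
# Base64 raises instead of being silently mangled.
def decode_pass(pass_element)
  return nil if pass_element.nil?

  raw = pass_element.text.to_s
  case pass_element.attributes['encoding']
  when nil, ''
    raw                               # legacy plain-text storage, keep verbatim
  when 'base64'
    Base64.strict_decode64(raw)       # raises ArgumentError on invalid input
  else
    "<unsupported encoding #{pass_element.attributes['encoding']}>"
  end
end

def extract_filezilla_credentials(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '//Server').map do |server|
    {
      host: server.elements['Host']&.text,
      port: server.elements['Port']&.text&.to_i,
      user: server.elements['User']&.text,
      pass: decode_pass(server.elements['Pass'])
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  extract_filezilla_credentials(SAMPLE_SITEMANAGER_XML).each { |c| puts c.inspect }
end
```

Site B is the regression the update guards against: "abcd" decodes cleanly to three garbage bytes, so a shape-based check would have reported a wrong password without any error.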
#14912 from bcoles The netgear_r6700_pass_reset.rb module has been updated to fix a typo that could occasionally cause the check method to fail, and to fix a stack trace caused by calling a method on a
#14934 from timwr A bug has been addressed whereby the download command in Meterpreter, if run on a directory whose name contained UTF-8 characters, would result in an error. This has been resolved by enforcing the correct encoding.
#14941 from dwelch-r7 The smb_relay module has been updated to force the use of Rex::Proto::SMB::Client, which fixes several issues that were being encountered due to the module accidentally using
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from:
- Pull Requests 6.0.36...6.0.37
- Full diff 6.0.36...6.0.37
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.