Last updated at Fri, 26 Mar 2021 17:36:13 GMT
More Microsoft news this week!
Firstly, a big thank you to community contributors GreyOrder, Orange Tsai, and mekhalleh (RAMELLA Sébastien), who added three new modules that allow an attacker to bypass authentication and impersonate an administrative user (CVE-2021-26855) on vulnerable versions of Microsoft Exchange Server. By chaining this bug with a post-auth arbitrary-file-write vulnerability (CVE-2021-27065), code execution can be achieved on a vulnerable target, allowing an unauthenticated attacker to execute arbitrary commands.
This vulnerability affects Exchange 2013 versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, and Exchange 2019 CU8 < 15.02.0792.010.
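As an added example (not code from this wrap-up or from the Metasploit modules it describes), the following Ruby snippet turns the fixed-build thresholds listed above into a check a defender can run against the build string an Exchange server reports. The thresholds and CU labels are the ones quoted above; the helper names, the status symbols and the sample inventory are my own.

```ruby
# Added example: classify an Exchange Server build string against the fixed
# builds quoted in the wrap-up above. Build strings are the dotted form
# Exchange reports, e.g. "15.01.2106.010".

# Exchange 2016 / 2019: fixed revision per (minor, build) pair, i.e. per CU.
# Exchange 2013 is handled as a single branch-wide threshold below.
FIXED_REVISIONS = {
  [1, 2106] => { fixed_rev: 13, label: 'Exchange 2016 CU18' },
  [1, 2176] => { fixed_rev: 9,  label: 'Exchange 2016 CU19' },
  [2, 721]  => { fixed_rev: 13, label: 'Exchange 2019 CU7' },
  [2, 792]  => { fixed_rev: 10, label: 'Exchange 2019 CU8' },
}.freeze

# The wrap-up gives one threshold for all of Exchange 2013.
EXCHANGE_2013_FIXED = [15, 0, 1497, 12].freeze

# "15.01.2106.010" -> [15, 1, 2106, 10]; leading zeros are not significant.
def parse_build(str)
  parts = str.to_s.strip.split('.')
  unless parts.size == 4 && parts.all? { |p| p.match?(/\A\d+\z/) }
    raise ArgumentError, "expected four numeric components, got #{str.inspect}"
  end
  parts.map(&:to_i)
end

# Returns :vulnerable, :patched, :unlisted_cu (a CU the wrap-up gives no
# threshold for, so it needs a manual check) or :not_exchange_15.
def proxylogon_status(build_str)
  version = parse_build(build_str)
  major, minor, build, rev = version
  return :not_exchange_15 unless major == 15

  if minor == 0
    return (version <=> EXCHANGE_2013_FIXED) < 0 ? :vulnerable : :patched
  end

  entry = FIXED_REVISIONS[[minor, build]]
  return :unlisted_cu unless entry
  rev < entry[:fixed_rev] ? :vulnerable : :patched
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  { 'mx01' => '15.01.2106.010', 'mx02' => '15.02.0792.010',
    'mx03' => '15.00.1395.004', 'mx04' => '15.01.2044.004' }.each do |host, build|
    puts format('%-6s %-16s %s', host, build, proxylogon_status(build))
  end
end
```

A build from a CU that the post does not list comes back as `:unlisted_cu` rather than `:patched`, so an inventory run never reports a server as safe on the strength of a threshold the post never stated.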
Great work by our very own wvu-r7 and zeroSteiner, who added a new exploit module for CVE-2021-22652.
This module exploits an unauthenticated configuration change vulnerability combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM.
The exploit functions by first modifying the `EXPORTPATH` to be a writable path in the webroot. An export function is then leveraged to write JSP content into the previously configured path, which can then be requested to trigger the execution of an OS command within the context of the application. Once completed, the original configuration value is restored.
Nice work by community contributor erberkan, who added an exploit module for CVE-2021-3378.
This module exploits an arbitrary file upload via an unauthenticated POST request to the "/Config/SaveUploadedHotspotLogoFile" upload path for hotspot settings of FortiLogger 220.127.116.11.
FortiLogger is a web-based logging and reporting software designed specifically for FortiGate firewalls, running on Windows operating systems. It contains features such as instant status tracking, logging, search / filtering, reporting and hotspot.
New Modules (7)
Microsoft Exchange ProxyLogon by GreyOrder, Orange Tsai, and mekhalleh (RAMELLA Sébastien), which adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in March out-of-band security updates:
- A scanner module that checks if the target is vulnerable to a Server-Side Request Forgery (SSRF) identified as CVE-2021-26855.
- An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. This module leverages the same SSRF vulnerability identified as CVE-2021-26855.
- An exploit module that exploits an unauthenticated Remote Code Execution on Microsoft Exchange Server. This allows execution of arbitrary commands as the SYSTEM user, leveraging the same SSRF vulnerability identified as CVE-2021-26855 and also a post-auth arbitrary-file-write vulnerability identified as CVE-2021-27065.
VMware View Planner Unauthenticated Log File Upload RCE by wvu, Grant Willcox, and Mikhail Klyuchnikov, exploiting CVE-2021-21978, an arbitrary file upload vulnerability within VMware View Planner Harness prior to 4.6 Security Patch 1.
Advantech iView Unauthenticated Remote Code Execution by wvu and Spencer McIntyre, which exploits CVE-2021-22652, allowing an unauthenticated user to make configuration changes on a remote Advantech iView server. The vulnerability can be leveraged to obtain remote code execution within the context of the server application (which runs as SYSTEM by default).
FortiLogger Arbitrary File Upload Exploit by Berkan Er, which exploits CVE-2021-3378, an unauthenticated arbitrary file upload vulnerability in FortiLogger 18.104.22.168.
Win32k ConsoleControl Offset Confusion by BITTER APT, JinQuan, KaLendsi, LiHao, MaDongZe, Spencer McIntyre, and TuXiaoYi, which exploits CVE-2021-1732, an LPE vulnerability in win32k.
Enhancements and features
#14878 from jmartin-r7 The recently introduced Zeitwerk loader is now wrapped and retained in a more flexible way. Additionally, `lib/msf_autoload.rb` is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.
#14893 from archcloudlabs `avast_memory_dump.rb` has been updated with additional paths to check for the `avdump.exe` utility, which should help Metasploit users in cases where the tool is bundled with other Avast software besides the standard AV solution.
#14917 from pingport80 The `search` command has been updated to add the `-s` flag, which allows one to order results by rank, disclosure date, module name, module type, or whether the module implements a check method. The results are ordered in ascending order; however, users can show the results in descending order by using the
#14927 from pingport80 The Ruby scripts under `tools/exploits/*` have been rewritten so that they capture signals and handle them gracefully instead of printing a stack trace.
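The pattern behind that change, as an added Ruby example (not one of the `tools/exploits` scripts themselves; the helper names and the simulated work are my own): a long-running task is wrapped so that Ctrl-C and SIGTERM end it with a short message and a status value instead of an unhandled-exception stack trace.

```ruby
# Added example (not Metasploit code): wrap a long-running task so that
# Ctrl-C (SIGINT) and SIGTERM end it cleanly instead of with a stack trace.

# Runs the block; returns :completed, or :interrupted if a signal cut it short.
def run_gracefully(label = 'task')
  # Ruby already turns SIGINT into an Interrupt exception on the main thread;
  # route SIGTERM down the same path so one rescue clause covers both.
  previous = Signal.trap('TERM') { raise Interrupt }
  yield
  :completed
rescue Interrupt
  warn "[*] #{label} interrupted, exiting cleanly"
  :interrupted
ensure
  # Put the previous TERM handler back so callers are not affected.
  Signal.trap('TERM', previous || 'DEFAULT')
end

# Conventional exit status for a signal-terminated process is 128 + signal
# number; 130 is the usual value for SIGINT.
def exit_status_for(result)
  result == :completed ? 0 : 130
end

if __FILE__ == $PROGRAM_NAME
  result = run_gracefully('demo sweep') do
    # Simulated work: a helper thread sends this process a TERM after a
    # moment, which interrupts the sleep below and takes the rescue path.
    Thread.new { sleep 0.2; Process.kill('TERM', Process.pid) }
    sleep 5
  end
  puts "result: #{result}, would exit with status #{exit_status_for(result)}"
end
```

The `ensure` clause matters in a script that is `require`d or embedded elsewhere: without it the custom TERM handler would outlive the call and change how the rest of the process reacts to the signal.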
#14938 from adfoster-r7 The `time` command has been added to `msfconsole` to allow developers to time how long certain commands take to execute.
#14430 from cn-kali-team Provides feedback to the user when attempting to use UUID tracking without a DB connection.
#14815 from cgranleese-r7 Replaces deprecated uses of `::Rex::Socket.gethostbyname` in favor of the newer `::Rex::Socket.getaddress` functionality in preparation for Ruby 3 support.
#14844 from dwelch-r7 This moves the `on_session_open` event to after the session has been bootstrapped, which is necessary to expose some functionality required by plugins such as `auto_add_route`.
#14879 from cgranleese-r7 The `ssh_login_pubkey.rb` module has been updated to support specifying the path to a private key via the `KEY_PATH` option, and to improve error handling in several places to reduce stack traces and make error messages more understandable.
#14896 from AlanFoster The `apache_activemq_upload_jsp` exploit has been updated so that it can successfully exploit vulnerable systems running Java 8. Additionally, module documentation has been added.
#14910 from friedrico `filezilla_client_cred.rb` has been updated to prevent it from falsely identifying strings as being Base64 encoded when they are not. The new code now checks that the string is marked as being Base64 encoded before attempting to decode it.
#14912 from bcoles The `netgear_r6700_pass_reset.rb` module has been updated to fix a typo that could occasionally cause the `check` function to fail, and to fix a stack trace caused by calling a method on a
#14930 from adfoster-r7 This fixes a bug where the highlighting in msfconsole's `search` command would break when the search term was one of certain single-letter queries.
#14934 from timwr A bug has been addressed whereby the `download` command in Meterpreter, if run on a directory containing UTF-8 characters, would result in an error. This has been resolved by enforcing the correct encoding.
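The failure mode behind that fix, as an added Ruby example that is not Meterpreter's own download code: a filename read off the wire as raw bytes is tagged ASCII-8BIT by Ruby, and combining it with a UTF-8 local path that also contains non-ASCII characters raises `Encoding::CompatibilityError`. The sample filename and directory are constructed; the helper names are my own.

```ruby
# Added example (not Meterpreter code): a remote filename arriving as raw
# bytes is ASCII-8BIT (binary) in Ruby. Joining it with a UTF-8 local path
# that also contains non-ASCII characters raises Encoding::CompatibilityError;
# forcing the encoding the remote side actually used fixes it.

# Constructed stand-in for a directory entry read off the wire: "été.txt".
REMOTE_NAME_BYTES = "\xC3\xA9t\xC3\xA9.txt".b.freeze   # encoding: ASCII-8BIT

# Naive version: the encodings clash as soon as both sides are non-ASCII.
def local_path_naive(remote_name, local_dir)
  local_dir + '/' + remote_name
end

# Fixed version: reinterpret the bytes as UTF-8, validate them, then build
# the path from two UTF-8 strings.
def local_path_fixed(remote_name, local_dir)
  name = remote_name.dup.force_encoding(Encoding::UTF_8)
  raise ArgumentError, 'remote filename is not valid UTF-8' unless name.valid_encoding?
  File.join(local_dir, name)
end

if __FILE__ == $PROGRAM_NAME
  begin
    local_path_naive(REMOTE_NAME_BYTES, 'données')
  rescue Encoding::CompatibilityError => e
    puts "naive join failed: #{e.message}"
  end
  puts "fixed join: #{local_path_fixed(REMOTE_NAME_BYTES, 'données')}"
end
```

The `valid_encoding?` check is what keeps `force_encoding` honest: it only relabels bytes, so a remote side that sends something other than UTF-8 should be reported rather than silently written to a garbled local path.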
#14941 from dwelch-r7 The `smb_relay` module has been updated to force the use of `Rex::Proto::SMB::Client`, which fixes several issues that were being encountered due to the module accidentally using
As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from:
- Pull Requests 6.0.36...6.0.37
- Full diff 6.0.36...6.0.37
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).