ProxyLogon

More Microsoft news this week!

Firstly, a big thank you to community contributors GreyOrder, Orange Tsai, and mekhalleh (RAMELLA Sébastien), who added three new modules that allow an attacker to bypass authentication and impersonate an administrative user (CVE-2021-26855) on vulnerable versions of Microsoft Exchange Server. By chaining this bug with another post-auth arbitrary-file-write vulnerability, code execution can be achieved on a vulnerable target (CVE-2021-27065), allwoing an unauthenticated attacker to execute arbitrary commands.

This vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010)

Advantech iView

Great work by our very own wvu-r7 and zeroSteiner, who added a new exploit module for CVE-2021-22652.

This module exploits an unauthenticated configuration change vulnerability combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM.

The exploit functions by first modifying the EXPORTPATH to be a writable path in the webroot. An export function is then leveraged to write JSP content into the previously configured path, which can then be requested to trigger the execution of an OS command within the context of the application. Once completed, the original configuration value is restored.

FortiLogger

Nice work by community contributor erberkan, who added an exploit module for CVE-2021-3378.

This module exploits an arbitrary file upload via an unauthenticated POST request to the "/Config/SaveUploadedHotspotLogoFile" upload path for hotspot settings of FortiLogger 4.4.2.2.

FortiLogger is a web-based logging and reporting software designed specifically for FortiGate firewalls, running on Windows operating systems. It contains features such as instant status tracking, logging, search / filtering, reporting and hotspot.

New Modules (7)

  • Microsoft Exchange ProxyLogon by GreyOrder, Orange Tsai, and mekhalleh (RAMELLA Sébastien), which adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in March out-of-band security updates:

    • A scanner module that checks if the target is vulnerable to a Server-Side Request Forgery (SSRF) identified as CVE-2021-26855.
    • An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. This module leverages the same SSRF vulnerability identified as CVE-2021-26855.
    • An exploit module that exploits an unauthenticated Remote Code Execution on Microsoft Exchange Server. This allows execution of arbitrary commands as the SYSTEM user, leveraging the same SSRF vulnerability identified as CVE-2021-26855 and also a post-auth arbitrary-file-write vulnerability identified as CVE-2021-27065.
  • VMware View Planner Unauthenticated Log File Upload RCE by wvu, Grant Willcox, and Mikhail Klyuchnikov, exploiting CVE-2021-21978, an arbitrary file upload vulnerability within VMWare View Planner Harness prior to 4.6 Security Patch 1.

  • Advantech iView Unauthenticated Remote Code Execution by wvu and Spencer McIntyre, which exploits CVE-2021-22652, allowing an unauthenticated user to make configuration changes on a remote Advantech iView server. The vulnerability can be leveraged to obtain remote code execution within the context of the server application (which runs as SYSTEM by default).

  • FortiLogger Arbitrary File Upload Exploit by Berkan Er, which exploits CVE-2021-3378, an unauthenticated arbitrary file upload vulnerability in FortiLogger 4.4.2.2.

  • Win32k ConsoleControl Offset Confusion by BITTER APT, JinQuan, KaLendsi, LiHao, MaDongZe, Spencer McIntyre, and TuXiaoYi, which exploits CVE-2021-1732, an LPE vulnerability in win32k.

Enhancements and features

  • #14878 from jmartin-r7 The recently introduced Zeitwerk loader is now wrapped and retained in a more flexible way. Additionally lib/msf_autoload.rb is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.

  • #14893 from archcloudlabs avast_memory_dump.rb has been updated with additional paths to check for the avdump.exe utility, which should help Metasploit users in cases where the tool is bundled in with other Avast software besides the standard AV solution.

  • #14917 from pingport80 The search command has been updated to add in the -s and -r flags. The -s flag allows one to search by rank, disclosure date, module name, module type, or if the module implements a check method or not. The results will be ordered in ascending order, however users can show the results in descending order by using the -r flag.

  • #14927 from pingport80 The Ruby scripts under tools/exploits/* have been rewritten so that they capture signals and handle them gracefully instead of stack tracing.

  • #14938 from adfoster-r7 The time command has been added to msfconsole to allow developers to time how long certain commands take to execute.

Bugs Fixed

  • #14430 from cn-kali-team Provides feedback to the user when attempting to use UUID tracking without a DB connection.

  • #14815 from cgranleese-r7 Replaces deprecated uses of ::Rex:Socket.gethostbyname in favor of the newer ::Rex::Socket.getaddress functionality in preparation of Ruby 3 support.

  • #14844 from dwelch-r7 This moves the on_session_open event until after the session has been bootstrapped which is necessary to expose some functionality required by plugins such as auto_add_route.

  • #14879 from cgranleese-r7 The ssh_login_pubkey.rb module has been updated to support specifying the path to a private key for the KEY_PATH option, and to improve error handling in several places to reduce stack traces and make error messages are more understandable.

  • #14896 from AlanFoster The apache_activemq_upload_jsp exploit has been updated so that it can successfully exploit vulnerable systems running Java 8. Additionally, module documentation has been added.

  • #14910 from friedrico filezilla_client_cred.rb has been updated to prevent it from falsely identifying strings as being Base64 encoded when they are not. The new code now checks that the string is marked as being Base64 encoded before attempting to decode it.

  • #14912 from bcoles The netgear_r6700_pass_reset.rb module has been updated to fix a typo that could occasionally cause the check function to fail, and to fix a stack trace caused by calling a method on a nil object.

  • #14930 from adfoster-r7 This fixes a bug where the highlighting in msfconsole's search command would break when the search term was certain single letter queries.

  • #14934 from timwr A bug has been addressed whereby the download command in Meterpreter, if run on a directory containing UTF-8 characters, would result in an error. This has been resolved by enforcing the correct encoding.

  • #14941 from dwelch-r7 The smb_relay module has been updated to force the use of Rex::Proto::SMB::Client, which fixes several issues that were being encountered due to the module accidentally using ruby_smb vs Rex::Proto::SMB::Client.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from

GitHub:

To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).