Two new Active Directory attacks

This week we added a pair of new post-exploitation modules from community contributor timb-machine. Both modules target UNIX machines running SSSD or One Identity's Vintela Authentication Services (VAS) as Active Directory integration solutions. The new UNIX Gather Cached AD Hashes module can be used on a UNIX target to obtain all cached Active Directory hashes, which can then be cracked using John the Ripper. The second module is UNIX Gather Kerberos Tickets, which as the name suggests, can similarly be used on a vulnerable target to obtain cached Kerberos tickets.

Focusing on Micro Focus

Thanks to pedrib for two new pull requests related to Micro Focus Operations Bridge Manager and Bridge Reporter. Pedrib contributed a new Micro Focus Operations Bridge Reporter Unauthenticated Command Injection module, which exploits an unauthenticated command injection vulnerability on Linux, versions 10.40 and below (CVE-2021-22502). Pedrib also updated the existing Micro Focus Operations Bridge Manager Local Privilege Escalation module to also support Operations Bridge Reporter.

PR #15000!

Congratulations to pingport80, who snagged PR #15,000! This enhancement replaces existing usages of which in Msf::Sessions::CommandShell.binary_exists with command -v — a more portable solution that works consistently across different shells.

New Module Content (6)

  • GravCMS Remote Command Execution by Mehmet Ince, which exploits CVE-2021-21425 - This adds a new remote exploit module that leverages unauthenticated arbitrary YAML write/update vulnerability to get remote code execution under the context of the web server user. This vulnerability has been fixed in the admin component version 1.10.10, which was released with GravCMS version 1.7.9.
  • Micro Focus Operations Bridge Reporter Unauthenticated Command Injection by Pedro Ribeiro, which exploits CVE-2021-22502. This is an unauthenticated OS command injection vulnerability in the Micro Focus Operations Bridge Reporter.
  • IGEL OS Secure VNC/Terminal Command Injection RCE by James Brytan, James Smith, Marisa Mack, Rob Vinson, Sergey Pashevkin, and Steven Laura - This adds a new module that exploits an unauthenticated command injection vulnerability in the Secure Terminal and Secure Shadow services in various versions of IGEL OS.
  • Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE by Bruno Keith (bkth_), Grant Willcox (tekwizz123), Niklas Baumstark (_niklasb), and Rajvardhan Agarwal (r4j0x00), which exploits CVE-2021-21220 - This adds an exploit module for a Chrome V8 XOR typer OOB Access RCE that was found in the 2021 Pwn2Own competition by Dataflow Security's Niklas Baumstark (@niklasb) and Bruno Keith (@bkth).
    Note that this module will require you to run Chrome without the sandbox enabled as it does not come with a sandbox escape.
  • UNIX Gather Cached AD Hashes by Tim Brown - Retrieves cached Active Directory credentials from two different solutions on UNIX (SSSD and VAS).
  • UNIX Gather Kerberos Tickets by Tim Brown - Retrieves cached Kerberos tickets from two different solutions on UNIX (SSSD and VAS).

Enhancements and features

  • #14831 from agalway-r7 - Updates the HttpClient mixin with a new cookie jar implementation which correctly updates and merges the Set-Cookie header responses when using the send_request_cgi keep_cookies option
  • #15000 from pingport80 - Replaces the use of the which command with command -v giving us a more portable solution
  • #15087 from pedrib - The exploit/windows/local/microfocus_operations_privesc module now supports both vulnerable Operations Bridge Manager installations and vulnerable Operations Bridge Reporter installations, with the new additional target being Operations Bridge Reporter.
  • #15096 from pingport80 - This adds shell session support to the post/windows/gather/checkvm module. This also notably adds cross-platform support for getting a list of running processes using shell and Meterpreter sessions.
  • #15136 from pedrib - Update the exploit/multi/http/microfocus_ucmdb_unauth_deser module default Linux payload from cmd/unix/generic to cmd/unix/reverse_python.
  • #15138 from h00die - This enhances the auxiliary/scanner/http/dell_idrac module by cleaning up the code, adding the last_attempted_at field to create_credential_login to prevent a crash, and adding documentation for the module.

Bugs Fixed

  • #15111 from timwr - This fixes an issue in how some Meterpreter session types would inconsistently run commands issued through sessions -c.
  • #15116 from jmartin-r7 - This fixes a bug that would occur when importing newer Acunetix reports into the database due to a change in how the timestamp is formatted.
  • #15120 from pedrib - Fixes a regression within tools/modules/module_author.rb so that it runs without crashing
  • #15140 from wvu-r7 - msftidy_docs.rb now doesn't double warn on optional (and missing) Options headers.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).