Two new Active Directory attacks
This week we added a pair of new post-exploitation modules from community contributor timb-machine. Both modules target UNIX machines running SSSD or One Identity's Vintela Authentication Services (VAS) as Active Directory integration solutions. The new UNIX Gather Cached AD Hashes module can be used on a UNIX target to obtain all cached Active Directory hashes, which can then be cracked using John the Ripper. The second module is UNIX Gather Kerberos Tickets, which as the name suggests, can similarly be used on a vulnerable target to obtain cached Kerberos tickets.
Focusing on Micro Focus
Thanks to pedrib for two new pull requests related to Micro Focus Operations Bridge Manager and Bridge Reporter. Pedrib contributed a new Micro Focus Operations Bridge Reporter Unauthenticated Command Injection module, which exploits an unauthenticated command injection vulnerability on Linux, versions 10.40 and below (CVE-2021-22502). Pedrib also updated the existing Micro Focus Operations Bridge Manager Local Privilege Escalation module to also support Operations Bridge Reporter.
Congratulations to pingport80, who snagged PR #15,000! This enhancement replaces existing command usages with `command -v`, a more portable solution that works consistently across different shells.
New Module Content (6)
- GravCMS Remote Command Execution by Mehmet Ince, which exploits CVE-2021-21425 - This adds a new remote exploit module that leverages an unauthenticated arbitrary YAML write/update vulnerability to get remote code execution in the context of the web server user. This vulnerability has been fixed in admin component version 1.10.10, which was released with GravCMS version 1.7.9.
- Micro Focus Operations Bridge Reporter Unauthenticated Command Injection by Pedro Ribeiro, which exploits CVE-2021-22502. This is an unauthenticated OS command injection vulnerability in the Micro Focus Operations Bridge Reporter.
- IGEL OS Secure VNC/Terminal Command Injection RCE by James Brytan, James Smith, Marisa Mack, Rob Vinson, Sergey Pashevkin, and Steven Laura - This adds a new module that exploits an unauthenticated command injection vulnerability in the Secure Terminal and Secure Shadow services in various versions of IGEL OS.
- Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE by Bruno Keith (bkth_), Grant Willcox (tekwizz123), Niklas Baumstark (_niklasb), and Rajvardhan Agarwal (r4j0x00), which exploits CVE-2021-21220 - This adds an exploit module for a Chrome V8 XOR typer OOB Access RCE that was found in the 2021 Pwn2Own competition by Dataflow Security's Niklas Baumstark (@niklasb) and Bruno Keith (@bkth). Note that this module will require you to run Chrome without the sandbox enabled, as it does not come with a sandbox escape.
- UNIX Gather Cached AD Hashes by Tim Brown - Retrieves cached Active Directory credentials from two different solutions on UNIX (SSSD and VAS).
- UNIX Gather Kerberos Tickets by Tim Brown - Retrieves cached Kerberos tickets from two different solutions on UNIX (SSSD and VAS).
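The two UNIX gather modules above only find something when SSSD has been told to keep an offline copy of AD credentials. As an added defender-side example (not part of the wrap-up or of the modules themselves), the script below audits an sssd.conf for that exposure. It assumes the standard SSSD options `cache_credentials` (per domain section) and `offline_credentials_expiration` (in `[pam]`, where 0 means the cache never expires); the sample configuration is constructed for the demonstration.

```python
import configparser

# Constructed sample sssd.conf for this demonstration (not from any real host).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = corp.example, lab.example
services = nss, pam

[domain/corp.example]
id_provider = ad
auth_provider = ad
cache_credentials = True

[domain/lab.example]
id_provider = ad
auth_provider = ad
cache_credentials = false

[pam]
offline_credentials_expiration = 0
"""

def parse_sssd_conf(text):
    """Parse sssd.conf (INI syntax); SSSD option names are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def caching_domains(text):
    """Return the domains whose [domain/...] section enables cache_credentials."""
    cp = parse_sssd_conf(text)
    result = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        flag = cp.get(section, "cache_credentials", fallback="false")
        if flag.strip().lower() in ("true", "yes", "1"):
            result.append(section.split("/", 1)[1])
    return result

def audit_findings(text):
    """List the domains that keep a credential cache and whether it ever expires."""
    cp = parse_sssd_conf(text)
    domains = caching_domains(text)
    findings = [f"{d}: cached AD credentials kept on disk" for d in domains]
    # offline_credentials_expiration is in days; 0 means no expiry at all.
    days = cp.get("pam", "offline_credentials_expiration", fallback="0").strip()
    if domains and days == "0":
        findings.append("pam: offline_credentials_expiration = 0 (cache never expires)")
    return findings

if __name__ == "__main__":
    for line in audit_findings(SAMPLE_SSSD_CONF):
        print(line)
```

Point it at a real `/etc/sssd/sssd.conf` (root-readable) to see which domains would yield material to these modules; switching `cache_credentials` off, or setting an expiry, removes or limits the cache.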
Enhancements and features
- #14831 from agalway-r7 - Updates the HttpClient mixin with a new cookie jar implementation which correctly updates and merges `Set-Cookie` header responses when using the
- #15000 from pingport80 - Replaces existing command usages with `command -v`, giving us a more portable solution
- #15087 from pedrib - The `exploit/windows/local/microfocus_operations_privesc` module now supports both vulnerable Operations Bridge Manager installations and vulnerable Operations Bridge Reporter installations, with the new additional target being Operations Bridge Reporter.
- #15096 from pingport80 - This adds shell session support to the `post/windows/gather/checkvm` module. This also notably adds cross-platform support for getting a list of running processes using shell and Meterpreter sessions.
- #15136 from pedrib - Update the `exploit/multi/http/microfocus_ucmdb_unauth_deser` module default Linux payload from
- #15138 from h00die - This enhances the `auxiliary/scanner/http/dell_idrac` module by cleaning up the code, adding the `create_credential_login` to prevent a crash, and adding documentation for the module.
- #15111 from timwr - This fixes an issue in how some Meterpreter session types would inconsistently run commands issued through
- #15116 from jmartin-r7 - This fixes a bug that would occur when importing newer Acunetix reports into the database due to a change in how the timestamp is formatted.
- #15120 from pedrib - Fixes a regression within `tools/modules/module_author.rb` so that it runs without crashing
- #15140 from wvu-r7 - `msftidy_docs.rb` now doesn't double warn on optional (and missing)
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).