Stopped at the gate?


A fun new module from timwr, taking advantage of a technique reported by Cedric Owens, is reminding everyone that if there is no fence, a gate will not deter us. The new module provides a quick wrapper for payloads that bypasses the download-origination and authorization requirements known as Gatekeeper in macOS 10.15+, simply sidestepping the gate when a user opens their gift.

Cookies are tastier if you pilfer them from the jar.

Recent updates to how modules interact with cookies got a little more love baked in. This week agalway-r7 clarified the recipe a bit with documentation on various methods in the new API, and adfoster-r7 came around and swept up any crumbs modules might leave behind.

New Module Content (2)

  • macOS Gatekeeper check bypass by Cedric Owens and timwr, which exploits CVE-2021-30657 - This adds the exploit/osx/browser/osx_gatekeeper_bypass module, which exploits a vulnerability in macOS versions 10.15 to 11.3 inclusive. The module generates an app that is missing an Info.plist file. When the app is downloaded and opened by a user, the code-signing and notarization checks normally applied to downloaded files are bypassed, granting code execution on the target.
  • ExifTool DjVu ANT Perl injection by Justin Steven and William Bowling, which exploits CVE-2021-22204 - A new module has been added for CVE-2021-22204, an arbitrary Perl injection vulnerability in the DjVu module of ExifTool 7.44 to 12.23 that allows RCE when a malicious file containing a crafted DjVu ANT (annotation) section is parsed.

Enhancements and features

  • #15054 from dwelch-r7 - Updates msfdb to work on additional platforms: specifically Ubuntu, through pg_ctlcluster, as well as existing or remote databases via the new --connection-string option. This option can also be used to interact with Docker PostgreSQL containers.
  • #15125 from 1itt1eB0y - The session_notifier.rb plugin has been updated to support Gotify, allowing users to be notified of new sessions via Gotify notifications.
  • #15158 from adfoster-r7 - Adds tests for the auth brute mixin.
  • #15165 from agalway-r7 - Adds documentation for the new cookie jar implementation, which is available to HTTP-based modules.
  • #15175 from whokilleddb - The rejetto_hfs_exec module has been updated to replace calls to the deprecated URI.encode function with calls to the URI::encode_www_form_component function. This prevents users from being shown deprecation warnings when running the module.
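The two functions mentioned in the #15175 item are not drop-in equivalents, which is worth knowing before making the same swap in your own module: URI.encode (an alias of URI.escape, warned about in Ruby 2.7 and removed in Ruby 3.0) percent-encoded only characters unsafe in a URI and left "/" and "?" alone, while URI.encode_www_form_component encodes a form field, turning a space into "+" and escaping every reserved character. The following is an added example, not code from Metasploit or from the #15175 change, showing both behaviours side by side; the sample string is constructed for illustration.

```ruby
require 'uri'

# Encodes a single query-string value the way a browser form submission
# would (application/x-www-form-urlencoded): a space becomes "+", and
# reserved characters such as "/", "?", "&" and "=" become %XX escapes.
# This is the replacement the module switched to.
def form_encode(value)
  URI.encode_www_form_component(value)
end

# Builds a whole query string from a hash, form-encoding each key and value.
def build_query(params)
  URI.encode_www_form(params)
end

# Percent-encodes a URL path the way the removed URI.encode/URI.escape did:
# only characters unsafe in a URI are escaped, so "/" and "?" survive and a
# space becomes "%20". URI::RFC2396_Parser#escape is the supported way to
# get that older behaviour when a path (not a form field) is being built.
def path_encode(path)
  URI::RFC2396_Parser.new.escape(path)
end

# Reports whether this Ruby still exposes the deprecated URI.encode at all
# (true on Ruby <= 2.7, false on Ruby 3.0 and later).
def legacy_uri_encode_available?
  URI.respond_to?(:encode)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample containing a space and several reserved characters.
  sample = 'search term/with?reserved&chars'
  puts "form component: #{form_encode(sample)}"
  puts "path:           #{path_encode(sample)}"
  puts "query string:   #{build_query('q' => sample, 'page' => 2)}"
  puts "URI.encode present: #{legacy_uri_encode_available?}"
end
```

The practical rule the example illustrates: use the form-component encoder for values that end up in a query string or POST body, and a path escaper for path segments, because a "/" that is meant to separate directories must not become "%2F".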

Bugs Fixed

  • #15149 from adfoster-r7 - Fixes an edge case where cookies left over from one module run could impact the next module run.
  • #15171 from timwr - The lib/msf/core/post/common.rb and lib/msf/ui/console/command_dispatcher/core.rb libraries have been updated to properly support passing timeouts to session.sys.process.capture_output(), allowing users to specify timeouts when executing commands on sessions. Previously these options would be ignored and a default timeout of 15 seconds would be used instead.
  • #15179 from dwelch-r7 - The swagger-blocks dependency has been marked as a default dependency for all installs, preventing cases where if a user did not install the development and tests groups, they would be unable to start the web service.
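The cookie jar work described under "Cookies are tastier if you pilfer them from the jar", #15165 and the #15149 fix share one underlying concern: a jar that persists across module runs will silently replay a session cookie obtained against one target into the next run's requests. The following is an added example, not Metasploit's cookie jar implementation and not its API, showing a minimal jar that stores Set-Cookie headers, applies domain, path and Secure matching when building the Cookie header, and exposes a clear method so each run starts empty; the host names and cookie values are constructed for illustration.

```ruby
require 'uri'

# Minimal cookie jar: stores cookies parsed from Set-Cookie headers and
# returns the ones that apply to a given request URL. Illustrative only,
# not the framework's own class.
class CookieJar
  Cookie = Struct.new(:name, :value, :domain, :path, :secure)

  def initialize
    @cookies = []
  end

  # Parses one Set-Cookie header value received in a response from +origin+ (a URI).
  def store(set_cookie_header, origin)
    parts = set_cookie_header.split(';').map(&:strip)
    name, value = parts.shift.split('=', 2)
    attrs = {}
    secure = false
    parts.each do |attr|
      k, v = attr.split('=', 2)
      k = k.downcase
      k == 'secure' ? secure = true : attrs[k] = v
    end
    domain = (attrs['domain'] || origin.host).sub(/\A\./, '').downcase
    path = attrs['path'] || default_path(origin.path)
    # A cookie with the same name, domain and path replaces the old one.
    @cookies.reject! { |c| c.name == name && c.domain == domain && c.path == path }
    @cookies << Cookie.new(name, value, domain, path, secure)
  end

  # Returns the Cookie header value for a request to +url+, or nil if none apply.
  def cookie_header_for(url)
    url = URI(url) unless url.is_a?(URI)
    matching = @cookies.select { |c| applies?(c, url) }
    return nil if matching.empty?
    matching.map { |c| "#{c.name}=#{c.value}" }.join('; ')
  end

  def size
    @cookies.size
  end

  # Drops every stored cookie; call this at the start of each module run.
  def clear
    @cookies.clear
  end

  private

  def applies?(cookie, url)
    host = url.host.downcase
    request_path = url.path.empty? ? '/' : url.path
    domain_ok = host == cookie.domain || host.end_with?(".#{cookie.domain}")
    path_ok = request_path.start_with?(cookie.path)
    secure_ok = !cookie.secure || url.scheme == 'https'
    domain_ok && path_ok && secure_ok
  end

  # RFC 6265 default-path: the request path up to, but not including, its
  # last "/" (or "/" when the path is empty or has no further slash).
  def default_path(request_path)
    return '/' if request_path.nil? || !request_path.start_with?('/')
    idx = request_path.rindex('/')
    idx.zero? ? '/' : request_path[0...idx]
  end
end

# Simulates two consecutive module runs that share one jar. Without the
# clear between them, the session cookie captured in run 1 is replayed in
# run 2; with it, run 2 starts from a clean slate. Returns both Cookie
# header values so the difference is visible.
def simulate_runs(reset_between_runs:)
  jar = CookieJar.new
  # Run 1: constructed Set-Cookie header from a fictitious target.
  jar.store('sessionid=abc123; Path=/; HttpOnly', URI('http://target.example/login'))
  first = jar.cookie_header_for('http://target.example/admin')

  jar.clear if reset_between_runs
  # Run 2 against the same host: which Cookie header would be sent now?
  second = jar.cookie_header_for('http://target.example/admin')
  [first, second]
end

if __FILE__ == $PROGRAM_NAME
  p simulate_runs(reset_between_runs: false)
  p simulate_runs(reset_between_runs: true)
end
```

The bug class the #15149 item fixes is visible in simulate_runs(reset_between_runs: false): nothing in the jar's matching logic is wrong, yet the second run still sends the first run's session cookie, because lifetime, not matching, is the problem. Scoping the jar to a run (or clearing it when a run starts) is the fix.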

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).