Stopped at the gate?
A fun new module from timwr, taking advantage of a technique reported by Cedric Owens, is reminding everyone that if there is no fence, a gate will not deter us. The new module provides a quick wrapper for payloads that bypasses the download-origin and authorization requirements known as Gatekeeper in macOS 10.15+, simply sidestepping the gate when a user opens their gift.
Cookies are tastier if you pilfer them from the jar.
Recent updates to how modules interact with cookies got a little more love baked in. This week agalway-r7 clarified the recipe a bit with documentation on various methods in the new API, and adfoster-r7 came around and swept up any crumbs modules might leave behind.
New Module Content (2)
- macOS Gatekeeper check bypass by Cedric Owens and timwr, which exploits CVE-2021-30657 - This adds the exploit/osx/browser/osx_gatekeeper_bypass module, which exploits a vulnerability in macOS versions 11.3 inclusive. The module generates an app that is missing an Info.plist file. When downloaded and executed by a user, the signature and notarization checks that are standard for downloaded files are bypassed, granting code execution on the target.
- ExifTool DjVu ANT Perl injection by Justin Steven and William Bowling, which exploits CVE-2021-22204 - A new module has been added which exploits CVE-2021-22204, an arbitrary Perl injection vulnerability within the DjVu module of ExifTool 7.44 to 12.23 that allows for RCE when parsing a malicious file containing a crafted DjVu ANT (Annotation) section.
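The Gatekeeper item above hinges on a structural oddity: an app bundle with no Info.plist. The following Ruby snippet is an added example, not code from the Metasploit module, showing the defender-side check a practitioner might run over a Downloads folder: it walks a directory tree and reports every .app bundle whose Contents/Info.plist is absent. It runs on any platform; the bundles it inspects are a constructed fixture built in a temporary directory, and the bundle names are made up.

```ruby
require 'fileutils'
require 'tmpdir'

# Return every .app bundle under +root+ that has no Contents/Info.plist.
# A bundle without that file is not a conventional macOS application
# layout and deserves a closer look before anyone launches it.
def apps_missing_info_plist(root)
  Dir.glob(File.join(root, '**', '*.app')).select do |bundle|
    File.directory?(bundle) &&
      !File.file?(File.join(bundle, 'Contents', 'Info.plist'))
  end.sort
end

# Constructed fixture for the example: one conventional bundle that carries
# an Info.plist and one bundle that lacks it. Both names are invented.
def build_fixture(base)
  good = File.join(base, 'Good.app', 'Contents')
  FileUtils.mkdir_p(File.join(good, 'MacOS'))
  File.write(File.join(good, 'Info.plist'),
             "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" \
             "<plist version=\"1.0\"><dict/></plist>\n")

  suspect = File.join(base, 'Suspect.app', 'Contents')
  FileUtils.mkdir_p(File.join(suspect, 'MacOS'))
  base
end

# Build the fixture in a temporary directory and return the basenames of
# the bundles the check flags.
def demo
  Dir.mktmpdir('bundle-check') do |dir|
    build_fixture(dir)
    apps_missing_info_plist(dir).map { |path| File.basename(path) }
  end
end

puts "Bundles missing Info.plist: #{demo.inspect}" if $PROGRAM_NAME == __FILE__
```

Point apps_missing_info_plist at a real directory (for example a user's Downloads folder) to use it outside the fixture; a bundle it flags is not automatically malicious, but it is not the layout a normal signed application ships with.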
Enhancements and features
- #15054 from dwelch-r7 - Updates msfdb to work on additional platforms, specifically Ubuntu through pg_ctlcluster, as well as existing or remote databases with the new --connection-string option. This option can be used to interact with Docker PostgreSQL containers.
- #15125 from 1itt1eB0y - The session_notifier.rb plugin has been updated to support Gotify, allowing users to be notified of new sessions via Gotify notifications.
- #15158 from adfoster-r7 - Adds tests for the auth brute mixin
- #15165 from agalway-r7 - Adds documentation for the new cookie jar implementation which is available for http-based modules
- #15175 from whokilleddb - The rejetto_hfs_exec module has been updated to replace calls to the deprecated URI.encode function with calls to the URI::encode_www_form_component function. This prevents users from being shown deprecation warnings when running the module.
- #15149 from adfoster-r7 - Fixes an edge case where cookies left over from one module run could impact the next module run
- #15171 from timwr - The lib/msf/ui/console/command_dispatcher/core.rb libraries have been updated to properly support passing timeouts to session.sys.process.capture_output(), allowing users to specify timeouts when executing commands on sessions. Previously these options would be ignored and a default timeout of 15 seconds would be used instead.
- #15179 from dwelch-r7 - The swagger-blocks dependency has been marked as a default dependency for all installs, preventing cases where, if a user did not install the tests groups, they would be unable to start the web service.
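The URI.encode replacement in #15175 deserves one caveat: the two encoders are not byte-for-byte equivalent. URI.encode (obsolete in Ruby 2.7, removed in 3.0) delegated to the RFC 2396 parser's escape method, which leaves reserved characters such as / ? & = alone and writes a space as %20, whereas URI.encode_www_form_component percent-encodes those characters and writes a space as +. The snippet below is an added example, not code from the Metasploit module; it uses URI::RFC2396_Parser#escape as a stand-in for the removed URI.encode and compares both encoders on constructed inputs, so anyone making the same swap in a module that builds paths rather than form bodies can see where the output changes.

```ruby
require 'uri'

# URI.encode delegated to the RFC 2396 parser's escape, which percent-encodes
# only characters outside the RFC 2396 unreserved and reserved sets. The
# parser class still exists, so it stands in here for the removed method.
LEGACY_PARSER = URI::RFC2396_Parser.new

def legacy_escape(str)
  LEGACY_PARSER.escape(str)
end

# The replacement adopted in the module: application/x-www-form-urlencoded
# encoding, which also encodes reserved characters and writes space as '+'.
def form_escape(str)
  URI.encode_www_form_component(str)
end

# Rows of [input, legacy encoding, form encoding, identical?] so the
# inputs on which the two encoders disagree stand out.
def compare(inputs)
  inputs.map do |s|
    legacy = legacy_escape(s)
    form = form_escape(s)
    [s, legacy, form, legacy == form]
  end
end

# Constructed inputs: a space, a path with a query, a bare percent sign
# (encoded identically by both), and a form body.
SAMPLES = ['hello world', 'a/b?c=d&e', '100%', 'x=1&y=2'].freeze

if $PROGRAM_NAME == __FILE__
  compare(SAMPLES).each do |input, legacy, form, same|
    puts format('%-12s legacy=%-20s form=%-20s %s',
                input.inspect, legacy, form, same ? 'same' : 'DIFFERS')
  end
end
```

For a value that ends up in a POST body the form encoder is the right choice; for a value spliced into a URL path, the legacy behaviour (or URI::DEFAULT_PARSER.escape in older Rubies) is what the module previously produced, and a request that worked before the swap may now send %2F where the server expected /.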
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).
- Image credit: Steve F, CC BY-SA 2.0 https://creativecommons.org/licenses/by-sa/2.0, via Wikimedia Commons