Dell DBUtil_2_3.sys IOCTL memmove privilege escalation

Our very own zeroSteiner added a new module, which exploits insufficient access control in Dell's dbutil_2_3.sys firmware update driver included in the Dell Bios Utility that comes pre-installed with most Windows machines. The driver accepts Input/Output Control (IOCTL) requests without ACL requirements, allowing non-privileged users to perform memory read/write operations via the memmove function. This module exploits the arbitrary read/write vulnerability to perform local kernel-mode privilege escalation using the same token upgrade technique developed for the Win32k ConsoleControl Offset Confusion exploit. The exploit needs to be run from within at least a Medium integrity process to be successful, and any invalid read/write addresses will result in an immediate blue screen. The module has been tested on Windows version 1803 through 20H2.

Windows TokenMagic privilege escalation

Metasploit contributor jheysel-r7 added a new exploit module that leverages TokenMagic to elevate privileges and execute code as SYSTEM. This module can either be used to spawn a malicious service on a target system using the TokenMagic High IL, or it can be used to write a System32 DLL that is vulnerable to hijacking. The service method has been tested against Windows 7, 8.1, and 10 (1511, 1803). The DLL method has been tested against Windows 10 (1703, 1803).

New module content (4)

  • NetMotion Mobility Server MvcUtil Java Deserialization by wvu and mr_me, which exploits CVE-2021-26914 - This adds an exploit for CVE-2021-26914 which is a remotely exploitable vulnerability within NetMotion Mobility, whereby a crafted request can trigger a deserialization vulnerability resulting in code execution.
  • Dell DBUtil_2_3.sys IOCTL memmove by Kasif Dekel, SentinelLabs, and Spencer McIntyre, which exploits CVE-2021-21551 - This adds an exploit for CVE-2021-21551 which is an IOCTL that is provided by the DBUtil_2_3.sys driver distributed by Dell that can be abused to perform kernel-mode memory read and write operations.
  • Windows Privilege Escalation via TokenMagic (UAC Bypass) by James Forshaw, Ruben Boonen (@FuzzySec), bwatters-r7, and jheysel-r7 - A new module has been added to exploit TokenMagic, an exploitation technique affecting Windows 7 to Windows 10 build 17134 inclusive, that allows users to elevate their privileges to SYSTEM. Affected systems can be exploited either via exploiting a DLL hijacking vulnerability affecting Windows 10 build 15063 up to build 17134 inclusive, or by creating a new service on the target system.
  • SaltStack Salt Information Gatherer by c2Vlcgo and h00die - This PR adds a post module to gather salt information, configs, etc..

Enhancements and features

  • #15011 from acammack-r7 - Enhances the analyze command to show additional information about an identified exploit being immediately runnable, or if it requires additional credentials or options to be set before being ran
  • #15146 from smashery - This makes two improvements to the exploit for CVE-2021-3156 (Baron Samedit). It removes the dependency on GCC being present in the target environment. It also adds new targets for Ubuntu 16.04, Ubuntu 14.04, CentOS 7, CentOS 8 and Fedora 23-27.
  • #15178 from pingport80 - The auxiliary/client/telegram/send_message.rb module has been updated to support sending documents as well as to send documents and/or messages to multiple chat IDs.
  • #15202 from h00die - The list of WordPress plugins and themes have been updated to allow users to discover more plugins and themes when running tools such as auxiliary/scanner/http/wordpress_scanner
  • #15210 from adfoster-r7 - The documentation for exploit/multi/http/gitlab_file_read_rce has been updated to provide additional information on how to set GitLab up with a SSL certificate for encrypted communications, allowing users to easily test scenarios in which an encrypted GitLab connection might be needed.
  • #15212 from cgranleese-r7 - Metasploit modules implemented in Python now explicitly require python3 to be present on the system path. This ensures that python2 is no longer used unintentionally, which previously occurred on Kali systems

Bugs fixed

  • #15196 from dwelch-r7 - A bug has been fixed in the msfdb script that prevented users from being able to run the script if they installed Metasploit into a location that contained spaces within its path.
  • #15205 from willy00 - A bug has been fixed in the exploit/multi/http/gitlab_file_read_rce module to allow it to target vulnerable GitLab servers where TLS is enabled.
  • #15213 from dwelch-r7 - A fix has been applied to msfdb to use the passed in SSL key path (if provided) instead of the default one at ~/.msf4/msf-ws-key.pem, which may not exist if users have passed in a SSL key path as an option.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).