Containers that fail to Contain
Our own Christophe De La Fuente added a module for CVE-2019-5736, based on the work of Adam Iwaniuk, that breaks out of a Docker container by overwriting the host's runc binary. The bug is in runc itself, not in the image: when someone outside the container runs docker exec against it, runc re-executes itself inside the container's context to service the request, and a malicious process in the container can use that moment to reach the host binary through /proc and overwrite it, so the next runc invocation on the host runs attacker-controlled code.
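The staging half of the public technique is to point something docker exec will run (typically the container's shell) at /proc/self/exe, either as a symlink or via a shebang line, so that runc ends up executing itself from inside the container. The following is an added example, not the Metasploit module and not code from the original post: a scanner that walks an exported container filesystem (for instance the output of docker export) and flags files staged that way. The function names, the sample rootfs it builds, and the 128-byte shebang window are assumptions made for the example.

```python
"""Look for the CVE-2019-5736 staging signature in an exported container rootfs.

Added example; not part of Metasploit or the original post. The public exploit
for this runc bug replaces a binary that `docker exec` is likely to run with a
symlink to /proc/self/exe, or a script whose interpreter is /proc/self/exe, so
that runc re-executes itself inside the container. This walks a filesystem
tree and reports files staged either way. Names and samples are assumptions.
"""
import os
import stat
import tempfile

TARGET = "/proc/self/exe"


def _shebang_points_at_target(path):
    """True if the file starts with '#!' and its interpreter is /proc/self/exe."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(128)          # assumption: interpreter fits in 128 bytes
    except OSError:
        return False
    if not head.startswith(b"#!"):
        return False
    interp = head[2:].split(b"\n", 1)[0].strip().split()
    return bool(interp) and interp[0] == TARGET.encode()


def find_proc_self_exe_hijacks(rootfs):
    """Return sorted (relative_path, kind) pairs for every staged file under rootfs."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(rootfs):   # does not follow symlinks
        # symlinks that resolve to a directory show up in dirnames, so check both
        for name in filenames + dirnames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, rootfs)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                if os.readlink(full) == TARGET:
                    hits.append((rel, "symlink"))
            elif stat.S_ISREG(st.st_mode) and _shebang_points_at_target(full):
                hits.append((rel, "shebang"))
    return sorted(hits)


def build_sample_rootfs():
    """Constructed sample: a tiny fake rootfs with one benign and two staged files."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "usr", "local", "bin"))
    # benign: an ordinary entrypoint script
    with open(os.path.join(root, "usr", "local", "bin", "entrypoint.sh"), "w") as fh:
        fh.write('#!/bin/sh\nexec "$@"\n')
    # staged: /bin/sh replaced by a symlink to /proc/self/exe
    os.symlink(TARGET, os.path.join(root, "bin", "sh"))
    # staged: a script whose interpreter is /proc/self/exe
    with open(os.path.join(root, "bin", "bash"), "w") as fh:
        fh.write("#!/proc/self/exe\n")
    return root


if __name__ == "__main__":
    for rel, kind in find_proc_self_exe_hijacks(build_sample_rootfs()):
        print(f"{kind:8} {rel}")
```

Run it against `docker export <container> | tar -x -C <dir>` output rather than a live container: the staged files are written into the container's own filesystem at runtime, so the image alone may look clean. A hit is a strong indicator, but absence is not proof, since the writable target can be any path the exec'd command resolves to.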
Execute an Image Please, Wordpress
Community contributor Alexandre Zanni sent us a PR for a module that abuses the native PHP functions wpDiscuz relies on to validate attachments: it uploads an arbitrary file as an image attachment to WordPress installations running the wpDiscuz plugin, then executes it by requesting the path of the uploaded file.
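Why an image-attachment upload turns into code execution: a validator that only inspects the leading bytes of the file accepts anything that begins like an image, and if the file keeps its client-supplied .php name in a web-served directory, requesting it runs it. The following is an added example, not the plugin's code and not the Metasploit module. It assumes (an assumption, not a detail the advisory spells out) that the vulnerable check was header-only, which is what a check built on PHP's native image-header functions amounts to, and contrasts it with a check that ties extension to content, rejects embedded PHP tags, and lets the server choose the stored name. The sample upload bytes are constructed.

```python
"""Header-only image validation versus a stricter upload check.

Added example; not wpDiscuz's code or the Metasploit module. Assumes the
vulnerable path accepted any upload whose first bytes looked like an image
and kept the client's filename. Samples below are constructed.
"""
import secrets

IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
# which filename extensions are acceptable for each sniffed content type
ALLOWED_EXT = {"gif": {"gif"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"}}

# Constructed samples: a minimal 1x1 GIF and a GIF/PHP polyglot.
GIF_STUB = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
            b"\x00\x02\x02D\x01\x00;")
POLYGLOT = b"GIF89a" + b"<?php echo 'hello'; ?>"


def image_type_from_header(data):
    """Header-only sniffing: returns 'gif', 'png', 'jpeg' or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def weak_accepts(filename, data):
    """The vulnerable pattern: trust the header, ignore the name the file keeps."""
    return image_type_from_header(data) is not None


def hardened_accepts(filename, data):
    """Header type and extension must agree, and no PHP open tag may appear."""
    kind = image_type_from_header(data)
    if kind is None:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT[kind]:
        return False           # shell.php, or PNG data named .gif
    if b"<?" in data:
        return False           # defence in depth; a real image rarely contains this
    return True


def stored_name(data):
    """Server-chosen name: random stem, extension derived from content, never from the client."""
    kind = image_type_from_header(data)
    if kind is None:
        raise ValueError("not an image")
    ext = {"gif": "gif", "png": "png", "jpeg": "jpg"}[kind]
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    print("weak accepts shell.php:", weak_accepts("shell.php", POLYGLOT))
    print("hardened accepts shell.php:", hardened_accepts("shell.php", POLYGLOT))
    print("stored as:", stored_name(GIF_STUB))
```

The extension check is what stops the request-the-path step: a file the web server will not hand to the PHP interpreter cannot execute even if its bytes are a valid script. Serving the uploads directory with script execution disabled is the complementary control, since a header-only sniff and a tag scan both have edge cases.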
New module content (2)
- Docker Container Escape Via runC Overwrite by Adam Iwaniuk, Borys Popławski, Christophe De La Fuente, Nick Frichette, and Spencer McIntyre, which exploits CVE-2019-5736 - This adds an exploit for CVE-2019-5736, a flaw in runc (the container runtime underneath Docker) that lets an attacker inside a container overwrite the host's runc binary and escape the container.
- WordPress wpDiscuz Unauthenticated File Upload Vulnerability by Chloe Chamberland and Hoa Nguyen - SunCSR, which exploits CVE-2020-24186 - This adds an exploit module that targets versions 7.0.0 through 7.0.4 of the WordPress plugin wpDiscuz (fixed in 7.0.5). An unauthenticated user can upload arbitrary files as image attachments because of the PHP functions the plugin uses to validate and process attachments. Once a PHP file is uploaded, unauthenticated code execution follows from simply requesting the uploaded file's path.
Enhancements and features
- #15363 from HynekPetrak - Enhances the auxiliary/scanner/ipmi/ipmi_dumphashes module to have
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).