New Olympic Discipline: Hive Hunting

This week, community contributor Hakyac added a new Olympic discipline to Metasploit exploit sport category, which is based on the work of community security researchers @jonasLyk and Kevin Beaumont). The rules are simple: You need to abuse a flaw in Windows 10 and 11 configuration to pass through the defense and access Security Account Manager (SAM) files. Any local unprivileged player is able to read this sensitive security information, such as hashes of user/admin passwords. The best strategy to win a gold medal is to start abusing Windows Volume Shadow Copy Service (VSS) to access these files and copy them locally. Finally, you just need to dump the NTLM hashes, use them in a pass-the-hash attack and score with a remote code execution.

Note that Microsoft issued an out-of-band advisory and tracked this vulnerability as CVE-2021-36934. You can find more information about the rules in this blog post. Happy Hive hunting!

Gold Medal for NetGear R7000 in Swimming 100m Heap Overflow

Our own Grant Willcox added a new exploit module that won the Swimming 100m Heap Overflow discipline. It took advantage of a flaw in genie.cgi?backup.cgi page of Netgear R7000 routers to enable a telnet server and easily got code execution as the root user. Note that, whereas firmware versions 1.0.11.116 and prior are vulnerable, this module can only be used with versions 1.0.11.116 at the moment. The check method can still be used to detect if older devices are vulnerable. This module is based on research done by @colorlight2019. A new gold medal for the Metasploit team, great job!

New module content (5)

  • Netgear R7000 backup.cgi Heap Overflow RCE by Grant Willcox, SSD Disclosure, and colorlight2019, which exploits CVE-2021-31802 - This adds an module that will leverage CVE-2021-31802 which is an unauthenticated RCE in Netgear R7000 routers. The vulnerability is leveraged to execute a shellcode stub that will enable telnet which can then be accessed for root privileges on the affected device.
  • Pi-Hole Remove Commands Linux Priv Esc by Emanuele Barbeno and h00die, which exploits CVE-2021-29449 - This adds a local privilege escalation module that targets Pi-Hole versions >= 3.0 and <= 5.2.4. In vulnerable versions of the software, a user with sudo privileges can escalate to root by passing shell commands to either the removecustomcname, removecustomdns, or removestaticdhcp function. The functions have minimal sanitization, and they pass the input to the sed command. By default, the www-data user is permitted to run sudo without supplying a password as configured in the sudoers.d/pihole file.
  • Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution by Nguyen Van Khanh, Ron Jost, and Yann Castel, which exploits CVE-2021-24145 - This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin known as Modern Events Calendar. For versions before 5.16.5, an administrative user can upload a php payload via the calendar import feature by setting the content type of the file to text/csv. Code execution with the privileges of the user running the server is achieved by sending a request for the uploaded file.
  • Wordpress Plugin SP Project and Document - Authenticated Remote Code Execution by Ron Jost and Yann Castel, which exploits CVE-2021-24347 - This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin, SP Project and Document Manager. For versions below 4.22, an authenticated user can upload arbitrary PHP code because the security check only blocks the upload of files with a .php extension, meaning that uploading a file with a .pHp extension is allowed. Once uploaded, requesting the file will result in code execution as the www-data user.
  • Windows SAM secrets leak - HiveNightmare by Kevin Beaumont, Yann Castel, and romarroca, which exploits CVE-2021-36934 - This adds a new exploit module that exploits a configuration issue in Windows 10 (from version 1809) and 11, identified as CVE-2021-36934. Due to permission issues, any local user is able to read SAM and SYSTEM hives. This module abuses Windows Volume Shadow Copy Service (VSS) to access these files and save them locally.

Enhancements and features

  • #15444 from pingport80 - This adds additional support for Powershell sessions to some methods in the File mixin leveraged by post modules.
  • #15465 from sjanusz-r7 - Updates the local exploit suggester to gracefully handle modules raising unintended exceptions and nil target information

Bugs fixed

  • #15359 from stephenbradshaw - Fixes a bug in the ssh_login_pubkey which would crash out when not connected to the db
  • #15460 from pingport80 - This fixes a localization-related issue in the File libraries copy_file method caused by it searching for a word in the output to determine success.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).