Telemetry is for gathering data, not executing commands as root, right?...

This week's highlight is a new exploit module by our own wvu for VMware vCenter Server CVE-2021-22005, a file upload vuln that arises from a flaw in vCenter’s analytics/telemetry service, which is enabled by default. Attackers with network access to port 443 can upload a specially crafted file, after which commands can be executed as the root user without prior authentication. As usual, this latest vCenter Server vulnerability was exploited in the wild quickly after details were released. See Rapid7’s full technical analysis in AttackerKB.

Good ol' Netfilter

This week’s release also includes a privilege escalation module for a Linux kernel vulnerability in Netfilter that lets you get a root shell through an out-of-bounds write. The vulnerability was discovered by Andy Nguyen and has been present in the Linux kernel for the past 15 years. The module currently supports 18 versions of the Ubuntu kernel ranging between 5.8.0-23 to 5.8.0-53 thanks to bcoles, and there are plans to add further support for kernel versions 4.x in the future, once an ROP chain for said version is created.

New module content (3)

Enhancements and features

  • #15735 from jaydesl - Fixes a Rails 6 deprecation warning when a user ran db_disconnect in msfconsole
  • #15740 from h00die - Several improvements have been made to the Ghostcat module to align it with recent standards changes that the team has made and to ensure its documentation is more descriptive.
  • #15750 from jmartin-r7 - Improves Ruby 3.0.2 support on Windows

Bugs fixed

  • #15729 from ErikWynter - This fixes a bug in the PrintNightmare check method where if an RPC function returns a value that can't be mapped to a Win32 error code, the module would crash.
  • #15730 from adfoster-r7 - The check method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.
  • #15737 from adfoster-r7 - A bug has been fixed whereby action wasn't correctly being set when using the action name as a command. action should now hold the right value when using the action name as a command.
  • #15745 from bwatters-r7 - A bug has been fixed in tools/dev/msftidy.rb whereby if the Notes section was placed before the References section, then msftidy would end up not checking the References section and would therefore state the module didn't have a CVE reference, even when it did.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).