Telemetry is for gathering data, not executing commands as root, right?...
This week's highlight is a new exploit module by our own wvu for VMware vCenter Server CVE-2021-22005, a file upload vuln that arises from a flaw in vCenter’s analytics/telemetry service, which is enabled by default. Attackers with network access to port 443 can upload a specially crafted file, after which commands can be executed as the root user without prior authentication. As usual, this latest vCenter Server vulnerability was exploited in the wild quickly after details were released. See Rapid7’s full technical analysis in AttackerKB.
Good ol' Netfilter
This week’s release also includes a privilege escalation module for a Linux kernel vulnerability in Netfilter that lets you get a root shell through an out-of-bounds write. The vulnerability was discovered by Andy Nguyen and has been present in the Linux kernel for the past 15 years. The module currently supports 18 versions of the Ubuntu kernel ranging from 5.8.0-23 to 5.8.0-53 thanks to bcoles, and there are plans to add further support for kernel versions 4.x in the future, once a ROP chain for said version is created.
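For triage of Ubuntu hosts, the following added example (not Metasploit code) classifies a kernel release string against the 5.8.0-23 to 5.8.0-53 range the module currently targets. It assumes the Ubuntu `MAJOR.MINOR.PATCH-ABI-flavour` naming, and "outside-range" means only that the module has no ROP chain for that kernel, not that the kernel is unaffected (the text notes 4.x kernels are affected too).

```shell
#!/bin/sh
# Added example, not part of Metasploit: does a running Ubuntu kernel fall in the
# 5.8.0-23 .. 5.8.0-53 range the CVE-2021-22555 module currently targets?
# Assumption: Ubuntu release strings look like "5.8.0-53-generic".
# "outside-range" / "not-5.8.0" mean "no module ROP chain yet", NOT "safe":
# the text says 4.x kernels are affected as well.

MODULE_ABI_MIN=23
MODULE_ABI_MAX=53

# Prints "targeted", "outside-range" or "not-5.8.0"; returns 0 only for "targeted".
classify_kernel() {
    rel="$1"
    case "$rel" in
        5.8.0-*) ;;
        *) echo "not-5.8.0"; return 1 ;;
    esac
    abi="${rel#5.8.0-}"        # "53-generic"
    abi="${abi%%-*}"           # "53"
    case "$abi" in
        ''|*[!0-9]*) echo "not-5.8.0"; return 1 ;;   # malformed ABI field
    esac
    if [ "$abi" -ge "$MODULE_ABI_MIN" ] && [ "$abi" -le "$MODULE_ABI_MAX" ]; then
        echo "targeted"; return 0
    fi
    echo "outside-range"; return 1
}

# Stand-alone usage: `sh check_kernel.sh --self` classifies the running kernel.
if [ "${1:-}" = "--self" ]; then
    classify_kernel "$(uname -r)"
fi
```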
New module content (3)
- VMware vCenter Server Analytics (CEIP) Service File Upload by wvu, Derek Abdine, George Noseevich, Sergey Gerasimov, and VMware, which exploits CVE-2021-22005 - This adds an exploit for CVE-2021-22005, which is an unauthenticated RCE within the VMware vCenter appliance.
- Netfilter x_tables Heap OOB Write Privilege Escalation by Andy Nguyen (theflow0), Szymon Janusz and bcoles, which exploits CVE-2021-22555 - This PR adds a module for CVE-2021-22555, a 15-year-old heap out-of-bounds write vulnerability in Linux Netfilter.
- Diagnostic State by Jay Turla - Adds a new `post/hardware/automotive/diagnostic_state` module which will keep the vehicle in a diagnostic state.
Enhancements and features
- #15735 from jaydesl - Fixes a Rails 6 deprecation warning when a user ran
- #15740 from h00die - Several improvements have been made to the Ghostcat module to align it with recent standards changes that the team has made and to ensure its documentation is more descriptive.
- #15750 from jmartin-r7 - Improves Ruby 3.0.2 support on Windows
- #15729 from ErikWynter - This fixes a bug in the PrintNightmare check method where if an RPC function returns a value that can't be mapped to a Win32 error code, the module would crash.
- #15730 from adfoster-r7 - The `check` method for the Gitea Git hooks RCE module has been updated to correctly handle older versions of Gitea and report their exploitability as unknown vs reporting the target as not running Gitea.
- #15737 from adfoster-r7 - A bug has been fixed whereby `action` wasn't correctly being set when using the action name as a command. `action` should now hold the right value when using the action name as a command.
- #15745 from bwatters-r7 - A bug has been fixed in `tools/dev/msftidy.rb` whereby if the `Notes` section was placed before the `References` section, `msftidy` would end up not checking the `References` section and would therefore state the module didn't have a CVE reference, even when it did.
As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).