OMIGOD It's RCE

We are excited to announce that we now have a module for the OMIGOD vulnerability that exploits CVE-2021-38647 courtesy of our very own Spencer McIntyre! Successful exploitation will allow an unauthenticated attacker to gain root level code execution against affected servers. Given that this has seen exploitation in the wild by the Mirai botnet, we hope you're patched, lest your servers decide to join the zombie horde this Halloween!

Sophos Contributes to the RCE Pile

Continuing the trend of unauthenticated RCE exploits that grant root level code execution, this week we also have an exploit for CVE-2020-25223, an unauthenticated RCE within the Sophos UTM WebAdmin service. Whilst we haven't yet seen exploitation in the wild of this bug, this is definitely one to patch given its severity. Stay frosty folks!

Guess Who’s Back, Back Again, Apache's Back, Tell a Friend

Whilst not a marshalling bug (I'm sorry, it's Halloween, some puns are needed), community contributors Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien) have added a scanner and exploit for CVE-2021-41773 and CVE-2021-42013, based on work from RootUp, ProjectDiscovery, and HackerFantastic. Path traversal vulnerabilities are relatively easy to exploit, and this one got a lot of attention in the news since it's been a long time since Apache has seen a reliable RCE exploit against it. This is definitely one to patch if you're running any Apache servers. Successful exploitation will result in remote code execution as the user running the Apache server.

New module content (6)

  • Squid Proxy Range Header DoS by Joshua Rogers, which exploits CVE-2021-31806 and CVE-2021-31807 - This adds a module that leverages CVE-2021-31806 and CVE-2021-31807 to trigger a denial of service condition in vulnerable Squid proxy servers.
  • Apache 2.4.49/2.4.50 Traversal RCE scanner by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 - This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
  • Sophos UTM WebAdmin SID Command Injection by wvu and Justin Kennedy, which exploits CVE-2020-25223 - This adds an exploit for CVE-2020-25223 which is an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the root user.
  • Microsoft OMI Management Interface Authentication Bypass by wvu, Nir Ohfeld, Shir Tamari, and Spencer McIntyre, which exploits CVE-2021-38647 - We added an unauthenticated RCE exploit for Microsoft OMI "OMIGOD" CVE-2021-38647. Successful exploitation grants code execution as the root user.
  • Apache 2.4.49/2.4.50 Traversal RCE by Ash Daulton, Dhiraj Mishra, and mekhalleh (RAMELLA Sébastien), which exploits CVE-2021-41773 and CVE-2021-42013 - This adds both a scanner and exploit module for the two recent path traversal vulnerabilities in the apache2 HTTP server. The RCE module requires mod_cgi to be enabled but can be exploited remotely without any authentication. These vulnerabilities are identified as CVE-2021-41773 and CVE-2021-42013.
  • Browse the session filesystem in a Web Browser by timwr - This adds a post module that allows the user to view the Meterpreter session's filesystem via a locally hosted web page.

Enhancements and features

  • #15681 from smashery - This adds support for reverse port forwarding via established SSH sessions.
  • #15778 from k0pak4 - This PR adds documentation for the http trace scanner.
  • #15788 from zeroSteiner - When a generated PowerShell command payload would exceed the maximum length allowed to execute successfully, the framework now gracefully falls back to omitting the AMSI bypass.
  • #15803 from k0pak4 - This adds f5_bigip_virtual_server scanner documentation.

Bugs fixed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest version of Metasploit Framework. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).