Last updated at Fri, 25 Feb 2022 21:48:46 GMT
Exchange remote code execution vulnerabilities are always valuable exploits to have. This week Metasploit added an exploit for an authenticated RCE in Microsoft Exchange Server 2016 and 2019, identified as CVE-2021-42321. The flaw leveraged by the exploit is a misconfigured denylist that failed to prevent a serialized blob from being loaded, resulting in code execution. While this is an authenticated vulnerability, a standard user has sufficient permissions to trigger it, which likely encompasses most users within an organization that uses Exchange. The vulnerability affects Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11 prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3, and Exchange Server 2016 CU22 prior to Security Update 2.
Chrome Password Decryption
Community member timwr updated the existing Chrome enumeration module to support decrypting passwords from modern versions of Chrome. The module can now decrypt both the new and old formats of passwords. This is helpful because when Chrome is updated, passwords in the old format are not updated to the new format.
New module content (2)
- Microweber CMS v1.2.10 Local File Inclusion (Authenticated) by Talha Karakumru - Adds a new module auxiliary/gather/microweber_lfi which targets Microweber CMS v1.2.10 and allows authenticated users to read arbitrary files on disk.
- Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE by Grant Willcox, Microsoft Security Response Center, Microsoft Threat Intelligence Center, peterjson, pwnforsp, testanull, and zcgonvh, which exploits CVE-2021-42321 - This adds an exploit for CVE-2021-42321 which is an authenticated RCE in Microsoft Exchange. The vulnerability is related to a misconfigured deny-list that fails to properly prevent malicious serialized objects from being loaded, leading to code execution.
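The deny-list failure described in the overview and in the CVE-2021-42321 module entry above, modelled as an added example (not Metasploit or Exchange code): Python's `pickle.Unpickler.find_class` stands in for a .NET serialization binder, and it shows a misspelled deny-list entry letting a type resolve, an allow list rejecting it, and a check that flags deny-list entries naming no real type. The lists, the misspelled name and the blob are constructed for illustration and are not the actual Exchange entries.

```python
import importlib
import io
import pickle
import subprocess

# Constructed deny list; "subproces" is a deliberate typo standing in for the
# misspelled entry. ALLOW_LIST is the constructed set of expected types.
DENY_LIST = {("builtins", "eval"), ("subproces", "Popen")}
ALLOW_LIST = {("collections", "OrderedDict")}

class DenyListUnpickler(pickle.Unpickler):
    """Binder that blocks listed names and resolves everything else."""
    def find_class(self, module, name):
        if (module, name) in DENY_LIST:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)

class AllowListUnpickler(pickle.Unpickler):
    """Binder that resolves only the names the application expects."""
    def find_class(self, module, name):
        if (module, name) not in ALLOW_LIST:
            raise pickle.UnpicklingError(f"not allowed {module}.{name}")
        return super().find_class(module, name)

def resolves(unpickler_cls, blob):
    """Return True if the binder lets the blob's type reference resolve."""
    try:
        unpickler_cls(io.BytesIO(blob)).load()
        return True
    except pickle.UnpicklingError:
        return False

def dead_entries(deny_list):
    """Deny-list entries naming nothing importable; each is a likely typo."""
    dead = []
    for module, name in sorted(deny_list):
        try:
            getattr(importlib.import_module(module), name)
        except (ImportError, AttributeError):
            dead.append((module, name))
    return dead

# Constructed blob: a by-reference pickle of the subprocess.Popen class.
# Loading it only resolves the class object; nothing is instantiated or run.
BLOB = pickle.dumps(subprocess.Popen)

if __name__ == "__main__":
    print("deny list resolves blob:", resolves(DenyListUnpickler, BLOB))
    print("dead deny-list entries: ", dead_entries(DENY_LIST))
```

Running `dead_entries` over a deny list in CI turns a silent typo into a failing check, while the allow-list binder removes the dependency on spelling every dangerous type correctly.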
Enhancements and features
- #16061 from shoxxdj - The wordpress_scanner module has been updated to support enumerating WordPress users using the
- #16200 from timwr - This updates post/windows/enum_chrome to support decrypting stored passwords for Chrome versions greater than 80.
- #16197 from adfoster-r7 - This fixes an edge case when reading files on Windows, and fixes Ruby 3 crashes when reading files.
- #16215 from bwatters-r7 - This updates payloads version to 2.0.75, taking in the changes landed in https://github.com/rapid7/metasploit-payloads/pull/542 and fixes a bug in Windows Meterpreter getsystem command where a failed attempt to elevate can result in a partially-broken session.
- #16093 from h00die - A number of broken URL references have been fixed in Metasploit modules. In addition, the tools/modules/module_reference.rb code has been updated to log redirects so that they can be appropriately triaged later and to support saving results to a CSV file. Finally, several modules had their code adjusted to conform to RuboCop standards.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).