Last updated at Thu, 25 Jan 2024 01:43:21 GMT

Zyxel firewall unauthenticated command injection

This week, our very own Jake Baines added an exploit module that leverages CVE-2022-30525, an unauthenticated remote command injection vulnerability in Zyxel firewalls with zero touch provisioning (ZTP) support. Jake is also the author of the original research and advisory that was published last week. This module allows an attacker to achieve arbitrary code execution as the nobody user on affected devices. It takes advantage of unsanitized user input that is passed, behind the scenes, to Python's os.system function, which hands the resulting string to a shell. Well done Jake!
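The bug class behind this vulnerability (an HTTP parameter spliced into a shell command line) is easy to reproduce and easy to fix, so here is an added example of the vulnerable pattern beside its hardened forms. This is not Zyxel's firmware and not the Metasploit module: it is written in Ruby to match the rest of this page (the device does the same thing with Python's os.system), it uses echo as a stand-in for the real network-configuration command so that it runs anywhere, and the MTU parameter name and accepted range are assumptions made for the illustration.

```ruby
require 'open3'
require 'shellwords'

# Added example, not Zyxel firmware and not the Metasploit module. The
# parameter name (mtu) and the accepted range are assumptions; 'echo' stands
# in for the real command so the code runs offline on any Unix host.

# Vulnerable pattern: one string, handed to /bin/sh because it contains
# shell metacharacters. Anything the caller puts in the parameter
# (';', '|', '$(...)', backticks) is parsed and executed by the shell.
def run_vulnerable(mtu)
  out, _status = Open3.capture2("echo mtu=#{mtu}")
  out
end

# Fix 1: pass an argv array so no shell is involved. The parameter reaches
# the program as a single literal argument, metacharacters included.
def run_argv(mtu)
  out, _status = Open3.capture2('echo', "mtu=#{mtu}")
  out
end

# Fix 2: if a shell really is required (pipelines, redirections), escape the
# value so the shell sees exactly one literal word.
def run_escaped(mtu)
  out, _status = Open3.capture2("echo mtu=#{Shellwords.escape(mtu)}")
  out
end

# Fix 3 (belt and braces): validate against a strict allowlist before the
# value gets anywhere near a command. An MTU is a small integer, nothing else.
def validate_mtu!(mtu)
  unless mtu.is_a?(String) && mtu.match?(/\A\d{3,4}\z/) && mtu.to_i.between?(576, 9000)
    raise ArgumentError, "invalid MTU: #{mtu.inspect}"
  end
  mtu
end

# What a handler should do: allowlist, then argv, never a shell string.
def run_hardened(mtu)
  run_argv(validate_mtu!(mtu))
end

if $PROGRAM_NAME == __FILE__
  benign   = '1500'
  injected = '1500; echo INJECTED'   # constructed attacker-controlled value
  puts run_vulnerable(benign)        # mtu=1500
  puts run_vulnerable(injected)      # mtu=1500 followed by INJECTED: the shell ran it
  puts run_argv(injected)            # mtu=1500; echo INJECTED, as one literal
  puts run_escaped(injected)         # same literal, via an escaped shell string
  begin
    run_hardened(injected)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The argv form is the one to reach for first: escaping only protects the value from the specific shell you expected, whereas an argv array never gives a shell the chance to interpret it. The allowlist is still worth keeping, because a value that is safe for the shell can still be nonsense for the program that receives it.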

SAML credentials generator for vCenter Server

Community contributor npm-cesium137-io added an auxiliary module that forges valid SAML credentials for vCenter Server. These credentials are very useful since they can be used to gain access to the SSO domain as a vSphere administrator. Note that this module cannot run offline and must be executed while the target vCenter is reachable over the network so that it can acquire the administrator session token. Also, the vCenter SSO Identity Provider (IdP) signing certificate and private key, together with the VMCA root certificate, need to be provided. These can be extracted manually from the vmdir database file at /storage/db/vmware-vmdir/data.mdb using binwalk, or with a companion post module that was still in review at the time of writing.

GSOC 2022

The Metasploit project was accepted again for the Google Summer of Code program. This year the team welcomes back pingport80 as a returning contributor and welcomes 3V3RYONE. These students will be working on Post API improvements and expanded HTTP-Trace support respectively. We look forward to mentoring and working with them in the coming months, so stay tuned for further updates as they get started!

New module content (3)

  • VMware vCenter Forge SAML Authentication Credentials by npm - This module forges valid SAML credentials for vCenter server using the vCenter SSO IdP certificate, IdP private key, and VMCA root certificate as input objects.
  • Zyxel Firewall ZTP Unauthenticated Command Injection by jbaines-r7, which exploits CVE-2022-30525 - A new module has been added to exploit CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the nobody user.
  • Bookmarked Sites Retriever by jerrelgordon - This adds a module to retrieve the bookmarks from Internet Explorer, Opera, Google Chrome, and Edge.

Enhancements and features (3)

  • #16430 from adfoster-r7 - This adds support for logging AS-REP Roastable accounts and for storing the generated Kerberos token in the creds database. It also improves error handling.
  • #16442 from sjanusz-r7 - This adds a new vars_form_data field to the Rex HTTP Client for uploading files/form values to a remote HTTP server with ease:
vars_form_data = [
  { 'name' => 'nsp', 'data' => @csrf_token },
  { 'name' => 'upload', 'data' => 1 },
  { 'name' => 'MAX_FILE_SIZE', 'data' => 1000000 },
  { 'name' => 'uploadedfile', 'data' => payload_zip, 'mime_type' => 'application/zip', 'encoding' => 'binary', 'filename' => zip_filename }
]

res = send_request_cgi(
  'method' => 'POST',
  'uri' => uri,
  'vars_form_data' => vars_form_data
)
  • #16555 from zeroSteiner - This moves a duplicated retry_until_truthy function into a centralized location for better reuse. The function is useful for retrying operations that may fail the first time, such as checking whether a Kubernetes container is ready yet.
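To make the vars_form_data option above concrete, here is an added example of what that array of parts turns into on the wire: a minimal multipart/form-data encoder that accepts the same array-of-hashes shape. This is not Rex::Proto::Http::Client's own implementation; the keys (name, data, mime_type, encoding, filename) mirror the snippet above, while the header order, the boundary format and the sample parts are assumptions made for this illustration.

```ruby
require 'securerandom'

# Added example, not the Rex HTTP client's implementation: a small
# multipart/form-data encoder for the same part shape as vars_form_data.
# Boundary format, header order and the sample parts are assumptions.

CRLF = "\r\n".b

# Constructed sample input in the same shape as the page's vars_form_data.
SAMPLE_ZIP = "PK\x03\x04".b   # constructed: just the zip magic bytes
SAMPLE_PARTS = [
  { 'name' => 'nsp', 'data' => 'tok123' },
  { 'name' => 'upload', 'data' => 1 },
  { 'name' => 'uploadedfile', 'data' => SAMPLE_ZIP, 'mime_type' => 'application/zip',
    'encoding' => 'binary', 'filename' => 'p.zip' }
].freeze

# A boundary must not occur inside any part body; a long random one makes
# that overwhelmingly likely without scanning the payload.
def random_boundary
  "----MsfFormBoundary#{SecureRandom.hex(16)}"
end

# RFC 7578 section 4.2: percent-encode the characters that would otherwise
# terminate or corrupt the quoted name/filename value.
def quote_param(value)
  value.to_s.gsub('"', '%22').gsub("\r", '%0D').gsub("\n", '%0A')
end

# One part: delimiter line, headers, blank line, raw value, CRLF.
def encode_part(part, boundary)
  lines = ["--#{boundary}"]
  disposition = "Content-Disposition: form-data; name=\"#{quote_param(part['name'])}\""
  disposition << "; filename=\"#{quote_param(part['filename'])}\"" if part['filename']
  lines << disposition
  lines << "Content-Type: #{part['mime_type']}" if part['mime_type']
  lines << "Content-Transfer-Encoding: #{part['encoding']}" if part['encoding']
  lines << ''                            # blank line ends the part headers
  header = lines.join(CRLF) + CRLF
  # Force binary so a file body with non-UTF-8 bytes concatenates cleanly.
  header.b + part['data'].to_s.b + CRLF
end

# Whole body: every part, then the closing delimiter with the trailing "--".
def multipart_body(parts, boundary = random_boundary)
  body = parts.map { |p| encode_part(p, boundary) }.join
  body + "--#{boundary}--".b + CRLF
end

# The two request headers the body needs. Content-Length is bytesize, not
# character length, which matters as soon as a file part is not ASCII.
def multipart_headers(boundary, body)
  {
    'Content-Type'   => "multipart/form-data; boundary=#{boundary}",
    'Content-Length' => body.bytesize.to_s
  }
end

if $PROGRAM_NAME == __FILE__
  boundary = random_boundary
  body = multipart_body(SAMPLE_PARTS, boundary)
  multipart_headers(boundary, body).each { |k, v| puts "#{k}: #{v}" }
  puts
  print body
end
```

Two details are worth noticing when you debug an upload that the server rejects: every line ending in the body is CRLF, including the one after the last file byte, and the final delimiter carries an extra "--". The Rex option takes care of both, along with Content-Length and the boundary, which is exactly why module authors should prefer it over hand-built bodies.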

Bugs fixed (6)

  • #16487 from red0xff - This fixes a deprecation warning in the auxiliary/capture/server/mssql module and makes it output a valid John the Ripper hash format for offline password cracking.
  • #16499 from adfoster-r7 - This fixes an issue where SSL connections made by Metasploit would fail when the Server Name Indication (SNI) extension was in use.
  • #16505 from AdrianVollmer - This fixes an issue in the auxiliary/scanner/lotus/lotus_domino_hashes #dump_hashes parsing logic.
  • #16570 from ssst0n3 - This fixes a bug in the generation of aarch64 stagers so that when the stage is received and written to memory, the stage can execute in a lower-privileged process.
  • #16572 from zeroSteiner - A bug has been fixed whereby a PayloadSpaceViolation exception might be raised when the --smallest flag was used with msfvenom, due to msfvenom setting the space available to 0 instead of a positive number. The code should now appropriately account for this case.
  • #16588 from zeroSteiner - This adds a size check to the two new PowerShell adapter payload modules so that payloads that are too large (such as unstaged Meterpreters) are marked as incompatible.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).