Last updated at Fri, 19 Aug 2022 20:28:14 GMT
Advantech iView NetworkServlet Command Injection
This week Shelby Pace has developed a new exploit module for CVE-2022-2143. The module uses an unauthenticated command injection vulnerability to gain remote code execution against versions of Advantech iView below 5.7.04.6469. The software runs as NT AUTHORITY\SYSTEM, so the module gives an unauthenticated attacker privileged access with relatively low effort. Version 5.7.04.6469 has been patched to require authentication, but remote code execution can still be achieved once valid credentials are supplied, yielding a shell as the LOCAL SERVICE user.
Cisco ASA ASDM Brute-force Login
Our very own Jake Baines has contributed a new module which scans for the Cisco ASA ASDM landing page and performs login brute-force to identify valid credentials:
```
msf6 > use auxiliary/scanner/http/cisco_asa_asdm_bruteforce
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set RHOST 10.9.49.201
RHOST => 10.9.49.201
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set VERBOSE false
VERBOSE => false
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > run

[*] The remote target appears to host Cisco ASA ASDM. The module will continue.
[*] Starting login brute force...
[+] SUCCESSFUL LOGIN - "cisco":"cisco123"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) >
```
New module content (2)
- Cisco ASA ASDM Brute-force Login by jbaines-r7 - This adds a scanner module to brute force the Cisco ASA's ASDM interface in its default configuration.
- Advantech iView NetworkServlet Command Injection by Shelby Pace, rgod, and y4er, which exploits CVE-2022-2143 - This adds an exploit module that leverages a command injection vulnerability in Advantech iView (CVE-2022-2143) to get remote command execution as the SYSTEM user. Versions below 5.7.04.6469 are vulnerable without authentication. Version 5.7.04.6469 is still vulnerable but requires valid credentials to exploit, and on that version the module only gets RCE as the LOCAL SERVICE user.
Enhancements and features (7)
- #16883 from gwillcox-r7 - This PR deprecates the srt_webdrive_priv script, as the same functionality is included in the service_permissions module.
- #16884 from bcoles - This PR deprecates the credcollect script, as it has effectively been replaced by post/windows/gather/credentials/credential_collector.
- #16902 from bcoles - The scripts/meterpreter/killav.rb script has been removed, since scripts have been deprecated for over 5 years. It has been replaced with
- #16905 from bcoles - The scripts/meterpreter/panda_2007_pavsrv51.rb script has been removed and replaced by exploit/windows/local/service_permissions. Note that scripts have been deprecated for over 5 years and are no longer supported.
- #16908 from bcoles - This removes ./scripts/meterpreter/dumplinks.rb and replaces it with post/windows/gather/dumplink, which does much the same thing but is a proper module rather than a deprecated script, since scripts stopped being supported several years ago.
- #16909 from bcoles - The scripts/meterpreter/get_pidgin_creds.rb script has been removed, since scripts have been deprecated for some time now and are no longer supported. It has been replaced by
- #16910 from bcoles - The scripts/meterpreter/arp_scanner.rb script has been replaced with post/windows/gather/arp_scanner, which implements the same logic with an improved OUI database to help fingerprint the MAC vendor.
Bugs fixed (1)
- #16881 from bcoles - This fixes a crash in the post/windows/manage/forward_pageant module caused by the removal of Dir::Tmpname.make_tmpname() in Ruby 2.5.0. This also makes some improvements to the code.
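The crash above is a common pattern: code that reached into Ruby's private Dir::Tmpname.make_tmpname helper stops working on Ruby 2.5+. Below is an added example, not the forward_pageant module's own code, showing one portable replacement for a unique temp path and, since such paths are attacker-observable on shared hosts, creating the file with O_EXCL so a pre-planted file or symlink at the chosen name is rejected rather than followed. The prefix name and the retry count are assumptions for illustration.

```ruby
require 'tmpdir'
require 'securerandom'

# Dir::Tmpname.make_tmpname was an internal helper in tmpdir.rb; code that
# relied on it broke when it was removed in Ruby 2.5.0. True only on old Rubies.
def make_tmpname_available?
  Dir::Tmpname.respond_to?(:make_tmpname)
end

# Replacement: build a unique, hard-to-guess path from the PID plus random
# bytes. (Ruby's own Dir::Tmpname.create uses pid + time + counter; random
# hex is used here so another local user cannot predict the name.)
def unique_tmp_path(prefix, dir = Dir.tmpdir)
  File.join(dir, "#{prefix}-#{Process.pid}-#{SecureRandom.hex(8)}")
end

# Create the file atomically. O_EXCL makes the open fail if anything already
# exists at that path, which defeats a symlink or file planted in advance.
# Returns true if this call created the file, false if the path was taken.
def open_exclusively(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) {}
  true
rescue Errno::EEXIST
  false
end

# Pick a fresh name and create it; retry on the (unlikely) collision.
# attempts = 10 is an assumed bound for the example.
def create_private_tmpfile(prefix, dir = Dir.tmpdir, attempts = 10)
  attempts.times do
    path = unique_tmp_path(prefix, dir)
    return path if open_exclusively(path)
  end
  raise "could not create a unique temp file under #{dir}"
end

if __FILE__ == $PROGRAM_NAME
  puts "make_tmpname present: #{make_tmpname_available?}"
  puts "created: #{create_private_tmpfile('forward_pageant')}"
end
```

The exclusive-create step is the security-relevant part: generating an unpredictable name is not enough on its own, because a check-then-create sequence still races against anyone who can write to the temp directory.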
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).