Last updated at Tue, 13 Sep 2022 13:48:44 GMT

Authenticated command injection vulnerability of Cisco ASA-X with FirePOWER Services:

jbaines-r7 added a new module that exploits an authenticated command injection vulnerability CVE-2022-20828 of Cisco ASA-X with FirePOWER Services. This vulnerability affects all Cisco ASA appliances that support ASA FirePOWER module. Note that, although a patch has been added to most recent ASA FirePOWER module versions such as 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21, some versions such as 6.2.2 and earlier, 6.3, 6.5, and 6.7 will not receive the patch. This exploit could allow the attacker to get root access and pivot to the inside network along with the outside network. This exploit takes advantage of the FirePower Services SFR module's Linux virtual machine via ASA's ASDM web server which also runs snort on the traffic. Therefore, an attacker can have access to the diverted traffic as well. Check out the video of the exploit for more information!

Remote code execution vulnerability of Apache Spark:

KostyaKortchinsky and h00die-gr3y introduced a new module that exploits a remote code execution vulnerability CVE-2022-33891 in Apache Spark. This exploit affects several Apache Spark versions such as 3.0.3 and earlier, 3.1.1 to 3.1.2 and versions 3.2.0 to 3.2.1. Apache Spark allows its users to enable Access Control Lists (ACLs) via the configuration option spark.acls.enable. This was introduced in order to improve the security access within Apache Spark application but the code that's triggered by this configuration option leads to a malicious shell command injection vulnerability. Check out this post by HuskyHacks who provided more information along with great examples!

New module content (2)

  • Apache Spark Unauthenticated Command Injection RCE by KostyaKortchinsky and h00die-gr3y, which exploits CVE-2022-33891 - This exploits an unauthenticated command injection vulnerability in Apache Spark. The spark.acls.enable setting permits command injection through the id command via a POST request to Apache Spark’s base endpoint containing arbitrary code in the doAs parameter. The exploit achieves unauthenticated RCE as the spark user.
  • Cisco ASA-X with FirePOWER Services Authenticated Command Injection by jbaines-r7, which exploits CVE-2022-20828 - This adds an exploit module that leverages an authenticated command injection vulnerability in Cisco ASA-X with FirePOWER Services. This vulnerability is identified as CVE-2022-20828 and has been patched in ASA FirePOWER module versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. Note that versions 6.2.2 and earlier, 6.3, 6.5, and 6.7 won't receive a patch.

Enhancements and features (7)

  • #16901 from bcoles - The post/windows/manage/killav.rb script has been updated to support shell and PowerShell sessions and has undergone some code cleanup. Additionally, documentation has now been created to explain its operations and how to use it.
  • #16934 from bcoles - This adds support for dumping process memory by name in the post/windows/gather/memory_dump module.
  • #16947 from ILightThings - This adds support for formatting buffers for golang.
  • #16948 from gwillcox-r7 - This adds arguments for specifying the username, password and database to the #run_sql post method.
  • #16952 from bcoles - This PR improves the domain_controller? method to allow lower-priv users to invoke it, extends it to support shell sessions, and adds additional useful domain controller enumeration methods to the library.
  • #16973 from HuskyHacks - This adds support for formatting buffers for nim.
  • #16983 from bcoles - This PR adds documentation, references and a more complete description for the firefox_xpi_bootstrapped_addon module.

Bugs fixed (5)

  • #16861 from adfoster-r7 - Fixes a bug in cmd/unix/reverse_ssh that stopped reverse SSH sessions from opening.
  • #16926 from jmartin-r7 - Fixes a bug when using RPC service with the analyze command and specifying a workspace, i.e. within Metasploit RPC client - rpc.call('db.analyze_host', { host: '<metasploitable3 ip>', workspace: 'other' } ).
  • #16968 from luisfso - This PR adds support for the new syntax of the find command's perm parameter while also maintaining support for the deprecated syntax.
  • #16972 from cgranleese-r7 - Updates msfconsole's tables to support word wrapping when colors are present.
  • #16974 from jbaines-r7 - Updates Rex::Proto::Http::Client to rely on Ruby's built in string comparison.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo(master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers(which also include the commercial edition).