Last updated at Wed, 26 Oct 2022 17:50:54 GMT
Zimbra with Postfix LPE (CVE-2022-3569)
This week rbowes added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root which in turn is capable of executing arbitrary shellscripts. This can be abused for reliable privilege escalation from the context of the
zimbra service account to
root. As of this time, this vulnerability remains unpatched.
Zimbra RCE (CVE-2022-41352)
rbowes also added an RCE for Zimbra as well. This exploit can be used to remotely obtain the initial access necessary to exploit CVE-2022-3569 and escalate privileges to root. This exploit leverages a path traversal vulnerability to write a malicious JSP file to the web directory which yields code execution. The vulnerability does not require authentication however it should be noted that pax must not be present on the target in order for it to be exploitable. A Zimbra patch adds pax as a requirement, so either the patch must not have been applied or pax must have been explicitly removed.
FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass (CVE-2022-40684)
Community member heyder submitted an exploit for multiple Fortinet products this week. The exploit involves an authentication bypass that is leveraged to establish an SSH session with the target. Unfortunately, the tested FortiGate v7.2.1 instance used during testing indicated that the target could not be used for SSH port forwarding.
Improved Qualys Scan Import Performance
Metasploit is capable of importing scan data produced by a variety of tools such as Qualys and Nessus. This week jmartin switched the XML parser used while processing Qualys scan files to obtain a dramatic performance improvement. Scans data which previously took hours to import takes only a few minutes now.
New module content (4)
- Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera by Monte Crypto and h00die-gr3y, which exploits CVE-2017-7921 - This adds an auxiliary module that leverages an authentication bypass vulnerability in Hikvision IP cameras (CVE-2017-7921) to disclose information such as detailed hardware and software configuration, user credentials, and camera snapshots.
- Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass. by Heyder Andrade and Zach Hanley, which exploits CVE-2022-40684 - This PR adds a remote code execution exploit module for CVE-2022-40684 affecting some Fortinet products
- TAR Path Traversal in Zimbra (CVE-2022-41352) by Alexander Cherepanov, Ron Bowes, and yeak, which exploits CVE-2022-41352 - This adds a module that exploits a symlink-based path traversal vulnerability in
cpioto get unauthenticated remote code execution as the
zimbrauser. This vulnerability is identified as CVE-2022-41352. The module generates a
.tarfile that will need to be emailed to any user on the target Zimbra server.
- Zimbra sudo + postfix privilege escalation by EvergreenCartoons and Ron Bowes, which exploits CVE-2022-3569 - This adds a new module to exploit a vulnerable sudo configuration in Zimbra that permits the
zimbrauser to execute
postfixas root. In turn,
postfixcan execute arbitrary shell scripts and get command execution as the root user. Currently, as of 2022-10-14, all versions of Zimbra are vulnerable.
Enhancements and features (4)
- #16982 from h00die - Updates the Dell iDRAC login scanner to work with version 8 and version 9
- #17135 from k0pak4 - This adds proper namespace to the hash identification library to avoid any potential collision with the constants defined previously.
- #17140 from nfsec - The Metasploit Docker image's Alpine version has been bumped from 3.12 to 3.15.
- #17154 from jmartin-r7 - The process for importing Qualys scan data has been switched over from
Nokigiri::XMLand XPath for improved performance.
Bugs fixed (1)
- #17157 from k0pak4 - Setting the global options to set LHOST for all modules will now be properly respected when loading a module, whereas before only the globally set RHOST option would be respected.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).