Last updated at Thu, 25 Jan 2024 00:51:23 GMT

Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream (CVE-2021-39144)

There’s nothing quite like a pre-authenticated remote code execution vulnerability in a piece of enterprise software. This week, community contributor h00die-gr3y added a module that targets VMware NSX Manager using XStream. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of root on the appliance. VMware saw this vulnerability as such a risk, and they decided to release patches for versions that were no longer supported, which goes to show the value that this module provides.

Gitea Git Fetch Remote Code Execution (CVE-2022-30781)

Using Gitea in your environment? You better git-to-patching. Community contributor krastanoel wrote an awesome module which exploits a remote code execution vulnerability in versions of Gitea before 1.16.7. The vulnerability identified as CVE-2022-30781 is due to the application running a git fetch command in which an attacker can inject arbitrary commands resulting in code execution as the git user.

Metasploit on Twitch

This week Metasploit’s very own Spencer McIntyre went live on Twitch and went over writing Meterpreter features in Metasploit. Be sure to check out the recording and stay tuned for more fun and informative Metasploit streaming sessions.

New module content (2)

  • VMware NSX Manager XStream unauthenticated RCE by Sina Kheirkhah, Steven Seeley, and h00die-gr3y, which exploits CVE-2021-39144 - This adds an exploit module that leverages a Remote Command Injection vulnerability in VMware Cloud Foundation 3.x and NSX Manager Data Center for vSphere up to and including version 6.4.13. This vulnerability is identified as CVE-2021-39144.
  • Gitea Git Fetch Remote Code Execution by krastanoel, li4n0, and wuhan005, which exploits CVE-2022-30781 - This adds an exploit module that leverages a command injection vulnerability in Gitea. Due to an improper escaping of input, it is possible to execute commands on the system abusing the Gitea repository migration process. This vulnerability is identified as CVE-2022-30781 and affects Gitea versions prior to 1.16.7.

Enhancements and features (2)

  • #17243 from adfoster-r7 - Improves the TLV packet logging for Railgun
  • #17253 from h00die - The list of Wordpress plugins and themes has been updated to allow Metasploit tools to scan for a wider range of known themes and plugins on Wordpress targets.

Bugs fixed (2)

  • #17260 from zeroSteiner - This fixes an issue with the RBCD module due to the access_mask field of the Access Control Entry types being changed from the AccessMask type to an integer.
  • #17263 from zeroSteiner - The Metasploit-payloads gem has been bumped to 2.0.101, which fixes memory and handle leaks when using the incognito plugin's list_token functionality. It also updates the Mimikatz code in Metasploit to pull in the latest changes.
  • #17261 from zeroSteiner - This fixes support for port forwarding on Ruby 3 with meterpreter payloads.
  • #17264 from gwillcox-r7 - This bumps the Go version from 1.11.2 to 1.19.3 in the metasploit-framework Dockerfile.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).