Last updated at Thu, 18 Jan 2024 20:44:10 GMT

Pollution in Kibana

This week, contributor h00die added a module that leverages a prototype pollution bug in Kibana prior to version 7.6.3. The issue lies in the Upgrade Assistant's telemetry collector and enables an attacker to execute arbitrary code. It can be triggered by sending queries that set a new constructor.prototype.sourceURL, either directly to Elasticsearch or through Kibana. Note that the payload does not run immediately: Kibana has to be restarted, or the attacker has to wait for the next telemetry collection. No CVE appears to have been assigned to this vulnerability. The module was written based on a detailed description from Alex Brasetvik (alexbrasetvik) in a HackerOne report.

Torch chain attack

Our very own zeroSteiner added a module that exploits the PyTorch model server by chaining three weaknesses. First, it relies on a weak default configuration that binds the management interface to all IP addresses. Once it reaches the management interface, the module exploits a Server-Side Request Forgery vulnerability (CVE-2023-43654) to register MAR (Model Archive) files fetched from an arbitrary server. Finally, it leverages an unsafe deserialization vulnerability in SnakeYAML (CVE-2022-1471), which allows code execution when attacker-controlled YAML is deserialized. The module embeds a malicious YAML file in a MAR file and gets an arbitrary Java class executed when that MAR file is loaded.

Updated MySQL version support

Thanks to the work of Rory McKinley, multiple MySQL modules now support authentication against newer MySQL 8.0 versions. This required a lot of effort unearthing and patching historical code across multiple contributions to the Metasploit codebase, and to the Ruby MySQL library dependency. MySQL module highlights include:

  • auxiliary/scanner/mysql/mysql_login - Bruteforce and manual verification of MySQL credentials
  • auxiliary/scanner/mysql/mysql_version - MySQL Server Version Enumeration
  • auxiliary/scanner/mysql/mysql_hashdump - MySQL password hashdump support
  • auxiliary/scanner/mysql/mysql_schemadump - Extracting MySQL schema details
  • auxiliary/admin/mysql/mysql_sql - Run arbitrary MySQL SQL queries against a given target

New module content (2)

Kibana Upgrade Assistant Telemetry Collector Prototype Pollution

Authors: Alex Brasetvik (alexbrasetvik) and h00die
Type: Exploit
Pull request: #18417 contributed by h00die
Path: linux/http/kibana_upgrade_assistant_telemetry_rce

Description: Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're able to execute arbitrary code in the context of the Kibana user. There is no CVE for this at the moment.

PyTorch Model Server Registration and Deserialization RCE

Authors: Gal Elbaz, Guy Kaplan, Idan Levcovich, Spencer McIntyre, and Swapneil Kumar Dash
Type: Exploit
Pull request: #18427 contributed by zeroSteiner
Path: multi/http/torchserver_cve_2023_43654

Description: This PR adds a module that exploits PyTorch TorchServer by chaining an SSRF vulnerability with a deserialization RCE vulnerability, giving an unauthenticated remote attacker arbitrary Java code execution. The PR also fixes how the ClassLoader mixin handles datastore options.

Enhancements and features (6)

  • #18171 from dwelch-r7 - This fixes an issue when users use a payload while framework was started with the --defer-module-loads flag set. It also adds a new feature flag option, defer_module_loads, which, when enabled, defers module loads by default without the need to specify --defer-module-loads every time the framework boots. Finally, this comes with a sizable improvement in framework boot-up time.
  • #18256 from jmartin-tech - Performs a routine update of multiple library dependencies.
  • #18296 from rorymckinley - Updates multiple MySQL modules to support authenticating with newer versions of MySQL.
  • #18383 from cgranleese-r7 - This adds a variety of improvements to the enum_computers module, including Shell and PowerShell support as well as improvements when running on non-English systems.

Bugs fixed (2)

  • #18411 from rtpt-erikgeiser - Fixes an issue where the services -R command generated invalid hosts such as 192.0.2.2% if an empty string was registered for the scope metadata instead of nil.
  • #18431 from zeroSteiner - This switches the way in which port forwarded IPs are displayed so that the local IP is listed under local and the remote IP is listed under remote.

Documentation added (3)

  • #18394 from errorxyz - This adds documentation for the auxiliary/scanner/http/http_traversal module.
  • #18435 from h00die - Fixes multiple spelling mistakes in the Wiki.
  • #18444 from h00die - Fixes spelling mistakes in module documentation.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).