Last updated at Fri, 13 Oct 2023 19:50:49 GMT
Pollution in Kibana
This week, contributor h00die added a module that leverages a prototype pollution bug in Kibana prior to version 7.6.3. Specifically, the issue is in the Upgrade Assistant and enables an attacker to execute arbitrary code. It can be triggered by sending a query that sets a new constructor.prototype.sourceURL property, either directly to Elasticsearch or by submitting the same query through Kibana. Note that the payload does not execute immediately: Kibana needs to be restarted, or the next telemetry collection has to run. This vulnerability does not appear to have been assigned a CVE. The module was written based on a detailed description from Alex Brasetvik (alexbrasetvik) in a HackerOne report.
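As an added illustration that is not part of the original post, of Kibana's code, or of the Metasploit module, the following JavaScript shows the bug class in miniature: a recursive merge that follows attacker-controlled keys, a hardened version that refuses the keys that reach the prototype chain, and two constructed JSON documents that plant a sourceURL property on Object.prototype the way the write-up describes. The function names, the settings object and the attacker documents are all hypothetical. Kibana's real sink (whatever later reads sourceURL) is not reproduced; the example stops at showing that an unrelated, freshly created object inherits the attacker's value.

```javascript
// Added example (not Kibana's or Metasploit's code): the bug class behind the
// Upgrade Assistant issue. A recursive merge that walks attacker-supplied keys
// without filtering "constructor", "prototype" and "__proto__" lets a JSON
// document plant a property (here "sourceURL") on Object.prototype, where every
// later object in the process inherits it.

// Vulnerable merge: follows whatever key the input names, including
// target.constructor -> Object, then Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuses the three keys that reach the prototype chain and
// only descends into the target's own properties, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker documents (hypothetical input). Both target the same
// property: the first uses the constructor.prototype path named in the
// write-up, the second the __proto__ path. JSON.parse turns these into ordinary
// own properties, so Object.keys sees them and the merge walks into them.
const CONSTRUCTOR_DOC = '{"constructor":{"prototype":{"sourceURL":"polluted"}}}';
const PROTO_DOC = '{"__proto__":{"sourceURL":"polluted"}}';

// Merge the document into an empty settings object, then read sourceURL off a
// brand-new, unrelated object. If the merge polluted Object.prototype, the new
// object inherits the value. Clean up afterwards so repeated calls start fresh.
function sourceURLSeenByFreshObject(mergeFn, attackerJson) {
  mergeFn({}, JSON.parse(attackerJson));
  const leaked = ({}).sourceURL;
  delete Object.prototype.sourceURL;
  return leaked;
}

for (const [name, doc] of [['constructor.prototype', CONSTRUCTOR_DOC], ['__proto__', PROTO_DOC]]) {
  console.log(`${name} via unsafeMerge: ${sourceURLSeenByFreshObject(unsafeMerge, doc)}`);
  console.log(`${name} via safeMerge:   ${sourceURLSeenByFreshObject(safeMerge, doc)}`);
}
```

The deny-list on the three key names is the minimal fix; a stronger design keeps untrusted data in objects created with Object.create(null) or in a Map, so there is no prototype to reach in the first place.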
Torch chain attack
Our very own zeroSteiner added a module that exploits PyTorch's TorchServe by chaining multiple vulnerabilities. First, it takes advantage of a weak default configuration that binds the management interface to all IP addresses. Then, once it can reach the management interface, the module exploits a Server-Side Request Forgery vulnerability (CVE-2023-43654) to register MAR (Model Archive) files from arbitrary servers. Finally, it leverages a SnakeYAML vulnerability (CVE-2022-1471) that allows code execution when an untrusted YAML document is deserialized. The module embeds a malicious YAML file in a MAR file and gets an arbitrary Java class executed when that MAR file is loaded.
Updated MySQL version support
Thanks to the work of Rory McKinley, multiple MySQL modules now support authentication against newer MySQL 8.0 versions. This required considerable effort unearthing and patching historical code across multiple contributions to the Metasploit codebase and to the Ruby MySQL library dependency. MySQL module highlights include:
- auxiliary/scanner/mysql/mysql_login - Brute-force and manual verification of MySQL credentials
- auxiliary/scanner/mysql/mysql_version - MySQL server version enumeration
- auxiliary/scanner/mysql/mysql_hashdump - MySQL password hash dump
- auxiliary/scanner/mysql/mysql_schemadump - Extraction of MySQL schema details
- auxiliary/admin/mysql/mysql_sql - Run arbitrary SQL queries against a given MySQL target
New module content (2)
Kibana Upgrade Assistant Telemetry Collector Prototype Pollution
Description: Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're able to execute arbitrary code in the context of the Kibana user. There is no CVE for this at the moment.
PyTorch Model Server Registration and Deserialization RCE
Description: This PR adds a module that exploits PyTorch TorchServe by chaining an SSRF vulnerability with a deserialization RCE vulnerability to give an unauthenticated remote attacker arbitrary Java code execution. The PR also fixes how the ClassLoader mixin handles datastore options.
Enhancements and features (6)
- #18171 from dwelch-r7 - This fixes an issue when users use a payload while the framework is started with the `--defer-module-loads` flag set. This also adds a new feature flag option, `defer_module_loads`, which, when enabled, will defer module loads by default without the need to specify `--defer-module-loads` every time the framework boots. Finally, this comes with a sizable improvement in the framework's boot-up time.
- #18256 from jmartin-tech - Performs a routine update of multiple library dependencies.
- #18296 from rorymckinley - Updates multiple MySQL modules to support authenticating with newer versions of MySQL.
- #18383 from cgranleese-r7 - This adds a variety of improvements to the enum_computers module including Shell and Powershell support as well as improvements when running on non-english systems.
Bugs fixed (2)
- #18411 from rtpt-erikgeiser - Fixes an issue where the `services -R` command generated invalid hosts such as `192.0.2.2%` if an empty string was registered for the scope metadata instead of nil.
- #18431 from zeroSteiner - This switches the way in which port-forwarded IPs are displayed so that the local IP is listed under `local` and the remote IP is listed under
Documentation added (1)
- #18394 from errorxyz - This adds documentation for the auxiliary/scanner/http/http_traversal module.
- #18435 from h00die - Fixes multiple spelling mistakes in the Wiki.
- #18444 from h00die - Fixes spelling mistakes in module documentation.
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).