Last updated at Fri, 27 Oct 2023 16:49:53 GMT
That Privilege Escalation Escalated Quickly
This release features a module leveraging CVE-2023-22515, a vulnerability in Atlassian’s on-premises Confluence Server that was first listed as a privilege escalation but quickly recategorized as “broken access control” with a CVSS score of 10. The exploit itself is simple and easy to use, so there was little surprise when CISA published an advisory stating that threat actors were exploiting it in the wild. Anyone running the affected versions should mitigate the risk and patch as quickly as possible.
Improved sessions searching
This release enhances the sessions command with additional search filters, for instance:
```
# Return all sessions that have a session id of 1 or 5
sessions -S 'session_id:1 session_id:5'

# Return all sessions that have a session_type equal to meterpreter
sessions -S 'session_type:meterpreter'

# Return all sessions that last checked in more than 1 hour 10 minutes ago and less than 2 hours ago
sessions -S 'last_checkin:greater_than:1h10m last_checkin:less_than:2h'
```
These search options can be used in conjunction with other session options, for instance the `-v` verbose flag:
```
msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -v

Active sessions
===============

  Session ID: 8
        Name:
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50564 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 4d78f75abbdbf0c8/x86=1/windows=1/2023-10-19T19:44:23Z
     CheckIn: 18003s ago @ 2023-10-19 15:45:30 +0100
  Registered: No

  Session ID: 9
        Name:
        Type: meterpreter windows
        Info: NT AUTHORITY\SYSTEM @ WINDEV
      Tunnel: 192.168.123.1:4444 -> 192.168.123.132:50565 (192.168.123.132)
         Via: exploit/windows/smb/psexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 48d32692e0633293/x86=1/windows=1/2023-10-19T19:44:23Z
     CheckIn: 10803s ago @ 2023-10-19 17:45:30 +0100
  Registered: No
```
Or, as an easy way to find and kill matching stale sessions, with the `-K` flag:
```
msf6 exploit(windows/smb/psexec) > sessions -S 'last_checkin:greater_than:2h30m' -K
[*] Killing matching sessions...

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  4         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV  192.168.123.1:4444 -> 192.168.123.132:50540 (192.168.123.132)
  5         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ WINDEV  192.168.123.1:4444 -> 192.168.123.132:50555 (192.168.123.132)

[*] 192.168.123.132 - Meterpreter session 4 closed.
[*] 192.168.123.132 - Meterpreter session 5 closed.
```
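To make the filter syntax above concrete, here is an added Ruby example (not code from the Metasploit project) that parses `sessions -S` filter strings and applies them to constructed session records. It assumes semantics the release notes only partly state: repeated `session_id` and `session_type` terms are OR'd (as the "1 or 5" example implies), `last_checkin` terms are AND'd so that `greater_than` plus `less_than` form a range, and different keys are AND'd. The `Session` struct, the helper names and the sample data are all invented for this illustration.

```ruby
# Added example, not Metasploit's own code: a small parser and matcher for the
# `sessions -S` filter syntax, run against constructed session records.
# Assumed semantics: repeated session_id/session_type terms are OR'd,
# last_checkin terms are AND'd (greater_than + less_than = a range), and
# different keys are AND'd.

Session = Struct.new(:id, :type, :last_checkin, keyword_init: true)

DURATION_UNITS = { 'd' => 86_400, 'h' => 3_600, 'm' => 60, 's' => 1 }.freeze
LAST_CHECKIN_OPS = %w[greater_than less_than].freeze

# "1h10m" -> 4200, "2h30m" -> 9000, "90s" -> 90. Anything else is rejected.
def parse_duration(str)
  raise ArgumentError, "bad duration: #{str.inspect}" unless str.match?(/\A(\d+[dhms])+\z/)
  str.scan(/(\d+)([dhms])/).sum { |n, unit| Integer(n) * DURATION_UNITS[unit] }
end

# "session_id:1 session_id:5 last_checkin:greater_than:1h10m" becomes
# { "session_id" => [1, 5], "last_checkin" => [["greater_than", 4200]] }.
def parse_session_filter(filter)
  terms = Hash.new { |h, k| h[k] = [] }
  filter.split.each do |term|
    key, rest = term.split(':', 2)
    raise ArgumentError, "malformed term: #{term.inspect}" if rest.nil? || rest.empty?
    case key
    when 'session_id'
      terms[key] << Integer(rest) # raises on a non-numeric id
    when 'session_type'
      terms[key] << rest
    when 'last_checkin'
      op, duration = rest.split(':', 2)
      unless LAST_CHECKIN_OPS.include?(op) && duration
        raise ArgumentError, "bad last_checkin term: #{term.inspect}"
      end
      terms[key] << [op, parse_duration(duration)]
    else
      raise ArgumentError, "unknown filter key: #{key.inspect}"
    end
  end
  terms
end

# True when the session satisfies every key in the parsed filter.
def session_matches?(session, terms, now:)
  age = now - session.last_checkin # seconds since the session last checked in
  terms.all? do |key, values|
    case key
    when 'session_id'   then values.include?(session.id)
    when 'session_type' then values.include?(session.type)
    when 'last_checkin'
      values.all? { |op, secs| op == 'greater_than' ? age > secs : age < secs }
    end
  end
end

# Ids of the sessions matching the filter, in their original order.
def filter_session_ids(sessions, filter, now:)
  terms = parse_session_filter(filter)
  sessions.select { |s| session_matches?(s, terms, now: now) }.map(&:id)
end

# Constructed sample data: check-in ages of 30s, 5h00m03s, 3h00m03s and 1h30m
# relative to a fixed "now", so the results are reproducible.
NOW = Time.utc(2023, 10, 19, 20, 45, 30)
SAMPLE_SESSIONS = [
  Session.new(id: 1, type: 'meterpreter', last_checkin: NOW - 30),
  Session.new(id: 4, type: 'meterpreter', last_checkin: NOW - 18_003),
  Session.new(id: 5, type: 'shell',       last_checkin: NOW - 10_803),
  Session.new(id: 8, type: 'meterpreter', last_checkin: NOW - 5_400)
].freeze

if __FILE__ == $PROGRAM_NAME
  [
    'session_id:1 session_id:5',
    'session_type:meterpreter',
    'last_checkin:greater_than:1h10m last_checkin:less_than:2h',
    'session_type:meterpreter last_checkin:greater_than:2h30m'
  ].each do |f|
    puts "#{f.ljust(58)} => #{filter_session_ids(SAMPLE_SESSIONS, f, now: NOW).inspect}"
  end
end
```

The parser rejects unknown keys, non-numeric ids and malformed durations rather than silently matching nothing, which is the behaviour you want before a filter is combined with a destructive flag such as `-K`.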
New module content (2)
Apache Superset Signed Cookie RCE
Description: This adds an exploit for CVE-2023-37941, an authenticated RCE in Apache Superset.
Atlassian Confluence Unauthenticated Remote Code Execution
Description: This adds an exploit module that leverages an improper input validation issue in Atlassian Confluence versions 8.0.0 through 8.3.2, 8.4.0 through 8.4.2, and 8.5.0 through 8.5.1. This vulnerability is identified as CVE-2023-22515 and allows unauthenticated remote code execution. The module first creates a new administrator by abusing the embedded XWorks2 middleware, then uploads a malicious plugin to get code execution. Note that the module is currently not able to delete the administrator account it created; this requires manual clean-up.
Enhancements and features (7)
- #17689 from manishkumarr1017 - Adds an additional column to the `creds` command to show any cracked passwords that have been created by the `auxiliary/analyze/crack_databases` module or similar.
- #18364 from zgoldman-r7 - Add support for filtering sessions based on last checkin time, session type and id.
- #18381 from sjanusz-r7 - Adds a new option to the `rerun` commands. This option reloads all library files before performing the original command.
- #18428 from AleksaZatezalo - This PR adds documentation for the mssql_login module.
- #18438 from adfoster-r7 - Makes improvements to the UX for database management prompts. Now when running `msfdb init` the user is no longer prompted for database deletion. The message for clearing unused data service credentials has been reworded.
- #18450 from adfoster-r7 - Adds support for Ruby 3.3.0-preview2.
- #18451 from adfoster-r7 - Updates the newly added cracked password column of the `creds` command to work with the remote database.
Bugs fixed (3)
- #18442 from adfoster-r7 - Improves stability of msfdb initialization on Windows environments. Previously the msfdb init script would hang indefinitely on Windows, and detection of whether the database was running produced false negatives.
- #18443 from adfoster-r7 - Adds a fix for the `handler/reverse_ssh` module, which was returning warnings when msfconsole was booted on a Windows machine.
- #18449 from adfoster-r7 - Fixes an issue with the `scanner/mysql/mysql_authbypass_hashdump` module so that it now correctly closes sockets.
Documentation added (1)
- #18452 from jheysel-r7 - Updates the Metasploit Wiki to include information on how to run quality tools on module documentation.
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a `git` user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).