Last updated at Wed, 17 Jan 2024 21:52:01 GMT

New module content (4)

Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control

Authors: Emir Polat and Unknown
Type: Auxiliary
Pull request: #18447 contributed by emirpolatt
Path: admin/http/atlassian_confluence_auth_bypass
AttackerKB reference: CVE-2023-22515

Description: This adds an exploit for CVE-2023-22515, which is an authentication bypass within Atlassian Confluence that enables a remote attacker to create a new administrator account.

VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure

Authors: Harsh Jaiswal (@rootxharsh), Rahul Maini (@iamnoooob), SinSinology, and h00die
Type: Exploit
Pull request: #18460 contributed by h00die
Path: linux/ssh/vmware_vrni_known_privkey

Description: This adds a new exploit module that leverages the fact that SSH keys on VMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0 are not randomized on initialization. It tries all the default SSH keys until one succeeds and gains unauthorized remote access as the "support" (root) user.

Splunk "edit_user" Capability Privilege Escalation

Authors: Heyder Andrade, Mr Hack (try_to_hack) Santiago Lopez, and Redway Security <redwaysecurity.com>
Type: Exploit
Pull request: #18348 contributed by heyder
Path: multi/http/splunk_privilege_escalation_cve_2023_32707

Description: This module exploits an authorization vulnerability in Splunk (CVE-2023-32707) that allows a low-privilege user holding the edit_user capability to take over the admin account, log in, and upload a malicious app, achieving remote code execution.

Add a new user to the system

Author: Nick Cottrell ncottrellweb@gmail.com
Type: Post
Pull request: #18194 contributed by rad10
Path: linux/manage/adduser

Description: This adds a post module that creates a new user on the target OS. It tries to use standard tools already available on the system, but it's also able to directly update the plaintext database files (/etc/passwd and /etc/shadow). This module requires root privileges.

Enhancements and features (4)

  • #18299 from zgoldman-r7 - Improves error messages for timeouts when interacting with a Meterpreter session. Previously an unclear error was printed. Now the user is notified how to increase the timeout limit.
  • #18421 from smashery - This adds the capability to store the TGT ticket in the MSF kerberos cache when a successful Kerberos login is received by the kerberos_login brute force module.
  • #18466 from nfsec - Updates the Docker entrypoint script to use getent instead of grep when detecting user/group details.
  • #18299 from h00die - This adds a db_stats command which gives the user information about how much data is in their database/workspace.

Bugs fixed (2)

  • #18400 from dwelch-r7 - This fixes an issue when searching for a Kerberos ticket and passing in the workspace. The workspace is now correctly used to query the database.
  • #18403 from cdelafuente-r7 - Fixes a potential bug with modules that register files for cleanup after a session opens. Previously, modules could accidentally mutate the registered file names, so the intended files were left behind on the remote system.

Documentation added (1)

  • #18470 from zgoldman-r7 - Adds a new Wiki page for session management, detailing how to search for sessions and how to kill stale sessions.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).