Clone your way to code execution

We’ve had a busy week bringing you exploits, features, enhancements, and fixes. Exploit modules for Git and elFinder lead the pack this week, alongside an information disclosure against Jira and a post-exploitation module targeting Geutebruck white-labelled cameras to freeze them like every movie ever!

Git push upstream git-lfs:payload

Our own Jack Heysel and Shelby Pace had some fun creating an exploit module targeting Git (via git-lfs), for a vulnerability originally discovered by Dawid Golunski. The exploit requires a user to clone an infected GitHub repository to gain remote code execution, and before you ask, we promise it is safe to clone ours.

Jira users

Brian Halbach and Mikhail Klyuchnikov sent us a nice module exploiting CVE-2020-14181 to get a list of Jira users, giving the social engineers among us more targets and login scanners more data. Unfortunately, it does not track my tickets and keep them up to date.

New module content (4)

  • Jira Users Enumeration by Brian Halbach and Mikhail Klyuchnikov, which exploits CVE-2020-14181 - This obtains user names on Jira Server by exploiting an information disclosure vulnerability that exists at the /ViewUserHover.jspa endpoint.
  • elFinder Archive Command Injection by Shelby Pace and Thomas Chauchefoin, which exploits CVE-2021-32682 - This adds an exploit for CVE-2021-32682, an unauthenticated RCE in the elFinder PHP application. The vulnerability is due to a flaw that allows a malicious argument to be passed to the zip command when an archive action is performed.
  • Git Remote Code Execution via git-lfs (CVE-2020-27955) by Dawid Golunski, jheysel-r7, and space-r7, which exploits CVE-2020-27955 - This adds an exploit for CVE-2020-27955, a vulnerability in the Git version control system. The module can be used to execute code in the context of a user who can be convinced to clone a malicious repository.
  • Geutebruck Camera Deface by Ibrahim Ayadhi and Sébastien Charbonnier - A new post-exploitation module has been added which, given a session on a Geutebruck camera shell, allows one to freeze the current display stream, replace it with a static image, or restore it so that it shows the live feed from the camera again.
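The Jira module above works by repeatedly requesting the /ViewUserHover.jspa endpoint, so on the defending side the most useful signal is a burst of requests to that path from one source. The following is an added example, not code from the wrap-up or from the Metasploit module: it scans access-log lines for that endpoint and reports sources that hit it repeatedly within a short window. The combined log format, the one-minute window, the threshold of five requests, and the sample log lines are all assumptions constructed for the example; the page does not state which query parameter the module varies, so distinct query strings are counted rather than a named parameter.

```python
"""Flag possible Jira user enumeration via /ViewUserHover.jspa.

Added example (not part of the Metasploit wrap-up or its modules). It scans
web-server access-log lines for the endpoint named in the CVE-2020-14181
module description and reports sources that request it repeatedly within a
short window. Log format, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (assumed); only the fields the check uses are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGET = "/ViewUserHover.jspa"  # endpoint named in the module description


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    return {
        "src": m["src"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": path,
        "query": query,
        "status": int(m["status"]),
    }


def find_enumeration(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {src: (total_hits, distinct_queries)} for every source whose
    requests to TARGET reach `threshold` inside any `window`-long span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == TARGET:
            hits[rec["src"]].append(rec)

    alerts = {}
    for src, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window over the sorted timestamps: find the densest span.
        start, densest = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            distinct = {r["query"] for r in recs}
            alerts[src] = (len(recs), len(distinct))
    return alerts


# Constructed sample log: one source probing six names in five seconds,
# another source making a single unrelated request plus one hover lookup.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Sep/2021:10:00:00 +0000] "GET /ViewUserHover.jspa?username=alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Sep/2021:10:00:01 +0000] "GET /ViewUserHover.jspa?username=bob HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Sep/2021:10:00:02 +0000] "GET /ViewUserHover.jspa?username=carol HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Sep/2021:10:00:03 +0000] "GET /ViewUserHover.jspa?username=dave HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Sep/2021:10:00:04 +0000] "GET /ViewUserHover.jspa?username=erin HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Sep/2021:10:00:05 +0000] "GET /ViewUserHover.jspa?username=frank HTTP/1.1" 200 512',
    '198.51.100.4 - - [20/Sep/2021:10:01:00 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 4096',
    '198.51.100.4 - - [20/Sep/2021:10:03:00 +0000] "GET /ViewUserHover.jspa?username=bob HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, (total, distinct) in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {total} hover requests, {distinct} distinct queries")
```

Pointing `find_enumeration` at a real log means only swapping `SAMPLE_LOG` for the file's lines and, if the server uses a different log format, adjusting `LOG_RE`; the threshold is deliberately low so that a handful of lookups from a single address stands out, which is fine for Jira instances where ordinary users rarely hover over many names in a minute.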

Enhancements and features

  • #15609 from adfoster-r7 - Adds additional metadata to exploit modules to specify Meterpreter command requirements. This information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn't support the required command functionality.
  • #15674 from digininja - Updates the Apache Tomcat Ghostcat module to correctly handle a larger range of possible success status codes when verifying whether the module has succeeded.

Bugs fixed

  • #15667 from bwatters-r7 - Fix powershell_reverse_tcp file operations and update the file operations test module

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).