Newsy.co

Metasploit Weekly Wrap-Up

Taking a stroll down memory lane (Tomcat Init Script Privilege Escalation)

Metasploit Weekly Wrap-Up

Do you remember the issue with Tomcat init script that was originally discovered by Dawid Golunski back in 2016 that led to privilege escalation? This week's Metasploit release includes an exploit module for CVE-2016-1240 by h00die. This vulnerability allows any local users who already have tomcat accounts to perform privilege escalation and gain access to a target system as a root user. This exploit can be used against the following tomcat versions Tomcat 8 (8.0.36-2), Tomcat 7 (7.0.70-2) and Tomcat 6 (6.0.45+dfsg-1~deb8u1).

Lenovo Diagnostics Driver IOCTL memmove

Our own Jack Heysel contributed an exploit module for CVE-2022-3699 using the proof of concept created by alfarom256. A vulnerability within Lenovo Diagnostics Driver due to incorrect access control allows low-privileged users to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.

New module content (8)

Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Execution

Author: Matthew Mathur
Type: Exploit
Pull request: #17494 contributed by k0pak4
AttackerKB reference: CVE-2021-25298

Description: A new authenticated RCE module for NagiosXI has been added which exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 to get a shell as the apache user on NagiosXI devices running version 5.5.6 to 5.7.5 inclusive.

F5 Big-IP Create Admin User

Author: Ron Bowes
Type: Exploit
Pull request: #17392 contributed by rbowes-r7

Description: This PR adds a privilege escalation module for F5 that uses the unsecured MCP socket to create a new root account.

Apache Tomcat on Ubuntu Log Init Privilege Escalation

Authors: Dawid Golunski and h00die
Type: Exploit
Pull request: #17483 contributed by h00die
AttackerKB reference: CVE-2016-1240

Description: Adds a new exploit/linux/local/tomcat_ubuntu_log_init_priv_esc module for CVE-2016-1240 targetting Tomcat (6, 7, 8). By default repositories on Debian-based distributions (including Debian, Ubuntu etc.) provide a vulnerable tomcat init script that allows local attackers who have already gained access to the tomcat account (for example, by exploiting an RCE vulnerability in a java web application hosted on Tomcat, uploading a webshell etc.) to escalate their privileges from tomcat user to root and fully compromise the target system.

Fortra GoAnywhere MFT Unsafe Deserialization RCE

Author: Ron Bowes
Type: Exploit
Pull request: #17607 contributed by rbowes-r7
AttackerKB reference: CVE-2023-0669

Description: This PR adds a module that exploits CVE-2023-0669, which is an object deserialization vulnerability in Fortra GoAnywhere MFT.

ManageEngine ADSelfService Plus Unauthenticated SAML RCE

Authors: Christophe De La Fuente, Khoa Dinh, and horizon3ai
Type: Exploit
Pull request: #17556 contributed by cdelafuente-r7
AttackerKB reference: CVE-2022-47966

Description: This PR adds an exploit that uses an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ADSelfService Plus versions 6210 and below (https://github.com/advisories/GHSA-4w3v-83v8-mg94).

ManageEngine ServiceDesk Plus Unauthenticated SAML RCE

Authors: Christophe De La Fuente, Khoa Dinh, and horizon3ai
Type: Exploit
Pull request: #17527 contributed by cdelafuente-r7
AttackerKB reference: CVE-2022-47966

Description: This adds an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below. (https://github.com/advisories/GHSA-4w3v-83v8-mg94).

ManageEngine Endpoint Central Unauthenticated SAML RCE

Authors: Christophe De La Fuente, Khoa Dinh, h00die-gr3y, and horizon3ai
Type: Exploit
Pull request: #17567 contributed by h00die-gr3y
AttackerKB reference: CVE-2022-47966

Description: This adds an exploit targeting CVE-2022-47966, an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below. See https://github.com/advisories/GHSA-mqq7-v29v-25f6 and ManageEngine security advisory.

Lenovo Diagnostics Driver IOCTL memmove

Authors: alfarom256 and jheysel-r7
Type: Exploit
Pull request: #17371 contributed by jheysel-r7
AttackerKB reference: CVE-2022-3699

Description: This PR adds a module that makes use of incorrect access control for the Lenovo Diagnostics Driver allowing a low-privileged user the ability to issue device IOCTLs to perform arbitrary physical/virtual memory read/write.

Enhancements and features (3)

  • #17597 from bcoles - Fix notes for SideEffects and Reliability in the auxiliary/dos/mirageos/qubes_mirage_firewall_dos module.
  • #17603 from dwelch-r7 - Updates admin/kerberos/inspect_ticket to show the UPN and DNS Information within a decrypted PAC.
  • #17615 from adfoster-r7 - Adds missing module notes for stability, reliability, and side effects to several modules.

Bugs fixed (2)

  • #17591 from zeroSteiner - A bug has been fixed in metasm_shell and nasm_shell whereby the shells were using readline but the dependency wasn't correctly imported. This has since been fixed and improved validation has been added.
  • #17592 from zeroSteiner - A bug has been fixed in the bypassuac_injection_winsxs module whereby a string was not properly being treated as being NULL terminated. Additionally, the definitions of the FindFirstFileA and FindFirstFileW functions have been corrected so that they work on x64 systems.

Documentation added (3)

  • #17398 from bwatters-r7 - Adds additional details on using command stagers.
  • #17587 from adfoster-r7 - This PR updates docs.metasploit.com to use the latest ruby conventions.
  • #17595 from mkonda - Updates the documentation on debugging dead Meterpreter sessions to use the correct option name ReverseListenerBindAddress.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

  • Pull Requests 6.3.1...6.3.2
  • Full diff 6.3.1...6.3.2

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).