Newsy.co

Metasploit Weekly Wrap-Up

VMware Workspace ONE Access exploit chain

Metasploit Weekly Wrap-Up

A new module contributed by jheysel-r7 exploits two vulnerabilities in VMware Workspace ONE Access to attain Remote Code Execution as the horizon user.
First being CVE-2022-22956, which is an authentication bypass and the second being a JDBC injection in the form of CVE-2022-22957 ultimately granting us RCE.
The module will seamlessly chain these two vulnerabilities together, simplifying the whole process.

More speeeeeeed!

Our own adfoster-r7 has added caching to Ruby's loadpath logic with the help of bootsnap to improve the bootup performance of Metasploit.
On the hardware we tested we were getting an average of 2-3 seconds reduced time to boot which is a really nice quality of life improvement.

New module content (3)

VMware Workspace ONE Access VMSA-2022-0011 exploit chain

Authors: jheysel-r7 and mr_me
Type: Exploit
Pull request: #17854 contributed by jheysel-r7
AttackerKB reference: CVE-2022-22957, CVE-2022-22956

Description: This PR adds an exploit chaining CVE-2022-22956 and CVE-2022-22957 to gain code execution as the horizon user on VMWare Workspace One Access. The first vulnerability, CVE-2022-22956, is an authentication bypass in OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability, CVE-2022-22957, is a JDBC injection RCE specifically in the DBConnectionCheckController class's dbCheck method which allows an attacker to deserialize arbitrary Java objects which can allow remote code execution.

VMware Workspace ONE Access CVE-2022-22960

Authors: jheysel-r7 and mr_me
Type: Exploit
Pull request: #17874 contributed by jheysel-r7
AttackerKB reference: CVE-2022-22960

Description: This PR adds an exploit module targeting CVE-2022-22960, which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their privileges to root access.

SPIP form PHP Injection

Authors: Julien Voisin, Laluka, and coiffeur
Type: Exploit
Pull request: #17711 contributed by jvoisin
AttackerKB reference: CVE-2023-27372

Description: This module exploits a PHP code injection in SPIP. The vulnerability exists in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.

Enhancements and features (4)

  • #17809 from adfoster-r7 - Adds caching to Ruby's load path logic to improve the bootup performance of msfconsole on startup, averaging 2-3 seconds faster boot time on the tested hardware.
  • #17820 from manishkumarr1017 - This PR fixes the Nagios XI authenticated modules to work with even when autocheck is disabled as well as refactors reusable code.
  • #17884 from adfoster-r7 - Adds database migration validation before attempting to run the test suite. Users who have not migrated their local test database will be notified of the steps required to resolve this issue.
  • #17892 from h00die - Adds additional documentation for the exploit/windows/misc/unified_remote_rce module.

Bugs fixed (7)

  • #17873 from zgoldman-r7 - Updates the scanner/ftp/ftp_login module to ensure that opened connections are correctly closed after attempting to log in. Additionally, this fixes a bug where the FTPTimeout option was being ignored after being set by a user.
  • #17882 from zeroSteiner - A bug has been fixed in the getsystem command where getsystem techniques 5 and 6 were crashing sessions on Windows 11 22H2. Additionally, Python Windows Meterpreter payloads have been updated to include memory lock/unlock abilities.
  • #17883 from adfoster-r7 - Fixes a crash when running the modules/auxiliary/scanner/lotus/lotus_domino_hashes module and the database is not active.
  • #17888 from bcoles - Fixes a crash when running the help setg command in msfconsole.
  • #17893 from h00die - Updates the documentation for the modules/exploit/linux/local/asan_suid_executable_priv_esc module to be in the correct location.
  • #17907 from jheysel-r7 - Fixes a crash when running the exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain.rb module.
  • #17909 from adfoster-r7 - Fixes a Windows7 Meterpreter crash when in debug mode.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

  • Pull Requests 6.3.12...6.3.13
  • Full diff 6.3.12...6.3.13

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).