Newsy.co

Metasploit Weekly Wrap-Up

Scanner That Pulls Sensitive Information From Joomla Installations

Metasploit Weekly Wrap-Up

This week's Metasploit release includes a module for CVE-2023-23752 by h00die. Did you know about the improper API access vulnerability in Joomla installations, specifically Joomla versions between 4.0.0 and 4.2.7, inclusive? This vulnerability allows unauthenticated users access to web service endpoints which contain sensitive information such as user and config information. This module can be used to exploit the users and config/application endpoints.

No More Local Exploit Suggester Crashing Against Older Windows Targets

This week's Metasploit release includes a bug fix by our own adfoster-r7 addressing an issue related to the local exploit suggester crashing against older windows targets. This issue was tracked down to the bits_ntlm_token_impersonation module when it's checking the BITS/WinRM version via PowerShell. A patch has been added to prevent it crashing against older and newer Windows targets.

New module content (1)

Joomla API Improper Access Checks

Authors: Tianji Lab and h00die
Type: Auxiliary
Pull request: #17895 contributed by h00die
AttackerKB reference: CVE-2023-23752

Description: This adds a scanner that pulls user and config information from Joomla installations that permit access to endpoints containing sensitive information. This affects versions 4.0.0 through 4.2.7 inclusive.

Enhancements and features (3)

  • #17857 from steve-embling - This adds T3S support for the weblogic_deserialize_rawobject, weblogic_deserialize_marshalledobject, and weblogic_deserialize_badattr_extcomp exploit modules.
  • #17921 from bcoles - This add documentation for the module post/windows/gather/resolve_sid
  • #17941 from j-baines - Updates the exploits/linux/misc/zyxel_multiple_devices_zhttp_lan_rce module with CVE identifier CVE-2023-28769.

Bugs fixed (4)

  • #17912 from bwatters-r7 - Fixes a MinGW issue in the Meterpreter stdapi extension. The stdapi extension was using free() instead of FreeMibTable() to free memory allocated by GetIpForwardTable2() which led to a crash when compiled with MinGW.
  • #17913 from adfoster-r7 - Fixes a crash when running the local exploit suggester against older Windows targets.
  • #17914 from zeroSteiner - This fixes an issue where paths with trailing backslashes would wait for more input when passed to directory?() due to the " being escaped in the command testing for the existence of the path.
  • #17926 from bwatters-r7 - This fixes an issue with a railgun function definition that caused the post/windows/gather/resolve_sid module to fail on 64-bit systems. When the module failed, the session was lost.

Documentation added (2)

  • #17839 from cdelafuente-r7 - This improves Metasploit's documentation on the cleanup method for modules.
  • #17937 from adfoster-r7 - This fixes a formatting error due to a typo in the wiki page for setting up a Metasploit development environment.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

  • Pull Requests 6.3.13...6.3.14
  • Full diff 6.3.13...6.3.14

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).