Headlining the release today is a new exploit module by jheysel-r7 that chains two vulnerabilities to target Magento/Adobe Commerce systems: the first, CVE-2024-34102, is an arbitrary file read used to determine the version and layout of the glibc library, and the second, CVE-2024-2961, is a single-byte buffer overflow, and it is impressive what can be done with a single byte. By creating an intricate heap layout through specific memory allocation calls in PHP, an attacker can groom the heap contents in such a way that they can use the single-byte overflow to change a flag in the custom_heap structure, which then results in a system call containing arbitrary data.
Authors: Charles Fol, Heyder, Sergey Temnikov, and jheysel-r7
Type: Exploit
Pull request: #19544 contributed by jheysel-r7
Path: linux/http/magento_xxe_to_glibc_buf_overflow
AttackerKB reference: CVE-2024-34102
Description: Adds a new module exploit/linux/http/magento_xxe_to_glibc_buf_overflow which uses a combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961) to gain unauthenticated Remote Code Execution on multiple versions of Magento and Adobe Commerce, including versions less than 2.4.6-p5.
post/windows/gather/enum_unattend.rb module to now include checks for '.vmimport' files, which may have been created by the AWS EC2 VMIE service and which will contain cleartext credentials.
UPDATE action of admin/ldap/ad_cs_cert_template
shell command with a Meterpreter session.

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.