Las Vegas 2016 is in The Books
This week's wrap-up actually covers two weeks thanks in large part to the yearly pilgrimage to Las Vegas. I myself elected not to attend, but I'm told everyone had a great time. Many on the team are still recuperating, but I'd wager that they all enjoyed seeing you there as well. Here's to everyone's speedy recovery.
Centreon Web UserAlias Command Execution
Our first new module this go-around exploits a remote command execution vulnerability in Centreon Web via a pre-auth SQL injection. The bug, originally discovered by Nicolas Chatelain, is detailed in a nice writeup here: https://www.exploit-db.com/exploits/39501/. The short version is that they don't escape "", they call 'echo' via exec(), and very bad things happen. Luckily the bug was promptly fixed in late 2014 and doesn't affect current versions, but, if for some reason you haven't updated by now, you should probably look into it.
Polycom Command Shell Authorization Bypass
Next, we have a module that managed to slip through the cracks for about 4 years now. Sorry. It targets an authorization bypass vulnerability in older firmware releases for the Polycom HDX line of video conferencing endpoints. The original vulnerability discovery was made by Paul Haas in 2012 and publicly disclosed in January of 2013. You can check out his original advisory here https://www.exploit-db.com/exploits/24494/. Paul released a module at the time, but for some reason it wasn't incorporated into Metasploit Framework. That's all changed thanks to h00die, who has ported the module to work with newer versions of the framework. While bugs this old are often not that exciting, it's reasonable to assume that firmware for video equipment may be one of the last things on the mind of many IT administrators when considering a maintenance strategy for their organization, making this one a bit more interesting.
Drupal RESTWS Moule Remote PHP Code Execution
In other SQL injection news, we recently landed a module by Mehmet Ince targeting a remote code execution vulnerability in the Drupal 7.x RESTWS Module. RESTWS versions below 2.6 in the 2.x series and 1.7 in the 1.x series are affected by the issue. Despite resulting in arbitrary code execution on any host running the affect module, the bug is fairly simple, and exploitation couldn't be easier thanks to Mehmet's module:
Internet Explorer 11 VBScript Memory Corruption
Last week, some jerk wrote a module for CVE-2016-0189, which exploits a memory corruption vulnerability within Internet EXplorer 11's VBScript engine. The module was based off the original PoC publicized by Theori, who provided an excellent writeup on their efforts reversing this interesting bug from patches here http://theori.io/research/cve-2016-0189. In a nutshell, the exploit leverages some logical errors into a write primitive and uses this to enable execution of arbitrary VBScript. While Internet Explorer 11 on Windows 10 isn't that popular, and VBScript is akin to a Lovecraftian horror that would drive one to insanity should they even contemplate it, vulnerabilities such as these are quite interesting to work with, especially given that mitigations against common browser exploit vectors such as Use-after-Free's continue to improve.
Utility Module Goodness
Our last two modules this week aren't exactly exploits, but they do provide some awesome auxiliary capabilities. For one, we landed an incredibly useful SMB Delivery module by Andrew Smith and Russel Van Tuyl. Hosting payloads via an SMB share is sometimes the best option available for delivery depending on the situation. In the past, authors have had to roll their own SMB functionality into their Metasploit modules. This module greatly simplifies that process. Finally, Robert Kugler submitted a module that lets one recover the installation password for recent versions of Avira Antivirus.