Security is hard
I usually focus exclusively on the Metasploit Framework here on these wrapups, but this week is a little special. This week the Metasploit commercial products (Pro, Express, and Community) come with a fix for a couple of vulnerabilities. You heard that right, remotely exploitable vulns in Metasploit. Our lovely engineering manager, Brent Cook, helpfully wrote up the details yesterday.
TL;DR - Three bugs, two of which work together: 1) the filter restricting the creation of the first admin account to localhost was broken. As has always been the case, having an admin account on Metasploit lets you run commands on the server. And 2) the randomly generated session key got stepped on by a static one whenever updates were applied, so the same key was used for every Metasploit installation. Because of 3) session cookies are serialized Ruby, so that's code exec, too.
Security is hard and even experts like us screw it up sometimes. But in true Metasploit fashion, we're not content to just patch the vuln. There is currently a Pull Request in review that will get you shells on Metasploit if you know credentials. Since it's Authenticated Code Execution by Design, it will work even without this vulnerability as long as you can steal a username and password. Expect that to land soon and be in the next wrapup. And while you're waiting, go double check to make sure you did the initial account setup on your Metasploit installs.
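To make the two cooperating bugs in the TL;DR concrete, here is an added Ruby sketch. It is not Metasploit's code and not the shape of the actual fix; the function names, the Rack-style REMOTE_ADDR lookup, and the HMAC-SHA256-over-JSON cookie format are all assumptions made for the example. It shows (a) a "localhost only" decision made on the real socket peer rather than on client-supplied forwarded headers, (b) why a per-install random secret matters: a cookie minted under a static secret shared by every install verifies on any of them, and (c) a session payload that deserializes to plain data instead of arbitrary Ruby objects.

```ruby
require 'openssl'
require 'securerandom'
require 'json'
require 'base64'
require 'ipaddr'

# --- Bug 1: decide "localhost only" on the real TCP peer -------------------
# Rack-style env hash (assumed). REMOTE_ADDR is the socket peer as the server
# sees it. X-Forwarded-For and friends are client-supplied, so they are
# deliberately never consulted here.
LOOPBACK_NETS = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1')].freeze

def local_request?(env)
  addr = env['REMOTE_ADDR'].to_s.sub(/\A::ffff:/i, '') # unwrap IPv4-mapped IPv6
  return false if addr.empty?
  ip = IPAddr.new(addr)
  LOOPBACK_NETS.any? { |net| net.include?(ip) }
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

# --- Bug 2: the secret must be unique per installation ---------------------
# Generated once at install time and stored outside the code tree, so that a
# package update cannot replace it with a static value.
def generate_session_secret
  SecureRandom.hex(32)
end

# --- Bug 3: serialize sessions as data, not as Ruby objects -----------------
# JSON.parse only ever builds strings, numbers, booleans, arrays and hashes;
# Marshal.load of an attacker-chosen blob can instantiate arbitrary classes.
def encode_session(data, secret)
  payload = Base64.strict_encode64(JSON.generate(data))
  mac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, payload)
  "#{payload}--#{mac}"
end

def decode_session(cookie, secret)
  payload, mac = cookie.to_s.split('--', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, payload)
  return nil unless secure_compare(mac, expected)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Constant-time comparison so MAC checking does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A cookie minted on an install using secret_a is accepted by an install
# using secret_b only when the two secrets are the same.
def cookie_transfers?(secret_a, secret_b)
  cookie = encode_session({ 'user_id' => 1, 'admin' => true }, secret_a)
  !decode_session(cookie, secret_b).nil?
end

# Editing the payload without knowing the secret invalidates the MAC.
def tamper_detected?(secret)
  cookie = encode_session({ 'user_id' => 1 }, secret)
  _payload, mac = cookie.split('--', 2)
  forged = Base64.strict_encode64(JSON.generate('user_id' => 1, 'admin' => true))
  decode_session("#{forged}--#{mac}", secret).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "loopback peer:            #{local_request?('REMOTE_ADDR' => '127.0.0.1')}"
  puts "forwarded header ignored: #{local_request?('REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1')}"
  puts "static secret transfers:  #{cookie_transfers?('static-key', 'static-key')}"
  puts "random secrets transfer:  #{cookie_transfers?(generate_session_secret, generate_session_secret)}"
  puts "tamper detected:          #{tamper_detected?(generate_session_secret)}"
end
```

The useful check to carry away is the second one: if your reverse proxy is the only thing that should be trusted to set forwarded headers, the loopback decision still has to be made on the address the proxy connects from, and if every installation ends up with the same secret, "signed" cookies protect nothing.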
It's a bit of a hassle if a download gets interrupted, especially if the file is large. Thanks to first-time contributor cayee, you can now continue an interrupted download with Meterpreter's new
We've been pumping out better documentation for individual modules for a few months now, since the introduction of info -d, which gives you nice pretty markdown.
If you have wanted to contribute but didn't know what you wanted to work on, this is a great place to get started. Check out the Module Documentation milestone for a list of the modules we think are the highest priority. Github won't let you assign a ticket to someone who isn't part of the Metasploit organization, so leave a comment on one of those issues to claim it so others don't duplicate your work.
Exploit modules (1 new)
Auxiliary and post modules (4 new)
- Zabbix toggle_ids SQL Injection by 1n3 and bperry
- Octopus Deploy Login Utility by James Otten
- OWA Exchange Web Services (EWS) Login Scanner by Rich Whitcroft
- Windows Gather MDaemonEmailServer Credential Cracking by Manuel Nader exploits BID-4686
As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.22...4.12.25