Chaining Vulnerabilities

Philip Pettersson discovered vulnerabilities in certain PAN OS versions that could lead to remote code execution and hdm wrote a Metasploit module for the exploit chain. The exploit chain starts off with an authentication bypass, which allows the module to access a page that is vulnerable to an XML injection. This page is then used to create a directory where a payload is stored. Finally, a cron job, vulnerable to command injection via a bug in its filename parsing, runs and the payload is executed.

RubySMB Integration Update

More RubySMB integration work has landed in Framework. The changes in the pull request allow a module author to decide whether or not to support SMBv2, which is implemented by the RubySMB client, by setting a versions parameter in the module. The use of RubySMB is not yet enforced across all modules, since some client updates and integrations are still being worked on. Currently, the smb/upload_file and smb/download_file modules use the RubySMB library and gain SMBv2 support from it. As other modules become ready, they can be switched over to RubySMB as well.

Improvements

  • William Vu created a Drupal mixin for Metasploit Framework by extracting the Drupal-specific checks from the drupal_drupalgeddon2 module. The new mixin should help future development of modules that target the Drupal platform, for which several new vulnerabilities have already surfaced.
  • clong updated the OSX keylog_recorder module to work with more recent versions of MacOS.
  • Also, a bug in the linux/x64/reverse_tcp payload that caused it to fail after entering its retry loop was fixed. The fix was pushed by timwr and the bug was originally identified by plestrin. The bug occurred when the payload's first connection attempt failed and a later retry then reached a listener.

New Modules

Exploit modules (5 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.