CVE-2017-16995 is a Linux kernel vulnerability in the way that a Berkeley Packet Filter (BPF) program is verified. Multiple sign extension bugs allow memory corruption by unprivileged users, which could be used for a local privilege escalation attack by overwriting a credential structure in memory to gain root access on a compromised host. The bpf_sign_extension_priv_esc module uses C exploit code written by rlarabee to perform the privilege escalation.
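To make the "sign extension bug" concrete, here is a simplified model (an added example, not kernel or module code) of one of the CVE-2017-16995 defects: the eBPF runtime zero-extends the result of a 32-bit MOV of an immediate, while the pre-fix verifier recorded the immediate as a signed 64-bit constant, so its bounds reasoning about the register diverged from the value actually present at run time. The buffer size and the follow-up 64-bit add are constructed here to show the consequence; the masking in the fixed variant mirrors the upstream fix to the verifier's check_alu_op().

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Runtime semantics of a 32-bit ALU op: write the low 32 bits and zero-extend. */
uint64_t runtime_mov32(int32_t imm) {
    return (uint64_t)(uint32_t)imm;          /* 0xFFFFFFFF for imm = -1 */
}

/* Pre-fix verifier belief: the 32-bit immediate taken as a signed 64-bit constant. */
uint64_t buggy_verifier_mov32(int32_t imm) {
    return (uint64_t)(int64_t)imm;           /* 0xFFFFFFFFFFFFFFFF for imm = -1 */
}

/* Fixed verifier: mask the immediate to 32 bits for the 32-bit ALU class, which
 * makes the verifier's model agree with the runtime again. */
uint64_t fixed_verifier_mov32(int32_t imm) {
    return (uint64_t)(uint32_t)imm;
}

/* Constructed scenario: after the MOV, a 64-bit "add rX, 1" is applied and the
 * result is used as an offset into a buffer of `size` bytes. Returns 1 when the
 * verifier would consider the offset safe while the runtime offset is out of
 * bounds, i.e. when the verifier's model no longer protects memory. */
int verifier_misjudges_bounds(uint64_t (*verifier)(int32_t), int32_t imm, uint64_t size) {
    uint64_t believed = verifier(imm) + 1;   /* verifier's tracked value after ALU64 add */
    uint64_t actual   = runtime_mov32(imm) + 1;
    return (believed < size) && (actual >= size);
}

int main(void) {
    int32_t imm = -1;
    printf("imm=%" PRId32 " runtime=0x%" PRIx64 " buggy=0x%" PRIx64 " fixed=0x%" PRIx64 "\n",
           imm, runtime_mov32(imm), buggy_verifier_mov32(imm), fixed_verifier_mov32(imm));
    printf("buggy verifier misjudges 64-byte bounds: %d\n",
           verifier_misjudges_bounds(buggy_verifier_mov32, imm, 64));
    printf("fixed verifier misjudges 64-byte bounds: %d\n",
           verifier_misjudges_bounds(fixed_verifier_mov32, imm, 64));
    return 0;
}
```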
The way debug exceptions are handled after a MOV SS or POP SS instruction can lead to a privilege escalation vulnerability in certain Windows kernels. bwatters-r7 created a module in Framework that uses a compiled version of can1357's exploit to gain SYSTEM access on vulnerable 64-bit Windows hosts. Because the CVE is recent, the exploit works with several modern releases of Windows 10 x64. If you would like to dig more into how this exploit works and see how brilliant older features can sometimes have unexpected effects on current software, check out can1357's blog post about it.
Open Source Security Meetup (OSSM): Vegas 2018
Like open source security? Want to take a break from corporate events at hacker summer camp to share projects and chat in a low-key environment? Stop by the fourth annual Open Source Security Meetup (OSSM) in Vegas from 4-6 PM August 9. There are no formal presentations this year (true meetup-style), but if you’re an open source security dev with a project you want to discuss, let us know here.
Exploit modules (5 new)
- Hadoop YARN ResourceManager Unauthenticated Command Execution by Green-m and cbmixx
- QNAP Q'Center change_passwd Command Execution by Brendan Coles and Ivan Huertas, which exploits CVE-2018-0707
- Linux BPF Sign Extension Local Privilege Escalation by Jann Horn, bcoles, bleidl, h00die, rlarabee, and vnik, which exploits CVE-2017-16995
- Nanopool Claymore Dual Miner APIs RCE by phra and reversebrain, which exploits CVE-2018-1000049
- Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability by Can Bölük, Nemanja Mulasmajic, Nick Peterson, and bwatters-r7, which exploits CVE-2018-8897
- Support has been added for running external modules at the command line by acammack-r7.
- Authentication has been added to the data services REST API endpoints by mkienow-r7.
- bcoles added HTTP POST and Basic authentication support to the password sniffer psnuffle.
- wvu-r7 improved bind handler to wait until an exploit has completed before attempting to connect to the remote host.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.