Last updated at Sat, 20 Jan 2024 22:29:28 GMT
Safari Proxy Object Type Confusion
Metasploit committer timwr recently added a macOS Safari RCE exploit module based on a solution that saelo developed and used successfully at Pwn2Own 2018. saelo's exploit is a three-bug chain: a Safari RCE (CVE-2018-4233), a sandbox escape (CVE-2018-4404), and a macOS LPE to kernel (CVE-2018-4237). This Metasploit module exploits CVE-2018-4233 and CVE-2018-4404. timwr also added a macOS LPE module that exploits CVE-2018-4237 back in November of this year.
Remote code execution is achieved by taking advantage of a bug in the WebKit directed flow graph (DFG) just-in-time (JIT) compiler. Using the JavaScript Proxy Object, it is possible to inject arbitrary code due to type confusion during the execution of the `CreateThis` operation. The macOS Safari exploit module uses this technique to inject shellcode that bootstraps the sandbox breakout stage by writing a `.dylib` to disk and loading it into the WebContent process via `dlopen()`. The loaded code then uses `launchd`'s `legacy_spawn` API to spawn a process that executes a malicious payload outside of the sandbox. The API fails to validate whether the caller is allowed to spawn such a process. Safari versions for macOS `10.12` through `10.13.3` are vulnerable.
Erlang Port Mapper Daemon Cookie RCE
wetw0rk added an Erlang RCE module based on an article written by Daniel Mende. This exploit targets the Erlang Port Mapper Daemon (EPMD), which is used to coordinate distributed Erlang nodes. An authentication cookie is used as a shared "secret password" between nodes. There is an implicit vulnerability in the fact that the cookie is a simple string and is usually stored in `~/.erlang.cookie`. By default, it is a random string of 20 characters from `[A-Z]`. If an attacker gains the cookie, then they can gain access to a process running on an Erlang node. RCE becomes trivial. The Erlang command `os:cmd('id').`, for example, can be run to execute the system `id` command.
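Because possession of the cookie string is all that stands between a remote node and `os:cmd/1`, the defensive question is how well that file is protected. The following is an added example written for this post, not code from the Metasploit module or from Daniel Mende's article: a small audit of an Erlang cookie file that flags the conditions a reviewer would care about (file missing, readable by group or other, empty, or shorter than the default 20 characters). The Erlang runtime itself refuses a cookie file that is not owner-only, so the `mode` finding mirrors that check; the `make_demo_file` helper and the 20-character minimum are assumptions made for the demonstration.

```python
"""Audit an Erlang distribution cookie file (added example, not from the module)."""
import os
import stat
import tempfile

# The default cookie generator emits 20 characters from [A-Z]; treat anything
# shorter as weak. This threshold is an assumption for the example.
MIN_COOKIE_LEN = 20
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def audit_cookie_file(path):
    """Return a list of (code, message) findings; an empty list means no issues."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [("missing", f"{path}: cookie file does not exist")]

    # Erlang's auth module halts if the cookie file is accessible by anyone
    # but its owner; flag the same condition here.
    mode = stat.S_IMODE(st.st_mode)
    if mode & GROUP_OTHER_BITS:
        findings.append(("mode", f"{path}: mode {mode:04o} is readable by group/other; expected 0400"))

    with open(path, "r", encoding="ascii", errors="replace") as fh:
        cookie = fh.read().strip()

    if not cookie:
        findings.append(("empty", f"{path}: cookie file is empty"))
        return findings

    if len(cookie) < MIN_COOKIE_LEN:
        findings.append(("short", f"{path}: cookie is {len(cookie)} characters; default is {MIN_COOKIE_LEN}"))

    return findings


def make_demo_file(cookie, mode):
    """Write a constructed cookie value to a temp file with the given mode (demo only)."""
    fd, path = tempfile.mkstemp(prefix="erlang_cookie_demo_")
    with os.fdopen(fd, "w") as fh:
        fh.write(cookie + "\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Audit the real file for the current user, then a few constructed cases.
    real = os.path.expanduser("~/.erlang.cookie")
    for code, msg in audit_cookie_file(real) or [("ok", f"{real}: no findings")]:
        print(f"[{code}] {msg}")

    demos = [
        make_demo_file("ABCDEFGHIJKLMNOPQRST", 0o400),  # default-style cookie, owner-only
        make_demo_file("ABCDEFGHIJKLMNOPQRST", 0o644),  # good cookie, bad permissions
        make_demo_file("secret", 0o400),                # owner-only but trivially short
    ]
    for p in demos:
        for code, msg in audit_cookie_file(p) or [("ok", f"{p}: no findings")]:
            print(f"[{code}] {msg}")
        os.unlink(p)
```

Run it as the account that owns the Erlang node; the `mode` finding is the one most often seen in practice, since a cookie copied between hosts with `scp` or checked into a deployment repository tends to arrive with looser permissions than the runtime expects.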
New Modules
Exploit modules (2 new)
- Erlang Port Mapper Daemon Cookie RCE by Daniel Mende and Milton Valencia (wetw0rk)
- Safari Proxy Object Type Confusion by saelo, which exploits CVE-2018-4233 and CVE-2018-4404
Auxiliary and post modules (1 new)
- Java JMX Server Insecure Endpoint Code Execution Scanner by rocktheboat, which exploits CVE-2015-2342
Improvements
- Negative test case added to the `nc -j` check for the `post/multi/escalate/cups_root_file_read` module, by wvu-r7
- Startup error fixed for the VAX reverse_tcp payload, by LouDnl
- `TARGETURI` support added to the `struts2_namespace_ognl` module, by wvu-r7
- Support added for an alternate Web UI port in the `hp_van_sdn_cmd_inject` module, by wvu-r7
- Checks and cleanup improved for the `exploit/linux/local/bpf_priv_esc` module, by bcoles
- Arbitrary user-agent support added to the HTTP/HTTPS payloads, by busterb
Get it
As always, you can update to the latest Metasploit Framework with `msfupdate`, and you can get more details on the changes since the last blog post from GitHub.
To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.