All about that RDP

Things have been ramping back up as we rehydrate from our trek to the desert, and now we have two Exploits That Shall Not Be Named focusing our attention on RDP. For now, improvements to our protocol handling have focused on things that should remain relevant into the future: TLS improvements by cnotin and CredSSP-based fingerprinting support by zeroSteiner, based on work by Tom Sellers using Nmap.

Maldocs for all!

Word processing documents carrying malicious code (maldocs) have become a common vector for mass exploitation via phishing. While most research has centered on Microsoft products, LibreOffice has also had a few vulnerabilities in this area. This week, we landed another file format exploit that uses an event listener to trigger silent, interactionless Python code execution in one of LibreOffice's bundled components. Contributed by LoadLow and gotten over the line by bcoles and our own Shelby Pace, it affects LibreOffice versions <= 6.2.5 across Windows, macOS, and Linux.

New modules (1)

Enhancements and features

  • PR #12214 - This explicitly enables TLS 1.0 support in the RDP library, allowing compatibility with older versions of Windows.
  • PR #12203 - This disables Metasploit Pro autoexploitation for a couple of modules due to false positives.
  • PR #12183 - This adds CredSSP-based fingerprinting to the RDP scanner and mixin; it uses NLA to obtain Windows version information during NTLM negotiation, before any credentials are accepted.
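To make the NLA fingerprinting point concrete from the defender's side, here is an added example (not Metasploit's own code, nor the code from PR #12183) that parses the fields an NLA-enabled RDP server discloses in its NTLM CHALLENGE_MESSAGE: the Version structure (major, minor, build) and the TargetInfo AV_PAIRs (NetBIOS and DNS host/domain names), as laid out in MS-NLMP. It assumes the raw NTLMSSP token has already been extracted from the CredSSP TSRequest (the ASN.1 wrapper is not parsed here), and the sample message it parses is constructed in the block rather than captured from a real host. Knowing exactly what leaks pre-authentication is useful when deciding which RDP endpoints should sit behind a gateway or VPN rather than directly on the internet.

```ruby
# Added example (not Metasploit's own code): extract the Windows version and
# host names that an NLA-enabled RDP server discloses in its NTLM
# CHALLENGE_MESSAGE (Type 2). Assumes the NTLMSSP token has already been pulled
# out of the CredSSP TSRequest; the sample message below is constructed.

NTLMSSP_SIGNATURE             = "NTLMSSP\0".b
NTLMSSP_NEGOTIATE_UNICODE     = 0x00000001
NTLMSSP_NEGOTIATE_NTLM        = 0x00000200
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION     = 0x02000000

# AV_PAIR ids (MS-NLMP 2.2.2.1) that carry host identity; 0 is MsvAvEOL.
AV_PAIR_NAMES = {
  1 => :nb_computer_name, 2 => :nb_domain_name, 3 => :dns_computer_name,
  4 => :dns_domain_name, 5 => :dns_tree_name
}.freeze

# Coarse NT major.minor to Windows family map; the build number narrows it down.
WINDOWS_FAMILIES = {
  [5, 1] => 'Windows XP', [5, 2] => 'Windows Server 2003 / XP x64',
  [6, 0] => 'Windows Vista / Server 2008', [6, 1] => 'Windows 7 / Server 2008 R2',
  [6, 2] => 'Windows 8 / Server 2012', [6, 3] => 'Windows 8.1 / Server 2012 R2',
  [10, 0] => 'Windows 10 / Server 2016 or later'
}.freeze

# Parse a CHALLENGE_MESSAGE and return { flags:, version:, target_info: }.
def parse_ntlm_challenge(msg)
  raise ArgumentError, 'not an NTLMSSP message' unless msg.byteslice(0, 8) == NTLMSSP_SIGNATURE
  raise ArgumentError, 'message too short' if msg.bytesize < 48
  type = msg.byteslice(8, 4).unpack1('V')
  raise ArgumentError, "expected CHALLENGE_MESSAGE (2), got #{type}" unless type == 2

  flags = msg.byteslice(20, 4).unpack1('V')
  info_len, _info_max, info_off = msg.byteslice(40, 8).unpack('vvV')
  result = { flags: flags, version: nil, target_info: {} }

  # Version field is only meaningful when NTLMSSP_NEGOTIATE_VERSION is set.
  if (flags & NTLMSSP_NEGOTIATE_VERSION) != 0 && msg.bytesize >= 56
    major, minor, build, _r1, _r2, _r3, rev = msg.byteslice(48, 8).unpack('CCvCCCC')
    result[:version] = { major: major, minor: minor, build: build, ntlm_revision: rev }
  end

  if (flags & NTLMSSP_NEGOTIATE_TARGET_INFO) != 0 && info_len > 0
    raise ArgumentError, 'TargetInfo out of bounds' if info_off + info_len > msg.bytesize
    info = msg.byteslice(info_off, info_len)
    pos = 0
    while pos + 4 <= info.bytesize
      av_id, av_len = info.byteslice(pos, 4).unpack('vv')
      pos += 4
      break if av_id == 0 # MsvAvEOL terminates the list
      raise ArgumentError, 'AV_PAIR out of bounds' if pos + av_len > info.bytesize
      value = info.byteslice(pos, av_len)
      pos += av_len
      name = AV_PAIR_NAMES[av_id]
      next unless name # skip timestamps, flags and other pairs we do not report
      result[:target_info][name] = value.force_encoding('UTF-16LE').encode('UTF-8')
    end
  end
  result
end

def windows_family(version)
  return 'unknown' unless version
  WINDOWS_FAMILIES.fetch([version[:major], version[:minor]], 'unknown')
end

# Build a constructed CHALLENGE_MESSAGE so the parser can be exercised offline.
def build_sample_challenge(major:, minor:, build:, pairs:)
  target_name = 'LAB'.encode('UTF-16LE').b
  target_info = pairs.map { |id, s| u = s.encode('UTF-16LE').b; [id, u.bytesize].pack('vv') + u }.join.b
  target_info << [0, 0].pack('vv') # MsvAvEOL
  flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM |
          NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_NEGOTIATE_VERSION
  header_len = 56
  msg = NTLMSSP_SIGNATURE.dup
  msg << [2].pack('V')                                                    # MessageType
  msg << [target_name.bytesize, target_name.bytesize, header_len].pack('vvV') # TargetNameFields
  msg << [flags].pack('V')
  msg << "\x11\x22\x33\x44\x55\x66\x77\x88".b                             # ServerChallenge (constructed)
  msg << ("\0" * 8).b                                                     # Reserved
  msg << [target_info.bytesize, target_info.bytesize, header_len + target_name.bytesize].pack('vvV')
  msg << [major, minor, build, 0, 0, 0, 0x0f].pack('CCvCCCC')             # Version
  msg << target_name << target_info
end

if __FILE__ == $PROGRAM_NAME
  sample = build_sample_challenge(major: 10, minor: 0, build: 18362,
                                  pairs: { 1 => 'RDPHOST', 2 => 'LAB',
                                           3 => 'rdphost.lab.example', 4 => 'lab.example' })
  info = parse_ntlm_challenge(sample)
  v = info[:version]
  puts "#{windows_family(v)} build #{v[:build]} host=#{info[:target_info][:dns_computer_name]}"
end
```

Every value the parser returns is disclosed before any password is checked, so a scanner that speaks CredSSP needs no credentials to collect it; the same parser works on a token taken from a packet capture of a real NLA handshake once the TSRequest wrapper has been removed.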

Bugs fixed

  • PR #12221 - This fixes Metasploit RPC functionality so that multiple console instances can be created simultaneously.
  • PR #12168 - This fixes redirection from an HTTP URL to an HTTPS URL in the HTTP client library.
  • PR #12181 - This fixes some bugs in, and adds some tests around, our Juniper configuration file parser.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).