Blown up by your own Fusion bomb

If you use Mac, keep an eye on your favorite virtualization software—it might blow up unexpectedly! Community contributor h00die added a new module that exploits an improper use of setuid binaries within VMware Fusion version 10.1.3 through 11.5.3 on OS X to get local privilege escalation. This module also bypass the patch added in version 11.5.3 by exploiting a TOCTOU race
condition
. Note that, at the time of writing, version 11.5.3 is the latest version available. Watch out!

Dotnet Nukem Forever

A new module targeting the famous web application framework DNN (formerly DotNetNuke) has been added this week by holdonasec. Versions 5.0.0 through 9.3.0-RC got hit by a cookie deserialization vulnerability that leads to remote code execution. The DNNPersonalization cookie stores user profile information that includes a type attribute used by the server to define the type of object to be deserialized. In its default configuration, DNN handles 404 errors with its built-in error page, which makes the server process the cookie and trigger the vulnerability.

Lost in the Solr system

Community contributor ide0x90 added a new module that exploits a remote code execution in Apache Solr versions 5.0.0 through 8.3.0 via a custom Velocity template. This exploit first enables the use of Velocity template by setting the VelocityResponseWriter params.resource.loader.enabled parameter to true. Then it sends a specially crafted request containing a weaponized Velocity template to get remote code execution.

New modules (6)

Enhancements and features

  • PR #13164 by tekwizz123 adds documentation for the http_hsts auxiliary scanner module.
  • PR #13159 by exigentmidnight adds documentation for the apache_mod_cgi_bash_env.rb auxiliary scanner module.
  • PR #13155 by adamgalway-r7 updates the Metasploit Profiling tools with two new methods Metasploit::Framework::Profiler.record_cpu and Metasploit::Framework::Profiler.record_memory, to allow for specific code sections to be profiled.
  • PR #13148 by adamgalway-r7 reduces unknown commands handling from 1 second to 0.5 seconds.
  • PR #13141 by bcoles adds a reverse shell payload for tclsh, a "simple shell containing Tcl interpreter."

Bugs fixed

  • PR #13176 by h00die fixes an issue in issue_finder.py to no longer lists .pyc files or files beginning with _.
  • PR #13172 by timwr updates metasploit_payloads-mettle gem version to 0.5.21 to add OSX Catalina support.
  • PR #13105 by Auxilus fixes an issue that improves pattern_create, pattern_offset, and makeiplist tools loading time.
  • PR #13093 by mmetince adds an alias of ftp_connect to connect within Exploit::Remote::Ftp to avoid name collisions when Msf::Exploit::Remote::HttpClient and Msf::Exploit::Remote::Ftp are included in the same module.
  • PR #13085 by Green-m renames module redis_unauth_exec to redis_replication_cmd_exec.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).