Security fix for the libnotify plugin (CVE-2020-7350)

If you use the libnotify plugin to keep track of when file imports complete, the interaction between it and db_import allows a maliciously crafted XML file to execute arbitrary commands on your system. In proper Metasploit fashion, pastaoficial PR'd a file format exploit to go along with the fix, and our own smcintyre-r7 did some git magic to make the changes properly visible and over the line. Scans and anything else besides db_import do not trigger the vulnerability, and libnotify plugin must be used to open up the command injection path.

Twitch Plays Python

Thanks our streaming contributor mmetince and one of his viewers hasantayyar, our Python staged and stageless payloads are now 100% whitespace free. Keeping compatibility with old fossils of Python like 2.4 and 3.1, which have little in the way of forwards or backwards compatibility, is quite a feat. To top it off, this approach even saves space compared to our previous compatibility approach!

New modules (6)

Enhancements and features

  • PR #13311 from kernelsmith - This updates msftidy to handle expected ZDI references.
  • PR #13282 from cn-kali-team - This PR adds Unicode support to the search command to allow users to find entries containing Unicode characters, thereby fixing the issue reported in #13150.
  • PR #13268 from adfoster-r7 - This PR adds in two additional productivity tips to the tip command that help users be more efficient.
  • PR #13267 from adfoster-r7 - This PR depreciates the old tip command in favor of tips, which now returns a list of all productivity tips.
  • PR #13263 from mmetince - This updates the library which generates the Python payload stager to remove whitespace.
  • PR #13252 from timwr - This PR adds a new payload type, reverse_tcp_uuid for OSX x64 systems which adds support for displaying UUID information. This PR also updates the existing reverse_tcp stager to print out UUID information if requested.

Bugs fixed

  • PR #13298 from zeroSteiner - Fixes the to_handler command for payloads and evasion modules to now correctly set ExitOnSession to false
  • PR #13277 from bwatters-r7 - This PR bumps the payloads gem to bring in a fix from timwr for a race condition that existed in the filesystem library in the Java meterpreter.
  • PR #13266 from pastaoficial via zeroSteiner - Rapid7 Metasploit Framework version 5.0.85 and prior suffers from an instance of CWE-78: OS Command Injection, wherein the libnotify plugin accepts untrusted user-supplied data via a computer's hostname or service name. An attacker can create a specially-crafted hostname or service name to be imported by Metasploit from a variety of sources and trigger a command injection on the operator's terminal. Note, only the Metasploit Framework and products that expose the plugin system is susceptible to this issue -- notably, this does not include Rapid7 Metasploit Pro. Also note, this vulnerability cannot be triggered through a normal scan operation -- the attacker would have to supply a file that is processed with the db_import command.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).