The Salt must flow
A couple of vulnerabilities were found in the SaltStack task and configuration management framework and publicized just a couple of weeks ago: CVE-2020-11651 and CVE-2020-11652. Both of these vulns were discovered by F-Secure, and wvu was able to convert CVE-2020-11651 into a pair of spicy modules. The first module takes advantage of unauthenticated access to the _prep_auth_info() method in the SaltStack Salt master's ZeroMQ request server to dump the master's root key. The second module utilizes additional requests to Salt, this time in the _send_pub() method, to enable RCE on the master node. Failing to patch either of these vulns will likely result in increased sodium levels for admins running this stack.
(Net)sweeping vulnerabilities into the public eye
A new vulnerability in the Netsweeper application that allows unauthenticated code execution was also taken advantage of by wvu. This module allows an attacker to exploit the unixlogin.php script within Netsweeper to execute code remotely on the server by injecting Python code into the login process. Hopefully, this reminds developers to always clean up their inputs.
Polish up those reflections
zeroSteiner added some helpful tools to support your reflective DLL injection needs. The first of his additions is a new template for Visual Studio to easily generate reflective DLLs for use within Metasploit Framework. He also added a README file to document the process for newbies like me. Collectively, this should smooth over the process of reflective DLL attacks so you can shine.
New modules (5)
- Cloud Lookup (and Bypass) by mekhalleh (RAMELLA Sébastien)
- Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation by Chris Lyne and bcoles, which exploits CVE-2019-3999
- SaltStack Salt Master/Minion Unauthenticated RCE by wvu and F-Secure, which exploits CVE-2020-11652
- SaltStack Salt Master Server Root Key Disclosure by wvu and F-Secure, which exploits CVE-2020-11652
- Netsweeper WebAdmin unixlogin.php Python Code Injection by wvu
Enhancements and features
- PR #13402 from bcoles adds a new service_exists?() method to the
- PR #13405 from cnotin adds the ability to set SRVHOST by interface name.
- PR #13422 from bcoles updates the exploit for CVE-2019-13272 to better utilize auto-targeting.
- PR #13358 from OJ ensures out-of-order packets in pivoted sessions are handled correctly.
- PR #13433 from adfoster-r7 fixes a bug that was preventing msf-json-rpc from running from folders other than
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).