Hello, World!

This week’s wrapup features six new modules, including a double-dose of Synology and everyone’s favorite, Pi-Hole.

Little NAS, featuring RCE

Synology stations are small(ish) NAS devices, but as Steve Kaun, Nigusu Kassahun, and h00die have shown, they are not invulnerable. In the first module, a command injection exists in a scanning function that allows for an authenticated RCE, and in the second, a coding feature leaks whether a user exists on the system, allowing for brute-force user enumeration.

Cram it in your Pi-Hole, Again

Still hilarious, though significantly less original, Pi-Hole makes an encore appearance in the form of a DHCP reservation with accompanying RCE and a whitelist addition with shell.

myLittleAdmin Administration sharing tool

A ViewState .NET deserialization bug allows others to manage your MS SQL server. Brought to you by wvu-r7 and his .NET deserialization muse smcintyre-r7, this is yet another use of smcintyre-r7’s .NET deserialization library because sharing is a kindness, and magic makes it all complete!

It is never DNS, especially after a DoS attack

Shuto Imai and Tobias Klein added a DoS module targeting the BIND service by forcing execution down a path with an assert statement that causes the server process to exit.

New modules (6)

Enhancements and features

  • We’ve updated the credits in bind_tsig_badtime to reflect updated CVE-2020-8617 information.
  • Bcoles cleaned up and documented the TinyIdentD 2.2 Stack Buffer Overflow module.
  • sbrun updated the wmiexec.py module to be Python3 compatible.
  • acammack-r7 updated our search feature to prevent unloadable modules from returning in a search in PR 13500.
  • h00die added documentation to the pop3 capture module in PR 13460.

Bugs fixed

  • Our own adfoster-r7 has made us better, stronger, and faster than before by fixing a memory leak in ms01_026_dbldecode.
  • Kalba-security updated the EyesOfNetwork exploit module to add support for deploying Meterpreter sessions using a command stager as well as an authentication bypass for versions 5.1 and 5.2. The authentication bypass leverages SQLi to obtain the session token of the admin user who must be logged in at the time. This vulnerability is identified as CVE-2020-9465.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).