Windows BITS CVE-2020-0787 LPE in the Metasploit tree!

This week, Grant Willcox presents his first Metasploit module contribution as part of our team. Research from itm4n yielded CVE-2020-0787, describing a vulnerability in the Windows Background Intelligent Transfer Service (BITS). This vuln can be exploited to achieve local privilege escalation in Windows 10 (prior to the March 2020 update) and also Windows Server 2016 and 2019. And Grant's module does exactly that, popping a SYSTEM shell on an affected target. Great work, the both of you!

QNAP QTS and Photo Station LFI in your eye?

Next up, community contributor Redouane NIBOUCHA brings us a local file inclusion (LFI) module for QNAP devices running versions of the Photo Station application that are vulnerable to CVE-2019-7192 and CVE-2019-7194 or CVE-2019-7195. Many thanks to Henry Huang for their incredible writeup of the vulnerabilities they found.

While there is a little confusion about which CVEs apply to this particular vulnerability, one thing is true: an unauthenticated attacker can download arbitrary files from an affected QNAP device... as root. That means SSH private keys and password hashes may be exposed by this vulnerability.

QNAP QTS systems that bundle the Photo Station application may be vulnerable by default. Patch, but verify with the Metasploit module. This vuln is being actively exploited in the wild!

New modules (5)

Enhancements and features

  • PR #13306 from h00die updates the enum_xchat module by adding documentation, dumping creds to the database, adding Windows support, adding HexChat support, cleaning up the code, and using libraries when available. The new multi-module is named enum_hexchat.
  • PR #13566 from wvu updates the Framework to select a default payload for a module when it is used instead of when it is run. This by extension allows the user to see the payload that will be used, offering them an opportunity to configure or change it prior to exploitation.

Bugs fixed

  • PR #13442 from Redouane NIBOUCHA adds a fix for the winrm_login module.
  • PR #13468 from noncenz fixes the memcached_extractor auxiliary module to work correctly with memcached servers that implement LRU. This applies to memcached servers of versions 1.5.4 and up.
  • PR #13589 from Alan Foster fixes a bug where module description data can be lost when running rubocop -a.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).