Arista Shell Escape Exploit

Community contributor SecurityBytesMe added an exploit module targeting various Arista switches. With valid credentials, an attacker can SSH into a vulnerable device and abuse a TACACS+ shell configuration to escape its restrictions. The configuration permits the pipe character only when the pipe is preceded by a grep command, but that rule says nothing about what follows the pipe, so commands can still be chained, which can result in code execution as the root user.
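To make the weakness of that kind of rule concrete, here is an added example in Ruby that is not part of the Metasploit module or of any Arista configuration. It models a hypothetical restricted-shell filter: the weak version only checks that the text before a pipe starts with grep, while the hardened version requires every pipeline stage to begin with an allowlisted command and rejects other shell metacharacters outright. The command names in ALLOWED_COMMANDS and the two function names are assumptions for the demo.

```ruby
# Added example: a hypothetical restricted-shell filter, not Arista's or the
# Metasploit module's code. The allowlist below is an assumption for the demo.
require 'shellwords'

ALLOWED_COMMANDS = %w[show grep].freeze

# Weak rule, as described in the post: a pipe is accepted as long as the
# command before it is grep. Nothing constrains the stage after the pipe,
# so "grep <pattern> <file> | bash" is accepted.
def weak_allowed?(cmd)
  return true unless cmd.include?('|')
  before_pipe = cmd.split('|', 2).first.strip
  before_pipe.split.first == 'grep'
end

# Hardened rule: reject other shell metacharacters entirely and require that
# every pipeline stage start with an allowlisted command.
def strict_allowed?(cmd)
  return false if cmd.match?(/[;&`$()<>\n]/)
  cmd.split('|').all? do |stage|
    words = Shellwords.split(stage)
    !words.empty? && ALLOWED_COMMANDS.include?(words.first)
  end
rescue ArgumentError
  # Shellwords.split raises on unbalanced quotes; treat that as a rejection.
  false
end

if __FILE__ == $PROGRAM_NAME
  ['grep Arista /etc/motd', 'grep Arista /etc/motd | bash', 'show version | grep Arista', 'grep a b; id'].each do |c|
    puts format('%-35s weak=%-5s strict=%s', c, weak_allowed?(c), strict_allowed?(c))
  end
end
```

The point of the hardened version is that a pipeline is only as safe as its most permissive stage, so each stage has to be validated on its own rather than only the one before the first pipe.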

Cayin Exploits

Contributors h00die and liquidworm added two new exploit modules for Cayin CMS software.

The cayin_cms_ntp module exploits an authenticated command injection vulnerability in the Cayin CMS-SE software for Linux. Sending a request to system_service.cgi with a shell command injected into the ntpIp parameter yields code execution as root.

The second module, cayin_xpost_sql_rce, exploits a blind SQL injection vulnerability in Cayin's xPost software for Windows. The vulnerability can be triggered through a GET request to wayfinder_meeting_input.jsp with SQL injected into the unsanitized wayfinder_seqid parameter. The exploit module uses the injection to write a payload into the webroot which, once executed, gives the attacker SYSTEM privileges. Authentication is not needed to exploit this vulnerability.
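For defenders, the two request shapes above are easy to pick out of web server access logs. The following is an added example in Ruby, not code from the Metasploit modules or from Cayin, that scans constructed Apache-style log lines and flags a system_service.cgi request whose ntpIp value contains characters that cannot appear in a hostname or IP address, and a wayfinder_meeting_input.jsp request whose wayfinder_seqid is not a plain integer. The URL directories (/cgi-bin/, /xpost/), the source addresses and the log lines themselves are constructed for the demo; only the script and parameter names come from the post.

```ruby
# Added example: a small access-log scanner for the two Cayin request shapes
# described in the post. Not Metasploit or Cayin code. Paths, addresses and
# log lines are constructed sample data.
require 'cgi'
require 'uri'

SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jul/2020:10:00:00 +0000] "GET /cgi-bin/system_service.cgi?ntpIp=192.168.1.1 HTTP/1.1" 200 512
  10.0.0.9 - - [01/Jul/2020:10:00:03 +0000] "POST /cgi-bin/system_service.cgi?ntpIp=192.168.1.1%3Bid HTTP/1.1" 200 512
  10.0.0.9 - - [01/Jul/2020:10:00:07 +0000] "GET /xpost/wayfinder_meeting_input.jsp?wayfinder_seqid=1%27%20AND%201%3D1-- HTTP/1.1" 200 300
  10.0.0.5 - - [01/Jul/2020:10:00:09 +0000] "GET /xpost/wayfinder_meeting_input.jsp?wayfinder_seqid=42 HTTP/1.1" 200 300
LOG

REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/
# Anything outside this set cannot be part of a hostname or IPv4/IPv6 literal.
NON_HOST_CHARS = /[^A-Za-z0-9.:\-]/

# Returns an array of { src:, rule:, value: } hashes, one per suspicious request.
def scan_log(text)
  text.each_line.filter_map do |line|
    m = REQUEST_RE.match(line)
    next unless m
    begin
      uri = URI.parse(m[:target])
    rescue URI::InvalidURIError
      next
    end
    params = CGI.parse(uri.query.to_s) # percent-decodes values; missing keys => []
    src = line.split(' ', 2).first
    case File.basename(uri.path.to_s)
    when 'system_service.cgi'
      val = params['ntpIp'].first.to_s
      next unless val.match?(NON_HOST_CHARS)
      { src: src, rule: 'cayin_cms_ntp_injection', value: val }
    when 'wayfinder_meeting_input.jsp'
      val = params['wayfinder_seqid'].first.to_s
      next if val.empty? || val.match?(/\A\d+\z/)
      { src: src, rule: 'cayin_xpost_sqli', value: val }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |a| puts "#{a[:src]} #{a[:rule]} #{a[:value].inspect}" }
end
```

Matching on the decoded parameter value rather than on a fixed payload string keeps the rule useful against encoding variations; the trade-off is that a legitimate but oddly formed ntpIp value would also be flagged, which is usually acceptable for an endpoint that is supposed to receive only an NTP server address.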

New modules (5)

Enhancements and features

PR #13734 by h00die adds some sanity checks on the Shodan API key in auxiliary/gather/shodan_honeyscore.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).