Who watches the watchers?
If you are checking up on an organization using Trend Micro Web Security, it might be you. A new module this week takes advantage of a chain of vulnerabilities to give everyone (read: unauthenticated users) a chance to decide what threats the network might let slip through.
Following the trend, what about watchers that are not supposed to be there?
Agent Tesla Panel is a fun little trojan (not to be found zipping around on our highways and byways) which now offers, again for everyone, extra control of long-running undetected instances. Then again, if your trojan is still running after 2 years, it probably deserves some new friends.
Just when you think you have lost them, they light your safe space on fire!
After going to all the trouble of connecting to a VPN to "protect" those cat videos from prying eyes, your Cisco AnyConnect client just gave you away. With help from someone with access rights, a new local privilege escalation module for CVE-2020-3153 talks to a friendly localhost service and asks nicely to receive SYSTEM access on Windows endpoints.
New modules (4)
- Trend Micro Web Security (Virtual Appliance) Remote Code Execution by Mehmet Ince, which exploits ZDI-20-678
- Agent Tesla Panel Remote Code Execution by Ege Balcı, Grant Willcox, and mekhalleh (RAMELLA Sébastien)
- Inductive Automation Ignition Remote Code Execution by Pedro Ribeiro and Radek Domanski, which exploits ZDI-20-686
- Cisco AnyConnect Priv Esc through Path Traversal by Antoine Goichot (ATGO), Christophe De La Fuente, and Yorick Koster, which exploits CVE-2020-3153
Enhancements and features
- Standardise Error Logging by Adam Galway, updates the error logging API to additionally take an error object, and updates the existing elog calls within the codebase to use this new API.
- Exclude multi payloads from automatic PAYLOAD selection by wvu. Multi payloads were being automatically selected in some cases, but they are not usable in a normal context. Modules should now have platform-specific payloads selected for them.
- Check that ctx has a datastore attribute by zeroSteiner, fixes a bug that stopped users from killing a job by ID when that job was a running auxiliary module.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).