Intensity not on the Fujita scale

SOC folks may have been feeling increased pressure as word spread of CVE-2020-5902 being exploited in the wild. Vulnerabilities in networking equipment always pose a unique set of constraints for IT operations when it comes to mitigations and patches given their role in connecting users to servers, services or applications. Yet from an attacker’s perspective this vulnerability provides an excellent pivot to attack all applications behind the BIG-IP product. Our own wvu contributed the F5 BIG-IP TMUI Directory Traversal and File Upload RCE exploit module for the vulnerability discovered by security researcher Mikhail Klyuchnikov. The exploit/linux/http/f5_bigip_tmui_rce module achieves unauthenticated remote code execution (RCE) as the root user through a directory traversal vulnerability in the Traffic Management User Interface (TMUI). Known vulnerable versions are:

  • 11.6.1 - 11.6.5
  • 12.1.0 - 12.1.5
  • 13.1.0 - 13.1.3
  • 14.1.0 - 14.1.2
  • 15.0.0
  • 15.1.0
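For defenders who cannot patch immediately, the practical question is whether anyone has been sending directory-traversal requests at the TMUI path. The following Ruby script is an added example, not code from the post, from the Metasploit module or from F5: it parses a few constructed Apache-style access-log lines, normalizes percent-encoding, and flags requests under /tmui/ that contain a parent-directory segment. The log format, the sample addresses and paths, and the handling of the `..;` segment (Java servlet containers strip a `;param` suffix before path matching, so it behaves like `..`) are my own choices and assumptions, not details taken from the post.

```ruby
require 'cgi'

# Constructed Apache-style access-log lines (not real traffic). Line 2 is a
# traversal attempt under /tmui/, line 3 the same attempt percent-encoded,
# line 4 a traversal outside TMUI that this scoped check deliberately ignores.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [06/Jul/2020:09:14:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4810 "-" "Mozilla/5.0"
  198.51.100.23 - - [06/Jul/2020:09:14:09 +0000] "GET /tmui/login.jsp/..;/tmui/constructed_example.jsp HTTP/1.1" 200 1290 "-" "curl/7.68.0"
  198.51.100.23 - - [06/Jul/2020:09:14:11 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/constructed_example.jsp HTTP/1.1" 200 1290 "-" "curl/7.68.0"
  198.51.100.40 - - [06/Jul/2020:09:15:30 +0000] "GET /static/../index.html HTTP/1.1" 404 220 "-" "Mozilla/5.0"
LOG

# Fields of a combined-format log line that the check needs.
LOG_RE = %r{\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+" (?<status>\d{3})}

# Split the request path into segments after undoing (possibly repeated)
# percent-encoding, so that %2e%2e and %252e%252e both compare equal to "..".
def path_segments(target)
  path = target.split('?', 2).first
  3.times do
    decoded = CGI.unescape(path)
    break if decoded == path
    path = decoded
  end
  path.split('/').reject(&:empty?)
end

# Assumption noted in the lead-in: servlet containers drop a ";param" suffix
# from a segment before matching it, so "..;" acts like "..". Compare on the
# part before the semicolon.
def traversal_segment?(segment)
  segment.split(';', 2).first == '..'
end

# Flag requests that touch the TMUI path and contain a parent-directory segment.
def suspicious_request?(target)
  segments = path_segments(target)
  return false unless segments.any? { |s| s.casecmp?('tmui') }
  segments.any? { |s| traversal_segment?(s) }
end

# Return one hash per flagged line; benign and out-of-scope lines are dropped.
def scan_log(text)
  hits = []
  text.each_line do |line|
    m = LOG_RE.match(line)
    next unless m && suspicious_request?(m[:target])
    hits << { ip: m[:ip], time: m[:ts], target: m[:target], status: m[:status].to_i }
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |h|
    puts "#{h[:time]} #{h[:ip]} #{h[:status]} #{h[:target]}"
  end
end
```

Run it against the constructed sample and it reports the two requests from 198.51.100.23 and nothing else. The scoping to /tmui/ keeps noise down on a device that serves many paths; drop the `tmui` condition in `suspicious_request?` if you would rather see every traversal attempt, and feed real logs in by replacing `SAMPLE_LOG` with `File.read`.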

Hacking your enrollment in advanced English class

EgiX discovered multiple vulnerabilities (CVE-2020-13381, CVE-2020-13382, and CVE-2020-13383) in openSIS, an open-source Student Information System/School Management Software, and contributed the openSIS Unauthenticated PHP Code Execution exploit module. The unix/webapp/opensis_chain_exec module is an exploit chain: it first abuses incorrect access control to reach a script as an unauthenticated user, then uses a local file inclusion to perform a SQL injection via a session variable, which finally yields arbitrary PHP code execution as a result of an unsafe use of the eval function. Known vulnerable versions include 7.3 and 7.4; however, older versions may be affected as well.

Discover the gateless gate

The FortiMail Login Bypass Scanner module contributed by Patrick Schmid attempts to detect a vulnerability (CVE-2020-9294) in FortiMail, a secure email gateway. Mike Connor discovered the improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2, and earlier and FortiVoiceEnterprise 6.0.1 and earlier. The vulnerability may allow an unauthenticated user to gain system access as a legitimate user through a password change request. The scanner module was tested against the following versions of FortiMail:

  • 5.4.9, 5.4.10, 5.4.11
  • 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9
  • 6.2.1, 6.2.2, 6.2.3
  • 6.4.0

New modules (4)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).