Yes, it’s a huge enterprise vulnerability week (again)
For our 100th release since 5.0 shipped 18 months ago, our own zeroSteiner got us a nifty module for the SAP "RECON" vulnerability affecting NetWeaver versions 7.30 to 7.50. It turns out those versions will let anyone create a new administrative user with the right SOAP requests. Many thanks to zeroSteiner and our own wvu-r7 for braving the wastelands of SOAP requests and SAP! Full admin access to SAP is nothing to sneeze at, so please patch now if this affects you!
Both kinds of sprint injection
Our other module this week was for an authenticated vulnerability in ZenTao Pro, a project management system. Versions 8.8.2 and earlier will run arbitrary commands as SYSTEM for administrative users. Thanks to Erik Wynter for porting the PoC to Metasploit and to our own space-r7 for landing it! Also, a special shout out to Metasploit alum and Rapid7 security nerd Tod Beardsley for getting CVE-2020-7361 assigned for this vuln.
New modules (2)
- ZenTao Pro 8.8.2 Remote Code Execution by Daniel Monzón, Erik Wynter, and Melvin Boers, which exploits CVE-2020-7361
- SAP Unauthenticated WebService User Creation by Dmitry Chastuhin, Pablo Artuso, and Spencer McIntyre, which exploits CVE-2020-6287
Enhancements and features
- PR #13885 - Added LDAPS (SSL/TLS) support to the LDAP mixin and updated the VMware vCenter Server vmdir (CVE-2020-3952) modules to use it.
- PR #13873 - Enhanced module check behavior by preemptively warning about a missing check method before options are validated, such as when verifying that required options are set.
- PR #13868 - Added hash dumping to the auxiliary/gather/vmware_vcenter_vmdir_ldap (CVE-2020-3952) module.
- PR #13854 - Improved the robustness of the exploit/linux/http/f5_bigip_tmui_rce (CVE-2020-5902) module and set Meterpreter as the default payload type.
- PR #13853 - This improves the bpf_sign_extension_priv_esc exploit module by updating the code style, giving the option to compile the exploit on the target, leveraging the AutoCheck mixin, and making the module information more descriptive.
- PR #13830 - This adds a new target setting for the CVE-2019-0708 (BlueKeep) exploit for vulnerable Windows 7 SP1 / Server 2008 systems that are virtualized within a QEMU environment.
- PR #13886 - Fix post/multi/manage/sudo module support for passwords containing shell substitution and meta characters.
- PR #13884 - Removed the unused and dangerous
- PR #13883 - Fixed a syntax error in Hardware Bridge.
- PR #13861 - Applied various fixes to the
- PR #13859 - Removed the exim4_deliver_message_priv_esc module, as it was crashing the local exploit suggester module.
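The PR #13886 fix above concerns passwords that contain shell substitution and metacharacters. As an added illustration (not the sudo module's own code), this Ruby snippet contrasts naive single-quoting with Shellwords.escape when a password is placed on a command line; the `echo ... | sudo -S` command shape and the sample passwords are assumptions.

```ruby
require 'shellwords'

# Constructed sample passwords (not from the page). The second one carries a
# command substitution, a single quote, a semicolon and backticks.
SAMPLE_PASSWORDS = ['hunter2', "pa$(id)'s;wd`uname`"].freeze

# Naive quoting: wrap the password in single quotes. An embedded quote ends
# the string early and the shell then interprets the rest of the password.
def naive_quote(password)
  "'#{password}'"
end

# Hardened quoting: Shellwords.escape backslash-quotes every metacharacter,
# so the shell hands the password to echo byte-for-byte as it was given.
def safe_quote(password)
  Shellwords.escape(password)
end

# Build the command line with the chosen quoting strategy (assumed shape).
def sudo_cmd(quoter, password, cmd)
  "echo #{send(quoter, password)} | sudo -S #{cmd}"
end

# Simulate the shell's quote handling and word splitting on the echo part
# and return the password that echo would actually receive. Shellwords.split
# models quoting only, not $() or backtick expansion, so an unbalanced quote
# is the observable symptom of the naive approach breaking.
def password_seen_by_echo(quoter, password)
  words = Shellwords.split("echo #{send(quoter, password)}")
  words.drop(1).join(' ')
rescue ArgumentError
  :unbalanced_quotes
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_PASSWORDS.each do |pw|
    naive = password_seen_by_echo(:naive_quote, pw) == pw
    safe  = password_seen_by_echo(:safe_quote, pw) == pw
    puts "#{pw.inspect}: naive preserved=#{naive}, safe preserved=#{safe}"
  end
end
```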
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).