Yes, it’s a huge enterprise vulnerability week (again)

For our 100th release since the release of 5.0 18 months ago, our own zeroSteiner got us a nifty module for the SAP "RECON" vulnerability affecting NetWeaver version 7.30 to 7.50. It turns out those versions will allow anyone to create a new administrative user with the right SOAP requests. Many thanks to zeroSteiner and our own wvu-r7 for braving the wastelands of SOAP requests and SAP! Full admin access to SAP is nothing to sneeze at, so please patch now if this affects you!

Both kinds of sprint injection

Our other module this week was for an authenticated vulnerability for ZenTao Pro, a project management system. Versions 8.8.2 and earlier will run arbitrary commands as SYSTEM for administrative users. Thanks to Erik Wynter for porting the PoC to Metasploit and our own space-r7 landing! Also, a special shout out to Metasploit alum and Rapid7 security nerd Tod Beardsley for getting CVE-2020-7361 assigned for this vuln.

New modules (2)

Enhancements and features

  • PR #13885 - Added LDAPS (SSL/TLS) support to the LDAP mixin and updated the VMware vCenter Server vmdir (CVE-2020-3952) modules to use it.
  • PR #13873 - Enhanced module check behavior by preemptively warning about a missing check method before options are validated, such as when verifying that required options are set.
  • PR #13868 - Added hash dumping to the auxiliary/gather/vmware_vcenter_vmdir_ldap (CVE-2020-3952) module.
  • PR #13854 - Improved the robustness of the exploit/linux/http/f5_bigip_tmui_rce (CVE-2020-5902) module and set Meterpreter as the default payload type.
  • PR #13853 - This improves the bpf_sign_extension_priv_esc exploit module by updating the code style, giving the option to compile the exploit on the target, leveraging the AutoCheck mixin, and making the module information more descriptive.
  • PR #13830 - This adds a new target setting for the CVE-2019-0708 (BlueKeep) exploit for vulnerable Windows 7 SP1 / Server 2008 systems that are virtualized within a QEMU environment.

Bugs fixed

  • PR #13886 - Fix post/multi/manage/sudo module support for passwords containing shell substitution and meta characters.
  • PR #13884 - Removed the unused and dangerous download_cmd method from Msf::Post::Linux::Priv.
  • PR #13883 - Fixed a syntax error in Hardware Bridge.
  • PR #13861 - Applied various fixes to the exploit/freebsd/local/intel_sysret_priv_esc module.
  • PR #13859 - Removes fail_with call from check method in exim4_deliver_message_priv_esc module as this was crashing the local exploit suggester module.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).