It's a feature!
A new module added by ide0x90 takes advantage of a feature in the DNS service offered by Windows Server to escalate to SYSTEM level privileges. Getting access to a user with DnsAdmin privileges will enable this module to create a registry key in the DNS parameters namespace to load plugin DLLs. Luckily this can be pointed to any arbitrary DLL anywhere on the system, allowing the custom code to run as SYSTEM.
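From the defender's side, the point of interest in the technique above is the registry value the DNS service reads to decide which plugin DLL to load. The following PowerShell script is an added example, not code from the blog post or from the Metasploit module: it audits a Windows DNS server for that value and lists the members of the DnsAdmins group, since membership in that group is the precondition the module relies on. It assumes it is run elevated on the DNS server itself and that the ActiveDirectory module is available for the group lookup; the key and value names are the standard ones for the Windows DNS Server service.

```powershell
# Added example (not from the Metasploit blog post or module): audit a Windows
# DNS server for a configured ServerLevelPluginDll and report who can set it.
# Assumptions: run as an administrator on the DNS server; the ActiveDirectory
# PowerShell module is installed for the DnsAdmins membership check.

$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'ServerLevelPluginDll'

function Test-DnsServerPluginDll {
    # Returns an object describing whether a plugin DLL is configured and
    # whether its path looks like something an administrator deployed on purpose.
    if (-not (Test-Path -Path $ParamsKey)) {
        return [pscustomobject]@{
            Present = $false; Path = $null
            Note    = 'DNS Parameters key not found; DNS Server role may not be installed'
        }
    }

    $item = Get-ItemProperty -Path $ParamsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Present = $false; Path = $null
            Note    = 'No plugin DLL configured (expected state on most servers)'
        }
    }

    $dll  = $item.$ValueName
    $note = 'Plugin DLL configured; confirm it is an intentionally deployed, signed DLL'

    # A DLL that lives outside the system directory, on a UNC share, or that
    # does not exist on disk is worth a closer look: the module the post
    # describes can point this value at any DLL the DNS service can reach.
    if ($dll -match '^\\\\') {
        $note = 'Plugin DLL is loaded from a UNC path; treat as suspicious'
    } elseif (-not (Test-Path -Path $dll)) {
        $note = 'Configured plugin DLL does not exist on disk; review recent registry changes'
    } elseif ($dll -notlike "$env:SystemRoot\System32\*") {
        $note = 'Plugin DLL is outside System32; verify its origin and Authenticode signature'
    }

    [pscustomobject]@{ Present = $true; Path = $dll; Note = $note }
}

function Get-DnsAdminsMembership {
    # Lists members of the DnsAdmins group, the principals who can write the
    # value above through the DNS management interfaces.
    try {
        Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
            Select-Object -Property SamAccountName, objectClass
    } catch {
        Write-Warning "Could not enumerate DnsAdmins: $($_.Exception.Message)"
    }
}

Write-Host "== ServerLevelPluginDll audit =="
Test-DnsServerPluginDll | Format-List

Write-Host "== DnsAdmins members =="
Get-DnsAdminsMembership | Format-Table -AutoSize
```

Run it on each DNS server as part of a periodic baseline; a non-empty ServerLevelPluginDll that nobody can account for, or DnsAdmins membership that has grown beyond the DNS operators who need it, is the finding to act on. The registry value is only read when the DNS service starts, so pairing this check with alerting on writes to the DNS Parameters key catches the change before a restart turns it into code execution.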
Pwn2Own 2020 representation in Framework
Contributor timwr added a module for a local privilege escalation vulnerability in macOS 10.15.4. The module takes advantage of a race condition that allows the attacker to write arbitrary files. The module overwrites the /etc/pam.d/login file to allow a root login without a password, and then restores the file to its original state once root permissions are obtained. This exploit comes from a winning submission to Pwn2Own 2020 that used a six-bug chain to gain root access.
How to report security issues in MSF
Rapid7 is a big fan of security research and coordinated vulnerability disclosure. As a provider of security software, solutions, and services, we take security issues in our own applications and open-source projects very seriously. This, of course, includes security issues within Metasploit Framework. To better facilitate a speedy response and a clearer understanding of how community members can disclose security issues to us, our vuln disclosure champion todb-r7 added a security.md file to Metasploit that guides folks through where and how to report. (Spoiler: Please don't report possible vulnerabilities in our GitHub issue queue!) You can read our security policy here. Rapid7's vulnerability disclosure policy goes into more detail on what information will help us resolve security issues as quickly as possible.
New modules (3)
- macOS cfprefsd Arbitrary File Write Local Privilege Escalation by Insu Yun, Jungwon Lim, Taesoo Kim, Yonghwi Jin, and timwr, which exploits CVE-2020-9839
- DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation by Imran E. Dawoodjee and Shay Ber
- Modbus Banner Grabbing by Ezequiel Fernandez and Juan Escobar
Enhancements and features
- PR #13978 from zeroSteiner adds proxy support to the Python Meterpreter and removes the HttpProxyType flag, as it's no longer needed.
- PR #14089 from rptp-erikgeiser updates the smb_version module to use select instead of filter for backwards compatibility with older Ruby versions.
- PR #14090 from cgranleese-r7 adds an example of using info <search_index> to the search results command.
- PR #14106 from adfoster-r7 updates the search command to always show an additional note on how to interact with the search module results.
- PR #14096 from zeroSteiner adds architecture-specific options during payload cache size generation to accommodate the new reflective PE payloads. Also pulls in new payloads with fixes for older versions of PHP and Python, and proxy authentication support.
- PR #14099 from egypt fixes an issue whereby enum_powershell_env.rb incorrectly calculated the path of the user's PowerShell profile on Windows versions later than Windows 7. The fix ensures that the correct profile path is applied on all systems later than Windows XP/Windows Server 2003.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).