SaltStack RCE

wvu-r7 added an exploit module that targets SaltStack’s Salt software. Specifically, the module chains an authentication bypass (CVE-2020-25592) with a command injection vulnerability (CVE-2020-16846) in SaltStack’s REST API to get code execution as root through Salt’s SSH client on affected versions. You can read more about the vulns on AttackerKB.

Hack Metasploit with Metasploit

justinsteven both discovered a vulnerability (CVE-2020-7384) in and added an exploit module for Metasploit’s msfvenom utility. msfvenom allows users to supply a custom APK template into which a payload is injected; however, msfvenom does not sanitize certain fields, such as the Owner field, that get passed into an Open3.popen3() call. Because of this, an unsuspecting user of msfvenom who processes a malicious template could hand an attacker a shell on the user’s computer. This issue has been fixed in Metasploit’s 6.0.12 release and Metasploit Pro’s 4.19.0 release.
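To show the bug class behind CVE-2020-7384 from a defender’s side, here is a constructed Ruby example (added here, not Metasploit’s msfvenom code) contrasting a shell-string Open3 call with the argument-array form; the sample Owner value and the DN allowlist are assumptions.

```ruby
require 'open3'

# Constructed sample: a certificate Owner / distinguished-name field as it
# might arrive from an untrusted APK template. It carries a shell command
# substitution inside an otherwise plausible DN.
UNTRUSTED_OWNER = 'CN=example, O=$(echo injected)'.freeze

# Unsafe pattern: a single command string is handed to /bin/sh, which
# expands $(...) before the target program ever sees the argument.
# echo stands in for the real tool so the demonstration is harmless.
def run_as_shell_string(owner)
  out, _status = Open3.capture2("echo #{owner}")
  out.chomp
end

# Safe pattern: program and arguments as separate array elements bypass
# the shell entirely, so metacharacters reach the program as literal bytes.
def run_as_argv(owner)
  out, _status = Open3.capture2('echo', owner)
  out.chomp
end

# Defence in depth: validate the field against the characters a DN needs
# before it reaches any process spawn. Hypothetical allowlist.
DN_ALLOWED = /\A[A-Za-z0-9 ,.=@_-]+\z/

def safe_owner?(owner)
  DN_ALLOWED.match?(owner)
end
```

Running the two functions on the same input shows the shell form executing the embedded substitution while the argv form echoes it back unchanged.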

Wordpress File Manager RCE

ide0x90 added an exploit module that targets various versions of a popular Wordpress plugin, Wordpress File Manager. The vulnerability (CVE-2020-25213) is due to a leftover example file that allows unauthenticated execution of a set of commands. One of those commands is an upload command, which makes uploading a PHP webshell and getting code execution effortless.

Apache Zookeeper Info Disclosure

juushya added an auxiliary module that obtains useful information such as IPs of connected clients, server OS information and statistics, and log files from Apache Zookeeper instances.

New modules (4)

Enhancements and features

  • PR #14387 by adfoster-r7 added a check to ensure that AutoCheck is always prepended, rather than included, in modules.
  • PR #14373 by dwelch-r7 removed the unused Netware console session type from Framework.
  • PR #14371 by h00die added vulnerable version information to the auxiliary/scanner/http/drupal_views_user_enum module.
  • PR #14353 by agalway-r7 modified the msfdb command to show more readable and informative output to the user.

Bugs fixed

  • PR #14304 by b4rtik updated the post/windows/manage/execute_dotnet_assembly module to be able to handle additional function signatures of the code that will be injected into.
  • PR #14382 by h00die fixed a crash in the auxiliary/analyze/apply_pot module caused by an out-of-date symbol name.
  • PR #14378 by adfoster-r7 added proper synchronization to the job status tracker that is used by Metasploit’s RPC service.
  • PR #14370 by cgranleese-r7 fixed a crash in msfconsole’s generate command caused by attempting to tab complete input with no results.
  • PR #14363 by zeroSteiner fixed an issue in the auxiliary/scanner/smb/smb_login module that reported false negatives for valid credentials when msfconsole was started with bundle exec preceding the command.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).