Baron Samedit is coming to get you

Last week, a critical bug in sudo came out and could potentially affect most of the Linux-based operating systems, since this tool is usually installed by default. This vulnerability is identified as CVE-2021-3156, but better known as "Baron Samedit", and is sitting there in the code since July 2011, ready to guide you to the underworld. It affects legacy versions from 1.8.2 to 1.8.31p2 and stable versions from 1.9.0 to 1.9.5p1. If you have not done it already, patch now!

This week, our own Spencer McIntyre added a new module that leverages this vulnerability to gain root privileges from any local user without using a password. This exploit is based on the blasty PoC. It requires specific offsets to succeed, and currently has targets for Ubuntu 20.04 and 18.0[1-4]. We would like to extend that target list, and help from our awesome community would be greatly appreciated!

OneDrive to rule them all

Contributor @stufus added a very useful module that enumerates the Microsoft 365 Sharepoint/OneDrive endpoints on a target Windows system. This allows access to information related to sites that are being synchronised by the OneDrive application. This module will be very useful to get sensitive and extra information during a pentest engagement.

New Modules (3)

  • Abandoned Cart for WooCommerce SQLi Scanner by WPDeeply and h00die: This adds an auxiliary module that retrieves Wordpress user names and password hashes by leveraging an unauthenticated SQL injection vulnerability within the WooCommerce Abandoned Cart plugin for versions below 5.8.2.
  • Sudo Heap-Based Buffer Overflow by Alexander Krog, Qualys, Spencer McIntyre, blasty, and bwatters-r7, which exploits CVE-2021-3156: This adds an initial exploit for CVE-2021-3156 which is a heap-based buffer overflow in the sudo utility which came out recently.
  • OneDrive Sync Provider Enumeration Module by Stuart Morgan: A new module, post/windows/gather/enum_onedrive.rb, has been added which allows users to enumerate information relating to all of the sites (including teamsites) which OneDrive is configured to synchronize for a target host.

Enhancements and features

  • #14713 from yogeshwarram adds documentation for the auxiliary/scanner/redis/redis_login module.

Bugs Fixed

  • #14680 from digininja prevents exploit/windows/winrm/winrm_script_exec printing nil when no command output is returned.
  • #14684 from adfoster-r7 adds formatted logging to external python modules.
  • #14690 from timwr updates the Mettle payloads gem to 1.0.6, which includes a fix for a segmentation fault leading to the Meterpreter session crashing.
  • #14693 from dwelch-r7 fixes a regression error introduced in Metasploit 6.0.27 which caused the vhost header to not be correctly set for http modules
  • #14719 from acammack-r7 pivoted connections are now much less likely to close early when there is still data pending to be read or written

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).