MicroFocus? More like MacroVuln

MicroFocus’s Operations Bridge Manager is a security information and event management (SIEM) tool designed to collect and parse security logs from multiple disparate sources. OBM has a large attack surface—something Pedro Ribeiro was able to take advantage of with his new RCE module. This module leverages a Java deserialization bug to allow payload execution as either root or SYSTEM, depending on the victim OS.

We have one other OBM module currently in the process of landing, but for anyone who needs their fix of MicroFocus hacks right away, we'd recommend pedrib’s super detailed writeup of his findings.

Patches? We don't need no stinkin' patches!

While PR #14607 doesn’t add a totally new exploit for Microsoft Exchange Server, that's only because zeroSteiner was able to update an earlier module to support a bypass for the patch that was supposed to fix the vuln it exploited.

CVE-2020-16875 originally allowed remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server, so long as they were authenticated as a user who had an active mailbox and who was assigned the Data Loss Prevention role. This was believed to have been patched in Exchange Server 2016 Cumulative Update 18 (September 15, 2020) and Exchange Server 2019 Cumulative Update 7 (September 15, 2020). However, that patch was later bypassed, and the bypass was assigned CVE-2020-17132. Microsoft’s second patch was also later bypassed—a tough shake for organizations’ patch cycles. Both the original vulnerability and the patch bypass were discovered by Steven Seeley, and the Metasploit code is based on his work.

zeroSteiner's changes allow the exchange_ecp_dlp_policy module to exploit the two patched versions of Exchange Server and the unpatched server.

External modules, internal quality

Last but not least, cgranleese-r7 has spearheaded our efforts to improve the usability of Metasploit’s external modules by providing more informative error messages when users lack the required language runtimes in their environment (#14480). This should help users avoid missing out on useful modules simply because they didn't know that languages other than Ruby can be needed for the full Metasploit experience.

msf6 > use auxiliary/scanner/msmail/host_id
[-] Failed to load module: LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
msf6 >
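To show what the improved error path has to decide, here is an added example (not Metasploit's own code, and the runtime table, detection rules and injectable PATH list are this example's own assumptions): given a module's file name and first line, it works out whether an external Python or Go runtime is required, looks for it on PATH, and builds the same kind of message shown above instead of a bare LoadError.

```ruby
# Added example, not code from Metasploit: decide which external runtime a
# module needs and build the informative error shown when it is missing.
# The runtime table, detection rules and messages are this example's own.
RUNTIMES = {
  'python' => { label: 'Python', names: %w[python3 python], ext: '.py' },
  'go'     => { label: 'Go',     names: %w[go],             ext: '.go' }
}.freeze

# Interpreter named by a shebang line ("#!/usr/bin/env python3" -> "python3"),
# or nil when the line is not a shebang.
def shebang_interpreter(first_line)
  return nil unless first_line.to_s.start_with?('#!')
  words = first_line[2..-1].split
  return nil if words.empty?
  base = File.basename(words[0])
  base = File.basename(words[1]) if base == 'env' && words[1]
  base
end

# Which runtime a module source file needs: the shebang wins, the file
# extension is the fallback. Returns 'python', 'go' or nil (e.g. a Ruby module).
def required_runtime(path, first_line)
  interp = shebang_interpreter(first_line)
  RUNTIMES.each do |lang, spec|
    return lang if interp && spec[:names].any? { |n| interp.start_with?(n) }
  end
  RUNTIMES.each do |lang, spec|
    return lang if path.end_with?(spec[:ext])
  end
  nil
end

# First executable for the runtime found in path_dirs, or nil. The directory
# list is injectable so the logic can be exercised without the real PATH.
def find_executable(lang, path_dirs)
  RUNTIMES.fetch(lang)[:names].each do |name|
    path_dirs.each do |dir|
      candidate = File.join(dir, name)
      return candidate if File.file?(candidate) && File.executable?(candidate)
    end
  end
  nil
end

# The message a user should see, or nil when there is nothing to report:
# either the module needs no external runtime, or the runtime is installed.
def load_error_for(module_path, first_line,
                   path_dirs = ENV.fetch('PATH', '').split(File::PATH_SEPARATOR))
  lang = required_runtime(module_path, first_line)
  return nil if lang.nil? || find_executable(lang, path_dirs)
  label = RUNTIMES.fetch(lang)[:label]
  "Failed to execute external #{label} module. Please ensure you have #{label} installed on your environment."
end
```

Passing the PATH directories explicitly is what makes the check testable and keeps the decision deterministic; the same shape lets a loader report which runtime is missing before it ever tries to spawn the module.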

New modules (1)

  • Micro Focus Operations Bridge Manager Authenticated Remote Code Execution by Pedro Ribeiro, which exploits ZDI-20-1327 / CVE-2020-11853. This adds an exploit module that leverages an insecure Java deserialization vulnerability in multiple Micro Focus products. This allows remote code execution as the root user on Linux or the SYSTEM user on Windows. Initial authentication is required, but any low-privileged user can be used to successfully run this exploit.

Enhancements and features

  • #14154 from cgranleese-r7 This ensures that all modules that previously used manual AutoCheck behavior now leverage the AutoCheck mixin instead.
  • #14480 from cgranleese-r7 Improves the handling of external modules when they're missing runtime dependencies and gives the user a more useful error. It will now return which runtime language the user is missing on their environment (this has been implemented for both Python and Go).
  • #14607 from zeroSteiner This updates the Exchange ECP DLP Policy module exploit to leverage a new technique that bypasses the original patch. This new technique also works on unpatched versions.
  • #14669 from jmartin-r7 Improves error message feedback when using the auxiliary/analyze/crack_* modules. Examples include notifying the user that the database needs to be active, or that the JohnTheRipper Jumbo patch needs to be installed.
  • #14685 from geyslan Reduced the size of the linux/x64/shell_bind_tcp_random_port payload while maintaining the functionality.
  • #14708 from timwr Add offsets to the exploit/osx/browser/safari_proxy_object_type_confusion exploit module for Mac OSX 10.13.1 and 10.13.2.
  • #14721 from bcoles This adds a target for Debian 10 to the sudo exploit CVE-2021-3156.
  • #14728 from FireFart Updates have been made to lib/msf/core/module/reference.rb as well as associated tools and documentation to update old WPVDB links with the new WPVDB domain and to also ensure that the new URL format is properly checked in the respective tools.
  • #14725 from h00die Moves creds to a default-cred "userpass" list instead of splitting known cred pairs across files.
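The AutoCheck mixin mentioned in #14154 replaces hand-written "run check, then bail out" code in each module with a mixin that is prepended to the module class, so its `exploit` runs first and decides whether to call the module's own `exploit`. The following is an added example, not Metasploit's own mixin or any real module: a small reconstruction of that mechanism with a constructed banner-based `check`, illustrative `CheckCode` constants, and this example's own policy that only a Vulnerable result proceeds unless `ForceExploit` is set.

```ruby
# Added example, not code from Metasploit: a minimal reconstruction of how an
# AutoCheck-style mixin gates exploit on check. Names are illustrative only.
module CheckCode
  Vulnerable = :vulnerable
  Safe       = :safe
  Unknown    = :unknown
end

# Prepended, so AutoCheck#exploit is reached before the module's own #exploit
# and reaches the original through super only when it decides to proceed.
module AutoCheck
  def exploit
    return super unless datastore.fetch('AutoCheck', true)

    code = check
    if code == CheckCode::Vulnerable
      log('Check reported vulnerable, running exploit')
      return super
    end
    if datastore['ForceExploit']
      log("Check reported #{code} but ForceExploit is set, running exploit anyway")
      return super
    end
    log("Check reported #{code}; set ForceExploit to override and run anyway")
    false
  end
end

# Stand-in for a module. The banner is a constructed value playing the role of
# a probed service response; no network access is involved.
class DemoModule
  attr_reader :datastore, :messages, :exploited

  def initialize(banner, datastore = {})
    @banner = banner
    @datastore = datastore
    @messages = []
    @exploited = false
  end

  # Constructed rule: DemoService major versions below 2 count as vulnerable,
  # 2 and above as safe, anything unrecognised as unknown.
  def check
    m = @banner.match(%r{DemoService/(\d+)\.(\d+)})
    return CheckCode::Unknown unless m
    m[1].to_i < 2 ? CheckCode::Vulnerable : CheckCode::Safe
  end

  # The module's own exploit body; here it only records that it ran.
  def exploit
    @exploited = true
  end

  def log(msg)
    @messages << msg
  end

  prepend AutoCheck
end
```

Because the mixin is prepended rather than included, it does not rely on each module remembering to call a helper at the top of `exploit`; the gating is applied uniformly and `ForceExploit` remains the single documented override.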

Bugs fixed

  • #14714 from adfoster-r7 Updates the sqlite gem in preparation for Ruby 3.0 support and fixes a SQLite3 deprecation warning.
  • #14720 from dwelch-r7 Fixed an issue in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries where the VHOST datastore variable would be set incorrectly if a user used an /etc/hosts entry for resolving a hostname to an IP address.
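The VHOST problem in #14720 comes down to one rule: the Host header must carry the name the user typed, and only the connection address should be the result of name resolution, whether that resolution came from DNS or from /etc/hosts. The block below is an added example, not the fixed Metasploit library code: it splits an RHOST-style URL into RHOSTS, RPORT, SSL, VHOST and TARGETURI values with that rule, and takes an injectable resolver so it can be exercised offline (the option names mirror Metasploit's datastore keys, but the function and its handling of IP literals are this example's own).

```ruby
# Added example, not code from Metasploit: split an HTTP target URL into the
# address to connect to and the Host header value (VHOST), keeping the literal
# hostname as VHOST no matter how it resolves (DNS or /etc/hosts).
require 'uri'
require 'ipaddr'
require 'resolv'

# True when host is an IPv4 or IPv6 literal.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Resolve with the same sources the system uses: /etc/hosts first, then DNS.
def default_resolver
  ->(name) { Resolv.new([Resolv::Hosts.new, Resolv::DNS.new]).getaddress(name) }
end

# Derive datastore-style options from a URL. VHOST is always the hostname the
# user typed (nil for an IP literal); only RHOSTS is the resolved address.
def rhost_url_to_options(url, resolver: default_resolver)
  uri = URI.parse(url)
  unless %w[http https].include?(uri.scheme)
    raise ArgumentError, "unsupported scheme #{uri.scheme.inspect}"
  end
  host = uri.hostname   # brackets already stripped for IPv6 literals
  raise ArgumentError, 'URL has no host' if host.nil? || host.empty?

  opts = {
    'RPORT'     => uri.port,
    'SSL'       => uri.scheme == 'https',
    'TARGETURI' => uri.path.empty? ? '/' : uri.path
  }
  if ip_literal?(host)
    opts['RHOSTS'] = host
    opts['VHOST']  = nil          # nothing meaningful to put in a Host header
  else
    opts['RHOSTS'] = resolver.call(host).to_s
    opts['VHOST']  = host         # the name, regardless of where it resolved
  end
  opts
end
```

Injecting the resolver is also how a test can reproduce the /etc/hosts case: a lambda that maps a name to an address stands in for a hosts-file entry, and the assertion is simply that VHOST still equals the name.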

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).