Metasploit Weekly Wrap-Up: Jul 15, 2022

Last updated at Thu, 21 Dec 2023 22:22:18 GMT

JBOSS EAP/AS - More Deserializations? Indeed!

Community contributor Heyder Andrade added in a new module for a Java deserialization vulnerability in JBOSS EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior. As far as we can tell this was first disclosed by Joao Matos in his paper at AlligatorCon. Later a PoC from Marcio Almeida came out that Heyder Andrade used as the basis for his Metasploit module. The exploit allows an unauthenticated attacker with network access to JBOSS EAP/AS <= 6.1.0 Remoting Unified Invoker interface to gain RCE as the user jboss by sending a crafted serialized object to this interface.

Deserialization attacks have certainly been quite popular as of late but we haven't seen many in JBOSS lately so we appreciate the efforts of these contributors to provide us with some alternative deserialization attacks :)

More Unauthenticated RCEs - Sourcegraph gitserver sshCommand RCE

One unauthenticated RCE is nice for a weekly wrapup, but we can always do better. Why not make it two this week? Courtesy of Spencer McIntyre and Altelus1's PoC, we now have a Metasploit module for CVE-2022-23642, an unauthenticated RCE in Sourcegraph Gitserver prior to 3.37.0 that allows attackers to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. Successful exploitation will allow an unauthenticated attacker to execute commands in the context of the Sourcegraph Gitserver server.

This is another cool attack, as we don't often see these types of configuration-related issues leading to unauthenticated RCE; typically when they do crop up, there are limitations on what one can do. However in this case we ended up with a full RCE as an unauthenticated user, which goes to show that even less common or more frequently overlooked issues under the right scenario can be exploited to gain privileged access.

Decrypting Ya Secrets - Citrix Netscaler Secrets Decrypter

Finally, community contributor npm-cesium137-io added a new module to decrypt Citrix Netscaler appliance configuration files and recover secrets encrypted with the KEK encryption scheme, provided you have the key fragment files.

We have heard both from npm-cesium137-io and others that Citrix Netscaler has been seen on a number of pen testing engagements so hopefully this module should assist those pen testing these environments by allowing them to more easily obtain secrets during their engagements.

New module content (3)

• Decrypt Citrix NetScaler Config Secrets by npm-cesium137-io - This auxiliary module allows users to decrypt secrets in Citrix NetScaler appliance configuration files.
• Sourcegraph gitserver sshCommand RCE by Altelus1 and Spencer McIntyre, which exploits CVE-2022-23642 - This module leverages an unauthenticated RCE in Sourcegraph's gitserver component which results in OS command execution in the context of gitserver.
• JBOSS EAP/AS Remoting Unified Invoker RCE by Heyder Andrade, Joao Matos, and Marcio Almeida - This module exploits a Java deserialization vulnerability in JBOSS EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior.

Enhancements and features (2)

• #16735 from ErikWynter - This change sets the MeterpreterTryToFork advanced payload option to true by default for the Linux target in the aerohive_netconfig_lfi_log_poison_rce module to prevent the application from hanging once exploited.
• #16764 from bcoles - Adds two new HTTP client evasion options to msfconsole HTTP::shuffle_get_params, and HTTP::shuffle_post_params that allow users to randomize the order of the POST and GET parameters to evade static signatures.

Bugs fixed (5)

• #16617 from NikitaKovaljov - This fixes a race condition that was present in the ipv6_neighbor module that caused hosts to be missed when the scanned range was very short due to an adaptive timeout with an insufficient floor value.
• #16703 from e2002e - This fixes compatibility issues with the Censys V2 API and the censys_search.rb module.
• #16718 from cdelafuente-r7 - This fixes the run_as library and module to work correctly on 64-bit systems.
• #16727 from bcoles - Modules that use the tftp command stager fail due to a missing tftphost option. This ensures that the tftphost host is set and valid before proceeding with creating the command stager.
• #16736 from ErikWynter - This change fixes a bug in the confluence_widget_connector exploit module to prevent it from crashing when the HTTP response body received in the get_java_property method is empty or does not match expected regex.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.6...6.2.7
• Full diff 6.2.6...6.2.7

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).