Last updated at Thu, 25 Jan 2024 00:52:02 GMT

Zimbra with Postfix LPE (CVE-2022-3569)

This week rbowes added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root which in turn is capable of executing arbitrary shellscripts. This can be abused for reliable privilege escalation from the context of the zimbra service account to root. As of this time, this vulnerability remains unpatched.

Zimbra RCE (CVE-2022-41352)

rbowes also added an RCE for Zimbra as well. This exploit can be used to remotely obtain the initial access necessary to exploit CVE-2022-3569 and escalate privileges to root. This exploit leverages a path traversal vulnerability to write a malicious JSP file to the web directory which yields code execution. The vulnerability does not require authentication however it should be noted that pax must not be present on the target in order for it to be exploitable. A Zimbra patch adds pax as a requirement, so either the patch must not have been applied or pax must have been explicitly removed.

FortiOS, FortiProxy, and FortiSwitchManager Authentication Bypass (CVE-2022-40684)

Community member heyder submitted an exploit for multiple Fortinet products this week. The exploit involves an authentication bypass that is leveraged to establish an SSH session with the target. Unfortunately, the tested FortiGate v7.2.1 instance used during testing indicated that the target could not be used for SSH port forwarding.

Improved Qualys Scan Import Performance

Metasploit is capable of importing scan data produced by a variety of tools such as Qualys and Nessus. This week jmartin switched the XML parser used while processing Qualys scan files to obtain a dramatic performance improvement. Scans data which previously took hours to import takes only a few minutes now.

New module content (4)

Enhancements and features (4)

  • #16982 from h00die - Updates the Dell iDRAC login scanner to work with version 8 and version 9
  • #17135 from k0pak4 - This adds proper namespace to the hash identification library to avoid any potential collision with the constants defined previously.
  • #17140 from nfsec - The Metasploit Docker image's Alpine version has been bumped from 3.12 to 3.15.
  • #17154 from jmartin-r7 - The process for importing Qualys scan data has been switched over from REXML to using Nokigiri::XML and XPath for improved performance.

Bugs fixed (1)

  • #17157 from k0pak4 - Setting the global options to set LHOST for all modules will now be properly respected when loading a module, whereas before only the globally set RHOST option would be respected.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).