• 4.17.1 Product Update 2020-04-27
    • Bugs Fixed

      • Pro: MS-4920 - File imports now redirect properly to the new task when using Google Chrome browser.
      • PR 13266 - Rapid7 Metasploit Framework version 5.0.85 and prior suffers from an instance of CWE-78: OS Command Injection, where the libnotify plugin accepts untrusted user-supplied data via a computer's hostname or service name. An attacker can create a specially crafted hostname or service name to be imported by Metasploit from a variety of sources and trigger a command injection on the operator's terminal. Only the Metasploit Framework and products that expose the plugin system are susceptible to this issue.
        This does not include Rapid7 Metasploit Pro. This vulnerability cannot be triggered through a normal scan operation; the attacker would have to supply a file that is processed with the db_import command.
      • PR 13277 - The payload gem was bumped to bring in a fix for a race condition that existed in the filesystem library in the Java meterpreter.
      • PR 13282 - Unicode support was added to the search command to allow users to find entries containing Unicode characters. This fixes bug issues reported in #13150.
      • PR 13298 - The to_handler command for payloads and evasion modules now correctly sets ExitOnSession to false.
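      The CWE-78 issue in PR 13266 comes down to handing attacker-controlled text (a hostname or service name) to a shell. As an added example that is not Metasploit's or the libnotify plugin's code, here is the unsafe string-building pattern beside a hardened helper (`valid_hostname?` and `notify_argv` are hypothetical names) that validates the hostname and passes each field as its own argv element so no shell ever parses it.

```ruby
# Added example, not Metasploit's own code: hardening a desktop-notification
# helper that shells out with an attacker-controlled hostname/service name.

# RFC 1123-style hostname check: labels of letters, digits and hyphens,
# joined by dots, 253 characters at most. Anything else is rejected up front.
HOSTNAME_LABEL = /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/

def valid_hostname?(host)
  return false if host.nil? || host.empty? || host.length > 253
  host.split('.', -1).all? { |label| label.match?(HOSTNAME_LABEL) }
end

# VULNERABLE pattern (returned as a string here, never executed): untrusted
# input interpolated into one command line that a shell will parse. Shell
# metacharacters in the hostname change the structure of the command.
def unsafe_command_string(host, service)
  "notify-send 'Host #{host}' 'Service #{service}'"
end

# Hardened form: the hostname must validate, the service name is reduced to
# printable characters and capped, and every field is a separate argv element.
def notify_argv(host, service)
  raise ArgumentError, "invalid hostname: #{host.inspect}" unless valid_hostname?(host)
  svc = service.to_s.gsub(/[^[:print:]]/, '?')[0, 64]
  ['notify-send', "Host #{host}", "Service #{svc}"]
end

def notify(host, service)
  # Array form of Kernel#system execs the program directly; /bin/sh is not involved.
  system(*notify_argv(host, service))
end

if __FILE__ == $PROGRAM_NAME
  good = 'web01.example.com'          # constructed sample
  bad  = 'web01; echo injected'       # constructed sample with shell metacharacters
  p unsafe_command_string(bad, 'http') # the metacharacters survive into the shell string
  p notify_argv(good, 'http')          # ["notify-send", "Host web01.example.com", "Service http"]
  p valid_hostname?(bad)               # false: rejected before any command is built
end
```

The same argv-per-field rule applies to any other place imported data reaches a process spawn, such as a popen or backtick call.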

      Enhancements and Features

      • PR 11967 - The modules/post/multi/manage/screenshare.rb module was updated to allow it to interact with a remote target desktop using a web browser to control the keyboard and mouse.
      • PR 13049 - A new exploit for CVE-2020-7350 was added. The metasploit_libnotify_cmd_injection module targets a command execution vulnerability, triggered through a malicious file, in Rapid7's Metasploit Framework versions prior to 5.0.86.
      • PR 13140 - Payload completion support for the existing msfvenom zsh completion definition was added.
      • PR 13154 - Windows Meterpreter's window enumeration capabilities were enhanced to support Unicode, display the window class, and to extract the values from password fields. It also updates the Teamviewer password extraction module to support this technique for obtaining credentials.
      • PR 13193 - The module modules/exploits/windows/local/unquoted_service_path was updated to allow you to try multiple paths, attempting them from longest to shortest, and to leave the payload on disk.
      • PR 13227 - This cleans up the Ubiquiti, Cisco and Brocade config file ingestion libraries. Additionally, the Cisco library no longer stores redundant information on disk.
      • PR 13252 - A new payload type, reverse_tcp_uuid for OSX x64 systems was added. It adds support for displaying UUID information. This PR also updates the existing reverse_tcp stager to print out UUID information if requested.
      • PR 13253 - Two new auxiliary modules were added. These modules exploit CVE-2020-3952. The PR also adds a new LDAP library which allows Metasploit to act as an LDAP client.
        • modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass - Bypasses LDAP authentication in VMware vCenter Server's vmdir service to add an arbitrary administrator user.
        • modules/auxiliary/gather/vmware_vcenter_vmdir_ldap - Dumps the full contents of an LDAP directory from vulnerable VMware vCenter Server machines.
      • PR 13256 - Recent Ruby vulns were addressed by bumping suggested versions to the latest release.
      • PR 13263 - The library which generates the Python payload stager was updated to remove whitespace from the generated stager.
      • PR 13267 - The tip command was deprecated in favor of tips, which now returns a list of all productivity tips.
      • PR 13268 - Two new productivity tips were added to the tip command to help you be more efficient.
        • sessions -1 - Use sessions -1 to interact with the last opened session.
        • show missing - Use show missing to view missing module options.
      • PR 13311 - msftidy can now handle expected ZDI references.

      New Modules

      • PR 12145 - The module modules/auxiliary/admin/http/grafana_auth_bypass was added to exploit a vulnerability in Grafana versions 2-5.2.2 that allows attackers to generate authentication cookies for users whose accounts are backed by LDAP or OAuth. This vulnerability is identified as CVE-2018-15727.
      • PR 12405 - A new module, modules/post/windows/manage/execute_dotnet_assembly was added that allows a user to load and run a dotnet executable in memory on the remote target.
      • PR 13094 - A new module, modules/exploits/linux/http/vestacp_exec was added that exploits CVE-2020-10808, an authenticated command injection vulnerability within the v-list-user-backups script of Vesta Control Panel 0.9.8-26 and prior. Successful exploitation results in remote code execution as the root user.
      • PR 13102 - A new module, modules/exploits/linux/http/unraid_auth_bypass_exec was added that exploits CVE-2020-5847 and CVE-2020-5849. This exploits an authentication bypass vulnerability caused by an insecure whitelisting mechanism in auth_request.php and then performs remote code execution as root by abusing the extract function used in the template.php file.
      • PR 13195 - A new module, modules/exploits/linux/http/nexus_repo_manager_el_injection was added that exploits CVE-2020-10199, an authenticated Java EL Injection RCE in Nexus Repository Manager 3.x for versions 3.21.1 and prior. Successful exploitation results in RCE as the user nexus.
      • PR 13208 - A new module, modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce was added that exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer) running on the TP-Link Archer A7/C7 (AC1750) router, hardware version 5, MIPS architecture, firmware version 190726. This module exploits the following CVEs:
        • CVE-2020-10882
        • CVE-2020-10883
        • CVE-2020-10884
      • PR 13213 - A new module, modules/exploits/multi/http/liferay_java_unmarshalling was added that exploits CVE-2020-7961, an unauthenticated unmarshalling RCE in Liferay Portal versions prior to 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2. Successful exploitation results in remote code execution as the liferay user.
      • PR 13215 - A new auxiliary module, modules/auxiliary/scanner/http/limesurvey_zip_traversals, was added that exploits two separate authenticated directory traversal vulnerabilities in LimeSurvey, CVE-2019-9960 and CVE-2020-11455. For versions between v4.0 and v4.1.11, the getZipFile() function allows for the download of arbitrary files due to insufficient sanitization of the path parameter. For versions v3.15.9 and lower, the downloadZip() function enables arbitrary file downloads via the unsanitized szip parameter.
      • PR 13235 - A new auxiliary module, modules/auxiliary/scanner/http/zenload_balancer_traversal was added that exploits a directory traversal vulnerability in Zen Load Balancer v3.10.1. Local files can be downloaded by requesting files through the filelog parameter in a GET request to index.cgi.
      • PR 13240 - A new exploit module, modules/exploits/unix/webapp/thinkphp_rce was added to leverage two unauthenticated RCEs in the ThinkPHP web application identified as CVE-2018-20062 and CVE-2019-9082. The module will automatically select the appropriate vulnerability to exploit at runtime.

      Offline Update

      • https://updates.metasploit.com/packages/8d4a118253d7684f8c9b391b7da91ddd0be75d20.bin

      Metasploit Framework and Pro Installers

      • https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version