National Cyber Warfare Foundation (NCWF) Forums


Metasploit Weekly Wrap-Up 04 05 2024


2024-04-05 19:04:24
milo
Red Team (CNA)

Metasploit Weekly Wrap-Up 04/05/2024


New ESC4 Templates for AD CS

Metasploit added capabilities for exploiting the ESC family of flaws in AD CS in Metasploit 6.3. The ESC4 technique in particular has been supported for some time now thanks to the ad_cs_cert_templates module, which enables users to read and write certificate template objects. This facilitates the exploitation of ESC4, a misconfiguration in the access controls of a certificate template's LDAP object that allows an attacker to tamper with the template. An attacker typically uses this to modify a certificate template object they have write access to so that it becomes susceptible to ESC1. Metasploit offers a premade template for ESC1 that a user can select to perform this attack.


This attack workflow was expanded this week with two new templates for ESC2 and ESC3. These new templates give Metasploit users who are concerned about ESC1 being detected alternative options for exploitation. Additionally, the premade templates can be edited, for example to restrict permissions to a particular SID by changing the SDDL text of the ntSecurityDescriptor.
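The ESC4 condition described above is visible in the ntSecurityDescriptor of a certificate template: a DACL entry that grants write rights (WRITE_PROPERTY, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE or GENERIC_ALL) to a broad principal such as Domain Users or Authenticated Users. The following is an added example, not code from the Rapid7 post or from Metasploit, that parses the SDDL text of a template's descriptor and reports such entries; it also shows the same descriptor after the write ACE has been restricted to a specific group SID, as the paragraph above suggests. The two SDDL strings, the group SIDs in them and the function names are constructed for the example.

```python
import re

# Two-letter SDDL access-right codes that let a principal alter a template object.
# Note: "WD" in the rights field means WRITE_DAC; "WD" in the SID field means Everyone.
WRITE_RIGHT_CODES = {
    "GA": "GENERIC_ALL",
    "GW": "GENERIC_WRITE",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
    "WP": "WRITE_PROPERTY",
}
# The same rights as bit masks, for ACEs whose rights field is written in hex.
WRITE_RIGHT_MASKS = {
    0x10000000: "GENERIC_ALL",
    0x40000000: "GENERIC_WRITE",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00000020: "WRITE_PROPERTY",
}
# SDDL aliases and well-known SIDs for low-privilege, broad groups.
BROAD_ALIASES = {"AU": "Authenticated Users", "DU": "Domain Users", "DC": "Domain Computers",
                 "DG": "Domain Guests", "WD": "Everyone", "BU": "Builtin Users", "AN": "Anonymous"}
BROAD_WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-7": "Anonymous"}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "514": "Domain Guests", "515": "Domain Computers"}

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))+)")


def parse_rights(field):
    """Return the names of write-capable rights in an SDDL rights field (letter codes or hex mask)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {name for bit, name in WRITE_RIGHT_MASKS.items() if mask & bit}
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    return {WRITE_RIGHT_CODES[c] for c in codes if c in WRITE_RIGHT_CODES}


def parse_dacl(sddl):
    """Split the DACL portion of an SDDL string into ACE dicts (conditional ACEs are skipped)."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = []
    for body in ACE_RE.findall(match.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            continue
        aces.append({"type": fields[0], "flags": fields[1], "rights": fields[2],
                     "object_guid": fields[3], "inherit_guid": fields[4], "sid": fields[5]})
    return aces


def broad_principal(sid):
    """Name the principal if it is a broad group (alias, well-known SID, or domain RID 513/514/515)."""
    if sid in BROAD_ALIASES:
        return BROAD_ALIASES[sid]
    if sid in BROAD_WELL_KNOWN_SIDS:
        return BROAD_WELL_KNOWN_SIDS[sid]
    rid = sid.rsplit("-", 1)[-1]
    if sid.startswith("S-1-5-21-") and rid in BROAD_DOMAIN_RIDS:
        return BROAD_DOMAIN_RIDS[rid]
    return None


def find_esc4_aces(sddl):
    """Report allow ACEs that give a broad principal write rights over the template object."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):      # only access-allowed ACEs grant anything
            continue
        who = broad_principal(ace["sid"])
        if who is None:
            continue
        for right in sorted(parse_rights(ace["rights"])):
            # WRITE_PROPERTY with an object GUID is limited to one property; flag it but say so.
            scope = "property " + ace["object_guid"] if right == "WRITE_PROPERTY" and ace["object_guid"] else "object"
            findings.append({"principal": who, "sid": ace["sid"], "right": right, "scope": scope})
    return findings


# Constructed descriptor of a misconfigured template. The Enroll extended-right GUID is the
# standard one; the domain SID S-1-5-21-1111-2222-3333 is made up for the example.
VULNERABLE_TEMPLATE_SDDL = (
    "O:EAG:EAD:PAI"
    "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DU)"   # Domain Users may enroll: normal
    "(A;;LCRPRC;;;AU)"                                      # Authenticated Users read-only: normal
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"                  # Domain Admins full control: expected
    "(A;;RPWPWD;;;DU)"                                      # Domain Users can write properties and the DACL: ESC4
    "(A;;0x00080000;;;S-1-5-21-1111-2222-3333-515)"         # Domain Computers WRITE_OWNER via hex mask: ESC4
)

# The same template after the write ACEs were restricted to one dedicated group (RID 1105, constructed).
HARDENED_TEMPLATE_SDDL = (
    "O:EAG:EAD:PAI"
    "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DU)"
    "(A;;LCRPRC;;;AU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(A;;RP;;;DU)"
    "(A;;RPWPWD;;;S-1-5-21-1111-2222-3333-1105)"
)

if __name__ == "__main__":
    for label, sddl in (("vulnerable", VULNERABLE_TEMPLATE_SDDL), ("hardened", HARDENED_TEMPLATE_SDDL)):
        print(label, find_esc4_aces(sddl))
```

Running the block on a real environment means feeding it the ntSecurityDescriptor of each object under CN=Certificate Templates in the Configuration partition (converted to SDDL); the vulnerable sample yields three findings, the hardened sample none. Membership of the specific group that remains in the hardened DACL is the thing to review next, since a write ACE for a small group is only as safe as that group's membership.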


New module content (2)


WatchGuard XTM Firebox Unauthenticated Remote Command Execution


Authors: Charles Fol (Ambionics Security), Dylan Pindur (AssetNote), Misterxid, and h00die-gr3y [email protected]

Type: Exploit

Pull request: #18915 contributed by h00die-gr3y

Path: linux/http/watchguard_firebox_unauth_rce_cve_2022_26318

AttackerKB reference: CVE-2022-26318


Description: This PR adds a module for a buffer overflow in the administration interface of WatchGuard Firebox and XTM appliances. The appliances are built from a CherryPy Python backend that sends XML-RPC requests to a C binary called wgagent, reachable through the pre-authentication endpoint /agent/login. This vulnerability affects Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as the user nobody.


Jenkins CLI Ampersand Replacement Arbitrary File Read


Authors: Vozec, Yaniv Nizry, binganao, h00die, and h4x0r-dz

Type: Auxiliary

Pull request: #18764 contributed by h00die

Path: gather/jenkins_cli_ampersand_arbitrary_file_read

AttackerKB reference: CVE-2024-23897


Description: This PR adds a new module to exploit CVE-2024-23897, an unauthorized arbitrary file read (limited to the first 2 lines of a file) on Jenkins versions prior to 2.442 and, for the LTS stream, versions prior to 2.426.3.


Enhancements and features (4)



  • #18906 from zeroSteiner - This PR adds support for leveraging the ESC4 attack on misconfigured AD CS servers to introduce ESC2 and ESC3.

  • #18933 from sjanusz-r7 - Updates the new SQL session types to correctly remember previous commands that the user has entered.

  • #19003 from ArchiMoebius - Updates msfvenom and payload generation to support formatting payloads as a Zig buffer.

  • #19014 from cgranleese-r7 - Adds an initial set of acceptance tests for MySQL modules and session types.


Bugs fixed (3)



  • #18935 from zeroSteiner - This PR fixes a common user mistake when authenticating with LDAP modules. Now, users can specify either the USERNAME (user) and DOMAIN (domain.local) datastore options or the original format of just the USERNAME in the UPN format ([email protected]). This fix updates the LDAP library.

  • #19007 from dwelch-r7 - Fixes a regression that affected the exploit/multi/http/log4shell_header_injection module and stopped it from running successfully.

  • #19021 from cgranleese-r7 - Updates the admin/mysql/mysql_enum module to work with newer versions of MySQL.


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:


If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/04/05/metasploit-weekly-wrap-up-04-05-2024/

