I still like to MOVEit MOVEit
This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in the MOVEit Transfer SFTP service (CVE-2024-5806). It is possible to authenticate to the SFTP service as any user, as long as a valid username is known and the "Remote Access Rules" allow the attacker's IP address. After a successful attack, it is possible to access any file on the SFTP server that the user has permission to access. The module lets you list directories and display (or download) files.
The following versions of MOVEit Transfer are affected:
- MOVEit Transfer 2023.0.x (fixed in 2023.0.11)
- MOVEit Transfer 2023.1.x (fixed in 2023.1.6)
- MOVEit Transfer 2024.0.x (fixed in 2024.0.2)
New module content (3)
Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read
Author: sfewer-r7
Type: Auxiliary
Pull request: #19295 contributed by sfewer-r7
Path: gather/progress_moveit_sftp_fileread_cve_2024_5806
AttackerKB reference: CVE-2024-5806
Description: This module exploits an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The vulnerable versions are MOVEit Transfer 2023.0.x until 2023.0.11, MOVEit Transfer 2023.1.x until 2023.1.6, and MOVEit Transfer 2024.0.x until 2024.0.2. The module allows listing remote directories and reading files without authentication.
Zyxel parse_config.py Command Injection
Authors: SSD Secure Disclosure technical team and jheysel-r7
Type: Exploit
Pull request: #19204 contributed by jheysel-r7
Path: linux/http/zyxel_parse_config_rce
AttackerKB reference: CVE-2023-33012
Description: This adds an exploit module that leverages multiple vulnerabilities in order to obtain pre-auth command injection on multiple VPN Series Zyxel devices.
Azure CLI Credentials Gatherer
Authors: James Otten and h00die
Type: Post
Pull request: #10113 contributed by james-otten
Path: multi/gather/azure_cli_creds
Description: This post module exfiltrates Azure tokens and configurations from old azure-cli versions that use unencrypted formats.
Enhancements and features (2)
- #19287 from adeherdt-r7 - Updates the auxiliary/scanner/redis/redis_login module to support Redis 6.x.
- #19297 from adeherdt-r7 - Improves the Redis login brute force functionality to better detect when auth is not required for the target.
Bugs fixed (3)
- #19252 from zgoldman-r7 - Improves error logging for unhandled exceptions for login scanners.
- #19285 from dledda-r7 - This fixes an issue with Meterpreter's sysinfo command that was failing when the current working directory was deleted.
- #19289 from h00die - Updates the post/linux/gather/apache_nifi_credentials module to now support extracting nifi.properties values that contain hyphens.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
Source: Rapid7
Source Link: https://blog.rapid7.com/2024/07/05/metasploit-wrapup-75/