CVE-2023-0599: Metasploit Release Notes

Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross-site scripting (XSS) vulnerability caused by a lack of sanitization of JavaScript request strings. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the browser of another Metasploit Pro user via a specially crafted request. Note that in most deployments, all Metasploit Pro users tend to enjoy privileges equivalent to local administrator.

  • Pro: We completed dependency updates required to support the latest Metasploit Framework version 6.3.

  • Pro: We completed a periodic update of the Java Runtime to maintain a good security posture.

  • PR 16685 - Updates the Kerberos Authentication support to include multiple new encryption types, which will allow Kerberos Authentication to work against newer targets that have older encryption types disabled.

  • PR 16689 - Adds support for host addresses in kerberos tickets.

  • PR 16700 - Updates LDAP modules to support Kerberos and NTLM authentication.

  • PR 16749 - Adds Kerberos Authentication support to WinRM modules.

  • PR 16760 - Updates WinRM sessions to support delegated Kerberos tickets, to be able to access additional network resources from the compromised server.

  • PR 16770 - This enables the reuse of previously obtained CCache files for MSSQL, SMB, WinRM, and LDAP authentication. After a successful authentication using Kerberos, tickets are stored in CCache files. They will be reused for subsequent authentications without having to renegotiate new Kerberos tickets.

  • PR 17025 - Adds a new USER_RID option to the Kerberos ticket forging module auxiliary/admin/kerberos/forge_ticket.

  • PR 17340 - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.

  • PR 17343 - This makes performance improvements to the windows/local/unquoted_service_path module.

  • PR 17373 - Adds ticket flags when presenting krb5 ccaches on msfconsole.

  • PR 17374 - Adds klist command support to list Kerberos tickets in the database.

  • PR 17451 - This adds netntlm and netntlmv2 hashes support to auxiliary/analyze/crack_windows module.

  • PR 17456 - This PR adds a new KrbOfferedEncryptionTypes option that allows users to configure what encryption types are used with the KDC.

  • PR 17466 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.

  • PR 17473 - Updates the docs site to have an edit link at the bottom of each page which will take you to the corresponding markdown file on Github for editing.

  • PR 17475 - Enables the datastore_fallbacks feature flag by default. This is a rewrite of Metasploit’s datastore to fix multiple bugs and edge-cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again.

  • PR 17480 - A new alias has been added for payloads called exploit which will perform the same action as to_handler, to help users familiar with exploit modules to use the same familiar exploit method to open handlers when using payloads.

  • PR 17518 - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.

  • PR 17519 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.

  • PR 17526 - Updates the show options and show advanced command to visually group options with the same conditions together, such as options that require an action or datastore value to be set.

  • PR 17535 - This adds NTLM hash recovery to the kerberos/get_ticket module.

  • PR 17539 - Adds additional error handling for Kerberos error codes.

  • Pro: We addressed CVE-2023-0599, a stored XSS vulnerability on the individual host services page reported by Michael Caruso. Thank you for the coordinated disclosure.

  • Pro: We improved the CLI startup process to ensure running tasks are no longer interrupted by starting a Pro console.

  • PR 17385 - This PR fixes the file write and file append methods to return the expected Boolean values rather than nil.

  • PR 17455 - Fixes an issue where Kerberos responses could not be received in smaller chunks, such as in bandwidth restricted networks.

  • PR 17482 - Fixes a connection issue with reverse_https stagers executed on Windows servers that attempt to negotiate TLS 1.0 while Metasploit is using OpenSSL 3.

  • PR 17491 - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library that handles LDAP communications for several modules to ensure that failures use the right namespace when throwing errors to prevent crashes.

  • PR 17497 - This fixes an error where modules that issue certificates (icpr_cert and now auxiliary/admin/dcerpc/cve_2022_26923_certifried) would crash if the response from the server was that the certificate was submitted and no certificate was returned. This updates the code to check if the certificate is present before attempting to process it.

  • PR 17516 - The version of metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.

  • PR 17525 - Fixes a deprecation warning when using socks proxy support in Metasploit.

  • PR 17541 - Fixes a crash that occurs when the domain option is set to blank.

  • PR 17549 - Updates the inspect_ticket module to output a user-friendly error if ticket decryption fails, for example due to an invalid decryption key.

  • PR 16625 - Adds a new scanner/kerberos/kerberos_login module for bruteforcing and verifying credentials against a Kerberos server. Accounts which do not require preauthentication, i.e. AS-REP Roastable accounts, will have their hashes output for offline cracking.

  • PR 17348 - This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.

  • PR 17407 - This adds an exploit that targets various versions of the Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that, when exploited, results in remote code execution as the user running the Cacti server.

  • PR 17449 - A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.

  • PR 17479 - This adds an exploit module that leverages an unauthenticated SQLi against the WordPress plugin Paid Memberships Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. This module retrieves WordPress usernames and password hashes using a time-based blind SQL injection technique.

  • PR 17533 - Enhances the auxiliary/admin/kerberos/get_ticket module with PKINIT functionality.
