This week, contributor h00die added a module that leverages a prototype pollution bug in Kibana prior to version 7.6.3. Specifically, the issue lies within the Upgrade Assistant and enables an attacker to execute arbitrary code. The vulnerability can be triggered by sending a query that sets a new constructor.prototype.sourceURL directly to Elastic, or by using Kibana to submit the same query. Note that Kibana needs to be restarted, or you have to wait for collection to happen, before the payload executes. This vulnerability doesn't seem to have been assigned a CVE. The module was written based on a detailed description from Alex Brasetvik (alexbrasetvik) in a HackerOne report.
Our very own zeroSteiner added a module that exploits the PyTorch model server by chaining multiple vulnerabilities. First, it takes advantage of a weak default configuration that binds the management interface to all IP addresses. Then, once it can reach the management interface, the module exploits a Server-Side Request Forgery vulnerability (CVE-2023-43654) to register MAR (Model Archive) files from arbitrary servers. Finally, it leverages a vulnerability in SnakeYaml (CVE-2022-1471) that allows code execution when a YAML file is deserialized by SnakeYaml. The module embeds a malicious YAML file in a MAR file and gets an arbitrary Java class executed when that MAR file is loaded.
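As an added example (not part of the wrap-up or of Metasploit), here is a Python audit of the two TorchServe config.properties settings the chain above relies on: the management interface binding and the allowed_urls allow-list for model sources. The sample configs, the hostname models.example.internal and the list of permissive patterns are constructed assumptions.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample of a TorchServe config.properties showing the weak
# settings the wrap-up describes: management API bound to every interface
# and model registration allowed from any URL. Assumption: the key names
# management_address and allowed_urls are the ones TorchServe reads.
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
allowed_urls=file://.*|http(s)?://.*
"""

# Hardened counterpart: management API on loopback only and MAR files
# accepted from one trusted artifact host (hypothetical hostname).
HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
allowed_urls=https://models\\.example\\.internal/.*
"""

# allowed_urls alternatives that let anyone register a MAR from any server
PERMISSIVE_URL_PATTERNS = {".*", "http(s)?://.*", "https?://.*", "http://.*", "https://.*"}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_torchserve(text):
    """Return findings for the two weak settings chained in CVE-2023-43654."""
    props = parse_properties(text)
    findings = []
    mgmt = props.get("management_address", "http://127.0.0.1:8081")  # TorchServe's documented default
    host = urlparse(mgmt).hostname or ""
    try:
        if ip_address(host).is_unspecified:  # 0.0.0.0 or ::
            findings.append("management_address binds to all interfaces: " + mgmt)
    except ValueError:  # a hostname rather than a literal IP
        pass
    for alt in props.get("allowed_urls", "").split("|"):
        if alt.strip() in PERMISSIVE_URL_PATTERNS:
            findings.append("allowed_urls accepts MAR files from any server: " + alt)
    return findings
```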
Thanks to the work of Rory McKinley, multiple MySQL modules now support authentication against newer MySQL 8.0 versions. This required a lot of effort unearthing and patching historical code across multiple contributions to the Metasploit codebase and to the Ruby MySQL library dependency. MySQL module highlights include:
- auxiliary/scanner/mysql/mysql_login - Bruteforce and manual verification of MySQL credentials
- auxiliary/scanner/mysql/mysql_version - MySQL server version enumeration
- auxiliary/scanner/mysql/mysql_hashdump - MySQL password hashdump support
- auxiliary/scanner/mysql/mysql_schemadump - Extracting MySQL schema details
- auxiliary/admin/mysql/mysql_sql - Run arbitrary SQL queries against a given target
Authors: Alex Brasetvik (alexbrasetvik) and h00die
Type: Exploit
Pull request: #18417 contributed by h00die
Path: linux/http/kibana_upgrade_assistant_telemetry_rce
Description: Kibana before version 7.6.3 suffers from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value, we are able to execute arbitrary code in the context of the Kibana user. There is no CVE for this at the moment.
Authors: Gal Elbaz, Guy Kaplan, Idan Levcovich, Spencer McIntyre, and Swapneil Kumar Dash
Type: Exploit
Pull request: #18427 contributed by zeroSteiner
Path: multi/http/torchserver_cve_2023_43654
Description: This PR adds a module that exploits PyTorch TorchServer by chaining an SSRF vulnerability with a deserialization RCE vulnerability, giving an unauthenticated remote attacker arbitrary Java code execution. The PR also fixes how the ClassLoader mixin handles datastore options.
- --defer-module-loads flag set. This also adds a new feature flag option, defer_module_loads, which, when enabled, will defer module loads by default without the need to specify --defer-module-loads every time the framework boots. Finally, this comes with a sizable improvement in framework boot-up time.
- services -R command generated invalid hosts such as 192.0.2.2% if an empty string was registered for the scope metadata instead of nil.
- local and the remote IP is listed under remote.
You can always find more documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).