Ron Bowes added an exploit module that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass (CVE-2022-37042) and a directory traversal vulnerability (CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass functionality correctly checks for a valid session; however, the function that performs the check does not return and instead proceeds with execution. Because of this, an attacker only needs a valid account to get a shell. The directory traversal vulnerability lives in Zimbra's Zip file extraction functionality, enabling an attacker to write an arbitrary file to a web directory. Coupling those two vulnerabilities together, the module writes a JSP shell to the target via a POST request to the /mboximport endpoint. These vulnerabilities have been reported as exploited in the wild.
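As an added example (not code from the Metasploit module or from Zimbra), here are the two defensive patterns that address the bug classes described above: a Zip extractor that rejects any entry resolving outside the destination directory, and a request handler whose session check fails closed instead of falling through. The entry names, webroot and session flag are constructed for illustration.

```python
# Added example, not Zimbra's or the Metasploit module's code; all names are constructed.
import io
import os
import zipfile
from pathlib import Path


def entry_target(root: Path, name: str):
    """Return the resolved target path if the entry stays under root, else None."""
    name = name.replace("\\", "/")  # Windows separators must not slip past the check
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        return None  # absolute paths and drive letters are never legitimate entries
    target = (root / name).resolve()  # collapses any "../" segments
    return target if target == root or root in target.parents else None


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only entries that stay inside dest; return the rejected entry names."""
    root = Path(dest).resolve()
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = entry_target(root, info.filename)
            if target is None:
                rejected.append(info.filename)
            elif info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
    return rejected


def handle_import(session_valid: bool, zip_bytes: bytes, webroot: str) -> dict:
    """Fail closed: a failed session check returns instead of continuing to extract."""
    if not session_valid:
        return {"status": 401, "rejected": []}
    return {"status": 200, "rejected": safe_extract(zip_bytes, webroot)}


def build_sample_zip() -> bytes:
    """Constructed archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox/inbox.eml", "Subject: hello\n")
        zf.writestr("../../webroot/evil.jsp", "<%-- constructed --%>")
        zf.writestr("..\\..\\webroot\\evil2.jsp", "<%-- constructed --%>")
    return buf.getvalue()
```

Calling `handle_import(True, build_sample_zip(), some_dir)` extracts only `mailbox/inbox.eml` and reports both traversal names as rejected; with `session_valid=False` nothing is touched.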
Our very own zeroSteiner submitted a new module that exploits an authenticated .NET deserialization vulnerability in Microsoft Exchange. The vulnerability is due to a flaw in the ChainedSerializationBinder, a type validator for serialized data. Provided the attacker has credentials for at least a low-privileged user, this exploit will result in code execution as NT AUTHORITY\SYSTEM.
- The auxiliary/scanner/http/cisco_asa_asdm scanner module has been updated, adding the ability to brute force the Cisco ASA's Clientless SSL VPN (webvpn) interface. The old module has been replaced by two new modules, this one and auxiliary/scanner/http/cisco_asa_asdm_bruteforce, which provides brute forcing of the Cisco ASA's ASDM interface directly.
- A new Msf::Post::Windows::Accounts.domain_controller? method has been added, and the is_dc? methods have been removed from several modules in favor of using the new method.
- The domain_list_gen Meterpreter script has been replaced by the post/windows/gather/enum_domain_group_users post module.
- The ldap_query module has been updated to allow the stored query templates to specify a Base DN prefix. Additionally, two ADCS-related queries that use this prefix to enumerate certificate authorities and certificate templates have been added.
- Fixed an issue in Rex::Post::Meterpreter::Extensions::Stdapi::AudioOutput.play_file where a channel would be opened before the path parameter was verified. This could leave dangling channels open that would not be closed until Meterpreter was shut down.
- Fixed an issue that occurred when mingw is not present on the host machine for generating encrypted payloads.

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).