Ron Bowes submitted two exploit modules for vulnerabilities he discovered in the UniRPC server for Rocket Software's UniData product. The first exploit module, exploit/linux/misc/unidata_udadmin_auth_bypass, exploits an authentication bypass to ultimately gain remote code execution as the root user. The vulnerable RPC service has a hardcoded username, :local:, and a predictable password of the form <username>:<uid>:<gid>. Using the root username and its corresponding uid and gid, an attacker can authenticate to the RPC service and execute a shell via the service's OsCommand command.
The second module, exploit/linux/misc/unidata_udadmin_password_stack_overflow, exploits an unauthenticated stack-based buffer overflow through the vulnerable service's password field. Due to a lack of bounds checking on the buffer that the password is placed into, the saved return pointer can be overwritten, resulting in code execution as the root user.
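The bug class behind the second module, shown as an added example that is not udadmin's code and not part of the original post: a password field copied from a request into a fixed-size stack buffer with no length check, beside the bounded form a fix would use. The buffer size, the expected-value comparison and the demo input are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PASSWORD_MAX 64   /* hypothetical field size, not the real udadmin layout */

/* The defect the advisory describes: the wire field is copied into a fixed
 * stack buffer without checking its length, so a field longer than the buffer
 * runs past it into the saved frame, including the return pointer.
 * Shown only to illustrate the pattern; never call it on untrusted input. */
int check_password_unbounded(const char *field)
{
    char password[PASSWORD_MAX];
    strcpy(password, field);                 /* no bounds check */
    return strcmp(password, "expected") == 0;
}

/* Hardened form: the caller passes the field length it parsed from the
 * message, the length is validated against the destination before any copy,
 * and an over-long field is rejected as a protocol error rather than silently
 * truncated (truncation could turn a wrong password into an accepted one).
 * Returns 1 for a match, 0 for a mismatch, -1 for a rejected field. */
int check_password_bounded(const char *field, size_t field_len)
{
    char password[PASSWORD_MAX];
    if (field == NULL || field_len >= sizeof password)
        return -1;                           /* does not fit with its terminator */
    memcpy(password, field, field_len);
    password[field_len] = '\0';
    return strcmp(password, "expected") == 0;
}

/* Constructed sample: a 199-byte field of 'A', the kind of input the bounded
 * version must refuse and the unbounded version must never see. */
int demo_oversized_field(void)
{
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return check_password_bounded(big, strlen(big));
}

int main(void)
{
    printf("short field: %d\n", check_password_bounded("expected", 8));
    printf("oversized field: %d\n", demo_oversized_field());
    return 0;
}
```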
Along with SCTP session support, sempervictus added four new payloads that work over the aforementioned stream-based transport protocol. Included in this set are two Unix command payloads that work over socat, a Python command payload, and lastly, a reverse SCTP shell payload for Linux.
This week, adfoster-r7 improved on Metasploit's support for PKCS12 certificates issued by Active Directory Certificate Services (AD CS). The improvements cause the existing admin/dcerpc/icpr_cert module to store certificates in the same manner as other credentials are stored when a database is attached. Now certificates will be visible from the creds command, and new ones can be added using creds add user:alice pkcs12:/path/to/certificate.pfx. This will help users manage these certificates and reuse them for Kerberos authentication with the admin/kerberos/get_ticket module and the CERT_FILE option, as well as LDAP modules such as gather/ldap_query with the LDAP::CertFile option.
Author: Ron Bowes
Type: Exploit
Pull request: #17832 contributed by rbowes-r7
AttackerKB reference: CVE-2023-28503
Description: This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on Linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).
Author: Ron Bowes
Type: Exploit
Pull request: #17832 contributed by rbowes-r7
AttackerKB reference: CVE-2023-28502
Description: This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on Linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).
Author: sempervictus
Type: Payload
Pull request: #17502 contributed by sempervictus
Description: This PR adds support for SCTP sessions which Metasploit Framework can utilize for session transports similarly to TCP as it is a stream-wise transport.
.pfx/.p12 files. The auxiliary/admin/dcerpc/icpr_cert and auxiliary/admin/dcerpc/cve_2022_26923_certifried modules will now persist requested certificates for future exploitation. The creds command can also directly persist certificates, for example: creds add user:alice pkcs12:/path/to/certificate.pfx

db_import command. Both JSON and JSONL formats are supported.

auxiliary/admin/http/trendmicro_dlp_traversal and auxiliary/admin/http/tomcat_utf8_traversal whereby print_good was used when a file was missing instead of print_error.

modules/auxiliary/scanner/http/surgenews_user_creds.rb module whereby the code did not properly check if there were no users in the nwauth.add file prior to proceeding to operate on it.

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).