nDepth Employee Contributions to Open Source Security Software, September 2023 Edition


METASPLOIT PROJECT

The Metasploit Project, owned by Rapid7, is a computer security project that provides the world’s most widely used penetration testing framework. This Free and Open Source Software (FOSS) is used by nearly all penetration testers and is extremely common in training courses from SANS, EC-Council, and many others.

The Metasploit Project, being Open Source Software, thrives on contributions from the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:

KIBANA TIMELION PROTOTYPE POLLUTION REMOTE CODE EXECUTION

Elastic’s Kibana is a visualization dashboard for the Elasticsearch database backend. Until September, there were no exploits for the Kibana project in Metasploit. H00die added an exploit for CVE-2019-7609, a prototype pollution vulnerability within the Timelion visualization. This vulnerability was unique in that, when exploited, it would result in the payload being executed multiple times.

ELASTICSEARCH MEMORY DISCLOSURE

Staying with Elastic product vulnerabilities, h00die wrote a new Metasploit module to exploit CVE-2021-22145. When exploited, this vulnerability discloses arbitrary memory, similar to the infamous Heartbleed vulnerability in SSL. This memory may contain sensitive information such as query results or credentials.

SSL_VERSION MODULE BUG FIX

The ssl_version module within Metasploit is used to identify which versions of SSL, and which cipher suites, are available on a server. Typically users run it to scan for every version of SSL their computer is able to connect with; however, the module also allows a user to specify a single SSL version to try. Before this patch, the module would crash when a user used that option to specify a particular SSL version. After the bug fix, the module works as intended.

nDepth’s own Joel Garcia (cudalac) submitted their first contribution to the project this month. We are incredibly proud of their contribution and of their joining the ranks of other community leaders. This month, cudalac contributed the following enhancement:

ROUNDCUBE ARBITRARY FILE READ

Roundcube is a Free and Open Source Software (FOSS) webmail product used to create a web-based portal through which users access their email. Roundcube is vulnerable to CVE-2017-16651, an authenticated arbitrary file read. When logging into the system, a user is able to specify a time zone file on the server, which can be abused to point at an arbitrary server file. Once logged in, a request can be made to view the time zone file the user previously specified, and its contents are returned.

UBERGUIDOZ FLIPPER ZERO FIRMWARE

Flipper Zero is a portable multi-tool for penetration testers, containing several input and output interfaces such as Infrared, Bluetooth LE, NFC, RFID, iButton, and RF (radio frequencies). The device is commercially produced by Flipper Devices Inc.; however, the software is Free and Open Source Software (FOSS). Example uses for this device include controlling devices (TVs, lights), cloning access control badges, acting as a USB keyboard to type commands, and many more.

Due to radio frequency limitations imposed by the FCC, a Flipper Zero is only able to use specific frequencies, although the hardware is capable of more. In order to use an extended frequency range (such as the frequencies used by ceiling fans), third-party firmware is required, such as that provided by UberGuidoZ or RogueMaster. nDepth’s own Mike Cyr (h00die) is an occasional contributor to a few Flipper Zero third-party firmware projects, adding control of multiple commercial devices. This month, h00die contributed the following enhancement:

HUNTER CEILING FANS ON 302.5 GHZ

Some older models of Hunter ceiling fans utilize a 302.5 GHz radio frequency for communications between the remote control and the fan itself. H00die was able to clone an old remote control for these fans and provided the necessary files to enable their control from a Flipper Zero. This contribution was especially important because h00die’s own ceiling fan remote is only partially functional and had to be disassembled to clone all of its functionality. Since this ceiling fan and remote control are no longer produced, replacement remotes are hard to find and relatively expensive.

To view this month’s contributions, check the following links: