nDepth Employee Contributions to Open Source Security Software, November 2023 Edition


METASPLOIT PROJECT

The Metasploit Project, owned by Rapid7, is a computer security program which is the world’s most used penetration testing framework. This Free and Open Source Software (FOSS) is used by nearly all penetration testers, and is extremely common in training courses from SANS, EC-Council, and many others.

The Metasploit Project, being Open Source Software, flourishes from the contributions of the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:

SPELLING AND REFERENCE FIXES

Spelling can be difficult, especially when writing code, as there is a mix of code and natural language. Writing a document in an editor such as Microsoft Word lets you easily spellcheck everything, whereas code editors such as VS Code don’t have the same capability. The Codespell project was developed specifically to help with this problem. H00die used codespell against the Metasploit Project source code to correct many of the spelling errors, making the code and output of the project easier to read and understand. This month, documentation was one of the main focuses: 205 documentation files and 30 wiki pages were updated.

One module, a directory traversal against the webapp Grafana, also had some additional metadata added.

VMWARE ARIA OPERATIONS FOR NETWORKS (VREALIZE NETWORK INSIGHT) STATIC SSH KEY REMOTE CODE EXECUTION

VMware Aria Operations for Networks helps users create highly available and secure networks with cloud infrastructures. Unfortunately, this product was shipped with a default remote access key, and the associated vulnerability is tracked as CVE-2023-34039. With this key, which is public information, it is possible to log in as an administrator and completely take over the computer. H00die added an exploit for this vulnerability into Metasploit.

KIBANA < 7.6.3 UPGRADE ASSISTANT TELEMETRY REMOTE CODE EXECUTION

Elastic’s Kibana is a visualization dashboard for the Elastic database backend. Kibana versions before 7.6.3 contain a vulnerability where a user can change telemetry data related to the upgrade assistant to execute remote code. H00die was able to add this exploit to Metasploit, but the most interesting part of the vulnerability was the lack of information about it. While there was one page on the Internet detailing the vulnerability (https://hackerone.com/reports/852613), it was never issued a CVE, a release note, or a public disclosure by Elastic.

APACHE NIFI CREDENTIALS STEALER

Apache NiFi is a product that provides data routing and transformation through a graph-driven interface. Having previously written or improved other Apache NiFi modules, h00die created a new capability against the product for Metasploit. With this new module, if someone gains access to an Apache NiFi system, this capability finds and decrypts any credentials that are used. These credentials may be for security keys, logins to websites or other data portals, and any other type of item which encrypts its sensitive data.

To view this month’s contributions, check the following links: