METASPLOIT PROJECT

The Metasploit Project, owned by Rapid 7, is a computer security program which is the world’s most used penetration testing framework. This Free and Open Source Software (FOSS) is used by nearly all penetration testers, and is extremely common in training courses from SANS, EC-Council, and many others.

The Metasploit Project, being Open Source Software, flourishes from the contributions of the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:

VMWARE VCENTER VSCALATION PRIV ESC FIXES

h00die was able to identify a bug in the VMWare VCenter vscalation module, which he had previously submitted.  When the module was run against a system which didn’t have a required file on it, it printed a confusing error message. This has been fixed to ensure the file is on the system before proceeding to additional vulnerability checks.

DOCKER CGROUP ESCAPE

Docker is a set of platform as a service products that use OS-level virtualization to deliver software in packages called containers. Docker is used industry-wide for quickly and securely deploying software in a controlled environment. A vulnerability was identified in some implementations of Docker, and was tracked as CVE-2022-0492 where it was possible to “escape” the controlled environment and gain access to the host system. This can allow security practitioners to test Docker implementations and properly secure them from attack.

OWNCLOUD PHPINFO READER

Speaking of Docker, when ownCloud was deployed within Docker it contained a serious vulnerability. OwnCloud is an enterprise grade file sync and sharing platform. When the Docker container of ownCloud was deployed, a vulnerability allowed unauthenticated users to access a protected phpinfo page which was also not intended to be included. Combining these two vulnerabilities, anyone is able to potentially access sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.

nDepth’s own Bill MacCormack (n00bhaxor) submitted their first contribution to the project this month. We are incredibly proud of their contribution and joining the ranks of other community leaders. This month, n00bhaxor contributed the following enhancements:

SPLUNK RAW SERVER INFO GATHER

Splunk is a unified security and observation platform which helps analysts review logs and defend their network in an efficient manner. Unfortunately, the product contained a vulnerability which allowed an unauthenticated user to gather sensitive information about the product’s installation. This vulnerability was identified as CVE 2018-11409.

To view this month’s contributions, check the following links:

• https://github.com/rapid7/metasploit-framework/pull/18635
• https://github.com/rapid7/metasploit-framework/pull/18631
• https://github.com/rapid7/metasploit-framework/pull/18591
• https://github.com/rapid7/metasploit-framework/pull/18578