METASPLOIT PROJECT

The Metasploit Project, owned by Rapid 7, is a computer security program which is the world’s most used penetration testing framework. This Free and Open Source Software (FOSS) is used by nearly all penetration testers, and is extremely common in training courses from SANS, EC-Council, and many others.

The Metasploit Project, being Open Source Software, flourishes from the contributions of the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:

GITLAB PASSWORD RESET ACCOUNT TAKEOVER

Gitlab is a developer operations solution which is a web-based Git repository that provides easy viewing and maintenance. An issue was discovered in gitlab that when a user’s password is reset, it is possible to send the reset email to an additional email address. This allows an attacker to specify an email address they control and take over the user’s account by resetting the password. The new metasploit module written by h00die exploits this vulnerability.

SSH SCANNER UPDATES

Metasploit has included an SSH service scanner for a very long time. While the module did what it says, finding the version number of the SSH service, it was missing an opportunityy to do a more thorough investigation of the service. h00die was able to expand the scanner to now determine the compression, encryption, HMAC, host key, and key exchange values. Those are all then checked against industry standards to ensure they are cryptographically secure and adhere to best practices. This is similar to how NMAP service scans (enumerating aspects, not vulnerability checks), and Nessus vulnerability scans the service.

JENKINS UNAUTHENTICATED FILE READ

Jenkins is an open source automation server enabling developers to reliably build, test, and deploy software. An issue was discovered in Jenkin’s protocol where if Jenkins attempted to run the help command against a file, the first line or two of the file could be read with administrator (root) permissions. When reviewing the proof of concept exploits available on the Internet, h00die discovered there were several shortcomings such as only working against certain files.  h00die was able to determine the source of the bugs in the proof of concepts and fix them in the Metasploit exploit.

nDepth’s own Joel Garcia (6a6f656c) submitted their second contribution to the project this month. We are incredibly proud of their contribution and the community contributions they are making. This month, 6a6f656c contributed the following enhancements:

MINIO INFORMATION DISCLOSURE

MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. This module takes advantage of that vulnerability to show the user the administrator (root) password to the software. 6a6f656c was able to write a new module to take advantage of this vulnerability and allow penetration testers to demonstrate the insecurity to their customers.

To view this month’s contributions, check the following links:

• https://github.com/rapid7/metasploit-framework/pull/18716
• https://github.com/rapid7/metasploit-framework/pull/18686
• https://github.com/rapid7/metasploit-framework/pull/18764
• https://github.com/rapid7/metasploit-framework/pull/18775