METASPLOIT PROJECT
The Metasploit Project, owned by Rapid 7, is a computer security program which is the world’s most used penetration testing framework. This Free and Open Source Software (FOSS) is used by nearly all penetration testers, and is extremely common in training courses from SANS, EC-Council, and many others.
The Metasploit Project, being Open Source Software, flourishes from the contributions of the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:
ENHANCED METADATA FOR VCENTER VMON PRIVILEGE ESCALATION MODULE
For quite a while now, there’s been a discussion within Metasploit about adding a new reliability metadata field for modules. The problem was that some modules require user interaction, such as having another user click on a link, having an admin restart a service or computer, or an automated action to occur which is time related (like a window scheduled task or cron job). Allowing a user to quickly identify those additional requirements can help prevent them from unnecessarily running exploits which have little to no chance of success. A new ‘EVENT_DEPENDENT’ metadata flag was created, and h00die was able to add it to one of the modules which sparked the debate.
GITLENS (VSCODE EXTENSION) EXPLOIT MODULE
VSCode is a very popular code editor developed by Microsoft, which includes the ability to add extensions to enhance the user’s experience. One of those extensions, GitLens focuses on enriching the programmer’s experience by adding information from git such as when a line of code was last edited and by who. Unfortunately, it was discovered that GitLens was unsafely utilizing git, and that it was possible to open an untrusted (treated more securely) piece of code which would exploit a command injection, allowing a malicious user to remotely take over that developer’s computer. The issue is tracked as CVE-2023-46944, and h00die’s new Metasploit module allows penetration testers to test for this vulnerability.
VISUAL STUDIO MALICIOUS EXTENSION EXPLOIT MODULE
Going off the previously mentioned GitLense work, h00die set their sights on creating a malicious extension. The extension, when installed in VSCode allows a penetration tester to execute arbitrary code, and remotely take over the developer’s computer. Since this is a feature, not a bug, there is no CVE to track this vulnerability. The exploit also utilizes built-in features of VSCode; therefore, it is unlikely to be patched. Developers need to stay vigilant to avoid installing malicious extensions, or ones with ‘extra features’.
RANCHER AUDIT LOG INFORMATION LEAK MODULE
Rancher is an enterprise Kubernetes management platform which helps larger organizations manage multi-cluster orchestration platforms. Unfortunately, on some versions it was discovered when the audit logs feature was enabled, not all sensitive information was removed from the logs. Tracked as CVE-2023-22649, this allowed low privileged users to view usernames, and credentials which they shouldn’t have access to. H00die’s module allows a user to quickly and efficiently review the log files for sensitive information.
nDepth’s own Bill MacCormack (n00bhaxor) submitted their second contribution to the project back in February, and we somehow missed it! OOPS! We are incredibly proud of their contribution and the community contributions they are making. n00bhaxor contributed the following enhancements:
GITLAB PUBLIC EMAIL DISCLOSURE
Gitlab is an enterprise focused and locally hosted offshoot of github, an extremely popular development platform. Unfortunately, an information disclosure vulnerability was discovered where the RSS feed may contain the email address of a user who creates a project tag. This information was not supposed to be public and could result in an increase in phishing related attacks. The vulnerability is tracked under CVE-2023-5612. n00bhaxor was able to write a new module to take advantage of this vulnerability and allow penetration testers to demonstrate the insecurity to their customers.
To view this month’s contributions, check the following links: