nDepth Employee Contributions to Open Source Security Software, May 2024 Edition


METASPLOIT PROJECT

The Metasploit Project, owned by Rapid7, is a computer security program that is the world's most widely used penetration testing framework. This Free and Open Source Software (FOSS) is used by nearly all penetration testers and is extremely common in training courses from SANS, EC-Council, and many others.

The Metasploit Project, being Open Source Software, flourishes from the contributions of the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:

CHAOS RAT XSS TO RCE

CHAOS is a nefarious Remote Administration Tool utilized by hackers to take control of victim machines. The tool itself contains two vulnerabilities, the most important being the ability to send operating system commands through the website to take over the server hosting it (CVE-2024-30850). This can only be done by an authenticated user, however, so the second vulnerability can be used to take over an account. A Cross Site Scripting (XSS) vulnerability was discovered in the viewing of commands run on a victim's computer (CVE-2024-30850). Using this vulnerability, an attacker can send a malicious command to the server, take over the account of the nefarious actor, and then take over the server.

NORTHSTAR C2 STORED XSS TO AGENT RCE

Northstar C2 is similar to CHAOS, in that it is a nefarious Remote Administration Tool utilized by hackers to take control of victim machines. The tool itself contains one vulnerability: a Cross Site Scripting (XSS) flaw in the logging functionality (CVE-2024-28741). Using this vulnerability, an attacker can send a malicious command to the server, take over the nefarious actor's account, and then send commands to all victims.

JASMIN RANSOMWARE SQL INJECTION AND DIRECTORY TRAVERSAL MODULES

Jasmin is a ransomware control web panel. Just like the previous two modules, it is a nefarious tool utilized by hackers to take control of victim machines, but in this case it tracks the encryption of their files and stores the decryption keys. The tool itself contains two vulnerabilities: a SQL Injection vulnerability which allows an unauthenticated user access to data in the database, and a directory traversal vulnerability which allows an unauthenticated user to read files from the computer the website is hosted on (CVE-2024-30851). Using either of these vulnerabilities, it is possible to get information from the malicious server and retrieve decryption keys for the victims.

PACU

Pacu, owned by Rhino Security Labs, is a computer security program which focuses on Amazon Web Services (AWS). This Free and Open Source Software (FOSS) is incredibly useful for managing credentials, performing discovery, and exploiting common implementation weaknesses in AWS environments.

Pacu, being Open Source Software, flourishes from the contributions of the community. This month, h00die contributed the following enhancements:

VALIDATE TARGET-INSTANCES FOR SYSTEMSMANAGER__RCE_EC2 MODULE

While learning how to use Pacu during an AWS class, h00die discovered that the systemsmanager__rce_ec2 module could exploit a vulnerability in the lesson. However, after supplying an incorrectly formatted value for the target-instances option, Pacu's module crashed unexpectedly. This update fixes the crash and gives the user helpful feedback on how to correctly format the value.
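The kind of input check described above, as an added illustration rather than Pacu's own code: it parses a comma-separated target-instances string, reports every malformed entry with a formatting hint instead of crashing on the first one, and de-duplicates valid IDs. The EC2 instance ID pattern (`i-` followed by 8 or 17 lowercase hex characters) is assumed from AWS's documented format; the option name and messages are constructed for this example.

```python
import re

# Assumed EC2 instance ID format: "i-" plus 8 (legacy) or 17 lowercase hex chars.
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
FORMAT_HINT = "instance IDs look like i-1234abcd or i-0123456789abcdef0 (lowercase hex)"


def parse_target_instances(raw):
    """Validate a comma-separated --target-instances string (hypothetical option name).

    Returns (valid_ids, errors). valid_ids keeps input order with duplicates
    removed; errors holds one human-readable message per bad entry so the
    caller can print guidance to the user instead of raising mid-run.
    """
    valid, errors, seen = [], [], set()
    for pos, item in enumerate(raw.split(","), start=1):
        candidate = item.strip()
        if not candidate:
            errors.append(f"entry {pos} is empty; use a comma-separated list, e.g. i-1234abcd,i-0123456789abcdef0")
            continue
        if candidate.startswith("arn:"):
            # Users often paste a full ARN; point them at the bare ID instead.
            errors.append(f"entry {pos} is an ARN, not an instance ID; pass only the part after 'instance/'")
            continue
        if not INSTANCE_ID_RE.match(candidate):
            errors.append(f"entry {pos} ({candidate!r}) is not a valid EC2 instance ID; {FORMAT_HINT}")
            continue
        if candidate in seen:
            continue  # duplicate of an earlier valid entry; drop silently
        seen.add(candidate)
        valid.append(candidate)
    return valid, errors


if __name__ == "__main__":
    # Constructed sample input mixing good, empty, malformed, and ARN entries.
    ids, problems = parse_target_instances("i-0123456789abcdef0, ,i-XYZ,arn:aws:ec2:us-east-1:123456789012:instance/i-1234abcd")
    print("valid:", ids)
    for msg in problems:
        print("problem:", msg)
```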

ADD ERROR HANDLING TO GET_POLICY IN SYSTEMSMANAGER__RCE_EC2

While learning how to use Pacu during an AWS class, h00die discovered that the systemsmanager__rce_ec2 module could exploit a vulnerability in the lesson. However, during the lesson the user turned out not to have all the permissions required. Pacu did not handle this gracefully and crashed. h00die submitted a patch that prevents the module from crashing and handles the missing permissions gracefully.

ENHANCE IAM__ENUM_PERMISSIONS WITH UNCONFIRMED PERMISSIONS AND PERMISSION COUNTS

While learning how to use Pacu during an AWS class, h00die discovered that the iam__enum_permissions module would gather the permissions but did not make clear that it had completed the task or found any information. If permissions were unconfirmed, a count of 0 was displayed to the user even though permissions had been found, just not confirmed. This was confusing, because when the user ran the whoami command, they saw permissions. This enhancement gathers unconfirmed permissions and prints out their count, so the user has more information about what was performed.

NEW MODULES: SNS TOPIC SUBSCRIPTIONS VIA EMAIL, AND SNS ENUMERATOR

While learning how to use Pacu during an AWS class, h00die discovered that Pacu did not have any capabilities against the Simple Notification Service (SNS). This enhancement created a new module which can discover SNS topics. A second module was also created so that the user can easily subscribe to a topic (or several) with an email address. Automating these two tasks adds a new exploit vector to Pacu, saving security professionals time during penetration tests.

FIX MODULE LIST GENERATION FOR AUTOCOMPLETE

While learning how to use Pacu during an AWS class, h00die discovered that the autocomplete functionality was broken when attempting to list modules. When a user typed `run iam__<tab>`, Pacu was supposed to list all modules starting with iam__, but nothing happened. h00die found a bug which prevented Pacu from generating its list of modules for this functionality. After the fix, Pacu correctly generates the completions and displays them to the user.

ETC

Several other small issues in spelling, categories, and module naming were also fixed.

nDepth’s own Joel Garcia (6a6f656c) submitted their first contribution to the Pacu project. We are incredibly proud of their contribution and the community contributions they are making. 6a6f656c contributed the following enhancements:

NEW MODULE: MQ__ENUM

While learning how to use Pacu during an AWS class, 6a6f656c discovered that Pacu was unable to interact with the Amazon MQ message broker service. With this enhancement, the user is now able to enumerate all MQ instances, quickly gather important information about them, and store it in Pacu's database for analysis.

To view this month’s contributions, check the following links: