METASPLOIT PROJECT
The Metasploit Project, owned by Rapid7, is a computer security project that provides the world’s most widely used penetration testing framework. Metasploit Framework is Free and Open Source Software (FOSS), is used by nearly all penetration testers, and features heavily in training courses from SANS, EC-Council, and many others.
The Metasploit Project, being Open Source Software, thrives on contributions from the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and continues to spend his personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:
VMWARE VCENTER PRIVILEGE ESCALATION VIA SUDO
A vulnerability was discovered within VMware’s vCenter product which allows a low-privileged local user to escalate to root (full administrative control) on the vCenter Server Appliance. vCenter is a centralized management platform for VMware vSphere virtual environments. It allows users to manage virtual machines, ESXi hosts, and other components from one location. The vulnerability is tracked as CVE-2024-37081 and covers how the built-in user ‘pod’, any user in the Operator group (such as ‘mal’), and any user in the Admin group (which does not itself have full administrator privileges) can abuse misconfigured sudo rules, combined with other commands, to gain full administrative privileges. h00die’s module exploits this vulnerability so that penetration testers can validate whether a given system is affected.
ASTERISK AMI PROTOCOL COMMAND EXECUTION
Asterisk is a software implementation of a private branch exchange (PBX). In simpler terms, it is used to build phone systems for corporate environments and is often bundled into other products such as FreePBX. CVE-2024-42365 disclosed a vulnerability where an authenticated user holding a specific AMI permission can use the Asterisk Manager Interface (AMI) protocol to write arbitrary content into certain configuration files. The user can then force Asterisk to reload that configuration, which causes the content previously written there to execute as code. The Metasploit module developed by h00die implements this exploit so that penetration testers can test whether a system is vulnerable.
PRIMEFACES REMOTE COMMAND EXECUTION
PrimeFaces is an open-source user interface component library for JavaServer Faces-based applications. Back in 2017, CVE-2017-1000486 was disclosed: it allows remote code execution because the library shipped with a default, publicly known encryption password and salt. A module for this vulnerability had been submitted to Metasploit Framework as a GitHub issue rather than as a pull request that could be merged. After eight months of unanswered requests for the original author to submit the code properly, h00die helped get it included in Metasploit by writing documentation, testing the module, and updating it to adhere to the project’s coding standards.
UPDATED ORACLE LIBRARIES INSTRUCTION
Metasploit Framework has several modules for interacting with Oracle databases. However, due to licensing, neither Metasploit nor most operating system distributions such as Kali Linux can ship the Oracle client libraries, so they must be installed separately. Unfortunately, the instructions for installing these libraries can be complicated for many users. Moreover, the libraries are updated fairly often, which invalidates previous installation instructions because download links and file names change. When a Metasploit user noted that the instructions no longer worked, h00die updated them for the newest version of the Oracle libraries, making it easier for users to enable this portion of Metasploit Framework.
UPDATED WORDPRESS AND JOOMLA DATA
WordPress and Joomla are two website and blog platforms popular with developers and website content creators. Both platforms support plugins or extensions that let users expand and customize their websites. Metasploit has modules that can identify these plugins, but their plugin lists have to be kept up to date to recognize new plugins and newly vulnerable versions. Unfortunately, that is a manual process (spoiler alert: an automation is coming), so h00die submitted an update to Metasploit containing refreshed lists of plugins for Joomla and WordPress.
OBSIDIAN COMMUNITY PLUGIN PERSISTENCE MODULE
Obsidian is a popular personal note-taking application. It is designed so that plugins written by users can be added to expand its capabilities. There are two types of plugins: those maintained by Obsidian itself, which are officially supported, and community-developed ones. Community plugins must be explicitly enabled by the user, because Obsidian has not reviewed their code and they run with the full privileges of the application. While enabling unreviewed code may seem like unlikely user behavior, it is actually commonplace, because many community plugins implement very useful features. h00die developed a Metasploit module that plants a community plugin in a vault on the user’s computer. When the user opens Obsidian, the plugin executes, allowing a penetration tester to maintain access to the user’s computer.
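Because the persistence technique above lives entirely inside the vault’s plugin directory, it can be audited from the file system without opening Obsidian. The following is an added defensive example written for this post; it is not the Metasploit module and not code from Obsidian or nDepth. It assumes (not stated above) that Obsidian stores community plugins under `<vault>/.obsidian/plugins/<plugin-id>/` with a `manifest.json` and `main.js`, and lists enabled plugin ids in `<vault>/.obsidian/community-plugins.json`. The script builds a constructed sample vault with one approved plugin and one unknown plugin, then reports every enabled plugin that is either absent from a known-good baseline or whose `main.js` hash has changed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed vault layout (an assumption, not stated on the page): community plugins
# live under <vault>/.obsidian/plugins/<id>/ with manifest.json and main.js, and
# the ids of enabled community plugins are listed in community-plugins.json.
PLUGIN_DIR = Path(".obsidian") / "plugins"
ENABLED_FILE = Path(".obsidian") / "community-plugins.json"


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def enumerate_plugins(vault: Path) -> dict:
    """Map plugin id -> {enabled, main_js_sha256, manifest} for one vault."""
    vault = Path(vault)
    enabled = set()
    enabled_path = vault / ENABLED_FILE
    if enabled_path.is_file():
        enabled = set(json.loads(enabled_path.read_text()))

    found = {}
    plugin_root = vault / PLUGIN_DIR
    if plugin_root.is_dir():
        for d in sorted(plugin_root.iterdir()):
            if not d.is_dir():
                continue
            manifest = {}
            manifest_path = d / "manifest.json"
            if manifest_path.is_file():
                try:
                    manifest = json.loads(manifest_path.read_text())
                except json.JSONDecodeError:
                    manifest = {}  # a malformed manifest is itself suspicious; keep going
            main_js = d / "main.js"
            found[d.name] = {
                "enabled": d.name in enabled,
                "main_js_sha256": sha256_file(main_js) if main_js.is_file() else None,
                "manifest": manifest,
            }
    # Ids that are enabled but have no directory on disk are still worth reporting.
    for pid in enabled - set(found):
        found[pid] = {"enabled": True, "main_js_sha256": None, "manifest": {}}
    return found


def audit_vault(vault: Path, baseline: dict) -> list:
    """Return (plugin_id, reason) findings for enabled plugins that deviate from baseline.

    baseline maps an approved plugin id to the approved SHA-256 of its main.js.
    """
    findings = []
    for pid, info in enumerate_plugins(vault).items():
        if not info["enabled"]:
            continue  # a disabled plugin never executes
        if pid not in baseline:
            findings.append((pid, "enabled community plugin not in baseline"))
        elif info["main_js_sha256"] != baseline[pid]:
            findings.append((pid, "main.js hash differs from baseline"))
        manifest_id = info["manifest"].get("id")
        if manifest_id is not None and manifest_id != pid:
            findings.append((pid, "manifest id does not match directory name"))
    return findings


def build_sample_vault(root: Path) -> Path:
    """Constructed fixture: an approved plugin plus an unknown plugin that spawns a process."""
    vault = Path(root) / "vault"
    plugins = (
        ("calendar", "// benign plugin\n"),
        ("sync-helper", "require('child_process').exec('id');\n"),  # constructed implant-style body
    )
    for pid, body in plugins:
        d = vault / PLUGIN_DIR / pid
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"id": pid, "name": pid, "version": "1.0.0"}))
        (d / "main.js").write_text(body)
    (vault / ENABLED_FILE).write_text(json.dumps(["calendar", "sync-helper"]))
    return vault


def demo() -> list:
    """Build the sample vault, approve only 'calendar', and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = build_sample_vault(Path(tmp))
        baseline = {"calendar": sha256_file(vault / PLUGIN_DIR / "calendar" / "main.js")}
        return audit_vault(vault, baseline)


if __name__ == "__main__":
    for plugin_id, reason in demo():
        print(f"{plugin_id}: {reason}")
```

On a real host, point `audit_vault` at each vault directory and seed the baseline from a known-clean snapshot; any enabled plugin that appears without a matching approval, or whose `main.js` hash drifts, is the artifact a module like the one described above would leave behind.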
To view this month’s contributions, check the following links:
- https://github.com/rapid7/metasploit-framework/pull/19402
- https://github.com/rapid7/metasploit-framework/pull/19613
- https://github.com/rapid7/metasploit-framework/pull/19649
- https://github.com/rapid7/metasploit-framework/pull/19773
- https://github.com/rapid7/metasploit-framework/pull/19774
- https://github.com/rapid7/metasploit-framework/pull/19698