Apr 24, 2023
4.22.0-2023042401

Improved

  • Pro: We added validation on save of global SMTP configuration.

  • Pro: We added workspace level indicators for failed Task Chains that need user interaction to resume execution.

  • PR 17353 - Adds support for persisting PKCS#12 credentials (.pfx/.p12 files) in Metasploit. The auxiliary/admin/dcerpc/icpr_cert and auxiliary/admin/dcerpc/cve_2022_26923_certifried modules will now persist the certificates they request for future exploitation. The creds command can also persist a certificate directly, for example: creds add user:alice pkcs12:/path/to/certificate.pfx.

  • PR 17502 - Adds SCTP sessions, which Metasploit Framework can use as a session transport in the same way as TCP, since SCTP is also a stream-oriented transport.

  • PR 17804 - Fixes the metadata for multiple modules which had invalid reference names, incorrect rankings, missing notes, etc. Additionally adds automation for verifying module metadata is correct.

  • PR 17809 - Adds caching to Ruby's load path logic to improve msfconsole startup time, averaging 2-3 seconds faster on the tested hardware.

  • PR 17820 - Fixes the nagiosxi authenticated modules so that they work even when AutoCheck is disabled, and refactors shared code.

  • PR 17821 - This enables the import of Nuclei scan results using the db_import command. Both JSON and JSONL formats are supported.

  • PR 17862 - Updates msfvenom to require apktool version 2.7.0 or greater when modifying Android APK files, as that release includes security improvements and bug fixes.

  • PR 17884 - Adds database migration validation before attempting to run the test suite. Users who have not migrated their local test database will be notified of the steps required to resolve this issue.

  • PR 17892 - Adds additional documentation for the exploit/windows/misc/unified_remote_rce module.
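
As an added example of the checks a tool should make before persisting a PKCS#12 bundle such as the ones PR 17353 stores (this is illustrative Ruby written for this page, not Metasploit's creds implementation nor the icpr_cert module's code), the block below builds a throwaway .pfx in memory and then inspects it: does the password open it, does it carry a private key, is the certificate inside its validity window, and does its EKU permit client authentication, which is what makes such a certificate reusable for logon. The self-signed certificate, the names in it and the build_sample_pfx/inspect_pfx helpers are all constructed for this example.

```ruby
require 'openssl'

# Build a throwaway PKCS#12 bundle in memory so the inspection below runs
# offline. This stands in for a .pfx/.p12 an operator would persist; the
# self-signed certificate and the names in it are constructed for this example.
def build_sample_pfx(password:, eku: 'clientAuth', days: 30)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                     # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=alice/DC=example/DC=test')
  cert.issuer     = cert.subject          # self-signed is enough for a sample
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('extendedKeyUsage', eku, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(password, 'alice', key, cert).to_der
end

# Open a PKCS#12 blob and decide whether the material in it is worth keeping.
# Never raises on bad input: a wrong password or a corrupt file comes back as
# a rejection reason so a caller can refuse the file cleanly.
def inspect_pfx(der, password)
  p12  = OpenSSL::PKCS12.new(der, password)
  cert = p12.certificate
  return { ok: false, reasons: ['no certificate in bundle'] } if cert.nil?

  now     = Time.now
  reasons = []
  reasons << 'no private key in bundle' if p12.key.nil?
  reasons << "not yet valid (notBefore #{cert.not_before.utc})" if cert.not_before > now
  reasons << "expired (notAfter #{cert.not_after.utc})" if cert.not_after < now

  # RFC 5280: an absent EKU places no restriction; otherwise client
  # authentication must be listed for the certificate to be usable for logon.
  eku    = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  usages = eku ? eku.value.split(',').map(&:strip) : []
  unless eku.nil? || usages.any? { |u| u =~ /client auth/i }
    reasons << "EKU does not permit client authentication (#{usages.join(', ')})"
  end

  { ok: reasons.empty?, subject: cert.subject.to_s, not_after: cert.not_after,
    has_key: !p12.key.nil?, eku: usages, reasons: reasons }
rescue OpenSSL::OpenSSLError => e
  { ok: false, reasons: ["cannot open PKCS#12 (wrong password or corrupt data): #{e.message}"] }
end

if $PROGRAM_NAME == __FILE__
  pfx = build_sample_pfx(password: 'changeit')
  p inspect_pfx(pfx, 'changeit')
  p inspect_pfx(pfx, 'wrong-password')
end
```

Run it directly to see a good bundle accepted and the same bundle rejected under a wrong password. The EKU test is deliberately permissive when the extension is absent; a tool that only wants certificates issued from templates with Client Authentication could tighten that to require the usage explicitly.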

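As an added example for the Nuclei import in PR 17821 (illustrative Ruby written for this page, not Metasploit's db_import code), the block below parses Nuclei output in both the JSON (single array) and JSONL (one object per line) forms into the host/service/finding records an importer needs, and reports a malformed line instead of aborting the whole import. The sample output is constructed, modelled on the field names Nuclei's JSON export uses (template-id, info.name, info.severity, type, host, matched-at, ip); the record layout and the split_target/normalise_record/parse_nuclei/group_by_host helpers are assumptions made for this example.

```ruby
require 'json'
require 'uri'

# Constructed sample of Nuclei JSONL output (one result object per line),
# modelled on the field names Nuclei's JSON export uses. The third line is
# deliberately truncated to exercise the error path. Not real scan data.
SAMPLE_JSONL = <<~'JSONL'
  {"template-id":"http-missing-security-headers","info":{"name":"HTTP Missing Security Headers","severity":"info"},"type":"http","host":"http://10.0.0.5:8080","matched-at":"http://10.0.0.5:8080/","ip":"10.0.0.5","timestamp":"2023-04-24T10:00:00Z"}
  {"template-id":"CVE-2021-44228","info":{"name":"Apache Log4j RCE","severity":"critical"},"type":"http","host":"https://10.0.0.5","matched-at":"https://10.0.0.5/api","ip":"10.0.0.5","timestamp":"2023-04-24T10:00:05Z"}
  {"template-id":"broken-record","info":{"name":"Truncated"
  {"template-id":"openssh-detect","info":{"name":"OpenSSH Service Detection","severity":"info"},"type":"network","host":"10.0.0.7:22","matched-at":"10.0.0.7:22","ip":"10.0.0.7","timestamp":"2023-04-24T10:00:09Z"}
JSONL

# Split a Nuclei "host" value into [address, port, scheme]. HTTP templates
# report a URL; network templates report bare "host:port" with no scheme.
def split_target(target)
  if target.match?(%r{\A[a-z][a-z0-9+.-]*://}i)
    uri = URI.parse(target)
    [uri.host, uri.port, uri.scheme]   # URI supplies the default port for http/https
  else
    host, port = target.split(':', 2)  # IPv6 literals would need bracket handling
    [host, port && port.to_i, nil]
  end
end

# Reduce one result object to the fields a host/service/vuln import needs.
# Returns nil when the mandatory fields are missing.
def normalise_record(rec)
  return nil unless rec.is_a?(Hash) && rec['template-id'].is_a?(String) && rec['host'].is_a?(String)
  host, port, scheme = split_target(rec['host'])
  address = rec['ip'] || host
  return nil if address.nil? || address.empty?
  {
    address:    address,
    port:       port,
    service:    scheme || rec['type'],
    template:   rec['template-id'],
    name:       rec.dig('info', 'name') || rec['template-id'],
    severity:   (rec.dig('info', 'severity') || 'unknown').to_s.downcase,
    matched_at: rec['matched-at']
  }
end

# Parse Nuclei output in either JSON (a single array) or JSONL form.
# Returns [findings, errors]; a malformed line is reported, not fatal, so one
# bad record does not lose the rest of the import.
def parse_nuclei(content)
  findings = []
  errors   = []
  records  = []
  if content.lstrip.start_with?('[')
    begin
      records = JSON.parse(content)
    rescue JSON::ParserError => e
      errors << "json: #{e.message}"
    end
  else
    content.each_line.with_index(1) do |line, n|
      next if line.strip.empty?
      begin
        records << JSON.parse(line)
      rescue JSON::ParserError => e
        errors << "line #{n}: #{e.message}"
      end
    end
  end
  records.each_with_index do |rec, i|
    f = normalise_record(rec)
    if f
      findings << f
    else
      errors << "record #{i + 1}: missing template-id or host"
    end
  end
  [findings, errors]
end

# Group findings by address: one host per address, one service per port,
# which is the shape an import would write to the database.
def group_by_host(findings)
  findings.group_by { |f| f[:address] }.transform_values do |fs|
    { ports: fs.map { |f| f[:port] }.compact.uniq.sort,
      vulns: fs.map { |f| f[:template] }.uniq }
  end
end

if $PROGRAM_NAME == __FILE__
  findings, errors = parse_nuclei(SAMPLE_JSONL)
  group_by_host(findings).each { |addr, h| puts "#{addr}: ports=#{h[:ports].inspect} vulns=#{h[:vulns].inspect}" }
  errors.each { |e| warn "skipped: #{e}" }
end
```

The address is taken from the ip field when present and only falls back to the host part of the URL, because a URL host may be a DNS name while the import wants the address that was actually scanned.
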
Fixed

  • Pro: We added guards to ensure errors raised in a Bruteforce service attempt are logged and allow the task to complete for other scanners.

  • PR 17851 - N/A

  • PR 17864 - A bug has been fixed in auxiliary/admin/http/trendmicro_dlp_traversal and auxiliary/admin/http/tomcat_utf8_traversal whereby print_good was used when a file was missing instead of print_error.

  • PR 17867 - A bug has been fixed in the modules/auxiliary/scanner/http/surgenews_user_creds.rb module whereby it did not check whether the nwauth.add file contained any users before operating on it.

  • PR 17872 - Fixes a crash in modules that relied on a hash-identifying method which was not always loaded. The method is now always available and these modules no longer crash.

  • PR 17873 - Updates the scanner/ftp/ftp_login module to ensure that opened connections are closed after each login attempt. Additionally fixes a bug where the user-set FTPTimeout option was ignored; it is now honored.

  • PR 17882 - A bug has been fixed in the getsystem command whereby getsystem techniques 5 and 6 were crashing sessions on Windows 11 22H2. Additionally Python Windows Meterpreter payloads have been updated to include memory lock/unlock abilities.

  • PR 17883 - Fixes a crash when running the modules/auxiliary/scanner/lotus/lotus_domino_hashes module while the database is not active.

  • PR 17888 - Fixes a crash when running the help setg command in msfconsole.

  • PR 17893 - Updates the documentation for the modules/exploit/linux/local/asan_suid_executable_priv_esc module to be in the correct location.

  • PR 17907 - Fixes a crash when running the exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain.rb module.

  • PR 17909 - Fixes a Windows 7 Meterpreter crash when running in debug mode.

Modules

  • PR 17711 - Adds a module that exploits a PHP code injection in SPIP. The vulnerability lies in the oubli parameter and allows an unauthenticated user to execute arbitrary commands with the privileges of the web server user.

  • PR 17832 - Adds two exploit modules targeting UniData versions 8.2.4 and earlier on Linux. Due to a flaw in the udadmin service implementation, remote command execution as the root user is possible. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other an authentication bypass (CVE-2023-28503).

  • PR 17854 - Adds an exploit chaining CVE-2022-22956 and CVE-2022-22957 to gain code execution as the horizon user on VMware Workspace ONE Access. The first, CVE-2022-22956, is an authentication bypass in the OAuth2TokenResourceController ACS that lets a remote, unauthenticated attacker bypass the authentication mechanism and execute any operation. The second, CVE-2022-22957, is a JDBC injection in the DBConnectionCheckController class's dbCheck method that allows an attacker to deserialize arbitrary Java objects, leading to remote code execution.

  • PR 17874 - Adds an exploit module targeting CVE-2022-22960, a local privilege escalation in which the permissions of the certproxyService.sh script can be overwritten so that the horizon user (uid 1001) can modify it, allowing a local attacker running as that user to escalate to root.

Offline Update

Metasploit Framework and Pro Installers