Original Post from Rapid7
Author: Jacob Robles
tiyeuse submitted a Metasploit module for an authenticated remote code execution vulnerability in WordPress, which was described in a blog post by RIPS Technology. After authenticating as a user with at least author privileges, the module starts by uploading an image file with PHP code that will be used later. Then the image metadata that references the file location on disk is overwritten with an image update request. The updated reference will contain a location within a WordPress theme directory. By using the crop image functionality, the image file will be saved to the updated location in the metadata entry. Finally, a new post is created and uses the image file as a page template, which is allowed since the image has been saved within the theme directory. When the new post is requested, the PHP code in the image file will be executed on the WordPress server.
In the blog post A Saga of Code Executions on Zimbra by An Trinh, a vulnerability chain is described that would allow an unauthenticated user to get remote code execution on vulnerable versions of Zimbra. jrobles-r7 submitted a Metasploit module that follows the exploit path in the “Breaking Zimbra part 1” section of the post. The exploit starts by retrieving a password in a Zimbra configuration file using an XXE vulnerability in the AutodiscoverServlet. The credentials are used to get a user cookie, which is needed in the SSRF exploit to get an admin cookie by proxying an AuthRequest to the admin port. After getting an admin cookie, the exploit finishes by uploading and executing a webshell.
New modules (4)
- Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF by An Trinh, Khanh Viet Pham, and Jacob Robles, which exploits CVE-2019-9670 and CVE-2019-9621
- Horde Form File Upload Vulnerability by Ratiosec, which exploits CVE-2019-9858
- WordPress Crop-image Shell Upload by RIPSTECH Technology and Wilfried Becard, which exploits CVE-2019-8943 and CVE-2019-8942
- Microsoft Windows Contact File Format Arbitrary Code Execution by Brenner Little and John Page (aka hyp3rlinx), which exploits ZDI-19-013
Enhancements and features
- PR #11702 by jmartin-r7 updates to metasm 1.0.4, which includes fixes for shellcode generation when Ruby 2.5+ runs on Windows.
- PR #11704 by jrobles-r7 fixes an issue where a host header can be emitted twice if the Host header is specified directly in the headers list with the HTTP client.
- PR #11660 by wvu-r7 ensures modules aren’t attempting to create PowerShell payloads with the no-longer-supported
use_single_quotesoption in favor of the supported
- PR #11699 by busterb resolves an issue reported by Gwerb where exceptions were not correctly handled when there is a failure to use psexec against a target.
- PR #11682 by JavanXD updates the apache_range_dos module to properly target hosts for checking vulnerability.
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub:
We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).
Go to Source
Author: Jacob Robles