post/osx/gather/enum_osx: permits remote command execution on Metasploit host #14008
Closing this issue since it has been fixed now.
Presumably this also affects Metasploit Pro. @todb-r7 please request a CVE.
Sure thing! Take CVE-2020-7376. @bcoles if you could be so kind, can you pick your favorite CWE vuln class and write a brief description of the issue? I can use that to populate the CVE ID.
CWE-23: Relative Path Traversal The In terms of affected versions, this probably affects the module since the get_keychains method was introduced in 2011, to versions before 6.0.2. This probably affects Metasploit running on any supported platform. Tested with Metasploit running on Linux.
Covers the issues discussed at rapid7/metasploit-framework#14008 and rapid7/metasploit-framework#14015
On the victim-soon-to-be-attacker host - create some fun executables:
On the attacker-soon-to-be-the-victim host - start a multi handler like any other day:
On the victim-soon-to-be-attacker host - give the "attacker" a shell in a root user namespace:
On the attacker-soon-to-be-the-victim host - enjoy the new shell and enumerate some host info with post/osx/gather/enum_osx (also check there's no funny cron jobs or anything listening on 31337, because that would be bad):
On the victim-soon-to-be-the-attacker host:
After patch (#14007):