Metasploit Weekly Wrap-Up

## JBOSS EAP/AS – More Deserializations? Indeed!

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/07/metasploit-ascii-1-2-1.png)

Community contributor [Heyder Andrade]() added a new module for a Java deserialization vulnerability in the JBOSS EAP/AS Remoting Unified Invoker interface, affecting versions 6.1.0 and prior. As far as we can tell, this was first disclosed by [Joao Matos]() in his paper at [AlligatorCon](); a later PoC from [Marcio Almeida]() served as the basis for [Heyder Andrade]()'s Metasploit module. The exploit lets an unauthenticated attacker with network access to the Remoting Unified Invoker interface of JBOSS EAP/AS <= 6.1.0 gain RCE as the `jboss` user by sending a crafted serialized object to that interface.
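
Since the attack comes down to "the interface accepts a serialized Java object from anyone", the check a defender wants is to recognise such an object on the wire. The following is an added example written for this post, not code from the Metasploit module or from JBoss: it parses the start of a Java serialization stream (magic `0xACED`, version 5, `TC_OBJECT`, `TC_CLASSDESC`, then the length-prefixed class name, `serialVersionUID` and class flags) and reports which class the sender is asking the receiver to instantiate. The sample bytes, the class name `com.example.Payload` and its UID are constructed for the example.

```ruby
# Java Object Serialization Stream Protocol constants (from the JDK spec).
STREAM_MAGIC      = 0xACED
STREAM_VERSION    = 0x0005
TC_NULL           = 0x70
TC_CLASSDESC      = 0x72
TC_OBJECT         = 0x73
TC_ENDBLOCKDATA   = 0x78
SC_WRITE_METHOD   = 0x01 # class defines writeObject(): custom data follows the fields
SC_SERIALIZABLE   = 0x02
SC_EXTERNALIZABLE = 0x04

JavaObjectHeader = Struct.new(:class_name, :serial_version_uid, :flags) do
  def serializable?;        (flags & SC_SERIALIZABLE)   != 0; end
  def externalizable?;      (flags & SC_EXTERNALIZABLE) != 0; end
  def custom_write_method?; (flags & SC_WRITE_METHOD)   != 0; end
end

# Cheap first check for a detection rule: does the buffer start with the
# serialization magic at all? An endpoint that is not meant to receive
# serialized Java (a plain HTTP form handler, say) should never see this.
def java_serialized?(bytes)
  bytes.b.byteslice(0, 4) == [STREAM_MAGIC, STREAM_VERSION].pack('nn')
end

# Extracts the first class description, i.e. the class the receiver will be
# asked to instantiate. Returns nil for anything that is not a TC_OBJECT with
# an inline class descriptor (strings, arrays and back-references are still
# serialized Java, but carry no class name at this position).
def parse_java_object_header(bytes)
  bytes = bytes.b
  return nil unless java_serialized?(bytes) && bytes.bytesize >= 8
  type_code, desc_code, name_len = bytes.byteslice(4, 4).unpack('CCn')
  return nil unless type_code == TC_OBJECT && desc_code == TC_CLASSDESC
  # class name, then an 8-byte serialVersionUID and a 1-byte flag set
  return nil if bytes.bytesize < 8 + name_len + 9
  class_name = bytes.byteslice(8, name_len).force_encoding('UTF-8')
  uid, flags = bytes.byteslice(8 + name_len, 9).unpack('Q>C')
  JavaObjectHeader.new(class_name, uid, flags)
end

# Constructed sample (not a real payload): a minimal, well-formed stream for a
# hypothetical serializable class with no fields and no superclass.
def sample_stream(class_name = 'com.example.Payload', uid = 0x1122334455667788)
  [STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC, class_name.bytesize].pack('nnCCn') +
    class_name.b +
    [uid, SC_SERIALIZABLE, 0].pack('Q>Cn') +  # serialVersionUID, flags, field count
    [TC_ENDBLOCKDATA, TC_NULL].pack('CC')     # no class annotations, no superclass
end

if __FILE__ == $PROGRAM_NAME
  header = parse_java_object_header(sample_stream)
  puts "class=#{header.class_name} uid=0x#{header.serial_version_uid.to_s(16)} " \
       "serializable=#{header.serializable?} custom_write=#{header.custom_write_method?}"
  puts "plain HTTP body flagged? #{java_serialized?("GET / HTTP/1.1\r\n")}"
end
```

The class name alone is usually enough for an alert: a service that expects its own invocation objects has no business receiving a stream whose first class is anything else, and `custom_write_method?` tells you that class-specific `readObject` logic, which is where gadget chains do their work, will run during deserialization.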

Deserialization attacks have certainly been popular as of late, but we haven't seen many targeting JBOSS recently, so we appreciate the efforts of these contributors in providing some alternative deserialization attacks 🙂

## More Unauthenticated RCEs – Sourcegraph gitserver sshCommand RCE

One unauthenticated RCE is nice for a weekly wrap-up, but we can always do better. Why not make it two this week? Courtesy of [Spencer McIntyre]() and [Altelus1]()'s [PoC](), we now have a Metasploit module for [CVE-2022-23642](), an unauthenticated RCE in Sourcegraph Gitserver prior to 3.37.0 that allows attackers to execute arbitrary OS commands by modifying the `core.sshCommand` value within the git configuration. Successful exploitation allows an unauthenticated attacker to execute commands in the context of the Sourcegraph Gitserver server.
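
The reason a writable `core.sshCommand` is command execution, rather than just a misconfiguration, is that git hands the value to the shell (`sh -c "<value> \"$@\""`, with the host and the `git-upload-pack '<path>'` request appended) the moment any `ssh://` remote is touched. The following added example, written for this post and not taken from the Metasploit module or from Sourcegraph, shows that mechanism on a throwaway repository. It assumes only that `git` is on `PATH`; no host is ever contacted, because git runs the planted command in ssh's place.

```ruby
require 'open3'
require 'tmpdir'

# Runs git with the given arguments inside dir; returns [stdout, stderr, status].
def run_git(dir, *args)
  Open3.capture3('git', *args, chdir: dir)
end

# Returns true when a command stored in core.sshCommand was executed by git.
# The temporary repository stands in for any repository whose configuration
# an attacker can write; the ssh:// URL is a placeholder that never resolves.
def core_ssh_command_executes?
  Dir.mktmpdir('sshcmd-demo') do |dir|
    marker = File.join(dir, 'executed.txt')
    run_git(dir, 'init', '-q')
    # The planted value: write a marker, then let `true` swallow the host and
    # upload-pack arguments git appends. git quotes the value in .git/config,
    # so the `;` survives the round trip.
    run_git(dir, 'config', 'core.sshCommand', "echo pwned > '#{marker}'; true")
    # Any operation that opens an ssh transport triggers it. The fetch itself
    # fails ("the remote end hung up unexpectedly"), because nothing on the
    # other side speaks the pack protocol, but the command has already run.
    _out, _err, _status = run_git(dir, 'fetch', 'ssh://git.example.invalid/repo.git')
    File.exist?(marker)
  end
end

puts "core.sshCommand executed: #{core_ssh_command_executes?}" if __FILE__ == $PROGRAM_NAME
```

The same holds for the `GIT_SSH_COMMAND` environment variable, which git consults before the config key, so any service that lets untrusted input reach either one and later fetches, pushes or runs `ls-remote` against an ssh remote is executing that input.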

This is another cool attack, as we don't often see configuration-related issues like this leading to unauthenticated RCE; when they do crop up, there are typically limitations on what one can do. In this case, however, we end up with full RCE as an unauthenticated user, which goes to show that even less common or frequently overlooked issues can, under the right circumstances, be exploited to gain privileged access.

## Decrypting Ya Secrets – Citrix Netscaler Secrets Decrypter

Finally, community contributor [npm-cesium137-io]() added a new module that decrypts Citrix NetScaler appliance configuration files and recovers secrets encrypted with the KEK encryption scheme, provided you have the key fragment files.

We have heard from [npm-cesium137-io]() and others that Citrix NetScaler shows up on a number of pen testing engagements, so this module should help those testing these environments obtain secrets more easily.

## New module content (3)

* [Decrypt Citrix NetScaler Config Secrets]() by [npm-cesium137-io]() – This auxiliary module allows users to decrypt secrets in Citrix NetScaler appliance configuration files.
* [Sourcegraph gitserver sshCommand RCE]() by [Altelus1]() and [Spencer McIntyre](), which exploits [CVE-2022-23642]() – This module leverages an unauthenticated RCE in Sourcegraph’s gitserver component which results in OS command execution in the context of gitserver.
* [JBOSS EAP/AS Remoting Unified Invoker RCE]() by [Heyder Andrade](), [Joao Matos](), and [Marcio Almeida]() – This module exploits a Java deserialization vulnerability in JBOSS EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior.

## Enhancements and features (2)

* [#16735]() from [ErikWynter]() – This change sets the MeterpreterTryToFork advanced payload option to true by default for the Linux target in the aerohive_netconfig_lfi_log_poison_rce module to prevent the application from hanging once exploited.
* [#16764]() from [bcoles]() – Adds two new HTTP client evasion options to msfconsole, `HTTP::shuffle_get_params` and `HTTP::shuffle_post_params`, which let users randomize the order of GET and POST parameters to evade static signatures.
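
To make concrete what parameter shuffling buys an attacker and what a detection engineer should do about it, here is an added example written for this post (not the framework's own implementation of the options). It encodes a constructed set of request parameters in a random order, shows that a signature pinned to one parameter order fires on exactly one of the possible orderings, and shows the order-independent comparison that still matches all of them.

```ruby
require 'uri'

# Constructed request parameters for the example.
SAMPLE_PARAMS = { 'page' => '1', 'q' => 'metasploit', 'sort' => 'date' }.freeze

# A static signature of the kind the new options are meant to evade: it only
# fires when the parameters arrive in the exact order its author observed.
ORDER_BOUND_SIGNATURE = /\Apage=1&q=metasploit&sort=date\z/

# What shuffle_get_params / shuffle_post_params do in spirit: the same
# parameters, emitted in a random order. Pass rng for reproducible runs.
def encode_params(params, shuffle: false, rng: Random.new)
  pairs = params.to_a
  pairs = pairs.shuffle(random: rng) if shuffle
  URI.encode_www_form(pairs)
end

# The detection-side fix: decode the query and compare the parameters as a
# set (here, as a sorted list of pairs) so that ordering no longer matters.
def order_independent_match?(query, expected = SAMPLE_PARAMS)
  URI.decode_www_form(query).sort == expected.to_a.sort
end

# Walks every ordering of the parameters and counts how each signature fares.
# Returns [number of orderings, order-bound hits, order-independent hits].
def signature_coverage(params = SAMPLE_PARAMS)
  queries = params.to_a.permutation.map { |pairs| URI.encode_www_form(pairs) }
  bound   = queries.count { |q| q.match?(ORDER_BOUND_SIGNATURE) }
  robust  = queries.count { |q| order_independent_match?(q, params) }
  [queries.size, bound, robust]
end

if __FILE__ == $PROGRAM_NAME
  puts "fixed order:    #{encode_params(SAMPLE_PARAMS)}"
  puts "shuffled order: #{encode_params(SAMPLE_PARAMS, shuffle: true)}"
  total, bound, robust = signature_coverage
  puts "orderings=#{total} order-bound signature hits=#{bound} order-independent hits=#{robust}"
end
```

With three parameters there are six orderings and the order-bound regex catches one of them, so a module that shuffles on every request slips past it five times out of six; signatures that parse the query and match on the parameter set are unaffected.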

## Bugs fixed (5)

* [#16617]() from [NikitaKovaljov]() – This fixes a race condition that was present in the `ipv6_neighbor` module that caused hosts to be missed when the scanned range was very short due to an adaptive timeout with an insufficient floor value.
* [#16703]() from [e2002e]() – This fixes compatibility issues with the Censys V2 API and the censys_search.rb module.
* [#16718]() from [cdelafuente-r7]() – This fixes the run_as library and module to work correctly on 64-bit systems.
* [#16727]() from [bcoles]() – Modules that use the `tftp` command stager failed due to a missing `tftphost` option. This change ensures that `tftphost` is set and valid before the command stager is created.
* [#16736]() from [ErikWynter]() – This change fixes a bug in the confluence_widget_connector exploit module to prevent it from crashing when the HTTP response body received in the get_java_property method is empty or does not match the expected regex.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.2.6…6.2.7]()
* [Full diff 6.2.6…6.2.7]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).
