## Spring Cloud Gateway RCE


This week, a new [module]() that exploits a code injection vulnerability in Spring Cloud Gateway ([CVE-2022-22947]()) has been added by [@Ayantaker](). Versions 3.1.0 and 3.0.0 to 3.0.6 are vulnerable if the Gateway Actuator endpoint is enabled, exposed and unsecured. The module sends a specially crafted SpEL expression to this endpoint and gets command execution as the user running Spring Cloud Gateway. A first request is sent to create a route with a filter including the SpEL expression which will be parsed with a [StandardEvaluationContext](). A second request is sent to reload the route and trigger code execution.

## pfSense pfBlockNG plugin unauthenticated RCE

Our very own [@jheysel-r7]() added a [module]() that exploits an OS command injection vulnerability in pfSense’s pfBlockerNG plugin versions 2.1.4_26 and below and identified as [CVE-2022-31814](). The module sends an HTTP request with a payload in the `Host:` header, which will be executed by the PHP’s `exec()` function. This leads to unauthenticated remote command execution as root. Note that this pfSense module is not installed by default but is commonly used to block inbound connections from countries or IP ranges.

## New module content (2)

* [Spring Cloud Gateway Remote Code Execution]() by Ayan Saha, which exploits [CVE-2022-22947]() – A new module has been added in for CVE-2022-22947, an unauthenticated RCE in Spring Cloud Gateway versions 3.1.0 and 3.0.0 to 3.0.6 when the Gateway Actuator endpoint is enabled, exposed and unsecured. Successful exploitation results in arbitrary code execution as the user running Spring Cloud Gateway.
* [pfSense plugin pfBlockerNG unauthenticated RCE as root]() by IHTeam and [jheysel-r7](), which exploits [CVE-2022-31814]() – A module has been added for CVE-2022-31814, an unauthenticated RCE in the pfSense plugin within pfBlockerNG that allows remote unauthenticated attackers to execute execute arbitrary OS commands as root via shell metacharacters in the HTTP Host header. Versions <= 2.1.4_26 are vulnerable. Note that version 3.X is unaffected.

## Enhancements and features (2)

* [#17123]() from [h00die]() – The `netrc` and `fetchmail` modules have been updated to include documentation on how to use the modules.
* [#17092]() from [bcoles]() – This PR updates the `netlm_downgrade` module, providing documentation, extending it to support more session types, and fixing some bugs that were present which caused false-positive warnings to appear.

## Bugs fixed (3)

* [#16987]() from [jmartin-r7]() – Improves `scanner/smb/smb_login` to gracefully handle additional error conditions when connecting to target services.
* [#17075]() from [cdelafuente-r7]() – The Windows secrets dump module was failing early for non-administrative users. This fixes the issue so the module now throws warnings where it was previously failing early. Now the module can complete the DOMAIN action whereas before it was failing prior to reaching this point.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:

* [Pull Requests 6.2.21…6.2.22]()
* [Full diff 6.2.21…6.2.22]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the [binary installers]() (which also include the commercial edition).Read More