This module exploits built-in functionality in OpenNMS Horizon in order
to execute arbitrary commands as the opennms user. For versions 32.0.2
and higher, this module requires valid credentials for a user with
ROLE_FILESYSTEM_EDITOR privileges and either ROLE_ADMIN or ROLE_REST.
For versions 32.0.1 and lower, credentials are required for a user with
ROLE_FILESYSTEM_EDITOR, ROLE_REST, and/or ROLE_ADMIN privileges.
This PR adds support for Debian and number of fixes and improvements for
the runc_cwd_priv_esc. Proir to this fix the module would report
vulnerable for a number of versions that the patch had been back ported
to.
This PR updates the pre-existing apache_ofbiz_deserialization
module to include functionality that will bypass authentication by
using the newly discovered CVE-2023-51467.
Now uses the Rex::Version system to check the user's version of runC.
The old system used to allow runC version 1.1.12 (which is patched).
Now it allows from 1.0.0-rc93->1.1.11 (and I tested that it works as expected).
Support added for Debian as this was tested with both Debian and Ubuntu.
Newer versions of Docker wouldn't delete the built container due to the message format.
I added a new regex to check for the message format which now deletes containers.
Fixed error reporting bug, runC version sanitising
Some runC versions contain the `+` and `~` token. These break
Rex::Version objects. A simple check was added against these symbols
and anything following them is cut off. Another solution may be
to replace these tokens with the `-` symbol to maintain information.
One of the failure cases was unreachable and this was fixed.
Fix runC and docker presence checks
The old runC and docker presence checks wer using `if` instead of `unless`.
executable? also requires a full path to work correctly. Since only the command
names themselves were being passed in, the check was silently failing.
The chosen fix was to instead use the command_exists? function,
which has the added benefit of working on both Windows and Linux.
Before this PR when running asan_suid_executable_priv_esc
if the user did not set the SUID_EXECUTABLE option the
module would fail with an undescriptive error message.
This PR removes the default value of an empty string from
SUID_EXECUTABLE so now if it's not set the user is informed.
This PR adds an exploit module for a number of
different GL.iNet network products. The module combines
an auth by-pass CVE-2023-50919 with an RCE CVE-2023-50445.
This PR adds an exploit module which allows for
a user who has compromised a host acting as a
SaltStack Master to deploy payloads to the Minions
attached to that Master.
This PR adds a way to get the Build ID from ld.so by
using the perf command. Before this the module depended
on file and readelf being installed to get the Build ID.
Jack Heysel