Case 1:18-cv-01519-MN Document 150-1 Filed 06/12/20 Page 1 of 89 PageID #: 6296
`
`EXHIBIT 1
`
`Recent Releases
`
`6.6.25
`
`Product Update
`2020-06-03
`
`6.6.24
`
`Product Update
`2020-05-28
`
`6.6.23
`
`Product Update
`2020-05-27
`
`Fixes
`
We fixed an issue that occasionally prevented the Security Console from marking
completed scans with the "Completed" status if the console underwent a restart while the
scans were in progress.
We fixed an issue that could result in an invalid Google Chrome version being reported if
the scanned asset had Citrix software installed.
We fixed an issue where an incorrect default service name for PostgreSQL appearing in the
default-services.properties file was causing authentication errors when using this
name to assign the service to a custom port in a scan template.
We updated several Microsoft vulnerability checks to use file versions instead of
CBS-based registry entries in order to improve their accuracy.
We updated our vulnerability checks for Microsoft Security Bulletin MS16-122 to improve
accuracy on Server editions of Windows.
`
`Fixes
`
We reverted a previous change that we applied to our asset correlation process in product
version 6.6.14. The strict unique ID enforcement requirement delivered in the previous fix
was causing duplicate assets to appear in some Security Consoles.
`
`New
`
New vulnerability content: We added remote checks for CVE-2020-11651 and CVE-2020-11652,
2 vulnerabilities affecting SaltStack Salt Master servers. For more information on
these vulnerabilities, see the SaltStack blog.
New vulnerability content: We added a check that allows you to scan for obsolete
versions of Arista EOS.
New AWS asset identification capability: The Scan Engine will now collect AWS EC2
instance IDs if it can successfully authenticate to the target asset. Implementing this
collection capability requires some configuration based on the asset type:
For Unix assets, your authentication user must have sudo or root access and the
curl command must be available.
For Windows assets, you must configure the Windows Remote Management
(WinRM) service on the target asset.
`
`Improvements
`
`Center for Internet Security (CIS) Policy content: We updated our CIS Microsoft Windows
`10 Enterprise Release 1809 benchmark to version 1.6.1.
`
`Fixes
`
Our Google Chrome fingerprinting process for Windows now relies on uninstaller keys to
detect Chrome if registry keys are not available.
Our CIS Microsoft Windows Server 2019 policy now supports rule customization that is
similar to what is available in the 2016 edition policy.
We fixed an issue with our CIS Oracle Database 12c benchmark (v2.1.0) where rule 4.5.2
was missing from some profiles.
We fixed an issue with our CIS Red Hat Enterprise Linux 6 benchmark (v2.1.0) where rule
5.4.1.5 was missing from some profiles.
`We updated some Oracle Java vulnerability titles for better readability.
`
`6.6.22
`
`Product Update
`2020-05-20
`
`Improvements
`
Constraint validation service scheduling: You can now configure the database constraint
validation and remediation service to run on a schedule.
`
`Fixes
`
`We optimized the Data Warehouse export process to improve performance when
`exporting large amounts of assets.
Deleting multiple items from the notification center will no longer make the top and left
menus invisible.
We fixed CVE-2020-7353, a cross site scripting vulnerability affecting the Security Console.
To exploit this vulnerability, an attacker would either have to execute a dynamic script in an
attempt to assume control of a user's Security Console session, or modify HTML elements
in real time in a way that would mislead the user into volunteering credential information.
This issue affects all Security Console versions up to and including 6.6.20. If your Security
Console currently falls on or within this affected version range, ensure that you update your
Security Console to the latest version. Special thanks to Sandi Tehendi for reporting this
issue.
We fixed an issue that prevented users from checking scan results in policy detail pages if
the web interface was accessed using a hostname as the URL instead of the Security
Console's IP address.
We fixed an issue where Security Console users that were configured to use SAML
authentication could not run any console diagnostics.
We fixed an issue that prevented our Adobe Acrobat and Reader DC 2015 vulnerability
checks from generating correctly.
We fixed an issue with our unix-user-home-dir-mode vulnerability check that caused the
proof to display the returned directory permissions incorrectly.
`
6.6.21

Product Update
2020-05-13

New

`New vulnerability content: We added new checks for the following vulnerabilities affecting
`Cisco ASA that are part of the larger May 2020 Cisco Event Response Security Advisory
`Bundled Publication (ERP-73830):
`CVE-2020-3187
`CVE-2020-3125
`CVE-2020-3259
`CVE-2020-3254
`CVE-2020-3196
`CVE-2020-3298
`CVE-2020-3191
`CVE-2020-3195
`Microsoft Patch Tuesday coverage: This release includes updated scan coverage for May
`2020.
`New DISA policy content: We added 2 new Defense Information Systems Agency (DISA)
`policies that provide coverage for Apache Server 2.4 UNIX Server and Site, respectively.
`
`Improvements
`
`Standalone constraint validation service: The database constraint validation and
`remediation service that used to be tied exclusively to the backup creation process is now
`available as a standalone feature. Navigate to Administration > Maintenance, Storage,
`and Troubleshooting > Maintenance > Validate Constraints in your Security Console to
`run this service independently.
`General interface improvements: We implemented several interface changes to improve
`your Nexpose product experience:
`The Security Console's top and left menu styles have been updated.
The notification center in the upper right corner of the interface has been reworked.
We fixed an issue with the left menu that caused the Rapid7 logo to block menu
items on screens using lower resolutions.
`Improved detail page performance: Asset detail pages now load faster.
`Center for Internet Security (CIS) Policy content: We updated the following existing CIS
`benchmarks:
`CIS Microsoft Windows Server 2008 R2 Benchmark v3.2.0
`CIS Microsoft Windows 7 Workstation Benchmark v3.2.0
Improved SSH support: The Scan Engine now supports SSH connections with larger
Diffie-Hellman key exchange sizes for credentialed scanning.
`
`Fixes
`
We fixed an issue in the APIv3 documentation that caused some semantic and structural
errors with OpenAPI Specification v2.0.
We fixed an issue that caused some CIS database policies rules to evaluate incorrectly.
We fixed an issue with our Oracle Java fingerprinting process where Java's installation
location on UNIX targets was not properly recorded.
`
We fixed an issue that allowed the product to run specific UNIX-based collection processes
on Windows systems during a scan.
`
`6.6.20
`
`Product Update
`2020-05-07
`
`6.6.19
`
`Product Update
`2020-05-06
`
`Fixes
`
We fixed an issue where scan templates that specified an invalid regular expression in the
regular expression file filter caused the Security Console to start up in maintenance mode
after updating to product version 6.6.18.
`
`New
`
`New automated vulnerability content: We now support recurring vulnerability coverage for
`Amazon Linux 2.
`
`Improvements
`
`Defense Information Systems Agency (DISA) Policy content: We updated the following
`existing DISA benchmarks:
`Red Hat Enterprise Linux 7 STIG Benchmark - Ver 2, Rel 7
`Red Hat Enterprise Linux 6 STIG Benchmark - Ver 1, Rel 27
`Mozilla Firefox for RHEL STIG Benchmark - Ver 1, Rel 6
`Windows Defender Antivirus STIG Benchmark - Ver 1, Rel 6
`Microsoft .NET Framework 4 STIG Benchmark - Ver 1, Rel 7
Updated obsolete version content: We updated our f5-big-ip-obsolete-version check to
include more unsupported versions.
Improved credential source labeling: The "Administrative Credential" and "Service
Credential" labels in scan logs and Source columns of node fingerprint tables have been
renamed as "Configured Credential" and "Discovered Credential" respectively. These new
labels will help you easily determine if the source credential that produced the fingerprint
was configured by a user on the Security Console or discovered automatically during a
scan.
Improved Apache Tomcat fingerprinting: Our new fingerprinting technique can now
identify Apache Tomcat on Windows assets using uninstaller registry keys.
Improved Linux vulnerability assessment capability: The product will no longer report
Linux kernel vulnerabilities that have been live-patched by KernelCare.
`
`Fixes
`
We fixed an issue with our msft-cve-2020-0688-unsupported-version vulnerability check
to resolve potential false positives.
We fixed several end-of-life checks for various Linux distributions that were missing the
Obsolete Software category.
`
6.6.18

Product Update
2020-04-29

Improvements

New APIv3 endpoints: We added new APIv3 endpoints that allow you to append new
addresses or remove existing ones from both the included and excluded scan target lists
in a site configuration.
New backup notifications: The notification center in the Security Console now alerts you
when your most recent database backup completes successfully, is canceled, or fails.
Updated vulnerability check: Our Weak LAN Manager hashing permitted vulnerability
check will now return vulnerable if the target asset is configured to accept NTLM
connections without using version 2 of the protocol.
`
`Fixes
`
We fixed an issue that prevented the PCI Vulnerability Details report from respecting
vulnerability exceptions that were scoped to an asset group.
`
`6.6.17
`
`Product Update
`2020-04-27
`
`6.6.16
`
`Product Update
`2020-04-22
`
`Fixes
`
We fixed an issue where the Security Console user interface would fail to display values in
account-related fields when editing a shared scan credential through Administration. This
issue only affected interface presentation and did not affect the configuration or usability
of the underlying credential itself.
`
`New
`
`New vulnerability content: We added a remote check for CVE-2020-3952, a sensitive
`information disclosure vulnerability affecting VMware vCenter Server.
`
`Fixes
`
`When you create a CSV export of the "Affects" table from vulnerability detail pages in the
`Security Console, your export now contains the "Key" column as shown in the interface.
We fixed an issue that caused the Manage Site button in site detail pages in the Security
Console to be unresponsive if the site name contained a trailing \ character.
We fixed an issue with our macOS Firefox fingerprint that prevented it from distinguishing
between the ESR and standard browser versions.
`
`EXHIBIT 2
`
`Recent Releases
`
`4.17.1
`
`Product Update
`2020-05-26
`
`Bugs Fixed
`
PR 13415 - This changes the behavior of payload encoding in Metasploit, so that payloads free of any
specified bad characters skip the encoding phase altogether. Previously, payloads would be
unconditionally encoded if any bad chars were specified at all.
PR 13436 - This fixes a regression in the SERVICE_FILENAME and SERVICE_STUB_ENCODER options in
psexec code.
PR 13465 - This fixes an issue within Meterpreter's packet dispatcher code where under certain
conditions packets would be processed out of order leading to failed protocol negotiation sequences.
PR 13499 - This fixes a bug in Java meterpreter where the result of the stderr text stream was not
returned when used with the cmd_exec post-exploitation API.
`
`Enhancements and Features
`
PR 13262 - This adds a new stager format to allow a python stager to call back and receive a binary
meterpreter payload similar to the psh-reflection format.
`PR 13443 - This adds or updates action descriptions for numerous auxiliary and post modules in order to
`improve the user experience when listing or choosing actions.
`PR 13496 - This adds tests to verify that payloads, when used with the cmd_exec API, return the output
`of the stderr process stream in their results.
`
`New Modules
`
PR 13445 - This adds a root exploit for Pi-Hole, versions 4.4 and lower. This takes advantage of
CVE-2020-11108. A new blocklist is added then an update is forced to pull in the blocklist content. Then PHP
content is written to a file within webroot.
PR 13463 - Adds a new module for exploiting a deserialization vulnerability in some versions of
WebLogic. This takes advantage of CVE-2020-2555.
`
Offline Update
`
`https://updates.metasploit.com/packages/70d765542ec0338a13431fe98f2bc10c18dd9d3b.bin
`
`Metasploit Framework and Pro Installers
`
`https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version
`
`4.17.1
`
`Product Update
`2020-05-14
`
`Bugs Fixed
`
PR 13358 - This ensures that we correctly handle out-of-order packets on pivoted sessions.
PR 13360 - The msfconsole will no longer output ActiveRecord warning messages on start up when
using Ruby 2.7.x.
PR 13363 - This fixes a deprecation error that was occurring when generating the HTTP and HTTPS
Meterpreter shells using Ruby 2.7.x by replacing a URI.decode call with a CGI.unescape call.
PR 13406 - We updated the DNS enumeration to ignore unhandled resource records safely, and patched
bugs within the internal implementation of Rex::Proto::DNS::Resolver.
`
`Enhancements and Features
`
`Pro: MS-3169 - Payload generation wizard now logs events in the database.
Pro: MS-5092 - We did an overhaul of the JavaScript in Metasploit Pro to modernize XSS protections,
including fixes for CVE-2020-7354 and CVE-2020-7355 (XSSes in host ID and notes fields). Many thanks
to Andrea Valenza (AvalZ) with the University of Genoa who reported this to Rapid7.
Pro: MS-5537 - The 2020 custom survey banner was removed. Thank you for your response!
Pro: MS-5626 - A certificate installed on all Pro customer systems expired on May 14th, 2020. We
updated the certificate and some related logic to provide a path forward. Pro customers should update to
release 4.17.1-2020051401 (or later) as soon as possible.
PR 12234 - This adds an auxiliary module that attempts multiple techniques to fingerprint IP addresses
that can be used for directly connecting to web servers that are supposed to be protected by cloud based
solutions. This helps to identify a common class of misconfiguration vulnerabilities in these scenarios.
PR 13100 - This updates the OSX stager to add support for cases where the dyld macho might not be
loaded into the expected location. It also adds MeterpreterDebugLevel support to the OSX stager to allow
users to view debug output coming from the payload.
PR 13257 - This improves the .NET deserialization library by adding two new chains,
TypeConfuseDelegate and WindowsIdentity, and a new formatter, SoapFormatter, and updates the
applicable modules to use them.
PR 13281 - This fixes an issue with Meterpreter's screenshot command on Windows. When the
`Meterpreter session is opened as a service the screenshot command will cause Explorer to crash due
`to restricted desktops. This checks that desktops are available to avoid that condition and prevents the
`user from accidentally triggering the crash.
`PR 13313 - Adds improvements to msfconsole to warn the user that changing the current SSL options
`value with set ssl true or set ssl false may require changing the RPORT value as well.
`PR 13315 - The GatherProof advanced option is now set to true by default for the
`auxiliary/scanner/ssh/ssh_login and auxiliary/scanner/ssh/ssh_login_pubkey modules in
`order to address the common case when scanning SSH servers.
`PR 13316 - RemoteHttpDataService can now manage tags.
PR 13321 - This enhances the GatherProof advanced option in SSH login scanners to handle Windows
and unknown platforms better.
`
`PR 13325 - This updates the behavior of Meterpreter's ls command to expand environment variables in
`the path argument on Windows systems.
PR 13330 - We updated the version of the Meterpreter payloads gem to 1.4.1. This pulls in the changes
made in rapid7/metasploit-payloads#388 and rapid7/metasploit-payloads#389 to Windows Meterpreter
payloads and helps to reduce the complexity of extension building and loading as well as remove some
fingerprint artifacts. The new versions of these Windows Meterpreter payloads should now be smaller.
PR 13340 - This fixes up the PKS link used by import-dev-keys.sh to use the Ubuntu PKS (public key
server) rather than MIT's key server.
`PR 13342 - Updates Msf::Post::Linux::Kernel.pax_installed? to use /proc/self/status
`rather than /sbin/paxctl, and adds checks for paxctld, paxtest, firejail, auditd to the
`post/linux/gather/enum_protections module.
`PR 13364 - A new tool, tools/payloads/ysoserial/dot_net.rb was added. It is a command-line tool
`to generate ysoserial.net payloads for .NET deserialization attacks.
`PR 13367 - Adds enhancements to ensure that developer provided error messages are properly surfaced
`to users, which should allow users to better debug why errors are occurring.
PR 13375 - This adds a fix to the encoder/x86/unicode_mixed and encoder/x86/unicode_upper
encoders to ensure that the mandatory option BufferRegister is always set. This fixes #13372 that
was preventing users from being able to Unicode encode payloads.
PR 13380 - This fixes a typo in the description of lib/msf/core/encoder/alphanum.rb, and applies
RuboCop fixes to alphanum.rb, unicode_upper.rb and unicode_mixed.rb.
PR 13388 - This updates the sap_icm_urlscan module to use more up-to-date URLs from newer versions
of SAP. Thanks to Joris van de Vis (@kloris) for providing many of the newer SICF URLs.
`PR 13401 - This adds an auxiliary and exploit module to leverage a root key disclosure in SaltStack Salt
`and an unauthenticated RCE, CVE-2020-11651. A basic ZeroMQ library that future modules can use was
`added.
`PR 13402 - This adds the service_exists?() method to the Post::Windows::Services mixin.
`PR 13405 - This converts the SRVHOST option from type OptAddress to OptAddressLocal, allowing a
`user to specify a network interface for Metasploit servers to listen on.
PR 13416 - This adds a Reflectively Loaded Dynamic-link library (RDLL) Visual Studio project template
that allows users to more easily create RDLLs for use in their exploits. This also adds more
documentation regarding where RDLLs are meant to be placed once compiled and how to set up
Rapid7's fork of Stephen Fewer's (@stephenfewer) ReflectiveDLLInjection project so that the RDLLs can
be compiled successfully.
`PR 13422 - Updates the Linux Polkit pkexec helper PTRACE_TRACEME local root exploit module to prefer
`automatic targeting of useful Polkit helpers before falling back to a hard-coded list of helpers.
`PR 13433 - This updates msf-json-rpc to work when run from any path.
`
`New Modules
`
PR 11359 - This adds an exploit targeting an unauthenticated RCE in vulnerable Apache Shiro instances
where the rememberMe cookie is insecurely treated as a Java serialized object. This vulnerability is
identified as CVE-2016-4437.
`PR 13107 - This adds an exploit module for an unauthenticated RCE in the Kentico CMS platform
`versions 12.0.14 and earlier. An attacker can leverage a deserialization vulnerability in the Staging Service
`to execute arbitrary commands in the context of the target server process.
`PR 13200 - A new exploit for CVE-2019-0808 was added. This targets versions of Windows 7 x86 SP0
`and SP1. Successful exploitation will result in SYSTEM level privileges. Some minor screen effects may
`occur when exploiting this vulnerability, however these effects will go away when the session is closed.
PR 13260 - This adds a local exploit module for Docker Community Edition for Windows versions <=
v2.1.0.0. When executing the login functionality for Docker, Docker attempts to execute
docker-credential-wincred.exe in a directory readable/writeable to low-privileged users. Given this, prior to
executing the login functionality the docker-credential-wincred.exe file can be overwritten with a
malicious file, giving the potential for privilege escalation. This vulnerability is identified as
CVE-2019-15752.
PR 13290 - A privilege escalation module leveraging CVE-2014-2630. The vulnerability takes advantage
of inxglance-bin based on its loading of user-accessible .so files.
`PR 13300 - This adds a remote root exploit for IBM Data Risk Manager versions 2.0.3 and below. Version
`2.0.6 might also be vulnerable. The exploit covers:
`CVE-2020-4427
`CVE-2020-4428
`CVE-2020-4429
PR 13301 - This adds an arbitrary file download module for IBM Data Risk Manager versions 2.0.2 and
2.0.3. Version 2.0.6 might also be vulnerable. The exploit covers CVE-2020-4427 and CVE-2020-4429.
PR 13304 - This adds an SSH remote exploit with privilege escalation to root for IBM Data Risk Manager
versions 2.0.3 and below. Version 2.0.6 might also be vulnerable. This exploits CVE-2020-4429.
PR 13322 - This adds an exploit for CVE-2020-0668, which is a privileged file write operation. The written
file is then loaded by the Service Orchestrator as NT AUTHORITY\SYSTEM, resulting in a privileged
session.
`PR 13327 - This adds an exploit module for an unauthenticated RCE in the Veeam ONE Agent due to the
`use of insecure methods of deserializing .NET objects received over the network. This also adds a brand
new CMD stager which uses Powershell to download and execute a binary. This module exploits
CVE-2020-10915 also known as ZDI-20-546.
`PR 13353 - This adds in a module for CVE-2020-7351, an authenticated RCE in the
`endpoint_devicemap.php page of Trixbox CE devices running version 1.2.0 to 2.8.0.4 inclusive.
`Successful exploitation results in RCE as the asterisk user, however users can easily elevate their
`privileges to the root user by utilizing an outdated version of Nmap that comes installed by default on
`these devices.
`PR 13370 - This adds an exploit module for the Druva inSync client for Windows which exposes a
`network service on TCP port 6064 on the local network interface. inSync versions 6.5.2 and prior do not
`validate user-supplied program paths in RPC type 5 messages, allowing execution of arbitrary
`commands as SYSTEM.
`PR 13429 - This adds a module to exploit a Python code injection in the Netsweeper WebAdmin
`component's unixlogin.php script, for versions 6.4.4 and prior, to execute code as the root user.
`
Offline Update
`
`https://updates.metasploit.com/packages/a04d26f7594ba0d87ba15d7786c351bcd9ec5013.bin
`
`Metasploit Framework and Pro Installers
`
`https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version
`
`4.17.1
`
`Product Update
`2020-04-27
`
`Bugs Fixed
`
`Pro: MS-4920 - File imports now redirect properly to the new task when using Google Chrome browser.
PR 13266 - Rapid7 Metasploit Framework version 5.0.85 and prior suffers from an instance of CWE-78:
OS Command Injection, where the libnotify plugin accepts untrusted user-supplied data via a computer's
hostname or service name. An attacker can create a specially crafted hostname or service name to be
imported by Metasploit from a variety of sources and trigger a command injection on the operator's
terminal. Only the Metasploit Framework and products that expose the plugin system are susceptible to
this issue. This does not include Rapid7 Metasploit Pro. This vulnerability cannot be triggered through a
normal scan operation; the attacker would have to supply a file that is processed with the db_import
command.
PR 13277 - The payload gem was bumped to bring in a fix for a race condition that existed in the
filesystem library in the Java meterpreter.
PR 13282 - Unicode support was added to the search command to allow users to find entries containing
Unicode characters. This fixes bug issues reported in #13150.
`PR 13298 - The to_handler command for payloads and evasion modules now correctly sets
`ExitOnSession to false.
`
`Enhancements and Features
`
`PR 11967 - The modules/post/multi/manage/screenshare.rb module was updated to allow it to
`interact with a remote target desktop using a web browser to control the keyboard and mouse.
PR 13049 - A new exploit for CVE-2020-7350 was added. metasploit_libnotify_cmd_injection is
a command execution vulnerability through a malicious file in Rapid7's Metasploit Framework versions
prior to 5.0.86.
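The CWE-78 pattern behind CVE-2020-7350 (PR 13266 and PR 13049 above), as an added example that is not Metasploit's libnotify plugin code: an imported hostname interpolated into a shell string beside the argv form that keeps it as one literal argument, plus a hostname validator as defence in depth. The hostname is a constructed sample and `echo` stands in for the notifier binary.

```ruby
# Added example (not Metasploit code): why a hostname read from an imported
# file must never be joined into a shell command string.

# Constructed sample: a hostname carrying a shell metacharacter, as it could
# arrive in a file handed to db_import. 'echo' stands in for the notifier.
NOTIFIER = 'echo'.freeze
INJECTED_HOST = 'host01; echo INJECTED'.freeze

# Vulnerable pattern: the hostname becomes part of a string the shell parses,
# so the ';' ends the notifier command and the rest runs as a second command.
def run_unsafe(host, message)
  IO.popen(['sh', '-c', "#{NOTIFIER} #{host} #{message}"], &:read)
end

# Hardened pattern: an argv array is executed without a shell, so the
# hostname reaches the notifier as a single literal argument.
def run_safe(host, message)
  IO.popen([NOTIFIER, host, message], &:read)
end

# Defence in depth: only accept RFC 1123 style labels (letters, digits and
# hyphens, no leading or trailing hyphen, at most 63 chars per label).
HOSTNAME_RE = /\A(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\z/i

def valid_hostname?(host)
  host.length <= 253 && HOSTNAME_RE.match?(host)
end

# Hypothetical notifier entry point: validate first, then use the argv form.
def notify(host, message)
  raise ArgumentError, "rejected hostname: #{host.inspect}" unless valid_hostname?(host)
  run_safe(host, message)
end

if $PROGRAM_NAME == __FILE__
  puts run_unsafe(INJECTED_HOST, 'new host') # two lines: the injected command ran
  puts run_safe(INJECTED_HOST, 'new host')   # one line: the ';' is inert text
end
```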
PR 13140 - Payload completion support for the existing msfvenom zsh completion definition was added.
PR 13154 - Windows Meterpreter's window enumeration capabilities were enhanced to support Unicode,
display the window class, and to extract the values from password fields. It also updates the Teamviewer
password extraction module to support this technique for obtaining credentials.
PR 13193 - The module modules/exploits/windows/local/unquoted_service_path was updated
to allow you to try multiple paths, attempt longest to shortest and leave the payload on the disk.
PR 13227 - This cleans up the Ubiquiti, Cisco and Brocade config file ingestion libraries. Additionally, the
Cisco library no longer stores redundant information on disk.
`PR 13252 - A new payload type, reverse_tcp_uuid for OSX x64 systems was added. It adds support
`for displaying UUID information. This PR also updates the existing reverse_tcp stager to print out UUID
`information if requested.
`PR 13253 - Two new auxiliary modules were added. These modules exploit CVE-2020-3952. The PR also
`adds a new LDAP library which allows Metasploit to act as an LDAP client.
modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass - Bypasses LDAP
authentication in VMware vCenter Server's vmdir service to add an arbitrary administrator user.
modules/auxiliary/gather/vmware_vcenter_vmdir_ldap - Allows users to dump the
full contents of an LDAP directory from vulnerable VMware vCenter Server machines.
`PR 13256 - Recent Ruby vulns were addressed by bumping suggested versions to the latest release.
`PR 13263 - The library which generates the Python payload stager to remove whitespace was updated.
`PR 13267 - The tip command was deprecated in favor of tips, which now returns a list of all
`productivity tips.
PR 13268 - Two new productivity tips were added to the tip command to help you be more efficient.
`sessions -1 - Use sessions -1 to interact with the last opened session.
`show missing - Use show missing to view missing module options.
`PR 13311 - msftidy can now handle expected ZDI references.
`
`New Modules
`
`PR 12145 - The module modules/auxiliary/admin/http/grafana_auth_bypass was added to
`exploit a vulnerability in Grafana versions 2-5.2.2 that allows attackers to generate authentication cookies
for users whose accounts are backed by LDAP or OAuth. This vulnerability is identified as
CVE-2018-15727.
`PR 12405 - A new module, modules/post/windows/manage/execute_dotnet_assembly was added
`that allows a user to load and run a dotnet executable in memory on the remote target.
`PR 13094 - A new module, modules/exploits/linux/http/vestacp_exec was added that exploits
`CVE-2020-10808, an authenticated command injection vulnerability within the v-list-user-backups
`script of Vesta Control Panel 0.9.8-26 and prior. Successful exploitation results in remote code execution
`as the root user.
`PR 13102 - A new module, modules/exploits/linux/http/unraid_auth_bypass_exec was added
`that exploits CVE-2020-5847 and CVE-2020-5849. This exploits an authentication bypass vulnerability
`caused by an insecure whitelisting mechanism in auth_request.php and then performs remote code
`execution as root by abusing the extract function used in the template.php le.
`PR 13195 - A new module, modules/exploits/linux/http/nexus_repo_manager_el_injection
`was added that exploits CVE-2020-10199, an authenticated Java EL Injection RCE in Nexus Repository
`Manager 3.x for versions 3.21.1 and prior. Successful exploitation results in RCE as the user nexus.
PR 13208 - A new module, modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce was
added that exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer)
running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware
version 190726. This module exploits these CVEs:
CVE-2020-10882
CVE-2020-10883
CVE-2020-10884
PR 13213 - A new module, modules/exploits/multi/http/liferay_java_unmarshalling was
added that exploits CVE-2020-7961, an unauthenticated unmarshalling RCE in LifeRay Portal versions
prior to 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2. Successful exploitation results in remote code
execution as the liferay user.
PR 13215 - A new auxiliary module,
modules/auxiliary/scanner/http/limesurvey_zip_traversals that exploits two separate
authenticated directory traversal vulnerabilities in LimeSurvey, CVE-2019-9960 and CVE-2020-11455. For
versions between v4.0 and v4.1.11, the getZipFile() function allows for the download of arbitrary files
due to insufficient sanitization of the path parameter. For versions v3.15.9 and lower the
downloadZip() function enables arbitrary file downloads via the unsanitized szip parameter.
PR 13235 - A new auxiliary module,
modules/auxiliary/scanner/http/zenload_balancer_traversal was added that exploits a
directory traversal vulnerability in Zen Load Balancer v3.10.1. Local files can be downloaded by
requesting files through the filelog parameter in a GET request to index.cgi.
PR 13240 - A new exploit module, modules/exploits/unix/webapp/thinkphp_rce was added to
leverage two unauthenticated RCEs in the ThinkPHP web application identified as CVE-2018-20062 and
CVE-2019-9082. The module will automatically select the appropriate vulnerability to exploit at runtime.
`
Offline Update
`
`https://updates.metasploit.com/packages/8d4a118253d7684f8c9b391b7da91ddd0be75d20.bin
`
`Metasploit Framework and Pro Installers
`
`https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version
`
4.17.1

Product Update
2020-04-13

Bugs Fixed
`
`PR 13105 - The pattern_create, pattern_offset, and makeiplist tools now load much faster. The
`pattern tools in particular are down from 6-7 seconds to 0-1 seconds.
PR 13176 - The issue_finder.py used for finding modules without documentation, no longer lists
.pyc files or files beginning with _.
PR 13212 - This fixes several Meterpreter bugs, including a crash with stageless Windows meterpreter, a
crash handling Android wakelocks, and implements proper filesystem wildcard handling with Java
meterpreter.
`
`Enhancements and Features
`
PR 12594 - This adds a new mixin for importing useful information from Ubiquiti UniFi backup files. The
new mixin is then also used by a new auxiliary file that can ingest files collected through arbitrary means.
PR 13093 - This adds an alias of ftp_connect to connect within Exploit::Remote::Ftp. This addition
helps solve name collisions when Msf::Exploit::Remote::HttpClient and
Msf::Exploit::Remote::Ftp are included in the same module.
`PR 13141 - This adds a reverse shell payload for tclsh, a simple shell containing Tcl interpreter.
`PR 13148 - This reduces unknown commands handling from 1 second to 0.5 seconds for Android
`payloads.
PR 13155 - Updates the Metasploit Profiling tools with two new methods,
Metasploit::Framework::Profiler.record_cpu and
Metasploit::Framework::Profiler.record_memory, to allow for specific code sections to be
profiled.
`PR 13172 - This PR updates metasploit_payloads-mettle gem version to 0.5.21 to add OSX Catalina
`support.
`PR 13188 - This adds additional checks to the tools/dev/msftidy_docs.rb module documentation
`linter.
`
`New Modules
`
`PR 10579 - This adds a post module for executing SharpHound ingester and gathering the resulting les
`for consumption by BloodHound. It also adds a script for checking and up