Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation
Title: Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation
Advisory ID: ZSL-2020-5587
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 06.09.2020
Microsoft Windows Server 2016 Standard, x64-based PC
[07.08.2020] Vendor contacted.
[10.08.2020] Vendor answered and started investigating the issue.
[26.08.2020] Vendor communicated that they are actively working on solving the issue.
[02.09.2020] Vendor releases version 6.6.40 to address this issue.
[03.09.2020] Vendor communicated that the patch has been released and that the CVE-2020-7382 was reserved.
[06.09.2020] Coordinated public security advisory released.
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7382
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-7382
[4] https://packetstormsecurity.com/files/159167
[5] https://www.exploit-db.com/exploits/48808
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/188245
[7] https://cxsecurity.com/issue/WLB-2020090039
[8] https://packetstormsecurity.com/files/159078
[19.09.2020] - Added reference [4], [5], [6], [7] and [8]
Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2020-5587
Type: Local
Impact: Privilege Escalation
Risk: (2/5)
Release Date: 06.09.2020
Summary
Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation.Description
Rapid7 Nexpose installer version prior to 6.6.40 uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path, allowing local privilege escalation.Vendor
Rapid7 - https://www.rapid7.comAffected Version
<=6.6.39Tested On
Microsoft Windows 10 Enterprise, x64-based PCMicrosoft Windows Server 2016 Standard, x64-based PC
Vendor Status
[07.08.2020] Vulnerability discovered.[07.08.2020] Vendor contacted.
[10.08.2020] Vendor answered and started investigating the issue.
[26.08.2020] Vendor communicated that they are actively working on solving the issue.
[02.09.2020] Vendor releases version 6.6.40 to address this issue.
[03.09.2020] Vendor communicated that the patch has been released and that the CVE-2020-7382 was reserved.
[06.09.2020] Coordinated public security advisory released.
PoC
nexpose_eop.txtCredits
Vulnerability discovered by Angelo D'Amato - <angelo@zeroscience.mk>References
[1] https://help.rapid7.com/insightvm/en-us/release-notes/index.html?pid=6.6.40[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7382
[3] https://nvd.nist.gov/vuln/detail/CVE-2020-7382
[4] https://packetstormsecurity.com/files/159167
[5] https://www.exploit-db.com/exploits/48808
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/188245
[7] https://cxsecurity.com/issue/WLB-2020090039
[8] https://packetstormsecurity.com/files/159078
Changelog
[06.09.2020] - Initial release[19.09.2020] - Added reference [4], [5], [6], [7] and [8]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk