Metasploit Weekly Wrap-Up 03/01/2024

Connect the dots from authentication bypass to remote code execution


This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in ConnectWise ScreenConnect to achieve remote code execution. This vulnerability, CVE-2024-1709, affects all versions of ConnectWise ScreenConnect up to and including 23.9.7. The module creates a new administrator user account on the server, then uses it to upload a malicious extension (.ashx file) and gain code execution as the NT AUTHORITY\SYSTEM user on Windows or the root user on Linux, depending on the target platform.
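For defenders triaging this chain, two facts in the paragraph above are directly checkable: the affected version range (up to and including 23.9.7) and the fact that the payload arrives as an .ashx extension file. The script below is an added example, not Metasploit's or ConnectWise's code: it compares an installed version against the affected range and flags .ashx handlers that appeared after a known-good baseline. The extensions directory path and the sample inventory are constructed assumptions for illustration.

```python
"""Added defender-side triage helpers for the ScreenConnect authentication
bypass described above (CVE-2024-1709). Example code, not Metasploit's or
ConnectWise's own.

Grounded in the wrap-up text: affected versions are <= 23.9.7, and the
exploit chain uploads a malicious extension as an .ashx file after creating
an admin account. Directory layout and sample inventory are constructed
assumptions.
"""
from __future__ import annotations

import os
from pathlib import Path
from typing import Iterable

# Last affected version, from the wrap-up text ("up to and including 23.9.7").
AFFECTED_MAX = (23, 9, 7)


def parse_version(v: str) -> tuple[int, ...]:
    """'23.9.7' -> (23, 9, 7); a trailing build number such as '23.9.7.8804'
    is accepted as a fourth component."""
    parts = []
    for p in v.strip().split("."):
        if not p.isdigit():
            raise ValueError(f"non-numeric version component: {p!r}")
        parts.append(int(p))
    return tuple(parts)


def is_vulnerable_version(v: str) -> bool:
    """True when major.minor.patch is <= 23.9.7 (inclusive)."""
    ver = parse_version(v)
    ver3 = (ver + (0, 0, 0))[:3]  # pad short versions, ignore build digits
    return ver3 <= AFFECTED_MAX


def flag_new_ashx(entries: Iterable[tuple[str, float]], baseline_epoch: float) -> list[str]:
    """Pure check: return paths ending in .ashx whose mtime is after the baseline.

    `entries` is an iterable of (path, mtime_epoch) pairs so the same logic can
    run over a collected inventory or a live directory walk.
    """
    hits = [
        p for p, mtime in entries
        if p.lower().endswith(".ashx") and mtime > baseline_epoch
    ]
    return sorted(hits)


def scan_extensions_dir(ext_dir: str | os.PathLike, baseline_epoch: float) -> list[str]:
    """Walk an extensions directory (the path is an assumption; set it for your
    install) and apply flag_new_ashx to every regular file found."""
    root = Path(ext_dir)
    if not root.is_dir():
        return []
    inventory = ((str(p), p.stat().st_mtime) for p in root.rglob("*") if p.is_file())
    return flag_new_ashx(inventory, baseline_epoch)


if __name__ == "__main__":
    # Constructed sample inventory: one handler older than the baseline and
    # one that appeared after it. Paths and times are made up for the demo.
    baseline = 1_708_000_000.0
    sample = [
        ("/opt/screenconnect/App_Extensions/stock/Service.ashx", baseline - 86_400),
        ("/opt/screenconnect/App_Extensions/abcd/unknown_handler.ashx", baseline + 3_600),
        ("/opt/screenconnect/App_Extensions/abcd/readme.txt", baseline + 3_600),
    ]
    for v in ("23.9.7", "23.9.8", "22.1.0"):
        print(f"{v}: {'affected' if is_vulnerable_version(v) else 'not affected'}")
    print("new .ashx handlers:", flag_new_ashx(sample, baseline))
```

The version check pads short strings and ignores a fourth build component, so "23.9" and "23.9.7.8804" both compare as 23.9.7 or earlier; the .ashx check is split into a pure function over (path, mtime) pairs so it can be run against an inventory exported from many hosts, not only a local directory walk.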


New module content (1)


ConnectWise ScreenConnect Unauthenticated Remote Code Execution


Authors: WatchTowr and sfewer-r7
Type: Exploit
Pull request: #18870 contributed by sfewer-r7
Path: multi/http/connectwise_screenconnect_rce_cve_2024_1709


Description: This PR adds an unauthenticated RCE exploit for ConnectWise ScreenConnect (CVE-2024-1709).


Enhancements and features (8)


#18830 from sjanusz-r7 - Aligns the behavior of the MSSQL, PostgreSQL, and MySQL sessions. This functionality is currently behind a feature flag enabled with the features command.
#18833 from zeroSteiner - This catches an exception when updating a non-existing session. Prior to this PR, trying to run 'sessions -k' after running 'workspace -D' would result in a stack trace being printed to the console. This resolves issue #18561.
#18849 from adfoster-r7