2 min
IoT
CVE-2015-7547: Revenge of Glibc Resolvers
If you've been involved in patch frenzies for any reasonable amount of time, you
might remember last year's hullabaloo around GHOST
[/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed], a
vulnerability in glibc's gethostbyname() function. Well, another year, another
resolver bug.
gethostbyname(), meet getaddrinfo()
This time, it's an exploitable vulnerability in glibc's getaddrinfo(). Like
GHOST, this will affect loads and loads of Linux client and server applications,
and lik
2 min
Vulnerability Disclosure
R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)
While looking into the SSH key issue outlined in the ICS-CERT ISCA-15-309-01
[https://ics-cert.us-cert.gov/advisories/ICSA-15-309-01] advisory, it became
clear that the Dropbear SSH daemon did not enforce authentication, and a
possible backdoor account was discovered in the product. All results are from
analyzing and running firmware version 1322_D1.98, which was released in
response to the ICS-CERT advisory.
This issue was discovered and disclosed as part of research resulting in
Rapid7's dis
4 min
Metasploit
12 Days of HaXmas: Metasploit End of Year Wrapup
This is the seventh post in the series, "The 12 Days of HaXmas."
It's the last day of the year, which means that it's time to take a moment to
reflect on the ongoing development of the Metasploit Framework, that de facto
standard in penetration testing, and my favorite open source project around.
While the acquisition of Metasploit way back in 2009 was met with some healthy
skepticism, I think this year, it's easy to say that Rapid7's involvement with
Metasploit has been an enormously positive
4 min
Metasploit
12 Days of HaXmas: Metasploit's IoT WebApp Login Support
This is the sixth post in the series, "The Twelve Days of HaXmas."
Well, the year is coming to a close, and it's just about time for the annual
breakdown of Metasploit commit action. But before we get to that, I wanted to
take a moment to highlight the excellent work we landed in 2015 in adding new
web application login support to Metasploit. After all, who needs exploits when
your password is "public" or "admin" or "password" or any other of the very few
well-known default passwords? Maybe i
12 min
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems
Today, Rapid7 is disclosing several vulnerabilities affecting several Network
Management System (NMS) products. These issues were discovered by Deral Heiland
[https://twitter.com/percent_x] of Rapid7 and independent researcher Matthew
Kienow [https://twitter.com/hacksforprofit], and reported to vendors and CERT
for coordinated disclosure per Rapid7's disclosure policy. All together, we're
disclosing six vulnerabilities that affect four NMSs, four of which are expected
to be patched by the time o
10 min
Vulnerability Disclosure
R7-2015-22: ManageEngine Desktop Central 9 FileUploadServlet connectionId Vulnerability (CVE-2015-8249)
ManageEngine Desktop Central 9
[https://www.manageengine.com/products/desktop-central/] suffers from a
vulnerability that allows a remote attacker to upload a malicious file, and
execute it under the context of SYSTEM. Authentication is not required to
exploit this vulnerability.
In addition, the vulnerability is similar to a ZDI advisory released on May 7th,
2015, ZDI-15-180 [http://www.zerodayinitiative.com/advisories/ZDI-15-180/]. This
advisory specifically mentions computerName, and this is
2 min
Authentication
Understanding User Behavior Analytics
Hey everyone! I'm pleased to announce that we've put together another pretty fun
research report here in the not-terribly-secret overground labs here at Rapid7:
Understanding User Behavior Analytics. You can download it over here
[https://information.rapid7.com/understanding-user-behavior-analytics-report.html].
Modern enterprise breaches tend to make heavy use of misbehaving user accounts.
Not the users -- the people typing at keyboards or poking at their smartphones
-- but user accounts.
2 min
Exploits
R7-2015-17: HP SiteScope DNS Tool Command Injection
This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection
vulnerability, made in accordance with Rapid7's disclosure policy.
Summary
Due to a problem with sanitizing user input, authenticated users of HP SiteScope
running on Windows can execute arbitrary commands on affected platforms as the
local SYSTEM account. While it is possible to set a password for the SiteScope
application administrator, this is not enforced upon installation. Therefore, in
default deployments, an
2 min
Bugzilla Privileged Bug Disclosure (CVE-2015-4499)
Yesterday, PerimeterX disclosed an issue
[https://blog.perimeterx.com/bugzilla-cve-2015-4499/] in the venerable Bugzilla
bug tracker, which can allow an untrusted attacker to gain access to privileged
bug reports. This includes, of course, privately reported, but still unfixed,
security vulnerabilities. Operators of Bugzilla bug trackers which use e-mail
based permissions are strongly advised to patch today. This would be a good
place to insert a "yo dawg" joke about bugs in bugs, but I trust yo
6 min
Vulnerability Disclosure
Multiple Insecure Installation and Update Procedures for RStudio (R7-2015-10) (FIXED)
Prior to RStudio version 0.99.473, the RStudio integrated toolset for Windows is
installed and updated in an insecure manner. A remote attacker could leverage
these flaws to run arbitrary code in the context of the system Administrator by
leveraging two particular flaws in the update process, and as the RStudio user
via the third update process flaw. This advisory will discuss all three issues.
Since reporting these issues, RStudio version 0.99.473 has been released. This
version addresses all
2 min
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup: Hackers of Might and Magic
Vegas: That's a Wrap
Well, another trek out to the Nevada desert is behind us. I actually love
heading out there every year, since it gives me a chance to connect with a
sizable chunk of the Metasploit contributor community in a corporeal way. That
just fills me with warm fuzzies, so thanks to all of you who made the
pilgrimage. You, the open source security research community, are what makes
Vegas feel a lot homier than it ought to.
Speaking of community, now that we're past the Vegas Singulari
3 min
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup: T-Shirts, T-Shirts, & Some Modules
Black Hat T-Shirts!
Well, it's a week or so until DEF CON 23, and since you're all busy prepping all
your demos and presentations and panels and things, I figured I should remind
you that among all your gear, you should probably toss some clothes in your bag
before you head out the door. In case this slips your mind, though, don't sweat,
we have you covered.
Pictured at right is the winning design from the annual Metasploit T-Shirt
contest, submitted by LewisFX
[https://99designs.com/t-shirt-
3 min
Metasploit Weekly Wrapup
Weekly Metasploit WrapUp: A Wild Committer Appears!
Browser Autopwn Version 2
Hey all! If you haven't been following the Metasploit development over the last
few weeks, you know that we've been pretty busy getting Browser Autopwn Version
2 (BAPv2) out the door and into Metasploit Framework. This project was, and is,
driven by our own beloved Wei _sinn3r [https://twitter.com/_sinn3r] Chen, and
it's one of those projects around here that I'm really personally very excited
about.
If you want to jump into all the implementation details and history,
1 min
Patch Tuesday
Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)
Java 8 servers versions prior to u46 are susceptible to a remote unauthenticated
denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU
extensions on supported processors. AES intrinsics are enabled by default on the
Oracle JVM if the JVM detects that processor capability, which is common for
modern processors manufactured after 2010. For more on AES-NI, see the
Wikipedia article [https://en.wikipedia.org/wiki/AES_instruction_set].
This issue was tracked in the OpenJDK p
4 min
Vulnerability Disclosure
R7-2015-08: Accellion File Transfer Appliance Vulnerabilities (CVE-2015-2856, CVE-2015-2857)
This disclosure covers two issues discovered with the Accellion
[https://www.accellion.com/] File Transfer Appliance, a device used for secure
enterprise file transfers. Issue R7-2015-08.1 is a remote file disclosure
vulnerability, and issue R7-2015-08.2 is a remote command execution vulnerability.
Metasploit modules have been released for both issues, as of Pull Request 5694
[https://github.com/rapid7/metasploit-framework/pull/5694].
According to the vendor, both issues were addressed in version