2 min
Exploits
R7-2015-17: HP SiteScope DNS Tool Command Injection
This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection
vulnerability, made in accordance with Rapid7's disclosure policy.
Summary
Due to a problem with sanitizing user input, authenticated users of HP SiteScope
running on Windows can execute arbitrary commands on affected platforms as the
local SYSTEM account. While it is possible to set a password for the SiteScope
application administrator, this is not enforced upon installation. Therefore, in
default deployments, an
5 min
Exploits
Revisiting an Info Leak
Today an interesting tweet
[https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg
Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome
analysis on twitter lately!) came to our attention, concerning the MS15-080
[https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch:
This patch (included in MS15-080) may have been intended to stop one of the
Windows kernel bugs exploited by Hacking Team. But, after our analysis, it appears that
there is
11 min
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)
This post is a continuation of Exploiting a 64-bit browser with Flash
CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119],
where we explained how to achieve arbitrary memory read/write on a 64-bit IE
renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with
Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your
mileage may vary =)
Where we left off before, we had created an interface to work with memory by
using a corrupted
3 min
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119
Some weeks ago, on More Flash Exploits in the Framework
[/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the
flash_exploiter library, which is used by Metasploit to quickly add new Flash
exploit modules. If you read that blog entry, then you already know that
flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we
will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119
[http://www.cvedetails.com/cve/CVE-2015-5119/], which is o
1 min
Patch Tuesday
Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)
Java 8 server versions prior to u46 are susceptible to a remote unauthenticated
denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU
extensions on supported processors. AES intrinsics are enabled by default on the
Oracle JVM if the JVM detects that processor capability, which is common for
modern processors manufactured after 2010. For more on AES-NI, see the
Wikipedia article [https://en.wikipedia.org/wiki/AES_instruction_set].
This issue was tracked in the OpenJDK p
8 min
Metasploit
Wassenaar Arrangement - Frequently Asked Questions
The purpose of this post is to help answer questions about the Wassenaar
Arrangement. You can find the US proposal for implementing the Arrangement here
[https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf],
and an accompanying FAQ from the Bureau of Industry and Security (BIS) here
[http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200]. For Rapid7's
take on Wassenaar, and information on the comments we intend to submit to BIS,
please read this companion pie
2 min
Vulnerability Disclosure
Remote Coverage for MS15-034 HTTP.sys Vulnerability (CVE-2015-1635)
Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034,
which addresses CVE-2015-1635, a remote code execution vulnerability in
Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008
R2 and later. This vulnerability can be trivially exploited as a denial of
service attack by causing the infamous Blue Screen of Death (BSoD) with a
simple HTTP request [https://www.youtube.com/watch?v=BlBXREzsytc].
In order to provide better assessment of your ass
2 min
Vulnerability Disclosure
Breaking down the Logjam (vulnerability)
What is it
Disclosed on May 19, 2015, the Logjam vulnerability
[https://weakdh.org/imperfect-forward-secrecy.pdf] (CVE-2015-4000
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000]) is a flaw in
common TLS implementations that can be used to intercept secure communications.
This TLS protocol vulnerability would allow an active man-in-the-middle (MITM)
attacker to silently downgrade a TLS session to export-level Diffie-Hellman
keys. The attacker could hijack this downgraded session b
3 min
Vulnerability Disclosure
How Poisonous is VENOM (CVE-2015-3456) to your Virtual Environments?
Today CrowdStrike disclosed VENOM [http://venom.crowdstrike.com/] (Virtualized
Environment Neglected Operations Manipulation) or CVE-2015-3456
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456], a vulnerability
that could allow an attacker with access to one virtual machine to compromise
the host system and access the data of other virtual machines. It's been a few
months since we've seen a branded and logo'd vulnerability disclosure, and the
main question everyone wants to know is wh
2 min
Microsoft
A Closer Look at February 2015's Patch Tuesday
This month's Patch Tuesday covers nine security bulletins from Microsoft,
including what seems like a not-very-unusual mix of remote code execution (RCE)
vulnerabilities and security feature bypasses. However, two of these bulletins –
MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and
MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] –
require a closer look, both because of the severity of the vulnerabilities that
they address and the changes Mi
4 min
Nexpose
GHOSTbuster: How to scan just for CVE-2015-0235 and keep your historical site data
A recently discovered severe vulnerability, nicknamed GHOST, can result in
remote code execution exploits on vulnerable systems. Affected systems should be
patched and rebooted immediately. Learn more about CVE-2015-0235 and its risks
[/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed].
The Nexpose 5.12.0 content update provides coverage for the GHOST vulnerability.
Once the Nexpose 5.12.0 content update
2 min
Linux
GHOST in the Machine - Is CVE-2015-0235 another Heartbleed?
CVE-2015-0235 is a remote code execution vulnerability affecting Linux systems
using older versions of the GNU C Library (glibc versions less than 2.18). The
bug was discovered by researchers at Qualys and named GHOST in reference to the
gethostbyname function (and possibly because it makes for some nice puns).
To be clear, this is NOT the end of the Internet as we know it, nor is it further
evidence (after Stormageddon) that the end of the world is nigh. It's also not
another Heartbleed. But it
3 min
Vulnerability Disclosure
POODLE Jr.: The Revenge - How to scan for CVE-2014-8730
A severe vulnerability was disclosed in the F5 implementation of TLS 1.x that
allows incorrect padding and therefore jeopardizes the protocol's ability to
secure communications in a way similar to the POODLE vulnerability
[/2014/10/14/poodle-unleashed-understanding-the-ssl-30-vulnerability].
The Nexpose 5.11.10 update provides coverage for this vulnerability, which has
been given the identifier CVE-2014-8730
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730]. Learn more
about CVE-2
3 min
Authentication
Patch CVE-2014-6324 To Avoid A Complete Domain Rebuild When UserInsight Detects Its Exploit
On Tuesday, November 18th, Microsoft released an out-of-band security patch
affecting any Windows domain controllers that are not running in Azure. I have
not yet seen any cute graphics or buzzword names for it, so it will likely be
known as MS14-068, CVE-2014-6324, or "that Kerberos vulnerability that is being
exploited in the wild to completely take over Windows domains" because it rolls
off the tongue a little better.
There is a very informative description of the vulnerability, impact, and
5 min
Metasploit
R7-2014-18: Hikvision DVR Devices - Multiple Vulnerabilities
Rapid7 Labs has found multiple vulnerabilities in Hikvision
[https://www.hikvision.com/us-en/] DVR (Digital Video Recorder) devices such as
the DS-7204 and other models in the same product series that allow a remote
attacker to gain full control of the device. More specifically, three typical
buffer overflow vulnerabilities were discovered in Hikvision's RTSP request
handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. This blog post
serves as disclosure of the technical details for th