Vulnerability Disclosure
Block the POODLE's bite: How to scan for CVE-2014-3566
A severe vulnerability was disclosed in the SSL 3.0 protocol that significantly
jeopardizes the protocol's ability to secure communications. All versions of SSL
have been deprecated and its use should be avoided wherever possible. POODLE
(Padding Oracle On Downgraded Legacy Encryption) is the attack that exploits
this vulnerability and allows a hacker to potentially steal information by
altering communications between the SSL client and the server (MitM). Learn
more
about CVE-2014-3566
[/2014/10
Vulnerability Disclosure
UserInsight Gets the All-Clear for ShellShock and Helps Detect Attackers on Your Network
If you're in security, you've likely already heard about the ShellShock
vulnerability [http://www.rapid7.com/resources/bashbug.jsp] (aka Bash Bug,
CVE-2014-6271, and CVE-2014-7169). We have reviewed how ShellShock is being
exploited, and the disclosed vectors are not applicable to our UserInsight
deployment, yet we're following the security community's lead around patching
all of our systems.
In case other systems on your network have been compromised, you should be extra
vigilant about suspicio
Vulnerability Disclosure
Bash the bash bug: Here's how to scan for CVE-2014-6271 (Shellshock)
_[Edited 10:05 AM PDT, October, 2014 for the Nexpose 5.10.13 release]_
[Edited 10:05 AM PDT, September 26, 2014 for the Nexpose 5.10.11 release]
A severe vulnerability was disclosed in bash that is present on most Linux, BSD,
and Unix-like systems, including Mac OS X. The basis of this vulnerability
(nicknamed Shellshock) is that bash does not stop processing after the function
definition, leaving it vulnerable to malicious functions containing trailing
commands. Common Vulnerabilities and Exp
Exploits
You have no SQL inj--... sorry, NoSQL injections in your application
Everyone knows about SQL injections. They are classic, first widely publicized
by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate
query string params with SQL).
But who cares? SQL injections are so ten years ago. I want to talk about a
vulnerability I hadn't run into before that I recently had a lot of fun
exploiting. It was a NoSQL injection.
The PHP application was using MongoDB, and MongoDB has a great feature
[http://www.php.net//manual/en/mongocollection.find.
Exploits
Oracular Spectacular
Nexpose version 5.9.10 includes significant improvements to its Oracle Database
fingerprinting and vulnerability coverage. When configured with appropriate
database credentials, Nexpose scans can accurately identify which patches have
been applied. This post will go through the steps for setting up such a scan, as
well as discuss some of the finer details about Oracle's versioning scheme and
the terminology around their quarterly Critical Patch Update program.
Scanning Oracle Databases with Nex
Exploits
Exploiting CSRF under NoScript Conditions
CSRFs -- or Cross-Site Request Forgery
[https://www.rapid7.com/fundamentals/cross-site-request-forgery/]
vulnerabilities -- occur when a server accepts requests that can be “spoofed”
from a site running on a different domain. The attack goes something like this:
you, as the victim, are logged in to some web site, like your router
configuration page, and have a valid session token. An attacker gets you to
click on a link that sends commands to that web site on your behalf, without
your knowledge
Exploits
Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerability
Sophos Web Protection Appliance version 3.8.1.1, and likely prior versions, was
vulnerable to both a mass assignment attack that allowed privilege escalation
and a remote command execution vulnerability, running as root, available to admin
users. ZDI details the vuln here
[http://www.zerodayinitiative.com/advisories/ZDI-14-069/].
This Metasploit module exploits both vulnerabilities in order to go from an
otherwise unprivileged authenticated user to root on the box. This is
particularly bad because this
Exploits
Metasploit's Brand New Heartbleed Scanner Module (CVE-2014-0160)
Is the Internet down? Metasploit publishes module for Heartbleed
If you read this blog at all regularly, you're quite likely the sort of Internet
citizen who has heard about the Heartbleed attack and grasps how serious this bug
is. Suffice it to say that it's a Big Deal -- one of those once-a-year bugs
that kicks everyone in security into action. OpenSSL underpins much of the
security of the Internet, so widespread bugs in these critical libraries affect
everyone.
The subsequently published
Exploits
"Hack Away at the Unessential" with ExpLib2 in Metasploit
This blog post was jointly written by Wei sinn3r [https://twitter.com/_sinn3r]
Chen and Juan Vazquez [https://twitter.com/_juan_vazquez_]
Memory corruption exploitation is not what it used to be. With modern mitigations
in place, such as GS, SafeSEH, SEHOP, DEP, ASLR/FASLR, EAF+, ASR, VTable guards,
memory randomization, sealed optimization, etc., exploit development has
become much more complicated. It definitely shows when you see researchers
jumping through hoops like reverse-engineering
Apple
Metasploit Weekly Update: There's a Bug In Your Brain
Running Malicious Code in Safari
The most fun module this week, in my humble opinion, is from Rapid7's own
Javascript Dementor, Joe Vennix [https://twitter.com/joevennix]. Joe wrote up
this crafty implementation of a Safari User-Assisted Download and Run Attack
[http://www.metasploit.com/modules/exploit/osx/browser/safari_user_assisted_download_launch],
which is not technically a vulnerability or a bug or anything -- it's a
feature that ends up being a kind of a huge risk. Here's how it goes:
Exploits
Metasploit Weekly Update: Video Chat, Meterpreter Building, and a Fresh MediaWiki Exploit
"It's Like Chat Roulette for Hackers"
The coolest thing this week... wait, let me start again.
The coolest thing this year is Wei sinn3r [https://twitter.com/_sinn3r] Chen's
brand new amazesauce, humbly named webcam_chat. I know he just posted all about
it [/2014/02/18/lets-talk-about-your-security-breach-with-metasploit-literally]
yesterday, but I just want to reiterate how useful and hilarious this piece of
post-exploit kit really is.
First off, it's entirely peer-to-peer. The communicati
Exploits
Weekly Metasploit Update: Feb. 13, 2014
Android WebView Exploit, 70% Devices Vulnerable
This week, the biggest news I think we have is the release this week of Joe
Vennix and Josh @jduck Drake's hot new/old Android WebView exploit. I've been
running it for the last day or so out on the Internet, with attractive posters
around the Rapid7 offices (as seen here) in an attempt to pwn something good.
I've popped a couple shells, I guess I didn't make my QR Code attractive enough.
Seriously, though, this vulnerability is kind of a huge d
Exploits
Weekly Metasploit Update: Arbitrary Driver Loading & Win a WiFi Pineapple
Wow, I don't know about you, kind reader, but I'm just about blogged out after
that 12 Days of HaXmas sprint. I'll try to keep this update short and sweet.
Arbitrary Driver Loading
This week's update includes a delightful new post module for managing a
compromised target, the Windows Manage Driver Loader by longtime Metasploit
community contributor Borja Merino. If you, as a penetration tester, pop a box
and gain administrator rights (or elevate yourself there using any of the
several strateg
Metasploit
Bypassing Adobe Reader Sandbox with Methods Used In The Wild
Recently, FireEye identified and shared information
[http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html]
about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP
SP3 systems. The vulnerabilities are:
* CVE-2013-3346 [http://cvedetails.com/cve/CVE-2013-3346]: A use-after-free in
Adobe Reader, specifically in the handling of a ToolButton object, which can
be exploited through document's Java
Exploits
Metasploit Weekly Update: Adobe Reader Exploit and Post-Exploitation YouTube Broadcasting
New Adobe Reader ROP Gadgets
This week, Juan Vazquez [https://twitter.com/_juan_vazquez_] put together a neat
one-two exploit punch that involves a somewhat recent Adobe Reader vulnerability
(disclosed back in mid-May) and a sandbox escape via an OS privilege escalation
bug. I won't give away the surprise there -- he'll have a blog post about it up
in a few hours. Part of the work, though, resulted in some new entries in
Metasploit's RopDB, specifically for Adobe Reader versions 9, 10, and 11.