4 min
Metasploit
Serialization Mischief in Ruby Land (CVE-2013-0156)
This afternoon a particularly scary advisory
[https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion]
was posted to the Ruby on Rails (RoR) security discussion list. The summary is
that the XML processor in RoR can be tricked into decoding the request as a YAML
document or as a Ruby Symbol, both of which can expose the application to remote
code execution or SQL injection. A gentleman by the name of Felix Wilhelm went
into detail [http://www.insinuator.net/2013/01/r
5 min
Exploits
Security Death Match: Open Source vs. Pay-for-Play Exploit Packs
In the blue corner: an open-source exploit pack. In the red corner: a
pay-for-play incumbent. As a security professional trying to defend your
enterprise against attacks, which corner do you bet on for your penetration
tests?
What's the goal of the game?
Okay, this is a loaded question, because it really depends on what your goal is.
If you are like 99% of enterprises, you'll want to protect against the biggest
and most likely risks. If you are the 1% that comprise defense contractors and
the
2 min
Metasploit
How Metasploit's 3-Step Quality Assurance Process Gives You Peace Of Mind
Metasploit exploits undergo a rigorous 3-step quality assurance process so you
have the peace of mind that exploits will work correctly and not affect
production systems on your next assignment.
Step 1: Rapid7 Code Review
Many of the Metasploit exploits are contributed by Metasploit's community of
over 175,000 users, making Metasploit the de-facto standard for exploit
development. This is a unique ecosystem that benefits all members of the
community because every Metasploit user is a “sensor”
8 min
Metasploit
New Metasploit Exploit: Crystal Reports Viewer CVE-2010-2590
In this blog post we would like to share some details about the exploit for
CVE-2010-2590 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2590],
which we released in the last Metasploit update
[/2012/12/19/weekly-metasploit-update]. This module exploits a heap-based buffer
overflow, discovered by Dmitriy Pletnev, in the
CrystalReports12.CrystalPrintControl.1 ActiveX control included in
PrintControl.dll. This control is shipped with the Crystal Reports Viewer, as
installed by default wi
3 min
Exploits
5 Tips to Ensure Safe Penetration Tests with Metasploit
Experienced penetration testers know what to look out for when testing
production systems so they don't disrupt operations. Here's our guide to ensure
smooth sailing.
Vulnerabilities are unintentional APIs
In my warped view of the world, vulnerabilities are APIs that weren't entirely
intended by the developer. They hey are also undocumented and unsupported. Some
of these vulnerabilities are exploited more reliably than others, and there are
essentially three vectors to rank them:
* Exploit s
4 min
Exploits
November Exploit Trends: Apache Killer Exploit New to List
This month was a quiet one on the Metasploit Top Ten List. Each month we compile
a list of the most searched exploit and auxiliary modules from our exploit
database [http://www.metasploit.com/modules/]. To protect user's privacy, the
statistics come from analyzing webserver logs of searches, not from monitoring
Metasploit usage.
The only new addition to the list this month is an old Apache Killer exploit.
Read on for the rest of November's exploit and auxiliary modules with commentary
by Meta
6 min
Metasploit
Abusing Windows Remote Management (WinRM) with Metasploit
Late one night at Derbycon [https://www.derbycon.com/], Mubix
[https://twitter.com/mubix] and I were discussing various techniques of mass
ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we
have any Metasploit modules for this yet?" After I got back , I began digging.
WinRM/WinRS
WinRM is a remote management service for Windows that is installed but not
enabled by default in Windows XP and higher versions, but you can install it on
older operating systems as well. Win
7 min
Exploits
New 0day Exploit: Novell ZENworks CVE-2012-4933 Vulnerability
Today, we present to you a flashy new vulnerability with a color-matching
exploit straight from our super secret R&D safe house here in Metasploit
Country. Known as CVE-2012-4933
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4933], it applies to
Novell ZENworks Asset Management 7.5, which "integrates asset inventory,
software usage, software management and contract management to provide the most
complete software asset management tool available". Following our standard
disclosure polic
1 min
Nexpose
Moving from HML (High, Medium, Low) Hell to Security Heaven – Whiteboard Wednesdays
At last check there are about 22 new vulnerabilities being published and
categorized every single day (see National Vulnerability Database web site -
http://nvd.nist.gov/). In total, the National Vulnerability Database now
contains more than 53,000 vulnerabilities. No wonder security professionals are
overwhelmed with the sheer volume of vulnerabilities in their daily practices.
At the same time, the prioritization schema that many organizations use are
quite basic and are either proprietary or
2 min
Authentication
Free Scanner for MySQL Authentication Bypass CVE-2012-2122
The MySQL authentication bypass vulnerability (CVE-2012-2122) - explained in
detail in HD Moore's blog post
[/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql] - was
the cause for much concern when it was first discovered. In response, we've
created a new vulnerability scanner for CVE-2012-2122 called ScanNow
[http://www.rapid7.com/free-security-software-downloads/MySQL-vulnerability-scanner-CVE-2012-2122.jsp]
, which enables you to check your network for vulnerability to thi
4 min
Exploits
Exploit Trends: New Microsoft and MySQL Exploits Make the Top 10
The new Metasploit exploit trends are out, where we give you a list of the top
10 most searched Metasploit exploit and auxiliary modules from our exploit
database (DB) [http://www.metasploit.com/modules/]. These stats are collected by
analyzing searches on metasploit.com in our webserver logs, not through usage of
Metasploit, which we do not track for privacy reasons.
In June 2012, we also have three new entries on the list, and seven existing
contenders. Here they are, annotated with Tod Bea
3 min
Exploits
Press F5 for root shell
As HD mentioned [/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit],
F5 has been inadvertently shipping a static ssh key that can be used to
authenticate as root on many of their BigIP devices. Shortly after the advisory,
an anonymous contributor hooked us up with the private key.
Getting down to business, here it is in action:
18:42:35 0 exploit(f5_bigip_known_privkey) > exploit
[ ] Successful login
[*] Found shell.
[*] Command shell session 3 opened ([redacted]
3 min
Metasploit
New Critical Microsoft IE Zero-Day Exploits in Metasploit
We've been noticing a lot of exploit activities against Microsoft
vulnerabilities lately. We decided to look into some of these attacks, and
released two modules for CVE-2012-1889
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889] and CVE-2012-1875
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875] within a week of
the vulnerabilities' publication for our users to test their systems. Please
note that both are very important to any organization using Windows, because one
of
5 min
Vulnerability Disclosure
CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL
Introduction
On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about
a recently patched security flaw CVE-2012-2122in the MySQL and MariaDB database
servers. This flaw was rooted in an assumption that the memcmp() function would
always return a value within the range -128 to 127 (signed character). On some
platforms and with certain optimizations enabled, this routine can return values
outside of this range, eventually causing the code that compares a hashed
password to s
4 min
Exploits
Exploit Trends: CCTV DVR Login Scanning and PHP CGI Argument Injection
Last month, we gave you a list of the top 10 most searched Metasploit exploit
and auxiliary modules from our exploit database (DB)
[https://www.rapid7.com/db/]. These stats are collected by analyzing searches on
metasploit.com in our webserver logs, not through usage of Metasploit, which we
do not track for privacy reasons.
We were curious how the list changed month over month, and now we have the first
results for May 2012. As expected, most exploits only moved around a little but
we also ha