4 min
Vulnerability Disclosure
R7-2016-24, OpenNMS Stored XSS via SNMP (CVE-2016-6555, CVE-2016-6556)
Stored server cross-site scripting (XSS) vulnerabilities in the web application
component of OpenNMS [https://www.opennms.org/en] via the Simple Network
Management Protocol (SNMP). Authentication is not required to exploit.
Credit
This issue was discovered by independent researcher Matthew Kienow
[https://twitter.com/hacksforprofit], and reported by Rapid7.
Products Affected
The following versions were tested and successfully exploited:
* OpenNMS version 18.0.0
* OpenNMS version 18.0.1
Ope
7 min
Vulnerability Disclosure
R7-2016-07: Multiple Vulnerabilities in Animas OneTouch Ping Insulin Pump
Today we are announcing three vulnerabilities in the Animas OneTouch Ping
insulin pump system, a popular pump with a blood glucose meter that serves as
a remote control via RF communication. Before we get into the technical details,
we want to flag that we believe the risk of wide scale exploitation of these
insulin pump vulnerabilities is relatively low, and we don't believe this is
cause for panic. We recommend that users of the devices consult their healthcare
providers before making major
13 min
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems, Part 2
As you may recall, back in December Rapid7 disclosed six vulnerabilities
[/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that
affect four different Network Management System (NMS) products, discovered by
Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent
researcher Matthew Kienow [https://twitter.com/hacksforprofit]. In March, Deral
followed up with another pair of vulnerabilities
[/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu
2 min
Vulnerability Disclosure
R7-2016-08: Seeking Alpha Mobile App Unencrypted Sensitive Information Disclosure
Due to a lack of encryption in communication with the associated web services,
the Seeking Alpha [http://seekingalpha.com] mobile application for Android and
iPhone leaks personally identifiable and confidential information, including the
username and password to the associated account, lists of user-selected stock
ticker symbols and associated positions, and HTTP cookies.
Credit
Discovered by Derek Abdine (@dabdine [https://twitter.com/dabdine]) of Rapid7,
Inc., and disclosed in accordance wit
5 min
Vulnerability Disclosure
R7-2016-06: Remote Code Execution via Swagger Parameter Injection (CVE-2016-5641)
This disclosure will address a class of vulnerabilities in a Swagger Code
Generator [https://github.com/swagger-api/swagger-codegen] in which injectable
parameters in a Swagger JSON or YAML file facilitate remote code execution. This
vulnerability applies to NodeJS [https://nodejs.org/en/], PHP, Ruby
[https://www.ruby-lang.org/en/], and Java [https://java.com/en/download/] and
probably other languages as well. Other code generation tools
[https://apimatic.io/] may also be vulnerable to paramete
4 min
Vulnerability Disclosure
R7-2016-02: Multiple Vulnerabilities in ManageEngine OpUtils
Disclosure Summary
ManageEngine OpUtils is an enterprise switch port and IP address management
system. Rapid7's Deral Heiland discovered a persistent cross-site scripting
(XSS) vulnerability, as well as a number of insecure direct object references.
The vendor and CERT have been notified of these issues. The version tested was
OpUtils 8.0, which was the most recent version at the time of initial
disclosure. As of today, the current version offered by ManageEngine is OpUtils
12.0.
R7-2016-02.1:
5 min
IoT
R7-2016-01: Null Credential on Moxa NPort (CVE-2016-1529)
This advisory was written by the discoverer of the NPort issue, Joakim Kennedy
of Rapid7, Inc.
Securing legacy hardware is a difficult task, especially when the hardware is
being connected in a way that was never initially intended. One way of making
legacy hardware more connectable is to use serial servers. The serial server
acts as a bridge and allows serial devices to communicate over TCP/IP. The
device then appears on the network as a normal network-connected device. This
allows for remote
2 min
Vulnerability Disclosure
R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)
While looking into the SSH key issue outlined in the ICS-CERT ICSA-15-309-01
[https://ics-cert.us-cert.gov/advisories/ICSA-15-309-01] advisory, it became
clear that the Dropbear SSH daemon did not enforce authentication, and a
possible backdoor account was discovered in the product. All results are from
analyzing and running firmware version 1322_D1.98, which was released in
response to the ICS-CERT advisory.
This issue was discovered and disclosed as part of research resulting in
Rapid7's dis
12 min
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems
Today, Rapid7 is disclosing several vulnerabilities affecting several Network
Management System (NMS) products. These issues were discovered by Deral Heiland
[https://twitter.com/percent_x] of Rapid7 and independent researcher Matthew
Kienow [https://twitter.com/hacksforprofit], and reported to vendors and CERT
for coordinated disclosure per Rapid7's disclosure policy. Altogether, we're
disclosing six vulnerabilities that affect four NMSs, four of which are expected
to be patched by the time o
10 min
Vulnerability Disclosure
R7-2015-22: ManageEngine Desktop Central 9 FileUploadServlet connectionId Vulnerability (CVE-2015-8249)
ManageEngine Desktop Central 9
[https://www.manageengine.com/products/desktop-central/] suffers from a
vulnerability that allows a remote attacker to upload a malicious file, and
execute it under the context of SYSTEM. Authentication is not required to
exploit this vulnerability.
In addition, the vulnerability is similar to a ZDI advisory released on May 7th,
2015, ZDI-15-180 [http://www.zerodayinitiative.com/advisories/ZDI-15-180/]. This
advisory specifically mentions computerName, and this is
2 min
Exploits
R7-2015-17: HP SiteScope DNS Tool Command Injection
This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection
vulnerability, made in accordance with Rapid7's disclosure policy.
Summary
Due to a problem with sanitizing user input, authenticated users of HP SiteScope
running on Windows can execute arbitrary commands on affected platforms as the
local SYSTEM account. While it is possible to set a password for the SiteScope
application administrator, this is not enforced upon installation. Therefore, in
default deployments, an
6 min
Vulnerability Disclosure
Multiple Insecure Installation and Update Procedures for RStudio (R7-2015-10) (FIXED)
Prior to RStudio version 0.99.473, the RStudio integrated toolset for Windows is
installed and updated in an insecure manner. A remote attacker could leverage
these flaws to run arbitrary code in the context of the system Administrator by
leveraging two particular flaws in the update process, and as the RStudio user
via the third update process flaw. This advisory will discuss all three issues.
Since reporting these issues, RStudio version 0.99.473 has been released. This
version addresses all
4 min
Vulnerability Disclosure
R7-2015-08: Accellion File Transfer Appliance Vulnerabilities (CVE-2015-2856, CVE-2015-2857)
This disclosure covers two issues discovered with the Accellion
[https://www.accellion.com/] File Transfer Appliance, a device used for secure
enterprise file transfers. Issue R7-2015-08.1 is a remote file disclosure
vulnerability, and issue R7-2015-08.2 is a remote command execution vulnerability.
Metasploit modules have been released for both issues, as of Pull Request 5694
[https://github.com/rapid7/metasploit-framework/pull/5694].
According to the vendor, both issues were addressed in version
2 min
Android
R7-2015-02: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)
Vulnerability Summary
Due to a lack of complete coverage for X-Frame-Options
[https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options] (XFO)
support on Google's Play Store [https://play.google.com/] web application
domain, a malicious user can leverage either a Cross-Site Scripting (XSS)
vulnerability in a particular area of the Google Play Store web application, or
a Universal XSS (UXSS) targeting affected browsers, to remotely install and
launch the main intent of an arbitrary Play S
3 min
Vulnerability Disclosure
R7-2014-15: GNU Wget FTP Symlink Arbitrary Filesystem Access
Introduction
GNU Wget is a command-line utility designed to download files via HTTP, HTTPS,
and FTP. Wget versions prior to 1.16 are vulnerable to a symlink attack
(CVE-2014-4877) when running in recursive mode with an FTP target. This
vulnerability allows an attacker operating a malicious FTP server to create
arbitrary files, directories, and symlinks on the user's filesystem. The symlink
attack allows file contents to be overwritten, including binary files, and
access to the entire filesystem wit