Posts tagged Vulnerability Disclosure

R7-2016-06: Remote Code Execution via Swagger Parameter Injection (CVE-2016-5641)

This disclosure will address a class of vulnerabilities in a Swagger Code Generator [https://github.com/swagger-api/swagger-codegen] in which injectable parameters in a Swagger JSON or YAML file facilitate remote code execution. This vulnerability applies to NodeJS [https://nodejs.org/en/], PHP, Ruby [https://www.ruby-lang.org/en/], and Java [https://java.com/en/download/] and probably other languages as well. Other code generation tools [https://apimatic.io/] may also be vulnerable to paramete

4 min Vulnerability Disclosure

R7-2016-02: Multiple Vulnerabilities in ManageEngine OpUtils

Disclosure Summary ManageEngine OpUtils is an enterprise switch port and IP address management system. Rapid7's Deral Heiland discovered a persistent cross-site scripting (XSS) vulnerability, as well as a number of insecure direct object references. The vendor and CERT have been notified of these issues. The version tested was OpUtils 8.0, which was the most recent version at the time of initial disclosure. As of today, the current version offered by ManageEngine is OpUtils 12.0. R7-2016-02.1:

5 min IoT

R7-2016-01: Null Credential on Moxa NPort (CVE-2016-1529)

This advisory was written by the discoverer of the NPort issue, Joakim Kennedy of Rapid7, Inc. Securing legacy hardware is a difficult task, especially when the hardware is being connected in a way that was never initially intended. One way of making legacy hardware more connectable is to use serial servers. The serial server acts as a bridge and allows serial devices to communicate over TCP/IP. The device then appears on the network as a normal network-connected device. This allows for remote

2 min IoT

CVE-2015-7547: Revenge of Glibc Resolvers

If you've been involved in patch frenzies for any reasonable amount of time, you might remember last year's hullabaloo around GHOST [/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed], a vulnerability in glibc's gethostbyname() function. Well, another year, another resolver bug. gethostbyname(), meet getaddrinfo() This time, it's an exploitable vulnerability in glibc's getaddrinfo(). Like GHOST, this will affect loads and loads of Linux client and server applications, and lik

2 min Vulnerability Disclosure

R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)

While looking into the SSH key issue outlined in the ICS-CERT ISCA-15-309-01 [https://ics-cert.us-cert.gov/advisories/ICSA-15-309-01] advisory, it became clear that the Dropbear SSH daemon did not enforce authentication, and a possible backdoor account was discovered in the product. All results are from analyzing and running firmware version 1322_D1.98, which was released in response to the ICS-CERT advisory. This issue was discovered and disclosed as part of research resulting in Rapid7's dis

5 min Vulnerability Disclosure

CVE-2015-7755: Juniper ScreenOS Authentication Backdoor

On December 18th, 2015 Juniper issued an advisory [https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756?language=en_US] indicating that they had discovered unauthorized code in the ScreenOS software that powers their Netscreen firewalls. This advisory covered two distinct issues; a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic and a second backdoor

12 min Vulnerability Disclosure

Multiple Disclosures for Multiple Network Management Systems

Today, Rapid7 is disclosing several vulnerabilities affecting several Network Management System (NMS) products. These issues were discovered by Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent researcher Matthew Kienow [https://twitter.com/hacksforprofit], and reported to vendors and CERT for coordinated disclosure per Rapid7's disclosure policy. All together, we're disclosing six vulnerabilities that affect four NMSs, four of which are expected to be patched by the time o

10 min Vulnerability Disclosure

R7-2015-22: ManageEngine Desktop Central 9 FileUploadServlet connectionId Vulnerability (CVE-2015-8249)

ManageEngine Desktop Central 9 [https://www.manageengine.com/products/desktop-central/] suffers from a vulnerability that allows a remote attacker to upload a malicious file, and execute it under the context of SYSTEM. Authentication is not required to exploit this vulnerability. In addition, the vulnerability is similar to a ZDI advisory released on May 7th, 2015, ZDI-15-180 [http://www.zerodayinitiative.com/advisories/ZDI-15-180/]. This advisory specifically mentions computerName, and this is

2 min Exploits

R7-2015-17: HP SiteScope DNS Tool Command Injection

This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection vulnerability, made in accordance with Rapid7's disclosure policy. Summary Due to a problem with sanitizing user input, authenticated users of HP SiteScope running on Windows can execute arbitrary commands on affected platforms as the local SYSTEM account. While it is possible to set a password for the SiteScope application administrator, this is not enforced upon installation. Therefore, in default deployments, an

6 min Vulnerability Disclosure

Multiple Insecure Installation and Update Procedures for RStudio (R7-2015-10) (FIXED)

Prior to RStudio version 0.99.473, the RStudio integrated toolset for Windows is installed and updated in an insecure manner. A remote attacker could leverage these flaws to run arbitrary code in the context of the system Administrator by leveraging two particular flaws in the update process, and as the RStudio user via the third update process flaw. This advisory will discuss all three issues. Since reporting these issues, RStudio version 0.99.473 has been released. This version addresses all

13 min Metasploit

Using Reflective DLL Injection to exploit IE Elevation Policies

As you are probably aware, sandbox bypasses are becoming a MUST when exploiting desktop applications such as Internet Explorer. One interesting class of sandbox bypasses abuse IE's Elevation Policies. An example of this type of sandbox bypass is CVE-2015-0016 [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The vulnerability has already been analyzed by Henry Li, who published a complete description in this blog entry [http://blog.trendmicro.com/trendlabs-security-intelligence/

11 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)

This post is a continuation of Exploiting a 64-bit browser with Flash CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119] , where we explained how to achieve arbitrary memory read/write on a 64-bit IE renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your mileage may vary =) Where we left off before, we had created an interface to work with memory by using a corrupted

3 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119

Some weeks ago, on More Flash Exploits in the Framework [/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the flash_exploiter library, which is used by Metasploit to quickly add new Flash exploit modules. If you read that blog entry, then you already know that flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119 [http://www.cvedetails.com/cve/CVE-2015-5119/] , which is o

4 min Vulnerability Disclosure

R7-2015-08: Accellion File Transfer Appliance Vulnerabilities (CVE-2015-2856, CVE-2015-2857)

This disclosure covers two issues discovered with the Accellion [https://www.accellion.com/] File Transfer Appliance, a device used for secure enterprise file transfers. Issue R7-2015-08.1 is a remote file disclosure vulnerability, and issue R7-2015-08.2 is remote command execution vulnerability. Metasploit modules have been released for both issues, as of Pull Request 5694 [https://github.com/rapid7/metasploit-framework/pull/5694]. According to the vendor, both issues were addressed in version