5 min
GKsu and VirtualBox Root Command Execution by Filename (CVE-2014-2943)
Poisoning VirtualBox via Crafted Filenames
When I began researching this, I believed the vulnerability laid within
Virtualbox, but I realized this was not true after a bit. The vulnerability
being hit is actually within gksu itself. In fact, virtual box did everything
right (sort of). I do take advantage of a weakness in the way they validate
their extension packs, but the reason the vulnerability results in a root shell
is because the vulnerability is hit after gksu escalates privs to root. You
Read Full Post
4 min
Exploits
You have no SQL inj--... sorry, NoSQL injections in your application
Everyone knows about SQL injections. They are classic, first widely publicized
by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate
query string params with SQL).
But who cares? SQL injections are so ten years ago. I want to talk about a
vulnerability I hadn't run into before that I recently had a lot of fun
exploiting. It was a NoSQL injection.
The PHP application was using MongoDB, and MongoDB has a great feature
[http://www.php.net//manual/en/mongocollection.find.
Read Full Post
2 min
Exploits
Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerability
Sophos Web Protection Appliance vs 3.8.1.1 and likely prior versions was
vulnerable to both a mass assignment attack which allowed privilege escalation,
as well as a remote command execution vulnerability as root available to admin
users. ZDI details the vuln here
[http://www.zerodayinitiative.com/advisories/ZDI-14-069/].
This Metasploit module exploits both vulnerabilities in order to go from an
otherwise unprivileged authenticated user to root on the box. This is
particularly bad because this
Read Full Post
9 min
Vulnerability Disclosure
Seven FOSS Tricks and Treats (Part Two)
Adventures in FOSS Exploitation, Part Two: Exploitation
This is part two of a pair of articles about disclosing vulnerabilities in a set
of FOSS projects, see part one [/2013/10/30/seven-foss-disclosures-part-one] for
some background on these vulnerabilities in particular, and some general advice
for FOSS developers and maintainers.
A while back, I started a project to go over some of the top Sourceforge web
applications and try to write some Metasploit modules for them. In the end, I
was able
Read Full Post
2 min
Government
GestioIP Authenticated Remote Command Execution module
GestioIP is an open-source IPAM (IP Address Management) solution available on
Sourceforge, written in Perl.
There is a vulnerability in the way the ip_checkhost.cgi deals with pinging IPv6
hosts passed to it. If you pass an IPv4 address, the CGI uses a Perl library to
perform the ping and return the results to the user.
However, this library doesn't seem to support IPv6 hosts, so the developer uses
the ping6 utility to perform the ping of an IPv6 machine. The developer did
perform some validat
Read Full Post
2 min
Metasploit
Communicating and integrating with Metasploit from your Mono/.NET applications
I recently checked into github a C# library
[https://github.com/brandonprry/metasploit-sharp/] that helps allow easy
communication and integration from your Mono/.NET applications.
The library follows the same Session/Manager pattern as the Nexpose library
[https://github.com/brandonprry/nexpose-sharp] I mentioned
[/2012/01/13/communicating-and-integrating-with-nexpose-from-your-netmono-applications]
previously in the Nexpose blog. It has support for both the core Metasploit RPC
and for the Me
Read Full Post
6 min
Nexpose
Integrating Nexpose Community and Metasploit Community in Backtrack 5 R2
I recently packaged up the new Nexpose release so that Backtrack users can have
an up-to-date version of Nexpose, straight from the Backtrack repos. This seemed
like a great time to also go over installing Nexpose Community and integrating
it with the already-installed Metasploit Community.
1. Getting Started
Before we get started, I would recommend grabbing a copy of Backtrack 5 R2
64-bit. The machine you want to use will need to have at a minimum 2GB of RAM
and at least 5GB space on the hard
Read Full Post
5 min
Metasploit
Adventures in the Windows NT Registry: A step into the world of Forensics and Information Gathering
As of a few days ago [https://github.com/rapid7/metasploit-framework/pull/98],
the Metasploit Framework has full read-only access to offline registry hives.
Within Rex you will now find a Rex::Registry namespace that will allow you to
load and parse offline NT registry hives (includes Windows 2000 and up),
implemented in pure Ruby. This is a great addition to the framework because it
allows you to be sneakier and more stealthy while gathering information on a
remote computer. You no longer need
Read Full Post
2 min
Nexpose
Communicating and integrating with Nexpose from your .NET/Mono applications
Tuesday, the 17th, will be my first day with the Rapid7 crew. In the past, I
have worked a lot with C#/.NET technologies, so Chad Loder asked me to get a C#
library written for the Nexpose API. You may find the relevant code here
[https://github.com/brandonprry/nexpose-sharp].
Within the repository, you have a nexpose-sharp folder and a nexpose-client
folder. The nexpose-client folder contains a small application that consumes the
Nexpose XML API via the C# library that I have written, which re
Read Full Post