4 min
Metasploit
Serialization Mischief in Ruby Land (CVE-2013-0156)
This afternoon a particularly scary advisory
[https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion]
was posted to the Ruby on Rails (RoR) security discussion list. The summary is
that the XML processor in RoR can be tricked into decoding the request as a YAML
document or as a Ruby Symbol, both of which can expose the application to remote
code execution or SQL injection. A gentleman by the name of Felix Wilhelm went
into detail [http://www.insinuator.net/2013/01/r
1 min
Metasploit
Introducing Metasploitable 2!
Some folks may already be aware of Metasploitable, an intentionally vulnerable
virtual machine designed for training, exploit testing, and general target
practice. Unlike other vulnerable virtual machines, Metasploitable focuses on
vulnerabilities at the operating system and network services layer instead of
custom, vulnerable applications. I am happy to announce the release of
Metasploitable 2, an even better punching bag for security tools like Metasploit
[http://metasploit.com/downloads/], an
2 min
Metasploit
Scanning for Vulnerable F5 BigIPs with Metasploit
This morning Matta Consulting posted an advisory
[https://www.trustmatta.com/advisories/MATTA-2012-002.txt] for the F5 BigIP
equipment. The advisory states that certain BigIP devices contain a SSH private
key on its filesystem that is trusted for remote root access on every other
BigIP appliance. Although Matta did not provide the private key, they did
provide the public key itself:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJ T+5+Fx7wd4sQCnVn8rNqahw/x
5 min
Vulnerability Disclosure
CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL
Introduction
On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about
a recently patched security flaw CVE-2012-2122in the MySQL and MariaDB database
servers. This flaw was rooted in an assumption that the memcmp() function would
always return a value within the range -128 to 127 (signed character). On some
platforms and with certain optimizations enabled, this routine can return values
outside of this range, eventually causing the code that compares a hashed
password to s
1 min
Metasploit
Identifying IPv6 Security Risks in IPv4 Networks: Tools
This post details some of the tools used in my recent IPv6 security testing
webcast [http://information.rapid7.com/WebcastOnDemand_IPv6.html] If you have
any specific questions, please open a Discussion
[https://community.rapid7.com/community/metasploit/content?filterID=content~objecttype~objecttype%5Bthread%5D]
thread.
A minimal IPv6 toolbox:
* A Linux-based operating system [http://www.ubuntu.com/] with IPv6 support
(BSD variants are great too)
* The IPv6 Attack Toolkit [http://www.thc
5 min
Security Research: Video Conferencing Equipment Firewalls
Update: David Maldow of Human Productivity Lab wrote a response to the NYT
article that presented an industry perspective on our findings. Mythical
Videoconferencing Hackers and why we stand behind our claims.
Introduction
Today's issue of the New York Times contains an article
[https://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html]
describing the results of research I conducted over the last three months. In
short, a large portion of vid
2 min
Metasploit
More Fun with BSD-derived Telnet Daemons
In my last post [/2011/12/28/bsd-telnet-daemon-encrypt-key-id-overflow], I
discussed the recent BSD telnetd vulnerability and demonstrated the scanner
module added to the Metasploit Framework. Since then, two new exploit modules
have been released; one for FreeBSD versions 5.3 - 8.2
[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb]
and another for Red Hat Enterprise Linux 3
[https://github.com/rapid7/metasploit-framework/blob/ma
3 min
Metasploit
Fun with BSD-derived Telnet Daemons
On December 23rd, the FreeBSD security team published an advisory
[http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc] stating
that a previously unknown vulnerability in the Telnet daemon was being exploited
in the wild and that a patch had been issued. This vulnerability was interesting
for three major reasons:
1. The code in question may be over 20 years old and affects most BSD-derived
telnetd services
2. The overflow occurs in a structure with a function pointer store
4 min
Metasploit
Six Ways to Automate Metasploit
Onward
Over the last few weeks the Metasploit team at Rapid7 has engaged in an overhaul
of our development process. Our primary goals were to accelerate community
collaboration and better define the scopes of our open source projects. The
first step was to migrate all open source development to GitHub. This has
resulted in a flood of contributors and lots of greatnew features and content.
One controversial change involved removing old, buggy automation tools that
simply didn't meet the quality
3 min
Nexpose
Introducing Metasploit Community Edition!
The two-year anniversary of the Metasploit acquisition is coming up this week.
Over the last two years we added a ridiculous amount of new code to the open
source project, shipped dozens of new releases, and launched two commercial
products. We could not have done this without the full support of the security
community. In return, we wanted to share some of our commercial work with the
security community at large.
As of version 4.1 [http://www.metasploit.com/], we now include the Metasploit
1 min
Metasploit
Metasploit, Scanners, and DNS
One of the awesome things about the Metasploit Framework (and Ruby in general)
is that there is a strong focus on avoiding code duplication. This underlying
philosophy is why we can manage a million-plus line code base with a relatively
small team. In this post, I want to share a recent change which affects how
hostnames with multiple A records are processed by modules using the Scanner
mixin.
Quite of a few of the web's "major" properties, such as google.com, return
multiple IP addresses when
2 min
Morto: Another reason to secure local user accounts
A worm abusing the Remote Desktop service is making the rounds, currently named
Morto [http://www.f-secure.com/weblog/archives/00002227.html]. This worm gains
access by trying a small number of weak passwords for the local Administrator
account. After compromising the server, the worm propogates using mapped shares
and provides remote access to the worm's creator. Most public reports involve
Morto gaining access to internet-facing servers, however it is likely that once
Morto is behind a firewa
1 min
Metasploit
Metasploit Exploit Bounty - Status Update
A few weeks ago the Metasploit team announced a bounty program
[/2011/06/14/metasploit-exploit-bounty-30-exploits-500000-in-5-weeks] for a list
of 30 vulnerabilities that were still missing Metasploit exploit modules. The
results so far have been extremely positive and I wanted to take a minute to
share some of the statistics.
As of last night, there have been 27 participants in the bounty program
resulting in 10 submissions, with 5 of those already comitted to the open source
repository and t
5 min
Metasploit
Meterpreter HTTP/HTTPS Communication
The Meterpreter payload within the Metasploit Framework (and used by Metasploit
Pro) is an amazing toolkit for penetration testing and security assessments.
Combined with the Ruby API on the Framework side and you have the simplicity of
a scripting language with the power of a remote native process. These are the
things that make scripts and Post modules great and what we showcase in the
advanced post-exploit automation available today. Metasploit as a platform has
always had a concept of an est
1 min
Metasploit
Metasploit Framework Console Output Spooling
Sometimes little things can make a huge difference in usability -- the
Metasploit Framework Console is a great interface for getting things done
quickly, but so far, has been missing the capability to save command and module
output to a file. We have a lot of small hacks that makes this possible for
certain commands, such as the "-o" parameter to db_hosts and friends, but this
didn't solve the issue of module output or general console logs.
As of revision r13028 the console now supports the sp