Posts tagged Exploits

4 min Metasploit

Metasploit Wrap-Up

Now I Control Your Resource Planning Servers
Sage X3 is a resource planning product designed by Sage Group to help established businesses plan out their business operations. But what if you wanted to do more than just manage resources? What if you wanted to hijack the resource server itself? Well wait no more, as thanks to the work of Aaron Herndon [https://www.linkedin.com/in/aaron-herndon-54079b5a/], Jonathan Peterson [https://www.linkedin.com/in/jonathan-p-004b76a1/], Will

3 min Metasploit

Metasploit Wrap-Up

New Emby version scanner, IPFire authenticated RCE, HashiCorp Nomad RCE, Microsoft SharePoint unsafe control and ViewState RCE.

3 min Metasploit

Metasploit Wrap-Up

NSClient++
Community contributor Yann Castel has contributed an exploit module for NSClient++ which targets an authenticated command execution vulnerability. Users that are able to authenticate to the service as admin can leverage the external scripts feature to execute commands with SYSTEM level privileges. This allows the underlying server to be compromised. Castel is also working on another exploit module for NSClient++ which happens to be a local privilege escalation so stay tuned for more N

3 min Vulnerability Management

BlueKeep Exploits May Be Coming: Our Observations and Recommendations

Rapid7 Labs has observed a significant uptick in malicious RDP activity since the release of CVE-2019-0708 (aka “BlueKeep”).

12 min Exploits

Stack-Based Buffer Overflow Attacks: Explained and Examples

Stack-based buffer overflow exploits are likely the shiniest and most common form of exploit for remotely taking over the code execution of a process.

5 min Exploits

macOS Keychain Security: What You Need To Know

If you follow the infosec twitterverse or have been keeping an eye on macOS news sites, you’ve likely seen a tweet [https://twitter.com/patrickwardle/status/912254053849079808] (with accompanying video) from Patrick Wardle (@patrickwardle [https://twitter.com/patrickwardle]) that purports to demonstrate dumping and exfiltration of something called the “keychain” without an associated privilege escalation prompt. Patrick also has a more in-depth Q&A blog post [https://www.patreon.com/posts/14556

3 min Vulnerability Disclosure

R7-2017-06 | CVE-2017-5241: Biscom SFT XSS (FIXED)

Summary
The Workspaces component of Biscom Secure File Transfer (SFT) version 5.1.1015 is vulnerable to stored cross-site scripting in two fields. An attacker would need to have the ability to create a Workspace and entice a victim to visit the malicious page in order to run malicious JavaScript in the context of the victim's browser. Since the victim is necessarily authenticated, this can allow the attacker to perform actions on the Biscom Secure File Transfer instance on the victim's behalf.

4 min Linux

Patching CVE-2017-7494 in Samba: It's the Circle of Life

With the scent of scorched internet still lingering in the air from the WannaCry Ransomworm [http://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained], today we see a new scary-and-potentially-incendiary bug hitting the Twitter news. The vulnerability - CVE-2017-7494 [https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2017-7494] - affects versions 3.5 (released March 1, 2010) and onwards of Samba, the de facto standard for providing Wind

2 min Nexpose

Samba CVE-2017-7494: Scanning and Remediating in InsightVM and Nexpose

Just when you'd finished wiping away your WannaCry [/2017/05/12/wanna-decryptor-wncry-ransomware-explained] tears, the interwebs dropped another bombshell: a nasty Samba vulnerability, CVE-2017-7494 [https://www.rapid7.com/db/vulnerabilities/samba-cve-2017-7494] (no snazzy name as of the publishing of this blog, but hopefully something with a Lion King reference will be created soon). As with WannaCry, we wanted to keep this simple. First, check out Jen Ellis's overview of the Samba vulnerabil

1 min Vulnerability Disclosure

On the lookout for Intel AMT CVE-2017-5689

We've had some inquiries about checks for CVE-2017-5689, a vulnerability affecting Intel AMT devices. On May 5th, 2017, we released a potential vulnerability check that can help identify assets that may be vulnerable. We initially ran into issues with trying to determine the exact version of the firmware remotely, and so a potential check was released so that you would still be able to identify devices that may be impacted by this. We didn't stop there though. As part of yesterday's Nexpose rel

1 min Microsoft

Cisco Enable / Privileged Exec Support

In Nexpose [https://rapid7.com/products/nexpose/] version 6.4.28, we are adding support for privilege elevation on Cisco devices through the enable command for those that are running SSH version 2. A fully privileged policy scan provides more accurate information on the target's compliance status, and the ability to do so through the enable password, while keeping the actual user privilege low, adds an additional layer of security for your devices. This allows our users to run fully privileged policy

3 min Microsoft

Introducing Interactive Guides

Recently, Rapid7 took a step forward to deliver insight to our customers: our vulnerability management solutions now include the ability to deliver interactive guides. Guides are step-by-step workflows, built to deliver assistance to users at the right time. Guides are concise and may be absorbed with just a few clicks. They are available anytime on-demand within the user interface, so you can quickly and easily find the information you need, as you need it, where you will be applying it. Here'

1 min Application Security

Apache Struts Vulnerability (CVE-2017-5638) Protection: Scanning with Nexpose

On March 9th, 2017 we highlighted the availability of a vulnerability check in Nexpose for CVE-2017-5638 [https://rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl] – see the full blog post describing the Apache Struts vulnerability here [/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild]. This check would be performed against the root URI of any HTTP/S endpoints discovered during a scan. On March 10th, 2017 we added an additional check that would work in conjunctio

4 min Microsoft

Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits

It is fair to say that Microsoft Office and OpenOffice are some of the most popular applications in the world. We use them for writing papers, making slides for presentations, analyzing sales or financial data, and more. This software is so important to businesses that, even in developing countries, workers that are proficient in an Office suite can make a decent living based on this skill alone. Unfortunately, high popularity for software also means more high-value targets in the eyes of an at

2 min Government

Wikileaks Releases Vault7: Our First Impressions

What follows are some first impressions on the contents of the WikiLeaks Vault7 [https://wikileaks.org/ciav7p1/] dump. I won't be addressing the legal or ethical concerns about posting classified data that can endanger the missions and goals of American intelligence organizations. I also won't be talking about whether or not the CIA should be involved in developing cyber capabilities in the first place as we have previously written [/2016/04/01/security-vs-security-rapid7-supports-strong-encrypt