Posts tagged Exploits

1 min Microsoft

Cisco Enable / Privileged Exec Support

In Nexpose [https://rapid7.com/products/nexpose/] version 6.4.28, we are adding support for privileged elevation on Cisco devices through enable command for those that are running SSH version 2. A fully privileged policy scan provides more accurate information on the target's compliance status, and the ability to do so through enable password, while keeping the actual user privilege low, adds an additional layer of security for your devices. This allows our users to run fully privileged policy

3 min Microsoft

Introducing Interactive Guides

Recently, Rapid7 took a step forward to deliver insight to our customers: our vulnerability management solutions now include the ability to deliver interactive guides. Guides are step-by-step workflows, built to deliver assistance to users at the right time. Guides are concise and may be absorbed with just a few clicks. They are available anytime on-demand within the user interface, so you can quickly and easily find the information you need, as you need it, where you will be applying it. Here'

1 min Application Security

Apache Struts Vulnerability (CVE-2017-5638) Protection: Scanning with Nexpose

On March 9th, 2017 we highlighted the availability of a vulnerability check in Nexpose for CVE-2017-5638 [https://rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl] – see the full blog post describing the Apache Struts vulnerability here [/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild]. This check would be performed against the root URI of any HTTP/S endpoints discovered during a scan. On March 10th, 2017 we added an additional check that would work in conjunctio

4 min Microsoft

Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits

It is fair to say that Microsoft Office and OpenOffice are some of the most popular applications in the world. We use them for writing papers, making slides for presentations, analyzing sales or financial data, and more. This software is so important to businesses that, even in developing countries, workers that are proficient in an Office suite can make a decent living based on this skill alone. Unfortunately, high popularity for software also means more high-value targets in the eyes of an at

2 min Government

Wikileaks Releases Vault7: Our First Impressions

What follows are some first impressions on the contents of the WikiLeaks Vault7 [https://wikileaks.org/ciav7p1/] dump. I won't be addressing the legal or ethical concerns about posting classified data that can endanger the missions and goals of American intelligence organizations. I also won't be talking about whether or not the CIA should be involved in developing cyber capabilities in the first place as we have previously written [/2016/04/01/security-vs-security-rapid7-supports-strong-encrypt

9 min Exploits

12 Days of HaXmas: A Fireside Foray into a Firefox Fracas

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas [/tag/haxmas/] with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them. Towards the end of November, the Tor community was shaken up by the revelation of an previously unknown vulnerability being actively exploited against pedo^H^H^H^H Tor Browser user

3 min Nexpose

Nexpose Dimensional Data Warehouse and Reporting Data Model: What's the Difference?

The Data Warehouse Export recently [/2016/11/24/dimensional-data-warehouse-export-part-of-nexpose-646] added support for a Dimensional Model for its export schema. This provides a much more comprehensive, accessible, and scalable model of data than the previous (now referred to as "Legacy") model. The foundation for this dimensional model is the same as the Reporting Data Model, which backs the built-in reporting for SQL Query Export. So what exactly is the difference between the Reporting Data

4 min Vulnerability Disclosure

R7-2016-24, OpenNMS Stored XSS via SNMP (CVE-2016-6555, CVE-2016-6556)

Stored server cross-site scripting (XSS) vulnerabilities in the web application component of OpenNMS [https://www.opennms.org/en] via the Simple Network Management Protocol (SNMP). Authentication is not required to exploit. Credit This issue was discovered by independent researcher Matthew Kienow [https://twitter.com/hacksforprofit], and reported by Rapid7. Products Affected The following versions were tested and successfully exploited: * OpenNMS version 18.0.0 * OpenNMS version 18.0.1 Ope

13 min Vulnerability Disclosure

Multiple Disclosures for Multiple Network Management Systems, Part 2

As you may recall, back in December Rapid7 disclosed six vulnerabilities [/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that affect four different Network Management System (NMS) products, discovered by Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent researcher Matthew Kienow [https://twitter.com/hacksforprofit]. In March, Deral followed up with another pair of vulnerabilities [/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu

7 min Exploits

Bringing Home The EXTRABACON [Exploit]

by Derek Abdine & Bob Rudis [/author/bob-rudis/] (photo CC-BY-SA Kalle Gustafsson) Astute readers will no doubt remember the Shadow Brokers leak of the Equation Group exploit kits and hacking tools back in mid-August. More recently, security researchers at SilentSignal noted [https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/] that it was possible to modify the EXTRABACON exploit from the initial dump to work on newer Cisco ASA (Adaptive Security Appliance) devices, meaning that

2 min Exploits

R7-2016-19: Persistent XSS via Unescaped Parameters in Swagger-UI (CVE-2016-5682)

Parameters within a Swagger document are insecurely loaded into a browser based documentation. Persistent XSS occurs when this documentation is then hosted together on a public site. This issue was resolved in Swagger-UI 2.2.1 [https://github.com/swagger-api/swagger-ui/releases/tag/v2.2.1]. Summary One of the components used to build the interactive documentation portion of the swagger ecosystem is the Swagger-UI [https://github.com/swagger-api/swagger-ui]. This interface generates dynamic docu

1 min Public Policy

NIST 800-53 Control Mappings in SQL Query Export

In July, we added National Institute of Standards and Technology (NIST) Special Publication 800-53r4 controls mappings to version 2.0.2 of the reporting data model for SQL Query Export reports. NIST 800-53 is a publication that develops a set of security controls standards that are designed to aid organizations in protecting themselves from an array of threats. What does this mean for you? Well, now you can measure your compliance against these controls by writing SQL queries. For example, say

8 min Vulnerability Disclosure

R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)

Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the web management console, to operational command execution on the devices themselves without authentication. The issues are designated in the table below. At the time of this disclosure's publication, the vendor has indicated that all but the la

1 min Exploits

Adobe Flash CVE-2016-4171 Patch Tomorrow

Tomorrow, Adobe is expected [http://arstechnica.com/security/2016/06/critical-adobe-flash-bug-under-active-attack-currently-has-no-patch/] to release a patch for CVE-2016-4171 [https://helpx.adobe.com/security/products/flash-player/apsa16-03.html], which fixes a critical vulnerability in Flash 21.0.0.242 that Kaspersky reports is being used in active, targeted campaigns. Generally speaking, these sorts of pre-patch, zero day exploits don't see a lot of widespread use; they're too valuable to bu

2 min Exploits

Social Attacks in Web App Hacking - Investigating Findings of the DBIR

This is a guest post from Shay Chen [https://twitter.com/sectooladdict], an Information Security Researcher, Analyst, Tool Author and Speaker. The guy behind TECAPI [http://tecapi.com/public/relative-vulnerability-rating-gui.jsp] , WAVSEP [https://github.com/sectooladdict/wavsep] and WAFEP [https://sourceforge.net/projects/wafep/] benchmarks. Are social attacks that much easier to use, or is it the technology gap of exploitation engines that make social attacks more appealing? While reading t