Posts tagged Exploits

1 min Vulnerability Disclosure

On the lookout for Intel AMT CVE-2017-5689

We've had some inquiries about checks for CVE-2017-5689, a vulnerability affecting Intel AMT devices. On May 5th, 2017, we released a potential vulnerability check that can help identify assets that may be vulnerable. We initially ran into issues with trying to determine the exact version of the firmware remotely, and so a potential check was released so that you would still be able to identify devices that may be impacted by this. We didn't stop there though. As part of yesterday's Nexpose rel

1 min Microsoft

Cisco Enable / Privileged Exec Support

In Nexpose [https://www.rapid7.com/products/nexpose/] version 6.4.28, we are adding support for privilege elevation on Cisco devices through the enable command for those that are running SSH version 2. A fully privileged policy scan provides more accurate information on the target's compliance status, and the ability to do so through an enable password, while keeping the actual user privilege low, adds an additional layer of security for your devices. This allows our users to run fully privileged po

1 min Application Security

Apache Struts Vulnerability (CVE-2017-5638) Protection: Scanning with Nexpose

On March 9th, 2017 we highlighted the availability of a vulnerability check in Nexpose for CVE-2017-5638 [https://rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl] – see the full blog post describing the Apache Struts vulnerability here [/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild]. This check would be performed against the root URI of any HTTP/S endpoints discovered during a scan. On March 10th, 2017 we added an additional check that would work in conjunctio

4 min Microsoft

Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits

It is fair to say that Microsoft Office and OpenOffice are some of the most popular applications in the world. We use them for writing papers, making slides for presentations, analyzing sales or financial data, and more. This software is so important to businesses that, even in developing countries, workers that are proficient in an Office suite can make a decent living based on this skill alone. Unfortunately, high popularity for software also means more high-value targets in the eyes of an

3 min Nexpose

Nexpose Dimensional Data Warehouse and Reporting Data Model: What's the Difference?

The Data Warehouse Export recently [/2016/11/24/dimensional-data-warehouse-export-part-of-nexpose-646] added support for a Dimensional Model for its export schema. This provides a much more comprehensive, accessible, and scalable model of data than the previous (now referred to as "Legacy") model. The foundation for this dimensional model is the same as the Reporting Data Model, which backs the built-in reporting for SQL Query Export. So what exactly is the difference between the Reporting Data

4 min Vulnerability Disclosure

R7-2016-24, OpenNMS Stored XSS via SNMP (CVE-2016-6555, CVE-2016-6556)

Stored server cross-site scripting (XSS) vulnerabilities in the web application component of OpenNMS [https://www.opennms.org/en] via the Simple Network Management Protocol (SNMP). Authentication is not required to exploit. Credit: This issue was discovered by independent researcher Matthew Kienow [https://twitter.com/hacksforprofit], and reported by Rapid7. Products Affected: The following versions were tested and successfully exploited: * OpenNMS version 18.0.0 * OpenNMS version 18.0.1 Ope

13 min Vulnerability Disclosure

Multiple Disclosures for Multiple Network Management Systems, Part 2

As you may recall, back in December Rapid7 disclosed six vulnerabilities [/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that affect four different Network Management System (NMS) products, discovered by Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent researcher Matthew Kienow [https://twitter.com/hacksforprofit]. In March, Deral followed up with another pair of vulnerabilities [/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu

1 min Public Policy

NIST 800-53 Control Mappings in SQL Query Export

In July, we added National Institute of Standards and Technology (NIST) Special Publication 800-53r4 control mappings to version 2.0.2 of the reporting data model for SQL Query Export reports. NIST 800-53 is a publication that develops a set of security control standards that are designed to aid organizations in protecting themselves from an array of threats. What does this mean for you? Well, now you can measure your compliance against these controls by writing SQL queries. For example, say

8 min Vulnerability Disclosure

R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)

Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the web management console, to operational command execution on the devices themselves without authentication. The issues are designated in the table below. At the time of this disclosure's publication, the vendor has indicated that all but the la

2 min Microsoft

On Badlock for Samba (CVE-2016-2118) and Windows (CVE-2016-0128)

Today is Badlock Day. You may recall that the folks over at badlock.org [http://badlock.org/] stated about 20 days ago that April 12 would see patches for "Badlock," a serious vulnerability in the SMB/CIFS protocol that affects both Microsoft Windows and any server running Samba, an open source workalike for SMB/CIFS services. We talked about it back in our Getting Ahead of Badlock [/2016/03/30/getting-ahead-of-badlock] post, and hopefully, IT administrators have taken advantage of the pre-releas

4 min Metasploit

12 Days of HaXmas: Metasploit End of Year Wrapup

This is the seventh post in the series, "The 12 Days of HaXmas." It's the last day of the year, which means that it's time to take a moment to reflect on the ongoing development of the Metasploit Framework, that de facto standard in penetration testing, and my favorite open source project around. While the acquisition of Metasploit way back in 2009 was met with some healthy skepticism, I think this year, it's easy to say that Rapid7's involvement with Metasploit has been an enormously positive

5 min Vulnerability Disclosure

CVE-2015-7755: Juniper ScreenOS Authentication Backdoor

On December 18th, 2015 Juniper issued an advisory [https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756?language=en_US] indicating that they had discovered unauthorized code in the ScreenOS software that powers their Netscreen firewalls. This advisory covered two distinct issues: a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic and a second backdoor

3 min Exploits

What is SQL Injection?

SQL Injection [https://www.rapid7.com/fundamentals/sql-injection-attacks/] is one of the oldest and most embarrassing vulnerabilities web-enabled code faces. It is so old that there really is no excuse for only a niche of people (namely web security professionals) to understand how it works. Every time I think we've beaten this topic to death, SQL Injection finds its way back into the news. This post is my attempt to help anyone and everyone understand how it works and why it's such a persist

2 min Exploits

8 Reasons Why SQL Injection Vulnerabilities Still Exist

Knowing how to prevent a SQL injection vulnerability [https://www.rapid7.com/fundamentals/sql-injection-attacks/] is only half the web application security battle. A multitude of factors come into play when it comes to writing secure code, many of which are out of the developers' direct control. That's why common vulnerabilities like SQL injection continue to plague today's applications, and why application security testing software is so important. These problems can be overcome – with a little

2 min Exploits

R7-2015-17: HP SiteScope DNS Tool Command Injection

This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection vulnerability, made in accordance with Rapid7's disclosure policy. Summary: Due to a problem with sanitizing user input, authenticated users of HP SiteScope running on Windows can execute arbitrary commands on affected platforms as the local SYSTEM account. While it is possible to set a password for the SiteScope application administrator, this is not enforced upon installation. Therefore, in default deployments, an