Posts tagged Exploits

2 min Exploits

R7-2015-17: HP SiteScope DNS Tool Command Injection

This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection vulnerability, made in accordance with Rapid7's disclosure policy. Summary Due to a problem with sanitizing user input, authenticated users of HP SiteScope running on Windows can execute arbitrary commands on affected platforms as the local SYSTEM account. While it is possible to set a password for the SiteScope application administrator, this is not enforced upon installation. Therefore, in default deployments, an

5 min Exploits

Revisiting an Info Leak

Today an interesting tweet [https://twitter.com/Laughing_Mantis/status/631170614720462848] from Greg Linares [https://twitter.com/Laughing_Mantis] (who has been posting awesome analysis on twitter lately!) came to our attention, concerning the MS15-080 [https://technet.microsoft.com/en-us/library/security/ms15-080.aspx] patch: This patch (included in MS15-080) may have been intended stop one of the Window kernel bugs exploited by Hacking Team. But, after our analysis, it appears that there is

11 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)

This post is a continuation of Exploiting a 64-bit browser with Flash CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119] , where we explained how to achieve arbitrary memory read/write on a 64-bit IE renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your mileage may vary =) Where we left off before, we had created an interface to work with memory by using a corrupted

3 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119

Some weeks ago, on More Flash Exploits in the Framework [/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the flash_exploiter library, which is used by Metasploit to quickly add new Flash exploit modules. If you read that blog entry, then you already know that flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119 [http://www.cvedetails.com/cve/CVE-2015-5119/] , which is o

1 min Patch Tuesday

Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)

Java 8 servers versions prior to u46 are susceptible to a remote unauthenticated denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU extensions on supported processors. AES intrinsics are enabled by default on the Oracle JVM if the the JVM detects that processor capability, which is common for modern processors manufactured after 2010. For more on AES-NI, see the Wikipedia article [https://en.wikipedia.org/wiki/AES_instruction_set]. This issue was tracked in the OpenJDK p

8 min Metasploit

Wassenaar Arrangement - Frequently Asked Questions

The purpose of this post is to help answer questions about the Wassenaar Arrangement.  You can find the US proposal for implementing the Arrangement here [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf], and an accompanying FAQ from the Bureau of Industry and Security (BIS) here [http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200]. For Rapid7's take on Wassenaar, and information on the comments we intend to submit to BIS, please read this companion pie

2 min Vulnerability Disclosure

Remote Coverage for MS15-034 HTTP.sys Vulnerability (CVE-2015-1635)

Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034, which addresses CVE-2015-1635, a remote code execution vulnerability in Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008 R2 and later. This vulnerability can be trivially exploited as a denial of service attack by causing the infamous Blue Screen of Death (BSoD) with a simple HTTP request [https://www.youtube.com/watch?v=BlBXREzsytc]. In order to provide better assessment of your ass

2 min Vulnerability Disclosure

Breaking down the Logjam (vulnerability)

What is it Disclosed on May 19, 2015, the Logjam vulnerability [https://weakdh.org/imperfect-forward-secrecy.pdf] (CVE-2015-4000 [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000]) is a flaw in common TLS implementations that can be used to intercept secure communications. This TLS protocol vulnerability would allow an active man-in-the-middle (MITM) attacker to silently downgrade a TLS session to export-level Diffie-Hellman keys. The attacker could hijack this downgraded session b

3 min Vulnerability Disclosure

How Poisonous is VENOM (CVE-2015-3456) to your Virtual Environments?

Today CrowdStrike disclosed VENOM [http://venom.crowdstrike.com/] (Virtualized Environment Neglected Operations Manipulation) or CVE-2015-3456 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456], a vulnerability that could allow an attacker with access to one virtual machine to compromise the host system and access the data of other virtual machines. It's been a few months since we've seen a branded and logo'd vulnerability disclosure, and the main question everyone wants to know is wh

2 min Microsoft

A Closer Look at February 2015's Patch Tuesday

This month's Patch Tuesday covers nine security bulletins from Microsoft, including what seems like a not-very-unusual mix of remote code execution (RCE) vulnerabilities and security feature bypasses. However, two of these bulletins – MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] – require a closer look, both because of the severity of the vulnerabilities that they address and the changes Mi

4 min Nexpose

GHOSTbuster: How to scan just for CVE-2015-0235 and keep your historical site data

A recently discovered severe vulnerability, nicknamed GHOST, can result in remote code execution exploits on vulnerable systems. Affected systems should be patched and rebooted immediately. Learn more about [/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed] CVE-2015-0235 and its risks [/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed]. The Nexpose 5.12.0 content update provides coverage for the GHOST vulnerability. Once the Nexpose 5.12.0 content update

2 min Linux

GHOST in the Machine - Is CVE-2015-0235 another Heartbleed?

CVE-2015-0235 is a remote code execution vulnerability affecting Linux systems using older versions of the GNU C Library (glibc versions less than 2.18). The bug was discovered by researchers at Qualys and named GHOST in reference to the _gethostbyname function (and possibly because it makes for some nice puns). To be clear, this is NOT the end of the Internet as we know, nor is it further evidence (after Stormaggedon) that the end of the world is nigh. It's also not another Heartbleed. But it

3 min Vulnerability Disclosure

POODLE Jr.: The Revenge - How to scan for CVE-2014-8730

A severe vulnerability was disclosed in the F5 implementation of TLS 1.x that allows incorrect padding and therefore jeopardizes the protocol's ability to secure communications in a way similar to the POODLE vulnerability [/2014/10/14/poodle-unleashed-understanding-the-ssl-30-vulnerability]. The Nexpose 5.11.10 update provides coverage for this vulnerability, which has been given the identifier CVE-2014-8730 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730]. Learn more about CVE-2

3 min Authentication

Patch CVE-2014-6324 To Avoid A Complete Domain Rebuild When UserInsight Detects Its Exploit

On Tuesday, November 18th, Microsoft released an out-of-band security patch affecting any Windows domain controllers that are not running in Azure. I have not yet seen any cute graphics or buzzword names for it, so it will likely be known as MS14-068, CVE-2014-6324, or "that Kerberos vulnerability that is being exploited in the wild to completely take over Windows domains" because it rolls off the tongue a little better. There is a very informative description of the vulnerability, impact, and

5 min Metasploit

R7-2014-18: Hikvision DVR Devices - Multiple Vulnerabilities

Rapid7 Labs has found multiple vulnerabilities in Hikvision [https://www.hikvision.com/us-en/] DVR (Digital Video Recorder) devices such as the DS-7204 and other models in the same product series that allow a remote attacker to gain full control of the device. More specifically, three typical buffer overflow vulnerabilities were discovered in Hikvision's RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. This blog post serves as disclosure of the technical details for th