Posts tagged Exploits

3 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119

Some weeks ago, on More Flash Exploits in the Framework [/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the flash_exploiter library, which is used by Metasploit to quickly add new Flash exploit modules. If you read that blog entry, then you already know that flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119 [http://www.cvedetails.com/cve/CVE-2015-5119/] , which is o

2 min Phishing

Top 3 Takeaways from the "Storming the Breach, Part 1: Initial Infection Vector" Webcast

In the recent Rapid7 webcast, “Storming the Breach, Part 1: Initial Infection Vector [https://information.rapid7.com/storming-the-breach-part-1-initial-infection-vector.html?CS=blog] ”, Incident Response experts Wade Woolwine [/author/wade-woolwine] and Mike Scutt had a technical discussion on investigation methodologies for the 3 most common breach scenarios: spear phishing, browser exploitation, and web server compromise. Their discussion was packed with details and expert tips for investigati

2 min Patch Tuesday

R7-2015-09: Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)

Java 8 servers versions prior to u46 are susceptible to a remote unauthenticated denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU extensions on supported processors. AES intrinsics are enabled by default on the Oracle JVM if the the JVM detects that processor capability, which is common for modern processors manufactured after 2010. For more on AES-NI, see the Wikipedia article [http://en.wikipedia.org/wiki/AES_instruction_set]. This issue was tracked in the OpenJDK pu

2 min Exploits

Weekly Metasploit Wrapup: Meterpretersauce

When You Wish Upon A Shell Back in February we ran a survey [/2015/03/26/meterpreter-2015-you-spoke-we-listened] to figure out where you, the savvy penetration tester, would like to see Meterpreter go. As a result, we now have the Meterpreter Wishlist [https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Wishlist], and have been working steadily off of that for the last few months. As of this week, we have a pile of accomplishments taken off the wishlist and committed as working cod

5 min Metasploit

Safely Dumping Domain Hashes, with Meterpreter

UPDATE: It has been pointed out that there is prior work worth noting. This blog post [http://www.dcortesi.com/blog/2005/03/22/using-shadow-copies-to-steal-the-sam/] by Damon Cortesi [https://twitter.com/dacort] talked about using Volume Shadow Copy to get the SAM file back in 2005. As with all things in our Industry, we stand on the shoulders of those who came before us. We would certainly not want to take away from anyone else's previous work and accomplishments. Dumping the stored password

8 min Metasploit

Wassenaar Arrangement - Frequently Asked Questions

The purpose of this post is to help answer questions about the Wassenaar Arrangement.  You can find the US proposal for implementing the Arrangement here [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf], and an accompanying FAQ from the Bureau of Industry and Security (BIS) here [http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200]. For Rapid7's take on Wassenaar, and information on the comments we intend to submit to BIS, please read this companion pie

7 min Metasploit

Response to the US Proposal for Implementing the Wassenaar Arrangement Export Controls for Intrusion Software

On May 20th 2015, the Bureau of Industry and Security (BIS) published its proposal [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf] for implementing new export controls under the Wassenaar Arrangement. These controls would apply to: * systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; * software specially designed or modified for the development or production of suc

2 min Vulnerability Disclosure

Remote Coverage for MS15-034 HTTP.sys Vulnerability (CVE-2015-1635)

Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034, which addresses CVE-2015-1635, a remote code execution vulnerability in Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008 R2 and later. This vulnerability can be trivially exploited as a denial of service attack by causing the infamous Blue Screen of Death (BSoD) with a simple HTTP request [https://www.youtube.com/watch?v=BlBXREzsytc]. In order to provide better assessment of your ass

3 min AppSpider

Security Testing Complex Workflows, Not So Complex Anymore

Conducting web application security testing [http://www.rapid7.com/products/appspider/]for complex workflows can be a real pain. In order to find vulnerabilities, valid test data must be passed through exactly as the workflow prescribes. Most web application security testing scanners aren't up for the job, so security testers must supplement their scans with manual testing. If your organization has just a couple applications that aren't changing, then manual testing may not be a big deal, but t

4 min AppSpider

Modernize Your Application Security Scanning in Four Easy Steps

You've built modern mobile and rich internet applications (RIAs) that are sure to improve your business' next major revenue stream. Conscious of security, you've ensured that the native application authenticates to the server, and you've run the app through a web application security scanner to identify weaknesses in the code. Those vulnerabilities have been remediated, and now you're ready to go live. Not so fast. Despite your best intentions, chances are good your mobile and rich internet ap

2 min Vulnerability Disclosure

Breaking down the Logjam (vulnerability)

What is it Disclosed on May 19, 2015, the Logjam vulnerability [https://weakdh.org/imperfect-forward-secrecy.pdf] (CVE-2015-4000 [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000]) is a flaw in common TLS implementations that can be used to intercept secure communications. This TLS protocol vulnerability would allow an active man-in-the-middle (MITM) attacker to silently downgrade a TLS session to export-level Diffie-Hellman keys. The attacker could hijack this downgraded session b

3 min Vulnerability Disclosure

How Poisonous is VENOM (CVE-2015-3456) to your Virtual Environments?

Today CrowdStrike disclosed VENOM [http://venom.crowdstrike.com/] (Virtualized Environment Neglected Operations Manipulation) or CVE-2015-3456 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456], a vulnerability that could allow an attacker with access to one virtual machine to compromise the host system and access the data of other virtual machines. It's been a few months since we've seen a branded and logo'd vulnerability disclosure, and the main question everyone wants to know is wh

3 min Exploits

R7-2015-01: CSRF, Backdoor, and Persistent XSS on ARRIS / Motorola Cable Modems

By combining a number of distinct vulnerabilities, attackers may take control of the web interface for popular cable modems in order to further compromise internal hosts over an external interface. Affected Product ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem The device is described by the vendor as a "fully integrated all-in-one home networking solution that combines the functionality of a DOCSIS/EuroDOCSIS 3.0 cable modem, four-port 10/100/1000 Ethernet switch with advanced fi

1 min Vulnerability Management

March 2015 OpenSSL Security Advisory

Today OpenSSL released a security advisory [https://openssl.org/news/secadv_20150319.txt] listing 14 vulnerabilities affecting various versions of OpenSSL. There are 2 High, 9 Moderate, and 3 Low severity vulnerabilities in the mix. The security community was anxious that there could be another Heartbleed (or worse) in this list. Thankfully, this is NOT the case, even among the High severity vulnerabilities. Many of these vulnerabilities are limited in their scope, impact, and/or prevalence (es

2 min Microsoft

A Closer Look at February 2015's Patch Tuesday

This month's Patch Tuesday covers nine security bulletins from Microsoft, including what seems like a not-very-unusual mix of remote code execution (RCE) vulnerabilities and security feature bypasses. However, two of these bulletins – MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] – require a closer look, both because of the severity of the vulnerabilities that they address and the changes Mi