Posts tagged Exploits

5 min Exploits

Exploit for new Vulnerability on Honeywell EBI ActiveX (CVE-2013-0108)

Today, we present to you a new vulnerability, CVE-2013-0108 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0108], discovered in Honeywell Enterprise Buildings Integrator (EBI) [https://buildingsolutions.honeywell.com/Cultures/en-US/ServicesSolutions/BuildingManagementSystems/EnterpriseBuildingsIntegrator/] R310 - R410.2. This platform is used to integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life sa

2 min Compliance

Malicious SSIDs And Web Apps

On February 13th 2013, Cisco released a security notice related to CVE-2013-1131 [http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1131] . According to Cisco, the vulnerability is due to improper validation of the Service Set Identifier (SSID) when performing a "site survey" to discover other wireless networks. On the face of it, this vulnerability seems to be low-risk. Indeed, site surveys are not often performed and an adversary would need to either be incredibly luc

4 min Exploits

Ray Sharp CCTV DVR Password Retrieval & Remote Root

On January 22, 2013, a researcher going by the name someLuser [http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html] detailed a number of security flaws in the Ray Sharp DVR platform [http://www.raysharp.cn/en/prodNetWork.aspx?Id=62]. These DVRs are often used for closed-circuit TV (CCTV) systems and security cameras. In addition to Ray Sharp, the exposures seem to affect rebranded DVR products by Swann [http://www.swann.com/s/products/swannview], Lorex, URMET, KGuard, Def

5 min Exploits

Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)

Background Earlier this week, a critical security flaw [/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156] in Ruby on Rails (RoR) was identified that could expose an application to remote code execution, SQL injection, and denial of service attacks. Ruby on Rails is a popular web application framework that is used by both web sites and web-enabled products and this flaw is by far the worst security problem to surface in this framework to date. If you are interested in the details of

4 min Metasploit

Serialization Mischief in Ruby Land (CVE-2013-0156)

This afternoon a particularly scary advisory [https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion] was posted to the Ruby on Rails (RoR) security discussion list. The summary is that the XML processor in RoR can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which can expose the application to remote code execution or SQL injection. A gentleman by the name of Felix Wilhelm went into detail [http://www.insinuator.net/2013/01/r

5 min Exploits

Security Death Match: Open Source vs. Pay-for-Play Exploit Packs

In the blue corner: an open-source exploit pack. In the red corner: a pay-for-play incumbent. As a security professional trying to defend your enterprise against attacks, which corner do you bet on for your penetration tests? What's the goal of the game? Okay, this is a loaded question, because it really depends on what your goal is. If you are like 99% of enterprises, you'll want to protect against the biggest and most likely risks. If you are the 1% that comprise defense contractors and the

3 min Metasploit

How Metasploit's 3-Step Quality Assurance Process Gives You Peace Of Mind

Metasploit exploits undergo a rigorous 3-step quality assurance process so you have the peace of mind that exploits will work correctly and not affect production systems on your next assignment. Step 1: Rapid7 Code Review Many of the Metasploit exploits are contributed by Metasploit's community of over 175,000 users, making Metasploit the de-facto standard for exploit development. This is a unique ecosystem that benefits all members of the community because every Metasploit user is a “sensor

8 min Metasploit

New Metasploit Exploit: Crystal Reports Viewer CVE-2010-2590

In this blog post we would like to share some details about the exploit for CVE-2010-2590 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2590], which we released in the last Metasploit update [/2012/12/19/weekly-metasploit-update]. This module exploits a heap-based buffer overflow, discovered by Dmitriy Pletnev, in the CrystalReports12.CrystalPrintControl.1 ActiveX control included in PrintControl.dll. This control is shipped with the Crystal Reports Viewer, as installed by default wi

3 min Exploits

5 Tips to Ensure Safe Penetration Tests with Metasploit

Experienced penetration testers know what to look out for when testing production systems so they don't disrupt operations. Here's our guide to ensure smooth sailing. Vulnerabilities are unintentional APIs In my warped view of the world, vulnerabilities are APIs that weren't entirely intended by the developer. They hey are also undocumented and unsupported. Some of these vulnerabilities are exploited more reliably than others, and there are essentially three vectors to rank them: * Exploit s

4 min Exploits

November Exploit Trends: Apache Killer Exploit New to List

This month was a quiet one on the Metasploit Top Ten List. Each month we compile a list of the most searched exploit and auxiliary modules from our exploit database [http://www.metasploit.com/modules/]. To protect user's privacy, the statistics come from analyzing webserver logs of searches, not from monitoring Metasploit usage. The only new addition to the list this month is an old Apache Killer exploit. Read on for the rest of November's exploit and auxiliary modules with commentary by Meta

6 min Metasploit

Abusing Windows Remote Management (WinRM) with Metasploit

Late one night at Derbycon [https://www.derbycon.com/], Mubix [https://twitter.com/mubix] and I were discussing various techniques of mass ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we have any Metasploit modules for this yet?" After I got back , I began digging. WinRM/WinRS WinRM is a remote management service for Windows that is installed but not enabled by default in Windows XP and higher versions, but you can install it on older operating systems as well. Win

8 min Exploits

New 0day Exploit: Novell ZENworks CVE-2012-4933 Vulnerability

Today, we present to you a flashy new vulnerability with a color-matching exploit straight from our super secret R&D safe house here in Metasploit Country. Known as CVE-2012-4933 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4933], it applies to Novell ZENworks Asset Management 7.5, which "integrates asset inventory, software usage, software management and contract management to provide the most complete software asset management tool available". Following our standard disclosure poli

1 min Nexpose

Moving from HML (High, Medium, Low) Hell to Security Heaven – Whiteboard Wednesdays

At last check there are about 22 new vulnerabilities being published and categorized every single day (see National Vulnerability Database web site - http://nvd.nist.gov/). In total, the National Vulnerability Database now contains more than 53,000 vulnerabilities. No wonder security professionals are overwhelmed with the sheer volume of vulnerabilities in their daily practices. At the same time, the prioritization schema that many organizations use are quite basic and are either proprietary or

2 min Authentication

Free Scanner for MySQL Authentication Bypass CVE-2012-2122

The MySQL authentication bypass vulnerability (CVE-2012-2122) - explained in detail in HD Moore's blog post [/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql] - was the cause for much concern when it was first discovered. In response, we've created a new vulnerability scanner for CVE-2012-2122 called ScanNow [http://www.rapid7.com/free-security-software-downloads/MySQL-vulnerability-scanner-CVE-2012-2122.jsp] , which enables you to check your network for vulnerability to thi

4 min Exploits

Exploit Trends: New Microsoft and MySQL Exploits Make the Top 10

The new Metasploit exploit trends are out, where we give you a list of the top 10 most searched Metasploit exploit and auxiliary modules from our exploit database (DB) [http://www.metasploit.com/modules/]. These stats are collected by analyzing searches on metasploit.com in our webserver logs, not through usage of Metasploit, which we do not track for privacy reasons. In June 2012, we also have three new entries on the list, and seven existing contenders. Here they are, annotated with Tod Bea