Posts tagged Exploits

2 min Java

Oracle CPU: July 2014

Oracle's Quarterly Critical Patch Update (CPU) is never a minor event.  In April we saw 104 security issues addressed, in January it was 144.  This time around we are faced with 113 updates.  These updates span the entire portfolio of Oracle software, including the JRE, Solaris, Oracle Database, MySQL, and numerous web and middleware products. What stands out is the belated fix for Heartbleed in MySQL Enterprise Server, coming fully 3 months after Oracle fixed that issue in their other products

4 min Exploits

You have no SQL inj--... sorry, NoSQL injections in your application

Everyone knows about SQL injections. They are classic, first widely publicized by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate query string params with SQL). But who cares? SQL injections are so ten years ago. I want to talk about a vulnerability I hadn't run into before that I recently had a lot of fun exploiting. It was a NoSQL injection. The PHP application was using MongoDB, and MongoDB has a great feature [http://www.php.net//manual/en/mongocollection.find.

3 min Metasploit

Security Advisory: OpenSSL Vulnerabilities CVE-2014-0224 and CVE-2014-0221 in Metasploit (Updated 6/6/14, 2pm EST)

Metasploit 4.9.2 and earlier vulnerable to OpenSSL vulnerabilities

The OpenSSL team today published a security advisory [http://www.openssl.org/news/secadv_20140605.txt] containing several critical vulnerabilities. The Metasploit editions Metasploit Pro, Metasploit Express, Metasploit Community and Metasploit Framework in versions 4.9.2 or earlier are vulnerable to these OpenSSL vulnerabilities, most notably CVE-2014-0224 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224] and CVE-2014

5 min Exploits

Oracular Spectacular

Nexpose version 5.9.10 includes significant improvements to its Oracle Database fingerprinting and vulnerability coverage. When configured with appropriate database credentials, Nexpose scans can accurately identify which patches have been applied. This post will go through the steps for setting up such a scan, as well as discuss some of the finer details about Oracle's versioning scheme and the terminology around their quarterly Critical Patch Update program. Scanning Oracle Databases with Nex

3 min Vulnerability Disclosure

R7-2013-19.2 Disclosure: Yokogawa CENTUM CS 3000 BKESimmgr.exe Buffer Overflow (CVE-2014-0782)

Last March 8th, @julianvilas [https://twitter.com/julianvilas] and I spoke at RootedCON [https://www.rootedcon.es/?lang=en] about our work with the Yokogawa CENTUM CS3000 product, and disclosed three of the vulnerabilities we found on March 10 [/2014/03/10/yokogawa-centum-cs3000-vulnerabilities] on this blog. As noted in the talk, we intended to release information about all of the vulnerabilities we found in the product at the time. Today, after some negotiation with Yokogawa and ICS-CERT, we'

3 min Exploits

If you lived here, you'd be home now - thoughts on an IE 0-day

Growing up around Boston, I remember seeing the famous billboards for the Charles River Park apartments: "If You Lived Here, You'd Be Home Now".  These signs were placed strategically, almost sadistically, on Storrow Drive where they were seen every day by the thousands of motorists trapped in rush hour gridlock. This morning, as IT departments scrambled to react to the Internet Explorer 0day vulnerability, I couldn't help but think about that devilish piece of advertising. This critical vuln

5 min Exploits

Exploiting CSRF under NoScript Conditions

CSRFs -- or Cross-Site Request Forgery [https://www.owasp.org/index.php/CSRF] vulnerabilities -- occur when a server accepts requests that can be “spoofed” from a site running on a different domain. The attack goes something like this: you, as the victim, are logged in to some web site, like your router configuration page, and have a valid session token. An attacker gets you to click on a link that sends commands to that web site on your behalf, without your knowledge. These vulnerabilities ca

2 min Exploits

Sophos Web Appliance Privilege Escalation and Remote Code Execution Vulnerability

Sophos Web Protection Appliance version 3.8.1.1 and likely prior versions was vulnerable to both a mass assignment attack which allowed privilege escalation, as well as a remote command execution vulnerability as root available to admin users. ZDI details the vuln here [http://www.zerodayinitiative.com/advisories/ZDI-14-069/]. This Metasploit module exploits both vulnerabilities in order to go from an otherwise unprivileged authenticated user to root on the box. This is particularly bad because this

3 min Exploits

Metasploit's Brand New Heartbleed Scanner Module (CVE-2014-0160)

Is the Internet down? Metasploit publishes module for Heartbleed

If you read this blog at all regularly, you're quite likely the sort of Internet citizen who has heard about the Heartbleed attack [/2014/04/08/gaping-ssl-my-heartbleeds] and grasps how serious this bug is. Suffice it to say that it's a Big Deal -- one of those once-a-year bugs that kicks everyone in security into action. OpenSSL underpins much of the security of the Internet, so widespread bugs in these critical libraries affect

14 min Exploits

"Hack Away at the Unessential" with ExpLib2 in Metasploit

This blog post was jointly written by Wei sinn3r [https://twitter.com/_sinn3r] Chen and Juan Vazquez [https://twitter.com/_juan_vazquez_].

Memory corruption exploitation is not how it used to be. With modern mitigations in place, such as GS, SafeSEH, SEHOP, DEP, ASLR/FASLR, EAF+, ASR, VTable guards, memory randomization, and sealed optimization, etc., exploit development has become much more complicated. It definitely shows when you see researchers jumping through hoops like reverse-engineering

3 min Apple

Metasploit Weekly Update: There's a Bug In Your Brain

Running Malicious Code in Safari

The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementor, Joe Vennix [https://twitter.com/joevennix]. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack [http://www.metasploit.com/modules/exploit/osx/browser/safari_user_assisted_download_launch], which is not technically a vulnerability or a bug or anything -- it's a feature that ends up being a kind of a huge risk. Here's how it goes:

1 min Exploits

Metasploit at RootedCON 2014 in Madrid

First of all, let me share with all of you that I'm really excited to write this blog post! This week RootedCON [https://www.rootedcon.es/?lang=en] 2014 will be happening in Spain and we got a talk accepted with @julianvilas [https://twitter.com/julianvilas]! The talk's title is not very self-explanatory: "Kicking SCADA Around." So, in case you are interested in attending, here is a little more information about the presentation. We plan to share with the audience our experience while dissecting a widel

4 min Exploits

Metasploit Weekly Update: Video Chat, Meterpreter Building, and a Fresh MediaWiki Exploit

"It's Like Chat Roulette for Hackers"

The coolest thing this week... wait, let me start again. The coolest thing this year is Wei sinn3r [https://twitter.com/_sinn3r] Chen's brand new amazesauce, humbly named webcam_chat. I know he just posted all about it [/2014/02/18/lets-talk-about-your-security-breach-with-metasploit-literally] yesterday, but I just want to reiterate how useful and hilarious this piece of post-exploit kit really is. First off, it's entirely peer-to-peer. The communicati

5 min Exploits

Weekly Metasploit Update: Android WebView Exploit, Clipboard Monitor, and Mass Checks

Android WebView Exploit, 70% Devices Vulnerable

This week, the biggest news I think we have is the release this week of Joe Vennix [https://twitter.com/joevennix] and Josh @jduck [https://twitter.com/jduck] Drake's hot new/old Android WebView exploit. I've been running it for the last day or so out on the Internet, with attractive posters around the Rapid7 offices (as seen here) in an attempt to pwn something good. I've popped a couple shells, I guess I didn't make my QR Code attractive enough

2 min Exploits

New Metasploit Payloads for Firefox Javascript Exploits

Those of you with a keen eye on metasploit-framework/master [https://github.com/rapid7/metasploit-framework] will notice the addition of three new payloads:

* firefox/shell_reverse_tcp
* firefox/shell_bind_tcp
* firefox/exec

These are Javascript payloads meant for executing in a privileged Javascript context inside of Firefox. By calling certain native functions not meant to be exposed to ordinary web content, a classic TCP command shell can be opened. To a pentester, these payloads are use