Vulnerability Management
CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server (AS) Java
The new SAP vulnerability (RECON), a critical vulnerability affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard, is a huge deal.
Research
A Serial Problem: Exploitation and Exposure of Java Serialized Objects
In our new research report, we take a look at Java Serialized Objects (JSOs), which are a reliable threat vector and present a rising threat to enterprise networks.
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup
Welcome to the last Metasploit update of the year! Since January 1st, 2015,
we've had 6364 commits from 176 unique authors, closed 1119 Pull Requests, and
added 323 modules. Thank you all for a great year! We couldn't have done it
without you.
Sounds
The sounds plugin has been around for a long time, notifying hackers of new
shells via their speakers since 2010. Recently, Wei sinn3r Chen gave it a
makeover, replacing the old robotic voice with that of Offensive Security
founder, Kali Linux Core
Patch Tuesday
R7-2015-09: Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)
Java 8 server versions prior to u46 are susceptible to a remote unauthenticated
denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU
extensions on supported processors. AES intrinsics are enabled by default on the
Oracle JVM if the JVM detects that processor capability, which is common for
modern processors manufactured after 2010. For more on AES-NI, see the
Wikipedia
article [http://en.wikipedia.org/wiki/AES_instruction_set].
This issue was tracked in the OpenJDK pu
Java
Weekly Metasploit Wrapup: Remote Controlling Java Services
Java Remoting: Sign Me Up!
This is a pretty exciting week for advancing the state of the art of penetration
testing with Metasploit, thanks in large part to Juan Vazquez
[https://twitter.com/_juan_vazquez_]'s work on the new protocol-level support
for Java Remote Method Invocation (RMI). If you've never heard of it before,
it's probably because, like me, you haven't done much (or any) Java programming
since school. Java RMI is essentially a network-exposed API, usually listening
on 1617/TCP, and
Java
Oracle CPU: July 2014
Oracle's Quarterly Critical Patch Update (CPU) is never a minor event. In April
we saw 104 security issues addressed, in January it was 144. This time around
we are faced with 113 updates. These updates span the entire portfolio of
Oracle software, including the JRE, Solaris, Oracle Database, MySQL, and
numerous web and middleware products.
What stands out is the belated fix for Heartbleed in MySQL Enterprise Server,
coming fully 3 months after Oracle fixed that issue in their other products
Flash
Weekly Metasploit Update: More Meterpreters!
Meterpreter for All The Platforms
This week is pretty exciting for us, since it's not every day we give out
commit
rights [https://github.com/rapid7/metasploit-framework/wiki/Committer-Keys] to
the Rapid7 Metasploit repo. I'm very happy to report that Tim Wright
[https://github.com/timwr] has agreed to step up and help out with moving
Meterpreter research and development forward, focusing mainly on the Java and
Android implementations.
Many Metasploit users are familiar with Meterpreter for Wi
Java
Oracle October 2013 CPU roundup
The story here is that Oracle has synced up their Java patching with the rest of
their patching cycle and, when it comes to vulnerabilities, Java always steals
the show. The CPU includes fixes for 127 vulnerabilities in Oracle products, but
aside from Java, it's mostly ho-hum, low impact stuff. There's a CVSS 8.5
vulnerability in MySQL's Enterprise Service manager, but besides the Java
patches, nothing else jumps out as particularly interesting.
The Java patches include 51 of the 127 addresse
Product Updates
Weekly Update: Sport Fishing for Exploits and Improved Java Hackery
Java Payload Cleanup
If you've been watching the Metasploit source repository
[https://github.com/rapid7/metasploit-framework/], you will have noticed some
movement in Java Payload land -- specifically, PR#1217
[https://github.com/rapid7/metasploit-framework/pull/1217], which landed this
week. Thanks to the refactoring efforts of Michael @mihi42
[https://twitter.com/mihi42] Schriel, testing by @Meatballs
[https://github.com/Meatballs1], and integration from James @egyp7
[https://twitter.com/egyp
Java
Oracle April 2013 CPU - 42 Java vulns!
Oracle Security had a busy day yesterday. They released two of their Cumulative
Patch Updates, one for Java and one for everything else that they patch. The
Java CPU contains 19 CVEs with a CVSS base score of 10 (the highest you can go),
indicating that exploiting the vulnerability is not particularly challenging and
could give complete control of compromised systems. For all of these
vulnerabilities, the browser is the vector of exploit. For one of those
(CVE-2013-1537), some Java server configurat
Java
Java 7 Exploit for CVE-2013-0431 in the Wild
According to the latest news
[http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html],
exploit kits such as Cool EK and Popads are integrating a new exploit for
Java, targeting Java 7u11. An exploit for CVE-2013-0431 has been analyzed and
shared by SecurityObscurity
[http://security-obscurity.blogspot.com/2013/01/about-new-java-0-day-vulnerability.html],
and is also now available as a Metasploit module with some improvements for
testability. We would like to use this b
Product Updates
Weekly Update: Hollywood Hacking and More Java Exploits
Hollywood Hacking: Tapping Webcams and Mics
This week's update has two new post modules for Metasploit, which enable the
creative pen-tester to hit that creeper vibe so often missing on a typical
engagement, both by Metasploit exploit dev Wei @_sinn3r
[https://twitter.com/_sinn3r] Chen. They're both post-exploitation modules, so
they presume you already have a session on the target via some other exploit.
First up is a webcam control module, which can take a snapshot using the
target's webcam.
Exploits
New Java Modules in Metasploit... No 0 days this time
Last year Security Explorations published some awesome research
[http://www.security-explorations.com/en/SE-2012-01.html], exploring the
security state of the Java SE from Oracle, and disclosing different
vulnerabilities and exploit vectors in this software. In fact, some of the last
Java exploits found in the wild have been using techniques from the mentioned
research. Today we're publishing two new modules exploiting some of the
documented issues. In this blog post we would like to share somet
Microsoft
January is not over yet
Seems like there's a lot of activity already this year in the security world by
way of high-profile, already-being-exploited vulnerabilities. First the Adobe Flash
and Acrobat/Reader fixes [/2013/01/08/adobe-joins-the-january-patching-fun],
then the Ruby on Rails exploit
[/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156] and now
Oracle turning around a fast fix and Microsoft delivering an out-of-band patch
for Internet Explorer.
Oracle has moved quickly to release a fix for the vuln
Metasploit
Exploit Trends: Top 10 Searches for Metasploit Modules in October
Time for your monthly dose of Metasploit exploit trends! Each month we gather
this list of the most searched exploit and auxiliary modules from the Metasploit
database. To protect users' privacy, the statistics come from analyzing
webserver logs of searches, not from monitoring Metasploit usage.
October was a quiet month for exploit headlines, so not a whole lot of action on
the list. The high traffic to Java and IE modules from their respective 0-days
settled down, so you'll see some shuffli
Nexpose
Multi-tenant User Provisioning
Introduction
Performing bulk operations in Nexpose can be time-consuming; user provisioning
is a good example. Using the Nexpose APIs is an effective way to save time and
eliminate the error-prone process of doing everything manually. For this blog
post, I want to demonstrate how you
can manage users using the Nexpose API. I will be using an open source Java API
client, which is available on clee-r7/nexpose_java_api · GitHub
[https://github.com/clee-
Metasploit
Exploit Trends: Java and IE 0days
Each month we report the top ten searched exploit and auxiliary modules on
metasploit.com. The statistics are drawn from our exploit database by analyzing
webserver logs of searches, not through Metasploit usage which is not tracked to
preserve privacy.
With the Java and Internet Explorer 0-days in August and September, this month's
exploit trends from Metasploit really shook up the status quo. And, just to make
things more interesting, there are a couple exploits from April that came back
fo
Nexpose
Nexpose Site Creation - Now with More Scheduling
Got Sites? Well now you can!
One of everyone's favorite tasks in Nexpose is creating new sites. But what if
you could do it all with an interactive, menu-driven, standalone Java
application that leveraged the awesome Nexpose Java API client. I know what you
are thinking, "That would be too cool."
Well wait no longer! We here at Rapid7 have created just such a tool for you to
use. So go ahead, download it and give it a try. All source code is included
so you can easily modify or extend it
Nexpose
Nexpose Reporting with the Java API Client
Nexpose reporting just got easier!
Now you can manage and generate Nexpose reports through an interactive
application that leverages the Nexpose Java API client.
Here is a list of the options that are currently supported.
1. List Reports
2. Generate Reports
3. Delete Reports
4. Delete Report Configurations (and all associated reports)
5. View Report Configuration
6. View Report History
Attached is a copy of the application and the source code so you can easily
modify and extend its func
Java
Creating a bunch of users at once using the Nexpose API
I would like to take the time to share an example of how you can use the Nexpose
API to create a batch of users at one time with the use of a CSV file. Sounds
too good to be true right?
I swear to you that this is not a mirage. In fact I am prepared to put my money
where my mouth is and post a code example with Rapid7's very own Open Source
Java API client. This will allow you to do the following:
* Interactively specify a CSV file to create, update and even remove existing
  users
* Please s
Exploits
Exploit Trends: August Java 0-day
Coming from August's Java 0-day release, there are three new Java exploits among
the top 10 most searched Metasploit exploits and auxiliary modules in this
month's trend list. The monthly statistics are drawn from our exploit database
[http://www.metasploit.com/modules/] by analyzing webserver logs of searches on
metasploit.com, not through Metasploit usage which is not tracked for privacy.
Check out the top searched exploits and modules below, annotated with Tod
Beardley's excellent comments
Java
Weekly Metasploit Update: Java 0-Day, Meterpreter Network Commands, and More!
Time to chalk up one more victory for the forces of goodness and light in our
struggle against secret 0-day.
Java 0-Day Exploit Shipped
If you pay any attention at all to the usual security news, you will have
certainly already heard about how Accuvant's Josh "jduck" Drake and the
Metasploit dev community pounced on the Java 0-Day
[http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/],
aka CVE-2012-4681, aka the Java 7 Applet RCE
[http://metasploit.com/modules/exploit/m
Metasploit
Let's start the week with a new Java 0-day in Metasploit
On late Sunday night, the Metasploit Exploit team was looking for kicks, and
heard the word on the street that someone was passing around a reliable Java
0-day exploit. Big thanks to Joshua J. Drake (jduck), we got our hands on that
PoC [https://twitter.com/jduck1337/status/239875285913317376], and then once
again, started our voodoo ritual. Within a couple of hours, we have a working
exploit. Download Metasploit here
[http://www.rapid7.com/downloads/metasploit.jsp], and apply the latest update
Exploits
Oracle Issues Java Security Fixes
Oracle released Java Release 7 Update 5 and Java Release 6 Update 33 in order to
patch several security vulnerabilities. I expect older versions to have public
exploit code available soon. IsJavaExploitable.com
[http://isjavaexploitable.com/] has been updated to assist everyone in detecting
if they need to upgrade. Apple has also made patches available for OS X, which
is a testament to Apple improving their consumer security. In the last couple of
months Apple has made drastic improvements on re
Apple
Apple OS X Java Woes
Oracle recently announced that they would provide standalone updates in the
future for the Java Runtime Environment for Mac users. Many people, including
myself, were excited when we heard the news, but... so far this hasn't happened. Mac
OS X users including yours truly are once again behind Oracle's recommended
version.
Apple last patched Java on OS X when they released Java 6 Update 31 on April
3rd, which had critical bug fixes related to the Flashback malware. Oracle then
released Java 6 Update
Release Notes
Getting the Most from Customizable CSV Exports - Part 6
Hi, my name is Eden Martinez, and I'm a Federal Sales Engineer with Rapid7.
Larger environments often list scalability as one of their top problems;
specifically, too much data. With current tools, it's not hard to generate large
data sets. Most tools are comprehensive with a focus on the largest list of
results wins. While you can turn all the knobs on Nexpose up to 11, I've found
many enterprise environments prefer to focus on prioritization of
vulnerabilities and trending of the results. M
Metasploit
Is [Your] Java Exploitable?
There were two big news stories in the Java exploitation landscape this week:
1. Blackhole Exploit Kit added an exploit for CVE-2012-0507
[http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/]
2. Metasploit added exploit for CVE-2012-0507
[/2012/03/29/cve-2012-0507-java-strikes-again]
In order to help users and organizations do a quick field test to see if they
are exploitable to these attacks, I crafted a Java version check now available
at IsJavaExploitabl
Nexpose
Automating Nexpose Discovery Connections through the Java API
Nexpose has long offered APIs allowing for automated workflow operations. The
following examples are intended to help Nexpose users automate the discovery
mechanisms feature through the API. The following code shows how to leverage the
Java API client [https://github.com/clee-r7/nexpose_java_api] to create, list,
update and delete discovery mechanisms in Nexpose.
Nexpose supports the Discovery Connection API starting with version 5.2. The
supported operations on the API with regards to discovery ar
Java
Java API client - How to augment it and share with the community
The prerequisite is that you get the client: clee-r7/nexpose_java_api · GitHub
[https://github.com/clee-r7/nexpose_java_api]
This blog post will show you how to augment the Java API client and use it in 4
easy steps.
The Java API client uses XML templates to generate requests. Browse to the
src/org/rapid7/nexpose/api folder within the API source code and you will see the
templates for the currently supported API client requests, for example
AssetGroupSaveRequest.xml.
There are currently 2 versions of
Nexpose
Nexpose Java API
We are really excited to see the Nexpose community coming up with all sorts of
cool and useful ways to automate Nexpose via our APIs. Since we have published
our Ruby [https://github.com/rapid7/nexpose-client] and .Net
[https://github.com/brandonprry/nexpose-sharp] API client libraries, we have had
some requests for a Java library as well. And now we have open sourced a Java
[https://github.com/clee-r7/nexpose_java_api] based library for accessing the
Nexpose API. This library is BSD licensed s
Release Notes
Exploit for critical Java vulnerability added to Metasploit
@_sinn3r [http://twitter.com/_sinn3r] and Juan Vazquez
[https://twitter.com/#!/_juan_vazquez_] recently released a module which
exploits the Java vulnerability detailed here
[http://schierlm.users.sourceforge.net/CVE-2011-3544.html] by mihi and by Brian
Krebs here
[http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits].
This is a big one. To quote Krebs: "A new exploit that takes advantage of a
recently-patched critical security flaw in Java is making the rounds in the
cri
Exploits
Recent Developments in Java Signed Applets
The best exploits are often not exploits at all -- they are code execution by
design. One of my favorite examples of this is a signed Java applet. If an
applet is signed, the JVM allows it to run outside the normal security sandbox,
giving it full access to do anything the user can do.
Metasploit has supported using signed applets as a browser exploit for quite
a while, but over the last week there have been a couple of improvements that
might help you get more shells. The first of these improve