Posts tagged Vulnerability Disclosure

2 min Vulnerability Disclosure

R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)

While looking into the SSH key issue outlined in the ICS-CERT ICSA-15-309-01 [https://ics-cert.us-cert.gov/advisories/ICSA-15-309-01] advisory, it became clear that the Dropbear SSH daemon did not enforce authentication, and a possible backdoor account was discovered in the product. All results are from analyzing and running firmware version 1322_D1.98, which was released in response to the ICS-CERT advisory. This issue was discovered and disclosed as part of research resulting in Rapid7's dis

5 min Vulnerability Disclosure

CVE-2015-7755: Juniper ScreenOS Authentication Backdoor

On December 18th, 2015 Juniper issued an advisory [https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756?language=en_US] indicating that they had discovered unauthorized code in the ScreenOS software that powers their Netscreen firewalls. This advisory covered two distinct issues: a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic and a second backdoor

12 min Vulnerability Disclosure

Multiple Disclosures for Multiple Network Management Systems

Today, Rapid7 is disclosing several vulnerabilities affecting several Network Management System (NMS) products. These issues were discovered by Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent researcher Matthew Kienow [https://twitter.com/hacksforprofit], and reported to vendors and CERT for coordinated disclosure per Rapid7's disclosure policy. All together, we're disclosing six vulnerabilities that affect four NMSs, four of which are expected to be patched by the time o

10 min Vulnerability Disclosure

R7-2015-22: ManageEngine Desktop Central 9 FileUploadServlet connectionId Vulnerability (CVE-2015-8249)

ManageEngine Desktop Central 9 [https://www.manageengine.com/products/desktop-central/] suffers from a vulnerability that allows a remote attacker to upload a malicious file, and execute it under the context of SYSTEM. Authentication is not required to exploit this vulnerability. In addition, the vulnerability is similar to a ZDI advisory released on May 7th, 2015, ZDI-15-180 [http://www.zerodayinitiative.com/advisories/ZDI-15-180/]. This advisory specifically mentions computerName, and this is

2 min Exploits

R7-2015-17: HP SiteScope DNS Tool Command Injection

This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection vulnerability, made in accordance with Rapid7's disclosure policy. Summary: Due to a problem with sanitizing user input, authenticated users of HP SiteScope running on Windows can execute arbitrary commands on affected platforms as the local SYSTEM account. While it is possible to set a password for the SiteScope application administrator, this is not enforced upon installation. Therefore, in default deployments, an

6 min Vulnerability Disclosure

Multiple Insecure Installation and Update Procedures for RStudio (R7-2015-10) (FIXED)

Prior to RStudio version 0.99.473, the RStudio integrated toolset for Windows is installed and updated in an insecure manner. A remote attacker could leverage these flaws to run arbitrary code in the context of the system Administrator by leveraging two particular flaws in the update process, and as the RStudio user via the third update process flaw. This advisory will discuss all three issues. Since reporting these issues, RStudio version 0.99.473 has been released. This version addresses all

13 min Metasploit

Using Reflective DLL Injection to exploit IE Elevation Policies

As you are probably aware, sandbox bypasses are becoming a MUST when exploiting desktop applications such as Internet Explorer. One interesting class of sandbox bypasses abuse IE's Elevation Policies. An example of this type of sandbox bypass is CVE-2015-0016 [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The vulnerability has already been analyzed by Henry Li, who published a complete description in this blog entry [http://blog.trendmicro.com/trendlabs-security-intelligence/

11 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)

This post is a continuation of Exploiting a 64-bit browser with Flash CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119] , where we explained how to achieve arbitrary memory read/write on a 64-bit IE renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your mileage may vary =) Where we left off before, we had created an interface to work with memory by using a corrupted

3 min Exploits

Exploiting a 64-bit browser with Flash CVE-2015-5119

Some weeks ago, on More Flash Exploits in the Framework [/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the flash_exploiter library, which is used by Metasploit to quickly add new Flash exploit modules. If you read that blog entry, then you already know that flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119 [http://www.cvedetails.com/cve/CVE-2015-5119/] , which is o

4 min Vulnerability Disclosure

R7-2015-08: Accellion File Transfer Appliance Vulnerabilities (CVE-2015-2856, CVE-2015-2857)

This disclosure covers two issues discovered with the Accellion [https://www.accellion.com/] File Transfer Appliance, a device used for secure enterprise file transfers. Issue R7-2015-08.1 is a remote file disclosure vulnerability, and issue R7-2015-08.2 is a remote command execution vulnerability. Metasploit modules have been released for both issues, as of Pull Request 5694 [https://github.com/rapid7/metasploit-framework/pull/5694]. According to the vendor, both issues were addressed in version

2 min Vulnerability Disclosure

Remote Coverage for MS15-034 HTTP.sys Vulnerability (CVE-2015-1635)

Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034, which addresses CVE-2015-1635, a remote code execution vulnerability in Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008 R2 and later. This vulnerability can be trivially exploited as a denial of service attack by causing the infamous Blue Screen of Death (BSoD) with a simple HTTP request [https://www.youtube.com/watch?v=BlBXREzsytc]. In order to provide better assessment of your ass

2 min Vulnerability Disclosure

Breaking down the Logjam (vulnerability)

What is it? Disclosed on May 19, 2015, the Logjam vulnerability [https://weakdh.org/imperfect-forward-secrecy.pdf] (CVE-2015-4000 [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000]) is a flaw in common TLS implementations that can be used to intercept secure communications. This TLS protocol vulnerability would allow an active man-in-the-middle (MITM) attacker to silently downgrade a TLS session to export-level Diffie-Hellman keys. The attacker could hijack this downgraded session b

3 min Vulnerability Disclosure

How Poisonous is VENOM (CVE-2015-3456) to your Virtual Environments?

Today CrowdStrike disclosed VENOM [http://venom.crowdstrike.com/] (Virtualized Environment Neglected Operations Manipulation) or CVE-2015-3456 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456], a vulnerability that could allow an attacker with access to one virtual machine to compromise the host system and access the data of other virtual machines. It's been a few months since we've seen a branded and logo'd vulnerability disclosure, and the main question everyone wants to know is wh

2 min Microsoft

A Closer Look at February 2015's Patch Tuesday

This month's Patch Tuesday covers nine security bulletins from Microsoft, including what seems like a not-very-unusual mix of remote code execution (RCE) vulnerabilities and security feature bypasses. However, two of these bulletins – MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] – require a closer look, both because of the severity of the vulnerabilities that they address and the changes Mi

2 min Android

R7-2015-02: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)

Vulnerability Summary: Due to a lack of complete coverage for X-Frame-Options [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options] (XFO) support on Google's Play Store [https://play.google.com/] web application domain, a malicious user can leverage either a Cross-Site Scripting (XSS) vulnerability in a particular area of the Google Play Store web application, or a Universal XSS (UXSS) targeting affected browsers, to remotely install and launch the main intent of an arbitrary Play S