Vulnerability Disclosure
R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)
While looking into the SSH key issue outlined in the ICS-CERT ICSA-15-309-01
[https://ics-cert.us-cert.gov/advisories/ICSA-15-309-01] advisory, it became
clear that the Dropbear SSH daemon did not enforce authentication, and a
possible backdoor account was discovered in the product. All results are from
analyzing and running firmware version 1322_D1.98, which was released in
response to the ICS-CERT advisory.
This issue was discovered and disclosed as part of research resulting in
Rapid7's dis
Vulnerability Disclosure
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor
On December 18th, 2015, Juniper issued an advisory
[https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756?language=en_US]
indicating that they had discovered unauthorized code in the ScreenOS software
that powers their Netscreen firewalls. This advisory covered two distinct
issues: a backdoor in the VPN implementation that allows a passive eavesdropper
to decrypt traffic, and a second backdoor
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems
Today, Rapid7 is disclosing several vulnerabilities affecting several Network
Management System (NMS) products. These issues were discovered by Deral Heiland
[https://twitter.com/percent_x] of Rapid7 and independent researcher Matthew
Kienow [https://twitter.com/hacksforprofit], and reported to vendors and CERT
for coordinated disclosure per Rapid7's disclosure policy. Altogether, we're
disclosing six vulnerabilities that affect four NMSs, four of which are expected
to be patched by the time o
Vulnerability Disclosure
R7-2015-22: ManageEngine Desktop Central 9 FileUploadServlet connectionId Vulnerability (CVE-2015-8249)
ManageEngine Desktop Central 9
[https://www.manageengine.com/products/desktop-central/] suffers from a
vulnerability that allows a remote attacker to upload a malicious file, and
execute it under the context of SYSTEM. Authentication is not required to
exploit this vulnerability.
In addition, the vulnerability is similar to a ZDI advisory released on May 7th,
2015, ZDI-15-180 [http://www.zerodayinitiative.com/advisories/ZDI-15-180/]. This
advisory specifically mentions computerName, and this is
Exploits
R7-2015-17: HP SiteScope DNS Tool Command Injection
This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection
vulnerability, made in accordance with Rapid7's disclosure policy.
Summary
Due to a problem with sanitizing user input, authenticated users of HP SiteScope
running on Windows can execute arbitrary commands on affected platforms as the
local SYSTEM account. While it is possible to set a password for the SiteScope
application administrator, this is not enforced upon installation. Therefore, in
default deployments, an
Vulnerability Disclosure
Multiple Insecure Installation and Update Procedures for RStudio (R7-2015-10) (FIXED)
Prior to RStudio version 0.99.473, the RStudio integrated toolset for Windows is
installed and updated in an insecure manner. A remote attacker could leverage
these flaws to run arbitrary code in the context of the system Administrator by
leveraging two particular flaws in the update process, and as the RStudio user
via the third update process flaw. This advisory will discuss all three issues.
Since reporting these issues, RStudio version 0.99.473 has been released. This
version addresses all
Metasploit
Using Reflective DLL Injection to exploit IE Elevation Policies
As you are probably aware, sandbox bypasses are becoming a MUST when exploiting
desktop applications such as Internet Explorer. One interesting class of sandbox
bypasses abuse IE's Elevation Policies. An example of this type of sandbox
bypass is CVE-2015-0016
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The
vulnerability has already been analyzed by Henry Li, who published a complete
description in this blog entry
[http://blog.trendmicro.com/trendlabs-security-intelligence/
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)
This post is a continuation of Exploiting a 64-bit browser with Flash
CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119]
, where we explained how to achieve arbitrary memory read/write on a 64-bit IE
renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with
Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your
mileage may vary =)
Where we left off before, we had created an interface to work with memory by
using a corrupted
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119
Some weeks ago, on More Flash Exploits in the Framework
[/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the
flash_exploiter library, which is used by Metasploit to quickly add new Flash
exploit modules. If you read that blog entry, then you already know that
flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we
will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119
[http://www.cvedetails.com/cve/CVE-2015-5119/] , which is o
Vulnerability Disclosure
R7-2015-08: Accellion File Transfer Appliance Vulnerabilities (CVE-2015-2856, CVE-2015-2857)
This disclosure covers two issues discovered with the Accellion
[https://www.accellion.com/] File Transfer Appliance, a device used for secure
enterprise file transfers. Issue R7-2015-08.1 is a remote file disclosure
vulnerability, and issue R7-2015-08.2 is remote command execution vulnerability.
Metasploit modules have been released for both issues, as of Pull Request 5694
[https://github.com/rapid7/metasploit-framework/pull/5694].
According to the vendor, both issues were addressed in version
Vulnerability Disclosure
Remote Coverage for MS15-034 HTTP.sys Vulnerability (CVE-2015-1635)
Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034,
which addresses CVE-2015-1635, a remote code execution vulnerability in
Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008
R2 and later. This vulnerability can be trivially exploited as a denial of
service attack by causing the infamous Blue Screen of Death (BSoD) with a
simple HTTP request [https://www.youtube.com/watch?v=BlBXREzsytc].
In order to provide better assessment of your ass
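The "simple HTTP request" is an oversized Range header. As an added example, not code from the original post or from Rapid7's scanner, the block below builds that probe, classifies a response the way public checkers do (416 "Requested Range Not Satisfiable" on an unpatched HTTP.sys, 400 "The request has an invalid header name" once patched), and includes a detection-side helper that flags Range headers with impossible bounds. The response strings, the host names, the assumption that a static resource is the right target, and the 2^63 threshold for "suspicious" are assumptions of this example; the sample responses are constructed, not captured.

```python
import re

# Probe used by public checkers: a range whose upper bound is 2**64 - 1.
PROBE_RANGE = "bytes=0-18446744073709551615"


def build_probe_request(host, path="/"):
    """HTTP/1.1 request carrying the oversized Range header. `path` should name a
    static resource (assumption: that is what HTTP.sys serves from its kernel
    cache); the default "/" is only a placeholder."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: {PROBE_RANGE}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def classify_response(raw):
    """Heuristic assumed from what public checkers key on, not from the bulletin:
    unpatched HTTP.sys answers 416 'Requested Range Not Satisfiable', a patched
    one rejects the header with 400 'The request has an invalid header name'."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/\d\.\d\s+(\d{3})", status_line)
    code = int(m.group(1)) if m else 0
    if code == 416 or b"Requested Range Not Satisfiable" in raw:
        return "vulnerable"
    if code == 400 and b"The request has an invalid header name" in raw:
        return "patched"
    return "unknown"


_RANGE_SPEC = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.I)


def range_header_is_suspicious(value, limit=2**63 - 1):
    """Detection side: True if any bound in a Range header exceeds `limit`
    (assumed threshold: no legitimate client asks for a byte offset that does not
    fit in a signed 64-bit integer). Headers that do not parse are also flagged."""
    m = _RANGE_SPEC.match(value)
    if not m:
        return True
    for part in m.group(1).split(","):
        start, sep, end = part.strip().partition("-")
        if not sep:
            return True
        for bound in (start, end):
            if bound and (not bound.isdigit() or int(bound) > limit):
                return True
    return False


# Constructed responses (not captured from a real server) to exercise the classifier.
SAMPLE_VULNERABLE = (b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
                     b"Content-Type: text/html\r\nContent-Range: bytes */43\r\n\r\n")
SAMPLE_PATCHED = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
                  b"<h1>Bad Request</h1><p>The request has an invalid header name</p>")
SAMPLE_OTHER = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(build_probe_request("iis.example", "/welcome.png").decode())
    for r in (SAMPLE_VULNERABLE, SAMPLE_PATCHED, SAMPLE_OTHER):
        print(classify_response(r))
    print(range_header_is_suspicious(PROBE_RANGE), range_header_is_suspicious("bytes=0-1023"))
```

Note that the probe itself is the denial-of-service trigger on an unpatched host: a checker that sends it to a production server can crash it, which is why the detection helper, run over web or WAF logs, is the safer side of this example.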
Vulnerability Disclosure
Breaking down the Logjam (vulnerability)
What is it
Disclosed on May 19, 2015, the Logjam vulnerability
[https://weakdh.org/imperfect-forward-secrecy.pdf] (CVE-2015-4000
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000]) is a flaw in
common TLS implementations that can be used to intercept secure communications.
This TLS protocol vulnerability would allow an active man-in-the-middle (MITM)
attacker to silently downgrade a TLS session to export-level Diffie-Hellman
keys. The attacker could hijack this downgraded session b
Vulnerability Disclosure
How Poisonous is VENOM (CVE-2015-3456) to your Virtual Environments?
Today CrowdStrike disclosed VENOM [http://venom.crowdstrike.com/] (Virtualized
Environment Neglected Operations Manipulation) or CVE-2015-3456
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456], a vulnerability
that could allow an attacker with access to one virtual machine to compromise
the host system and access the data of other virtual machines. It's been a few
months since we've seen a branded and logo'd vulnerability disclosure, and the
main question everyone wants to know is wh
Microsoft
A Closer Look at February 2015's Patch Tuesday
This month's Patch Tuesday covers nine security bulletins from Microsoft,
including what seems like a not-very-unusual mix of remote code execution (RCE)
vulnerabilities and security feature bypasses. However, two of these bulletins –
MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and
MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] –
require a closer look, both because of the severity of the vulnerabilities that
they address and the changes Mi
Android
R7-2015-02: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)
Vulnerability Summary
Due to a lack of complete coverage for X-Frame-Options
[https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options] (XFO)
support on Google's Play Store [https://play.google.com/] web application
domain, a malicious user can leverage either a Cross-Site Scripting (XSS)
vulnerability in a particular area of the Google Play Store web application, or
a Universal XSS (UXSS) targeting affected browsers, to remotely install and
launch the main intent of an arbitrary Play S
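The "gap" in this advisory is coverage: some responses on the domain carried X-Frame-Options and others did not, and a single unprotected page is enough to frame. As an added example (not code from the original advisory and not Google's), the block below decides whether a page can be framed from a given top-level origin, giving CSP frame-ancestors precedence over X-Frame-Options as CSP Level 2 specifies, and then walks a constructed set of paths to list the ones an attacker origin could frame. The site, paths, headers and origin names are constructed; the treatment of conflicting X-Frame-Options values as DENY and the simplified wildcard matching are assumptions of this example.

```python
from urllib.parse import urlsplit


def _origin(url):
    """scheme://host[:port], lower-cased, as browsers compare origins."""
    u = urlsplit(url.strip())
    return f"{u.scheme}://{u.netloc}".lower()


def _xfo_allows(values, page_origin, top_origin):
    """Evaluate X-Frame-Options. True/False, or None when no usable value is present
    (browsers ignore unrecognised values, so the page stays framable)."""
    norm = {v.strip() for v in values if v.strip()}
    if not norm:
        return None
    if len(norm) > 1:
        return False  # assumption: conflicting XFO values are treated as DENY
    v = norm.pop()
    upper = v.upper()
    if upper == "DENY":
        return False
    if upper == "SAMEORIGIN":
        return page_origin == top_origin
    if upper.startswith("ALLOW-FROM"):  # legacy form, honoured by few browsers
        return _origin(v[len("ALLOW-FROM"):]) == top_origin
    return None


def _frame_ancestors_allow(sources, page_origin, top_origin):
    """Subset of CSP frame-ancestors matching: 'none', 'self', exact origins and
    host wildcards such as https://*.example.net. Scheme-only sources are ignored."""
    scheme, _, host = top_origin.partition("://")
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "self":
            if page_origin == top_origin:
                return True
            continue
        if s == top_origin:
            return True
        src_scheme, sep, hostpat = s.rpartition("://")
        if hostpat.startswith("*.") and (not sep or src_scheme == scheme) \
                and host.endswith(hostpat[1:]):
            return True
    return False


def framing_allowed(headers, page_url, top_url):
    """May the page served with `headers` (list of (name, value)) at page_url be
    framed by a top-level document at top_url? frame-ancestors wins when present;
    with neither header, anyone may frame the page."""
    page_o, top_o = _origin(page_url), _origin(top_url)
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                toks = directive.split()
                if toks and toks[0].lower() == "frame-ancestors":
                    return _frame_ancestors_allow(toks[1:], page_o, top_o)
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    verdict = _xfo_allows(xfo, page_o, top_o)
    return True if verdict is None else verdict


def find_framing_gaps(base_url, site, attacker_url):
    """site: {path: headers}. Return the paths a page at attacker_url could frame."""
    return sorted(path for path, hdrs in site.items()
                  if framing_allowed(hdrs, base_url + path, attacker_url))


# Constructed sample site: a mix of protected and unprotected responses.
SAMPLE_SITE = {
    "/":        [("X-Frame-Options", "SAMEORIGIN")],
    "/account": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "/search":  [("Content-Type", "text/html")],                # no framing control at all
    "/legacy":  [("X-Frame-Options", "ALLOWALL")],              # unrecognised value, ignored
    "/partner": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

if __name__ == "__main__":
    print(find_framing_gaps("https://store.example", SAMPLE_SITE, "https://attacker.example"))
```

The point of running this per path rather than per domain is exactly the advisory's: the check has to cover every response an attacker can frame, including error pages and legacy endpoints, because one uncovered page undoes the protection on the rest.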