Posts tagged Exploits

1 min Public Policy

NIST 800-53 Control Mappings in SQL Query Export

In July, we added National Institute of Standards and Technology (NIST) Special Publication 800-53r4 controls mappings to version 2.0.2 of the reporting data model for SQL Query Export reports. NIST 800-53 is a publication that develops a set of security controls standards that are designed to aid organizations in protecting themselves from an array of threats. What does this mean for you? Well, now you can measure your compliance against these controls by writing SQL queries. For example, say

8 min Vulnerability Disclosure

R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)

Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were discovered, with the practical exploitation effects ranging from the accidental disclosure of sensitive network configuration information, to persistent cross-site scripting (XSS) on the web management console, to operational command execution on the devices themselves without authentication. The issues are designated in the table below. At the time of this disclosure's publication, the vendor has indicated that all but the la

1 min Exploits

Adobe Flash CVE-2016-4171 Patch Tomorrow

Tomorrow, Adobe is expected [http://arstechnica.com/security/2016/06/critical-adobe-flash-bug-under-active-attack-currently-has-no-patch/] to release a patch for CVE-2016-4171 [https://helpx.adobe.com/security/products/flash-player/apsa16-03.html], which fixes a critical vulnerability in Flash 21.0.0.242 that Kaspersky reports is being used in active, targeted campaigns. Generally speaking, these sorts of pre-patch, zero day exploits don't see a lot of widespread use; they're too valuable to bu

2 min Exploits

Social Attacks in Web App Hacking - Investigating Findings of the DBIR

This is a guest post from Shay Chen [https://twitter.com/sectooladdict], an Information Security Researcher, Analyst, Tool Author and Speaker. The guy behind TECAPI [http://tecapi.com/public/relative-vulnerability-rating-gui.jsp] , WAVSEP [https://github.com/sectooladdict/wavsep] and WAFEP [https://sourceforge.net/projects/wafep/] benchmarks. Are social attacks that much easier to use, or is it the technology gap of exploitation engines that make social attacks more appealing? While reading t

2 min Microsoft

On Badlock for Samba (CVE-2016-2118) and Windows (CVE-2016-0128)

Today is Badlock Day You may recall that the folks over at badlock.org [http://badlock.org/] stated about 20 days ago that April 12 would see patches for "Badlock," a serious vulnerability in the SMB/CIFS protocol that affects both Microsoft Windows and any server running Samba, an open source workalike for SMB/CIFS services. We talked about it back in our Getting Ahead of Badlock [/2016/03/30/getting-ahead-of-badlock] post, and hopefully, IT administrators have taken advantage of the pre-releas

2 min Microsoft

Getting Ahead of Badlock

While we are keeping abreast of the news about the foretold Badlock vulnerability [http://badlock.org/], we don't know much more than anyone else right now. We're currently speculating that the issue has to do with the fundamentals of the SMB/CIFS protocol, since the vulnerability is reported to be present in both Microsoft's and Samba's implementations. Beyond that, we're expecting the details from Microsoft as part of their regularly scheduled patch Tuesday. How Bad Is It? Microsoft and the S

3 min IoT

What's In A Hostname?

Like the proverbial cat, curiosity can often get me in trouble, but often enough, curiosity helps us create better security. It seems like every time I encounter a product with a web management console, I end up feeding it data that it wasn't expecting. As an example, while configuring a wireless bridge that had a discovery function that would identify and list all Wi-Fi devices in the radio range, I thought: "I wonder what would happen if I broadcast a service set identifier (SSID) [https://en

4 min Metasploit

12 Days of HaXmas: Metasploit End of Year Wrapup

This is the seventh post in the series, "The 12 Days of HaXmas." It's the last day of the year, which means that it's time to take a moment to reflect on the ongoing development of the Metasploit Framework, that de facto standard in penetration testing, and my favorite open source project around. While the acquisition of Metasploit way back in 2009 was met with some healthy skepticism, I think this year, it's easy to say that Rapid7's involvement with Metasploit has been an enormously positive

5 min Vulnerability Disclosure

CVE-2015-7755: Juniper ScreenOS Authentication Backdoor

On December 18th, 2015 Juniper issued an advisory [https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST] indicating that they had discovered unauthorized code in the ScreenOS software that powers their Netscreen firewalls. This advisory covered two distinct issues; a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic and a second backdoor that allows an attacker to bypass authentication in the SSH and Telnet daemons. Shortly

3 min Exploits

What is SQL Injection?

The SQL Injection is one of the oldest and most embarrassing vulnerabilities web enabled code faces. It is so old that there really is no excuse for only a niche of people (namely web security professionals) to understand how it works. Every time I think we've beat this topic to death, SQL Injection finds its way back into the news. This post is my attempt to help anyone and everyone understand how it works and why it's such a persistent problem. Related Resource: Download our SQL Injection Bas

1 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

This week's update brings a fun user-assisted code execution bug in Safari. It works by opening up an "applescript://" URL, which pops an Applescript editor, and then getting the user to hit Command-R (normally the keybinding for reloading the page). The key combo will pass down to the editor and run the script. There is a mitigating factor here in the form of Gatekeeper, part of Apple's "walled garden" architecture, designed to protect users from people who haven't given Apple $99 [https://de

3 min Exploits

Watch your SaaS: Partial parameter checking or the case of unfinished homework

“Laws are like sausages. It's better not to see them being made.” – Otto von Bismarck I'm not sure how many of you have kids or how diligent they are with their homework but I'm sure you've heard stories of parents observing that their kids have finished their homework in a remarkably short period of time.  However, upon investigation, you quickly discover that your child has only finished half of their homework. Sadly, this state of affairs can also be true for SAAS providers offering web app

2 min Exploits

SQL Injection Vulnerabilities: 4 Reasons Security Teams Can't Stop Them

SQL injection vulnerabilities [https://www.rapid7.com/resources/videos/what-is-sql-injection.jsp] have threatened application security for over 15 years and most security experts and many developers alike understand SQLi very well. So why are they still quite common, despite the fact that we, as an industry, know how to prevent them? Related Resource: Download our SQL Injection Basics Toolkit [https://information.rapid7.com/sql-injection-attacks-basics-toolkit.html?CS=community] SQLInjection i

2 min Exploits

Why SQL Injection Vulnerabilities Still Exist: 8 Reasons Developer's Can't Eliminate Them

Knowing how to prevent a SQL injection vulnerability is only half the web application security battle. A multitude of factors come into play when it comes to writing secure code, many of which are out of the developers' direct control. That's why common vulnerabilities like SQL injection continue to plague today's applications, and why application security testing software is so important. These problems can be overcome – with a little insight, organizations can begin to address these challenges

2 min Exploits

R7-2015-17: HP SiteScope DNS Tool Command Injection

This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection vulnerability, made in accordance with Rapid7's disclosure policy [http://www.rapid7.com/disclosure.jsp]. Summary Due to a problem with sanitizing user input, authenticated users of HP SiteScope running on Windows can execute arbitrary commands on affected platforms as the local SYSTEM account. While it is possible to set a password for the SiteScope application administrator, this is not enforced upon installation