Patch Tuesday
September Patch Tuesday Roundup
Microsoft's patch for September includes 4 Critical Bulletins and 5 Important
Bulletins covering 11 vulnerabilities.
A couple of vulnerabilities are worth noting, including:
MS10-064 a vulnerability in Microsoft Outlook allows for Remote Code Execution.
This is the classic drive-by malware in which the attacker sends a malicious
email message to the victim. Simply by opening the contents of an email, the
attacker can gain full control of the victim's machine. Organizations should
conduct user aw
Impersonating the Windows Print Spooler for Relayed RPC
On Friday night, I committed our exploit module which takes advantage of the
vulnerability [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2729]
fixed in MS10-061
[http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx]. If you
haven't seen it yet, you can find it here
[http://www.metasploit.com/modules/exploit/windows/smb/ms10_061_spoolss].
In its most egregious form, this bug allowed a guest user with print access to
write arbitrary content to arbitrary files with SYSTEM p
Patch Tuesday
August Patch Tuesday Roundup
Microsoft's patch this month, which consists of 14 bulletins that address 34
vulnerabilities, is the largest since October 2009. With the massive amount of
work that lies ahead, it may help to prioritize your work.
Josh Abraham, Rapid7 Security Researcher, recommends that you pay particular
attention to MS10-054. This vulnerability in the SMB protocol “is potentially
the most dangerous vulnerability as it allows unauthenticated attackers to
execute arbitrary codes on remote machines.” Abrah
Black Hat Race To Root Results
We had a good number of folks compete for prizes in the Race to Root competition
at this year's Black Hat, so thanks to everyone who came by. Three competitors
came out on top. Anders Hansen took first place! He'll be receiving both a
ProxMark3 (http://proxmark3.com/) and a MAKInterface Magstripe Reader/Writer,
Haikon Krohn took second place and will pick up a ProxMark3, and our third place
finalist (JT Taylor) will also be receiving a MAKInterface.
I was surprised by the number of folks who h
Shiny Old VxWorks Vulnerabilities
Back in June, I decided to spend some time looking at the VxWorks
[https://secure.wikimedia.org/wikipedia/en/wiki/VxWorks] operating system.
Specifically, I kept finding references to VxWorks-based devices running
firmware images with the debug service (WDB Agent) enabled, but I could not find
a description of the protocol or any estimates as to how prevalent this service
was. After a couple days of digging around and a couple more days of scanning, I
became aware of just how extensive this issu
W3AF: An Open Source Success Story
Today, as Rapid7 announced the sponsorship
[http://www.rapid7.com/news-events/press-releases/2010/2010-w3af.jsp] of a
second open source project with its support of w3af
[http://w3af.sourceforge.net/], I reflect back on my experience with Rapid7 over
the last 9 months. When I agreed to the acquisition of the Metasploit project by
Rapid7 in October last year it was with a lot of excitement but also with a
small leap of faith. In my initial blog post [/2009/10/21/metasploit-rising]
from October 2
July Patch Tuesday Roundup
The highlight of Microsoft's security bulletins is the fix for Microsoft's
online help vulnerability (MS10-042), identified by Google security researcher
Tavis Ormandy, which could allow an attacker to take control of a computer by
luring a computer user to a malicious Web site.
Microsoft's July security bulletins also address vulnerabilities in
Windows XP, and Josh Abraham, Rapid7 Security Researcher, recommends that “customers
should keep in mind that Windows XP SP2 is now end-of-life. Th
Metasploit
Metasploit Framework 3.4.1 Released!
The Metasploit Project is proud to announce the release of the Metasploit
Framework version 3.4.1. As always, you can get it from our downloads page
[http://www.metasploit.com/framework/download/], for Windows or Linux. This
release sees the first official non-Windows Meterpreter payload, in PHP as
discussed last month [/2010/06/14/meterpreter-for-pwned-home-pages]. Rest
assured that more is in store for Meterpreter on other platforms. A new
extension called Railgun
[http://mail.metasploit.c
Introducing Metasploitable
One of the questions that we often hear is "What systems can I use to test
against?" Based on this, we thought it would be a good idea to throw together an
exploitable VM that you can use for testing purposes.
Metasploitable is an Ubuntu 8.04 server install on a VMware 6.5 image. A number
of vulnerable packages are included, including an install of tomcat 5.5 (with
weak credentials), distcc, tikiwiki, twiki, and an older mysql.
You can use most VMware products [http://www.vmware.com/products/play
Metasploit Framework 3.4.0 Released!
After five months of development, version 3.4.0 of the Metasploit Framework
[http://www.metasploit.com/framework/download/] has been released. Since the
last major release (3.3) over 100 new exploits have been added and over 200 bugs
have been fixed.
This release includes massive improvements to the Meterpreter payload; both in
terms of stability and features, thanks in large part to Stephen Fewer of
Harmony Security. The Meterpreter payload can now capture screenshots without
migrating, inc
May Patch Tuesday Roundup
Time for the May 2010 summary of the upcoming Microsoft Security Updates...
2 Advisories, with 2 Vulnerabilities covered. Both are rated Critical.
The first one covering Outlook Express, Microsoft Mail, and Microsoft Live Mail
on all Windows Operating Systems (sans Server Core and Server Core for Windows
Server 2008 R2) and the second covering Microsoft Visual Basic for Applications.
Both Vulnerabilities allow for Remote Code Execution.
Here's a breakdown:
MS10-030 – Mail Server Integ
Metasploit
Approaching Metasploit 3.4.0 and Metasploit Express
Since mid-December, the Metasploit team has been working non-stop towards
version 3.4.0 of the Metasploit Framework. The final release is still scheduled
for mid-May, but I wanted to share some of the upcoming features, available
today from the development tree. Version 3.4.0 includes major improvements to
the Meterpreter payload, the expansion of the framework's brute force
capabilities, and the complete overhaul of the backend database schema and event
subsystem. In addition, more than 60 exp
April Microsoft Patch Tuesday Roundup
Time for this month's summary of the latest Microsoft Security updates …
11 advisories, with 25 vulnerabilities covered. 5 Critical; 5 Important; 1
Moderate. This is the heaviest April update we've seen; we generally see 5-8
updates in April and 25 vulnerabilities breaks the 2009 April record of 21.
The SMB DoS issue is being addressed; it is rated Important and affects Windows
& Exchange. 2 issues affect Office, both of which are rated Important.
The other 8 affect Windows with 5 Crit
Persistent Meterpreter over Reverse HTTPS
Botnet agents and malware go through inordinate lengths to hide their command
and control traffic. From a penetration testing perspective, emulating these
types of communication channels is possible, but often requires a custom toolkit
to be deployed to the target. In this post I will walk through using the
standard Metasploit Meterpreter payload as a persistent encrypted remote control
tool.
First things first, grab the latest version
[http://www.metasploit.com/framework/download/] of Metasplo
March Microsoft Out-Of-Band Patch Tuesday Roundup
Brief summary of today's Out-Of-Band Microsoft Security update …
1 Cumulative IE update, with 10 vulnerabilities covered. While Out-Of-Band
updates are not unheard of (this is the second one so far this year), 10
vulnerabilities covered is a lot.
Here's the breakdown:
MS10-018: Rated Critical. Cumulative update for Internet Explorer, covering 10
vulnerabilities:
CVE-2010-0267 (Uninitialized Memory Corruption)
CVE-2010-0488 (Post Encoding Information Disclosure)
CVE-2010-0489 (Race C