9 min
Vulnerability Disclosure
R7-2014-12: More Amplification Vulnerabilities in NTP Allow Even More DRDoS Attacks
Overview
As part of Rapid7 Labs' Project Sonar [https://sonar.labs.rapid7.com/], among
other things, we scan the entire public IPv4 space (minus those who have opted
out) looking for listening NTP servers. During this research we discovered some
unknown NTP servers responding to our probes with messages that were entirely
unexpected. This lead to the writing of an NTP fuzzer in Metasploit
[https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuz
5 min
Vulnerability Disclosure
R7-2014-01, R7-2014-02, R7-2014-03 Disclosures: Exposure of Critical Information Via SNMP Public Community String
Summary of Vulnerabilities
This report details three critical information disclosure vulnerabilities. The
vulnerabilities were discovered while Matthew Kienow and I (Deral Heiland
[https://twitter.com/percent_x]) were researching information disclosure issues
in SNMP on embedded appliances for a talk
[http://carolinacon.org/abstracts.html#6] at CarolinaCon
[http://carolinacon.org/index.html]. During this research project, most devices
exposed information that would be classified as benign or pub
4 min
Vulnerability Disclosure
Supermicro IPMI Firmware Vulnerabilities
Introduction
This post summarizes the results of a limited security analysis of the
Supermicro IPMI firmware. This firmware is used in the baseboard management
controller (BMC) of many Supermicro motherboards.
The majority of our findings relate to firmware version SMT_X9_226. The
information in this post was provided to Supermicro on August 22nd, 2013 in
accordance with the Rapid7 vulnerability disclosure policy.
Although we have a number of Metasploit modules in development to test these
iss
5 min
Vulnerability Disclosure
Seven FOSS Tricks and Treats (Part One)
Adventures in FOSS Exploitation, Part One: Vulnerability Discovery
_This is the first of a pair of blog posts covering the disclosure of seven new
Metasploit modules exploiting seven popular free, open source software (FOSS)
projects.
Back over DEFCON, Metasploit contributor Brandon Perry decided to peek in on
SourceForge, that grand-daddy of open source software distribution sites, to see
what vulnerabilities and exposures he could shake loose from an assortment of
popular open source enterpri
3 min
Product Updates
Weekly Update: Cooperative Disclosure and Assessing Joomla
Cooperative Disclosure
I'm in attendance this year at Rapid7's UNITED Security Summit, and the
conversations I'm finding myself in are tending to revolve around vulnerability
disclosure. While Metasploit doesn't traffic in zero-day vulnerabilities every
day, it happens often enough that we have a disclosure policy that we stick to
when we get a hold of newly uncovered vulnerabilities.
What's not talked about in that disclosure policy is the Metasploit exploit dev
community's willingness to help
6 min
Metasploit
Good Exploits Never Die: Return of CVE-2012-1823
According to Parallels, "Plesk is the most widely used hosting control panel
solution, providing everything needed for creating and offering rich hosting
plans and managing customers and resellers, including an intuitive User
Interface for setting up and managing websites, email, databases, and DNS."
(source: Parallels [http://www.parallels.com/products/plesk/webhosters/]). On
Jun 05 kingcope shocked Plesk world by announcing a new 0 day which could allow
for remote command execution:
Accordi
13 min
Metasploit
From the Wild to Metasploit: Exploit for MoinMoin Wiki (CVE-2012-6081)
Recently we've added to Metasploit a module for CVE-2012-6081,
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6081] an arbitrary file
upload vulnerability affecting to the version 1.9.5 (patched!) of the MoinMoin
[http://moinmo.in/] Wiki software. In this blog entry we would like to share
both the vulnerability details and how this one was converted in RCE (exploited
in the wild!) because the exploitation is quite interesting, where several
details must have into account to successful e
5 min
Exploits
Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)
Background
Earlier this week, a critical security flaw
[https://www.rapid7.com/blog/post/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156/]
in Ruby on Rails (RoR) was identified that could expose an application to remote
code execution, SQL injection
[https://www.rapid7.com/fundamentals/sql-injection-attacks/], and denial of
service attacks. Ruby on Rails is a popular web application framework that is
used by both web sites and web-enabled products and this flaw is by far the
worst
4 min
Metasploit
Serialization Mischief in Ruby Land (CVE-2013-0156)
This afternoon a particularly scary advisory
[https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion]
was posted to the Ruby on Rails (RoR) security discussion list. The summary is
that the XML processor in RoR can be tricked into decoding the request as a YAML
document or as a Ruby Symbol, both of which can expose the application to remote
code execution or SQL injection. A gentleman by the name of Felix Wilhelm went
into detail [http://www.insinuator.net/2013/01/r
7 min
Exploits
New 0day Exploit: Novell ZENworks CVE-2012-4933 Vulnerability
Today, we present to you a flashy new vulnerability with a color-matching
exploit straight from our super secret R&D safe house here in Metasploit
Country. Known as CVE-2012-4933
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4933], it applies to
Novell ZENworks Asset Management 7.5, which "integrates asset inventory,
software usage, software management and contract management to provide the most
complete software asset management tool available". Following our standard
disclosure polic
1 min
Nexpose
Moving from HML (High, Medium, Low) Hell to Security Heaven – Whiteboard Wednesdays
At last check there are about 22 new vulnerabilities being published and
categorized every single day (see National Vulnerability Database web site -
http://nvd.nist.gov/). In total, the National Vulnerability Database now
contains more than 53,000 vulnerabilities. No wonder security professionals are
overwhelmed with the sheer volume of vulnerabilities in their daily practices.
At the same time, the prioritization schema that many organizations use are
quite basic and are either proprietary or
2 min
Authentication
Free Scanner for MySQL Authentication Bypass CVE-2012-2122
The MySQL authentication bypass vulnerability (CVE-2012-2122) - explained in
detail in HD Moore's blog post - was the cause for much concern when it was
first discovered. In response, we've created a new vulnerability scanner for
CVE-2012-2122 called ScanNow, which enables you to check your network for
vulnerability to this security issue. The best thing: it's simple to use,
completely free, and scans unlimited IPs for this vulnerability!
This vulnerability allows an attacker to bypass authenti
3 min
Metasploit
New Critical Microsoft IE Zero-Day Exploits in Metasploit
We've been noticing a lot of exploit activities against Microsoft
vulnerabilities lately. We decided to look into some of these attacks, and
released two modules for CVE-2012-1889
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889] and CVE-2012-1875
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875] within a week of
the vulnerabilities' publication for our users to test their systems. Please
note that both are very important to any organization using Windows, because one
of
5 min
Vulnerability Disclosure
CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL
Introduction
On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about
a recently patched security flaw CVE-2012-2122in the MySQL and MariaDB database
servers. This flaw was rooted in an assumption that the memcmp() function would
always return a value within the range -128 to 127 (signed character). On some
platforms and with certain optimizations enabled, this routine can return values
outside of this range, eventually causing the code that compares a hashed
password to s
2 min
Microsoft
Information Disclosure: Out of Office Auto Replies
Out of office replies are a blessing and a curse for organizations from an
operational security perspective. Many of the out of office auto replies I
receive contain too much information. Since many security professionals are at
the RSA Conference this week I've had plenty hit my inbox. This is nothing
compared to December around the holiday season. Like anything the information in
the replies can be used for good and bad. Good people are trying to ensure that
work continues while they are away