13 min
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems, Part 2
As you may recall, back in December Rapid7 disclosed six vulnerabilities
[/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that
affect four different Network Management System (NMS) products, discovered by
Deral Heiland [https://twitter.com/percent_x] of Rapid7 and independent
researcher Matthew Kienow [https://twitter.com/hacksforprofit]. In March, Deral
followed up with another pair of vulnerabilities
[/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu
8 min
Vulnerability Disclosure
R7-2016-10: Multiple OSRAM SYLVANIA Osram Lightify Vulnerabilities (CVE-2016-5051 through 5059)
Nine issues affecting the Home or Pro versions of Osram LIGHTIFY were
discovered, with the practical exploitation effects ranging from the accidental
disclosure of sensitive network configuration information, to persistent
cross-site scripting (XSS) on the web management console, to operational command
execution on the devices themselves without authentication. The issues are
designated in the table below. At the time of this disclosure's publication, the
vendor has indicated that all but the la
2 min
Vulnerability Disclosure
R7-2016-08: Seeking Alpha Mobile App Unencrypted Sensitive Information Disclosure
Due to a lack of encryption in communication with the associated web services,
the Seeking Alpha [http://seekingalpha.com] mobile application for Android and
iPhone leaks personally identifiable and confidential information, including the
username and password to the associated account, lists of user-selected stock
ticker symbols and associated positions, and HTTP cookies.
Credit
Discovered by Derek Abdine (@dabdine [https://twitter.com/dabdine]) of Rapid7,
Inc., and disclosed in accordance wit
5 min
Vulnerability Disclosure
R7-2016-06: Remote Code Execution via Swagger Parameter Injection (CVE-2016-5641)
This disclosure will address a class of vulnerabilities in a Swagger Code
Generator [https://github.com/swagger-api/swagger-codegen] in which injectable
parameters in a Swagger JSON or YAML file facilitate remote code execution. This
vulnerability applies to NodeJS [https://nodejs.org/en/], PHP, Ruby
[https://www.ruby-lang.org/en/], and Java [https://java.com/en/download/] and
probably other languages as well. Other code generation tools
[https://apimatic.io/] may also be vulnerable to paramete
4 min
Vulnerability Disclosure
R7-2016-02: Multiple Vulnerabilities in ManageEngine OpUtils
Disclosure Summary
ManageEngine OpUtils is an enterprise switch port and IP address management
system. Rapid7's Deral Heiland discovered a persistent cross-site scripting
(XSS) vulnerability, as well as a number of insecure direct object references.
The vendor and CERT have been notified of these issues. The version tested was
OpUtils 8.0, which was the most recent version at the time of initial
disclosure. As of today, the current version offered by ManageEngine is OpUtils
12.0.
R7-2016-02.1:
5 min
IoT
R7-2016-01: Null Credential on Moxa NPort (CVE-2016-1529)
This advisory was written by the discoverer of the NPort issue, Joakim Kennedy
of Rapid7, Inc.
Securing legacy hardware is a difficult task, especially when the hardware is
being connected in a way that was never initially intended. One way of making
legacy hardware more connectable is to use serial servers. The serial server
acts as a bridge and allows serial devices to communicate over TCP/IP. The
device then appears on the network as a normal network-connected device. This
allows for remote
2 min
IoT
CVE-2015-7547: Revenge of Glibc Resolvers
If you've been involved in patch frenzies for any reasonable amount of time, you
might remember last year's hullabaloo around GHOST
[/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed], a
vulnerability in glibc's gethostbyname() function. Well, another year, another
resolver bug.
gethostbyname(), meet getaddrinfo()
This time, it's an exploitable vulnerability in glibc's getaddrinfo(). Like
GHOST, this will affect loads and loads of Linux client and server applications,
and lik
2 min
Vulnerability Disclosure
R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)
While looking into the SSH key issue outlined in the ICS-CERT ISCA-15-309-01
[https://ics-cert.us-cert.gov/advisories/ICSA-15-309-01] advisory, it became
clear that the Dropbear SSH daemon did not enforce authentication, and a
possible backdoor account was discovered in the product. All results are from
analyzing and running firmware version 1322_D1.98, which was released in
response to the ICS-CERT advisory.
This issue was discovered and disclosed as part of research resulting in
Rapid7's dis
5 min
Vulnerability Disclosure
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor
On December 18th, 2015 Juniper issued an advisory
[https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756?language=en_US]
indicating that they had discovered unauthorized code in the ScreenOS software
that powers their Netscreen firewalls. This advisory covered two distinct
issues; a backdoor in the VPN implementation that allows a passive eavesdropper
to decrypt traffic and a second backdoor
12 min
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems
Today, Rapid7 is disclosing several vulnerabilities affecting several Network
Management System (NMS) products. These issues were discovered by Deral Heiland
[https://twitter.com/percent_x] of Rapid7 and independent researcher Matthew
Kienow [https://twitter.com/hacksforprofit], and reported to vendors and CERT
for coordinated disclosure per Rapid7's disclosure policy. All together, we're
disclosing six vulnerabilities that affect four NMSs, four of which are expected
to be patched by the time o
10 min
Vulnerability Disclosure
R7-2015-22: ManageEngine Desktop Central 9 FileUploadServlet connectionId Vulnerability (CVE-2015-8249)
ManageEngine Desktop Central 9
[https://www.manageengine.com/products/desktop-central/] suffers from a
vulnerability that allows a remote attacker to upload a malicious file, and
execute it under the context of SYSTEM. Authentication is not required to
exploit this vulnerability.
In addition, the vulnerability is similar to a ZDI advisory released on May 7th,
2015, ZDI-15-180 [http://www.zerodayinitiative.com/advisories/ZDI-15-180/]. This
advisory specifically mentions computerName, and this is
2 min
Exploits
R7-2015-17: HP SiteScope DNS Tool Command Injection
This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection
vulnerability, made in accordance with Rapid7's disclosure policy.
Summary
Due to a problem with sanitizing user input, authenticated users of HP SiteScope
running on Windows can execute arbitrary commands on affected platforms as the
local SYSTEM account. While it is possible to set a password for the SiteScope
application administrator, this is not enforced upon installation. Therefore, in
default deployments, an
6 min
Vulnerability Disclosure
Multiple Insecure Installation and Update Procedures for RStudio (R7-2015-10) (FIXED)
Prior to RStudio version 0.99.473, the RStudio integrated toolset for Windows is
installed and updated in an insecure manner. A remote attacker could leverage
these flaws to run arbitrary code in the context of the system Administrator by
leveraging two particular flaws in the update process, and as the RStudio user
via the third update process flaw. This advisory will discuss all three issues.
Since reporting these issues, RStudio version 0.99.473 has been released. This
version addresses all
13 min
Metasploit
Using Reflective DLL Injection to exploit IE Elevation Policies
As you are probably aware, sandbox bypasses are becoming a MUST when exploiting
desktop applications such as Internet Explorer. One interesting class of sandbox
bypasses abuse IE's Elevation Policies. An example of this type of sandbox
bypass is CVE-2015-0016
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The
vulnerability has already been analyzed by Henry Li, who published a complete
description in this blog entry
[http://blog.trendmicro.com/trendlabs-security-intelligence/
11 min
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)
This post is a continuation of Exploiting a 64-bit browser with Flash
CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119]
, where we explained how to achieve arbitrary memory read/write on a 64-bit IE
renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with
Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your
mileage may vary =)
Where we left off before, we had created an interface to work with memory by
using a corrupted