3 min
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119
Some weeks ago, on More Flash Exploits in the Framework
[/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the
flash_exploiter library, which is used by Metasploit to quickly add new Flash
exploit modules. If you read that blog entry, then you already know that
flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we
will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119
[http://www.cvedetails.com/cve/CVE-2015-5119/] , which is o
4 min
Vulnerability Disclosure
R7-2015-08: Accellion File Transfer Appliance Vulnerabilities (CVE-2015-2856, CVE-2015-2857)
This disclosure covers two issues discovered with the Accellion
[https://www.accellion.com/] File Transfer Appliance, a device used for secure
enterprise file transfers. Issue R7-2015-08.1 is a remote file disclosure
vulnerability, and issue R7-2015-08.2 is remote command execution vulnerability.
Metasploit modules have been released for both issues, as of Pull Request 5694
[https://github.com/rapid7/metasploit-framework/pull/5694].
According to the vendor, both issues were addressed in version
2 min
Vulnerability Disclosure
Remote Coverage for MS15-034 HTTP.sys Vulnerability (CVE-2015-1635)
Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034,
which addresses CVE-2015-1635, a remote code execution vulnerability in
Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008
R2 and later. This vulnerability can be trivially exploited as a denial of
service attack by causing the infamous Blue Screen of Death (BSoD) with a
simple
HTTP request [https://www.youtube.com/watch?v=BlBXREzsytc].
In order to provide better assessment of your ass
2 min
Vulnerability Disclosure
Breaking down the Logjam (vulnerability)
What is it
Disclosed on May 19, 2015, the Logjam vulnerability
[https://weakdh.org/imperfect-forward-secrecy.pdf] (CVE-2015-4000
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000]) is a flaw in
common TLS implementations that can be used to intercept secure communications.
This TLS protocol vulnerability would allow an active man-in-the-middle (MITM)
attacker to silently downgrade a TLS session to export-level Diffie-Hellman
keys. The attacker could hijack this downgraded session b
3 min
Vulnerability Disclosure
How Poisonous is VENOM (CVE-2015-3456) to your Virtual Environments?
Today CrowdStrike disclosed VENOM [http://venom.crowdstrike.com/] (Virtualized
Environment Neglected Operations Manipulation) or CVE-2015-3456
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456], a vulnerability
that could allow an attacker with access to one virtual machine to compromise
the host system and access the data of other virtual machines. It's been a few
months since we've seen a branded and logo'd vulnerability disclosure, and the
main question everyone wants to know is wh
2 min
Microsoft
A Closer Look at February 2015's Patch Tuesday
This month's Patch Tuesday covers nine security bulletins from Microsoft,
including what seems like a not-very-unusual mix of remote code execution (RCE)
vulnerabilities and security feature bypasses. However, two of these bulletins –
MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and
MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] –
require a closer look, both because of the severity of the vulnerabilities that
they address and the changes Mi
2 min
Android
R7-2015-02: Google Play Store X-Frame-Options (XFO) Gaps Enable Android Remote Code Execution (RCE)
Vulnerability Summary
Due to a lack of complete coverage for X-Frame-Options
[https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options] (XFO)
support on Google's Play Store [https://play.google.com/] web application
domain, a malicious user can leverage either a Cross-Site Scripting (XSS)
vulnerability in a particular area of the Google Play Store web application, or
a Universal XSS (UXSS) targeting affected browsers, to remotely install and
launch the main intent of an arbitrary Play S
4 min
Nexpose
GHOSTbuster: How to scan just for CVE-2015-0235 and keep your historical site data
A recently discovered severe vulnerability, nicknamed GHOST, can result in
remote code execution exploits on vulnerable systems. Affected systems should be
patched and rebooted immediately. Learn more about
[/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed]
CVE-2015-0235 and its risks
[/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed].
The Nexpose 5.12.0 content update provides coverage for the GHOST vulnerability.
Once the Nexpose 5.12.0 content update
2 min
Linux
GHOST in the Machine - Is CVE-2015-0235 another Heartbleed?
CVE-2015-0235 is a remote code execution vulnerability affecting Linux systems
using older versions of the GNU C Library (glibc versions less than 2.18). The
bug was discovered by researchers at Qualys and named GHOST in reference to the
_gethostbyname function (and possibly because it makes for some nice puns).
To be clear, this is NOT the end of the Internet as we know, nor is it further
evidence (after Stormaggedon) that the end of the world is nigh. It's also not
another Heartbleed. But it
3 min
Vulnerability Disclosure
POODLE Jr.: The Revenge - How to scan for CVE-2014-8730
A severe vulnerability was disclosed in the F5 implementation of TLS 1.x that
allows incorrect padding and therefore jeopardizes the protocol's ability to
secure communications in a way similar to the POODLE vulnerability
[/2014/10/14/poodle-unleashed-understanding-the-ssl-30-vulnerability].
The Nexpose 5.11.10 update provides coverage for this vulnerability, which has
been given the identifier CVE-2014-8730
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730]. Learn more
about CVE-2
3 min
Authentication
Patch CVE-2014-6324 To Avoid A Complete Domain Rebuild When UserInsight Detects Its Exploit
On Tuesday, November 18th, Microsoft released an out-of-band security patch
affecting any Windows domain controllers that are not running in Azure. I have
not yet seen any cute graphics or buzzword names for it, so it will likely be
known as MS14-068, CVE-2014-6324, or "that Kerberos vulnerability that is being
exploited in the wild to completely take over Windows domains" because it rolls
off the tongue a little better.
There is a very informative description of the vulnerability, impact, and
3 min
Vulnerability Disclosure
R7-2014-15: GNU Wget FTP Symlink Arbitrary Filesystem Access
Introduction
GNU Wget is a command-line utility designed to download files via HTTP, HTTPS,
and FTP. Wget versions prior to 1.16 are vulnerable a symlink attack
(CVE-2014-4877) when running in recursive mode with a FTP target. This
vulnerability allows an attacker operating a malicious FTP server to create
arbitrary files, directories, and symlinks on the user's filesystem. The symlink
attack allows file contents to be overwritten, including binary files, and
access to the entire filesystem wit
3 min
Vulnerability Disclosure
Block the POODLE's bite: How to scan for CVE-2014-3566
A severe vulnerability was disclosed in the SSL 3.0 protocol that significantly
jeopardizes the protocol's ability to secure communications. All versions of SSL
have been deprecated and its use should be avoided wherever possible. POODLE
(Padding Oracle On Downgraded Legacy Encryption) is the attack that exploits
this vulnerability and allows a hacker to potentially steal information by
altering communications between the SSL client and the server (MitM). Learn
more
about CVE-2014-3566
[/2014/10
2 min
Vulnerability Disclosure
UserInsight Gets the All-Clear for ShellShock and Helps Detect Attackers on Your Network
If you're in security, you've likely already heard about the ShellShock
vulnerability [http://www.rapid7.com/resources/bashbug.jsp] (aka Bash Bug,
CVE-2014-6271, and CVE-204-7169). We have reviewed how ShellShock is being
exploited, and the disclosed vectors are not applicable to our UserInsight
deployment, yet we're following the security community's lead around patching
all of our systems.
In case other systems on your network have been compromised, you should be extra
vigilant about suspicio
3 min
Vulnerability Disclosure
Bash the bash bug: Here's how to scan for CVE-2014-6271 (Shellshock)
_[Edited 10:05 AM PDT, October, 2014 for the Nexpose 5.10.13 release]_
[Edited 10:05 AM PDT, September 26, 2014 for the Nexpose 5.10.11 release]
A severe vulnerability was disclosed in bash that is present on most Linux, BSD,
and Unix-like systems, including Mac OS X. The basis of this vulnerability
(nicknamed Shellshock) is that bash does not stop processing after the function
definition, leaving it vulnerable to malicious functions containing trailing
commands. Common Vulnerabilities and Exp