11 min
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119 (Part 2)
This post is a continuation of Exploiting a 64-bit browser with Flash
CVE-2015-5119 [/2015/07/31/supporting-a-64-bits-renderer-on-flash-cve-2015-5119],
where we explained how to achieve arbitrary memory read/write on a 64-bit IE
renderer. As a reminder, we are targeting Windows 8.1 / IE11 (64 bits) with
Flash 15.0.0.189. Of course, this write-up may contain a few errors, so your
mileage may vary =)
Where we left off before, we had created an interface to work with memory by
using a corrupted
3 min
Exploits
Exploiting a 64-bit browser with Flash CVE-2015-5119
Some weeks ago, on More Flash Exploits in the Framework
[/2015/06/30/more-on-flash-exploits-into-the-framework], we introduced the
flash_exploiter library, which is used by Metasploit to quickly add new Flash
exploit modules. If you read that blog entry, then you already know that
flash_exploiter only supports 32-bit browsers (renderers). In this blog post, we
will demonstrate initial steps in adding IE11 64-bit support to CVE-2015-5119
[http://www.cvedetails.com/cve/CVE-2015-5119/], which is o
2 min
Phishing
Top 3 Takeaways from the "Storming the Breach, Part 1: Initial Infection Vector" Webcast
In the recent Rapid7 webcast, "Storming the Breach, Part 1: Initial Infection
Vector"
[https://information.rapid7.com/storming-the-breach-part-1-initial-infection-vector.html?CS=blog],
Incident Response experts Wade Woolwine [/author/wade-woolwine] and Mike
Scutt had a technical discussion on investigation methodologies for the 3 most
common breach scenarios: spear phishing, browser exploitation, and web server
compromise. Their discussion was packed with details and expert tips for
investigati
2 min
Patch Tuesday
R7-2015-09: Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)
Java 8 server versions prior to u46 are susceptible to a remote unauthenticated
denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU
extensions on supported processors. AES intrinsics are enabled by default on the
Oracle JVM if the JVM detects that processor capability, which is common for
modern processors manufactured after 2010. For more on AES-NI, see the
Wikipedia article [http://en.wikipedia.org/wiki/AES_instruction_set].
This issue was tracked in the OpenJDK pu
5 min
Metasploit
Safely Dumping Domain Hashes, with Meterpreter
UPDATE: It has been pointed out that there is prior work worth noting. This
blog post
[http://www.dcortesi.com/blog/2005/03/22/using-shadow-copies-to-steal-the-sam/]
by Damon Cortesi [https://twitter.com/dacort] talked about using Volume Shadow
Copy to get the SAM file back in 2005. As with all things in our Industry, we
stand on the shoulders of those who came before us. We would certainly not want
to take away from anyone else's previous work and accomplishments.
Dumping the stored password
8 min
Metasploit
Wassenaar Arrangement - Frequently Asked Questions
The purpose of this post is to help answer questions about the Wassenaar
Arrangement. You can find the US proposal for implementing the Arrangement here
[https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf],
and an accompanying FAQ from the Bureau of Industry and Security (BIS) here
[http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200]. For Rapid7's
take on Wassenaar, and information on the comments we intend to submit to BIS,
please read this companion pie
2 min
Vulnerability Disclosure
Remote Coverage for MS15-034 HTTP.sys Vulnerability (CVE-2015-1635)
Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034,
which addresses CVE-2015-1635, a remote code execution vulnerability in
Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008
R2 and later. This vulnerability can be trivially exploited as a denial of
service attack by causing the infamous Blue Screen of Death (BSoD) with a
simple HTTP request [https://www.youtube.com/watch?v=BlBXREzsytc].
In order to provide better assessment of your ass
3 min
AppSpider
Security Testing Complex Workflows, Not So Complex Anymore
Conducting web application security testing
[https://www.rapid7.com/fundamentals/web-application-security-testing/] for
complex workflows can be a real pain. In order to find vulnerabilities, valid
test data must be passed through exactly as the workflow prescribes. Most web
application security testing scanners aren't up for the job, so security testers
must supplement their scans with manual testing.
If your organization has just a couple applications that aren't changing, then
manual testing
4 min
AppSpider
Modernize Your Application Security Scanning in Four Easy Steps
You've built modern mobile and rich internet applications (RIAs) that are sure
to improve your business' next major revenue stream. Conscious of security,
you've ensured that the native application authenticates to the server, and
you've run the app through a web application security scanner to identify
weaknesses in the code. Those vulnerabilities have been remediated, and now
you're ready to go live.
Not so fast.
Despite your best intentions, chances are good your mobile and rich internet
ap
2 min
Vulnerability Disclosure
Breaking down the Logjam (vulnerability)
What is it
Disclosed on May 19, 2015, the Logjam vulnerability
[https://weakdh.org/imperfect-forward-secrecy.pdf] (CVE-2015-4000
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000]) is a flaw in
common TLS implementations that can be used to intercept secure communications.
This TLS protocol vulnerability would allow an active man-in-the-middle (MITM)
attacker to silently downgrade a TLS session to export-level Diffie-Hellman
keys. The attacker could hijack this downgraded session b
3 min
Vulnerability Disclosure
How Poisonous is VENOM (CVE-2015-3456) to your Virtual Environments?
Today CrowdStrike disclosed VENOM [http://venom.crowdstrike.com/] (Virtualized
Environment Neglected Operations Manipulation) or CVE-2015-3456
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456], a vulnerability
that could allow an attacker with access to one virtual machine to compromise
the host system and access the data of other virtual machines. It's been a few
months since we've seen a branded and logo'd vulnerability disclosure, and the
main question everyone wants to know is wh
3 min
Exploits
R7-2015-01: CSRF, Backdoor, and Persistent XSS on ARRIS / Motorola Cable Modems
By combining a number of distinct vulnerabilities, attackers may take control of
the web interface for popular cable modems in order to further compromise
internal hosts over an external interface.
Affected Product
ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem
The device is described by the vendor as a "fully integrated all-in-one home
networking solution that combines the functionality of a DOCSIS/EuroDOCSIS 3.0
cable modem, four-port 10/100/1000 Ethernet switch with advanced fi
1 min
Vulnerability Management
March 2015 OpenSSL Security Advisory
Today OpenSSL released a security advisory
[https://openssl.org/news/secadv_20150319.txt] listing 14 vulnerabilities
affecting various versions of OpenSSL. There are 2 High, 9 Moderate, and 3 Low
severity vulnerabilities in the mix.
The security community was anxious that there could be another Heartbleed (or
worse) in this list. Thankfully, this is NOT the case, even among the High
severity vulnerabilities. Many of these vulnerabilities are limited in their
scope, impact, and/or prevalence (es
2 min
Microsoft
A Closer Look at February 2015's Patch Tuesday
This month's Patch Tuesday covers nine security bulletins from Microsoft,
including what seems like a not-very-unusual mix of remote code execution (RCE)
vulnerabilities and security feature bypasses. However, two of these bulletins –
MS15-011 [https://technet.microsoft.com/en-us/library/security/ms15-011] and
MS15-014 [https://technet.microsoft.com/en-us/library/security/ms15-014] –
require a closer look, both because of the severity of the vulnerabilities that
they address and the changes Mi
4 min
Nexpose
GHOSTbuster: How to scan just for CVE-2015-0235 and keep your historical site data
A recently discovered severe vulnerability, nicknamed GHOST, can result in
remote code execution exploits on vulnerable systems. Affected systems should be
patched and rebooted immediately. Learn more about CVE-2015-0235 and its risks
[/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed].
The Nexpose 5.12.0 content update provides coverage for the GHOST vulnerability.
Once the Nexpose 5.12.0 content update