• August 23rd, 2010

Application DLL Load Hijacking

This post discusses the DLL loading vulnerabilities covered in the news last week. For technical information about the flaw and how to test for it, please see the Metasploit Blog.

Last Thursday, Acros, a Slovenian security firm, published an advisory that identified what they call a “binary planting” flaw in iTunes. Essentially, if you open a file type associated with iTunes from a remote network share, iTunes will also try to load one or more DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.

While working on the Windows Shortcut exploit, I stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem. iTunes was one of these applications and the details in the Acros advisory made it clear that this was indeed the same flaw. I was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The Acros advisory on the 18th threw a wrench into this process.

I contacted Acros and asked whether they were aware that this problem affected other applications and whether they would like to coordinate the disclosure process. The reply is quoted below.

“I don’t know if you saw the draft of our new commercial disclosure policy, but we essentially gave up on alerting vendors for free. We’ve been providing free research to them for over 10 years and it hasn’t paid out well. What you’re seeing on Bugtraq now are the “remains of the old days,” so to speak :-) We’ve found better markets for this kind of information. To answer your specific question: no, we have not reported any issues in the products you mentioned – and have no intention to, should we come across one. So if your goal is to get credited for alerting them, you have nothing to worry about. I hope it pays off for you. As for the public status of this class of problems, it has been public for at least 10 years now (see the “ancient” NSA Windows NT security guide) and some developers were obviously not aware of it.”

The reply from Acros made it clear that they were not working with the vendors nor did they have any intention of doing so. Acros is also claiming to have applied for a patent on methods for discovering these vulnerabilities. In the same post, they also claim to have been sitting on these issues since November of 2008. I contacted the folks at Microsoft to give them a heads up about the issues that I found and asked what their plans were to address them. Microsoft indicated that they were aware of the flaws, but were still working on a KB article and guidance information for affected vendors. At least four of Microsoft’s own applications have been confirmed as exploitable through this vector, two of which were already being addressed by the time I contacted them.

Rapid7 is committed to a Vulnerability Disclosure Policy that is fair to both vendors and customers seeking to use their technology securely. However, at this point, I feel that the cat is firmly out of the bag. I wasn’t the only person to know about these flaws before the Acros advisory was made public. Earlier this year, Taeho Kwon and Zhendong Su published a paper titled Automatic Detection of Vulnerable Dynamic Component Loadings. This paper covers this exact issue and enumerates a large number of affected applications. While this paper focuses on archive files and Carpet Bombing attacks, the same methodology also applies to remote network shares. Over the weekend, Thierry Zoller published a blog entry that describes the underlying issue and indicates that Photoshop is one of the vulnerable applications. As Thierry notes, a variation of this bug was originally published in 2000 by Georgi Guninski. The biggest difference is that the new issues mostly apply to applications where the hijacked DLL does not exist in the system directory (application-specific libraries).

As a compromise between releasing the full list of affected products and not saying anything at all, I decided to push a generic exploit module to the Metasploit Framework and release an audit kit that can be used to identify affected applications on a particular system. At this time, the exploit will not work unless you manually specify a vulnerable file type. The audit kit should make it easier for other folks to identify vulnerable applications and hopefully have them addressed by the vendor. Metasploit Express will receive an update on Wednesday with support for this generic exploit module. More information about the audit kit and the exploit module can be found in this Metasploit blog entry.

Some quick facts about this class of vulnerabilities:

1. To exploit this vulnerability, an attacker must convince their victim to open a file from a directory they control. This can be an extracted archive, a USB key, or a network share using SMB or WebDAV. The file the user opens is not malicious nor does it have to have specific content to trigger the vulnerability. The audit kit uses a local directory to test for the issue and the generated proof-of-concept files can load from a local or remote directory.

2. In most cases, the user must first browse to the directory, then double-click the specific file for this exploit to trigger. Embedding this link into an OLE document or direct linking to the UNC path of the affected file type will not change the working directory to the share prior to opening it. For example, a link to \\server\documents would lead to code execution if the user opened a file from this directory, but a direct link to \\server\documents\somedocument.ext would not trigger this issue. There are some exceptions, but these tend to be application-specific problems and the general rule still applies.

3. In the case of a network share, a DLL does not need to be visible within the directory listing for this to be exploitable. The Metasploit module will list the affected file type but the DLL itself is not shown, since it is generated on the fly when requested by the vulnerable application. This can lead the user to believe that a safe document type in an otherwise empty network share is safe to open.

4. If the application is trying to load a DLL that is normally found within the PATH, but not the Windows system directories, and the PATH contains environment variables that have not been set, then the literal value of the environment variable will be treated as a sub-directory of the working directory (the share). For example, if %unknownvariable%\bin is in the system PATH, the share will be searched for a directory called “%unknownvariable%\bin” and the target DLL will be loaded from within this sub-directory.

5. Detecting a vulnerable application requires more validation than just watching for an attempt to access a DLL in the current directory. Many applications will call rundll32 to load the DLL in question and this will result in a file access in the working directory, even though the DLL may not actually be loaded. Some applications load executables and configuration files from the current directory, so any audit needs to account for non-DLL file access as well.
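To make the search-order behaviour behind facts 1 and 4 concrete, here is an added Python simulation of the Windows DLL search order; it is not part of this post or of the Metasploit audit kit. It assumes the documented SafeDllSearchMode order (application directory, system directories, current working directory, then each PATH entry), and every directory name, file name and PATH value in it is constructed sample data.

```python
"""Simulate the Windows DLL search order to audit DLL load hijacking.

Added example, not code from the Metasploit audit kit. It follows the
documented SafeDllSearchMode order: the application's directory, the system
directories, the current working directory, then each PATH entry. All
directory names, file names and the PATH value below are constructed.
"""
import ntpath
import re

# Trusted directories searched before the working directory (SafeDllSearchMode).
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def expand_env(entry: str, env: dict) -> str:
    """Expand %VAR% references the way the PATH is expanded at load time.

    A variable that is not set is left in the string literally, so an entry
    such as %unknownvariable%\\bin survives as a relative path (quick fact 4).
    """
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), entry)


def is_absolute(path: str) -> bool:
    """Drive-letter and UNC paths are absolute; anything else is resolved
    relative to the working directory."""
    return bool(re.match(r"^[A-Za-z]:\\", path)) or path.startswith("\\\\")


def search_order(app_dir: str, cwd: str, path_env: str, env: dict) -> list:
    """Directories in the order LoadLibrary("name.dll") would try them."""
    dirs = [app_dir] + SYSTEM_DIRS + [cwd]
    for entry in path_env.split(";"):
        entry = expand_env(entry.strip(), env)
        if not entry:
            continue
        dirs.append(entry if is_absolute(entry) else ntpath.join(cwd, entry))
    return dirs


def under(directory: str, cwd: str) -> bool:
    """True if directory is the working directory or lies beneath it."""
    d, c = directory.lower().rstrip("\\"), cwd.lower().rstrip("\\")
    return d == c or d.startswith(c + "\\")


def planting_directories(dll: str, app_dir: str, cwd: str, path_env: str,
                         env: dict, filesystem: set) -> list:
    """Directories under the user-opened location (e.g. a network share) from
    which a planted copy of `dll` would be loaded.

    `filesystem` is the set of lower-cased full paths that exist on the
    victim's machine before anything is planted. The walk stops at the first
    trusted directory that already holds the DLL, which is why a library that
    lives in System32 is not hijackable this way while an application-specific
    library found only via PATH is.
    """
    hits = []
    for directory in search_order(app_dir, cwd, path_env, env):
        if under(directory, cwd):
            hits.append(directory)
        elif ntpath.join(directory, dll).lower() in filesystem:
            break
    return hits


# Constructed sample: a media player opening a document from \\server\documents.
APP_DIR = r"C:\Program Files\MediaPlayer"
SHARE = r"\\server\documents"
PATH_ENV = r"C:\Windows\System32;%unknownvariable%\bin;C:\Tools\bin"
ENV = {"systemroot": r"C:\Windows"}   # "unknownvariable" is deliberately unset
FILESYSTEM = {p.lower() for p in [
    r"C:\Windows\System32\kernel32.dll",        # OS library, found before the share
    r"C:\Program Files\MediaPlayer\ui.dll",      # shipped next to the application
    r"C:\Tools\bin\codecpack.dll",               # application-specific, found only via PATH
]}


def main():
    for dll in ["kernel32.dll", "ui.dll", "codecpack.dll"]:
        hits = planting_directories(dll, APP_DIR, SHARE, PATH_ENV, ENV, FILESYSTEM)
        if hits:
            print(f"{dll}: HIJACKABLE from " + ", ".join(hits))
        else:
            print(f"{dll}: safe (a trusted directory supplies it first)")


if __name__ == "__main__":
    main()
```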

Every affected vendor will need to release a product update to completely patch this issue. There are some workarounds that can be put in place in the short-term and these will have a side effect of blocking similar exploits in the future.

a) Block outbound SMB at the perimeter. Every organization should be doing this already, as this also prevents SMB Relay attacks and NTLM hash harvesting.

b) Block outbound WebDAV at the perimeter. This is tricky to do unless you force your users to go through an HTTP proxy. Blocking the PROPFIND HTTP method should be enough to prevent this exploit and ones similar to it from working.

c) Disable the “Web Client” server on all of your desktops through group policy. This is a prudent decision for most enterprises and removes the need to put a PROPFIND filter in place for outbound WebDAV traffic.

We expect to see additional guidance from Microsoft today and will update this post when that information becomes available.

Update. Microsoft has released a security advisory that discusses the flaw and possible workarounds. The MSRC blog has additional information about the advisory and the SRD blog has a link to the KB article and a tool that administrators can use to mitigate the problem today. The KB article is not quite up yet, but will be at this URL. For more information on dynamic link library security, please see this MSDN page.


Last Saturday, our favorite South Florida hacker collective, HackMiami, took first place at the South Florida ISSA Hack the Flag contest in Fort Lauderdale, FL. Seven teams participated, defending systems running a variety of off-the-shelf services such as HTTP, SSH, FTP, while attempting to take control of other teams’ systems. We think it’s a useful case study, and wanted to share the results with you.

HackMiami was the first team to enumerate all servers in a range of 3,096 IP addresses using the discovery feature from our own Metasploit Express. Using screenshots of the Metasploit Express hosts overview, they tracked machines that could no longer be pinged or had moved to different IP addresses.

Tracking via screenshots is hardly ideal, so when discussing the results after the competition, we put together a script to help automate scenarios like this one, where you require ongoing discovery scans.

This script simply specifies a configuration to the Metasploit Express discovery module, then instructs the RPC service to scan. Combined with a cron job (*/5 * * * * discover_rpc.rb), this is a powerful way to visualize a target network. Results will automatically populate in the Express interface. Everything within Express is highly automatable, and designed to speed up your pentesting workflow.

While the vulnerable servers were able to withstand bruteforce and auto-exploitation, the Metasploit Express banner grab, which uses both nmap and modules from the framework for additional fingerprinting, showed vsftp 2.0.4 running on one server, which accepted anonymous logons (and contains several fairly severe vulnerabilities). HackMiami used this to their advantage and won the competition. Congrats guys!

HackMiami chose to use Metasploit Express in large part because it had recently won over alternative commercial software in the HackMiami Pwn-Off, and we provide a 7-day trial available for free here. Download it and give it a shot!


  • August 11th, 2010

August Patch Tuesday Roundup

Microsoft’s patch this month, which consists of 14 bulletins that address 34 vulnerabilities, is the largest since October 2009. With the massive amount of work that lies ahead, it may help to prioritize your work.

Josh Abraham, Rapid7 Security Researcher, recommends that you pay particular attention to MS10-054. This vulnerability in the SMB protocol “is potentially the most dangerous vulnerability as it allows unauthenticated attackers to execute arbitrary code on remote machines.” Abraham notes further that, “if MS10-054 is weaponized, it would primarily be useful against XP SP3, since the other versions of Windows were not rated as critical for this bulletin. This means that an attacker would be able to exploit workstations on an internal network in the most common situation.”

Here is the breakdown of the bulletins that have a high potential for exploits:

 - MS10-046 – Critical – Exploit in the wild: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
 - MS10-047 – Important: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
 - MS10-048 – Important: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
 - MS10-050 – Important: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
 - MS10-052 – Critical: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
 - MS10-053 – Critical: Cumulative Security Update for Internet Explorer (2183461)
 - MS10-055 – Critical: Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
 - MS10-056 – Critical: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
 - MS10-057 – Important: Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
 - MS10-058 – Important: Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
 - MS10-059 – Important: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)
 - MS10-060 – Critical: Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

NeXpose Community Edition, the free version of NeXpose, has coverage within 24 hours of the release. NeXpose Community Edition will enable you to detect these and every other Microsoft vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) with publicly available exploits on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release.

For larger environments, we invite you to download NeXpose Enterprise. Get it here.


  • August 09th, 2010

Black Hat Race To Root Results

We had a good number of folks compete for prizes in the Race to Root competition at this year’s Black Hat, so thanks to everyone who came by. Three competitors came out on top. Anders Hansen took first place! He’ll be receiving both a ProxMark3 (http://proxmark3.com/) and a MAKInterface Magstripe Reader/Writer (http://www.makinterface.de/index_e.php3?frompage=/makstusbe.php3), Haikon Krohn took second place and will pick up a ProxMark3, and our third place finalist (JT Taylor) will also be receiving a MAKInterface.

I was surprised by the number of folks who had heard about Metasploit Express but hadn’t had a chance to try it yet. There’s a seven-day trial available here (http://www.rapid7.com/contact/metasploit-express-contact.jsp) if you’d like to try it. Much of the time in the booth was spent demoing features and talking through pentesting scenarios. Some of the features that we ended up talking a lot about:

 - Vulnerability Scanner Integration – You can control the NeXpose vulnerability scanner right in the interface of Metasploit Express, and don’t have to bother with exporting / importing results. We can also import from other formats like Nessus, Qualys, and nmap. All that info gets imported, and you can simply hit bruteforce or exploit to bang on it. Doesn’t get much simpler than that. The exploit mapping is significantly better than anything previously available with Metasploit, and can be configured to stop after the first exploit hits.

 - Post-Exploitation Collection – This was a useful feature in the Race to Root competition. By exploiting a device and running the collection scripts, you can quickly grab data from a massive number of machines. In the case of Race to Root, this picked up an SSH key which gave access to the target device.

 - Pass-The-Hash Attacks – Built into the product is quite likely the simplest way to take control of a corporate Windows network today. If you’re able to take control of a single device on a network, be it with automatic exploitation (described by one attendee as autopwn on steroids), bruteforce, or manual exploitation, you can use Metasploit Express to collect hashes from the device. Once you have hashes for a single box on a domain, it’s very likely that the administrator used the same password on all the boxes on the domain, and therefore you have the hashes for all the boxes. By simply re-running bruteforce with known credentials, you can own the entire domain in a matter of minutes. Watching this happen turns out to be quite convincing for management.

Also of major interest were the reporting features (yep, we’ve got editable reports) and post-exploitation pivoting functionality (got it too :). Pivoting is a recent add, so if you haven’t had a chance to check it out, download the 3.4.1 trial and give it a go.

Huge props to our marketing team for putting together a rather awesome Black Hat party. It was during that party that we announced the next version of Metasploit; Metasploit Pro. You can find the trailer (yes, we have a trailer!) here: http://www.rapid7.com/revolution.

Thanks again to everyone who came by the booth at Black Hat, whether it was to learn about NeXpose, learn about Metasploit Express, or just to say hello.


  • August 05th, 2010

MS10-046: A rude awakening

Unless you’ve been living under a rock, you’ve probably seen some chatter about the Stuxnet worm and the patch now known to the world as MS10-046.  This out-of-band patch Microsoft released on Monday plugged a hole in the Windows shell component which handles lnk file parsing.  That bug allowed malware authors to piggyback their own malicious code to infect sensitive networks.

If you hadn’t tasked yourself with reversing the worm to figure out its internals, you’d think that it was exploiting a vulnerability that was limited to local execution; after all, the Stuxnet reports were widely focused on transmission of the worm through USB keys.  However, Microsoft’s release of the advisory tells us a different story now that we have a CVE and associated CVSS score (presumably submitted by MSRC): CVE-2010-2568.  Looking at the CVSS vector (scored 9.3), we can see that it allows for remote (AV:N), unauthenticated (Au:N) execution but requires a bit of interaction from the user (AC:M).  Why not AV:L?  An attacker can coerce a user into viewing a lnk file exploiting the vulnerability by hosting something such as a CIFS share and coercing the user to visit that share.  To equate the social engineering method to another type of (unrelated) attack, think of it like an attacker coercing a user to visit a link that exploits an XSS weakness in a webapp to grab that user’s session cookie.  In the Stuxnet case, SCADA environments (the most volatile of which are infrastructure related such as power plants) are usually totally disconnected or filtered from the internet.

Critical Infrastructure

SCADA environments are typically made up of proprietary equipment with shoddy implementations of contextually popular protocols such as DNP3 and ModBus as well as protocols popular in Corporate IT such as TCP.  It is also common for these environments to use operating systems that have reached their end-of-life, and for the vendors of such systems to leave them unpatched for some time.  This equipment is used to drive machinery, report statistics and control systems.  In the case of power plants, a failure of even one of these assets can have a catastrophic outcome.

Perhaps by now you’ve asked yourself “why isn’t there a clean room policy?”.  These systems are governed by the NERC CIP standards, which are relatively new.  CIP is a gigantic step forward for security in that industry, but it’s still evolving.  The standards cover a wide range of processes which build up a security management program.  There is definitely a big focus on critical assets and the data around those assets, but no real policy of what data goes in.  Additionally, there are stipulations for the use of a vulnerability assessment solution and endpoint scanner.  That’s a great mix of proactive and reactive.  However, the accuracy of those tools depends on the vendors putting updates out for that 0day (which may not even be known to the public) and the internal policies of the plant that maintains them pertaining to updating the software.  If either of those links fails, these environments are still vulnerable to an attack.  NERC could improve this gap by more clearly defining policies on what and how data can be transferred into the electronic perimeter.

The great thing about the Stuxnet worm is that it kick-started scrutiny on SCADA environments again.  NeXpose was updated with a check for this vulnerability this week, so go grab a copy and scan your own environment if you haven’t already.  I’m sleeping more easily knowing that there are now guys in black suits scrambling around…

-D


  • August 02nd, 2010

New VxWorks Vulnerabilities

CERT plans to publish advisories for VU#362332 and VU#840249 today, both flaws in the VxWorks operating system. VxWorks is used to power a wide range of devices, including everything from printers, to fibre-channel switches, and even spacecraft. NeXpose users already have a check in place for VU#362332, while VU#840249 is a bit more complicated and has to be handled at the vendor level.

The first flaw (VU#362332) refers to an exposed VxWorks debug service (WDB Agent). This service runs over UDP port 17185 and allows complete access to the device, including the ability to manipulate memory, steal data, and ultimately hijack the entire operating system. This service was inadvertently left exposed by over 100 different vendors and affects at least 250,000 devices sitting on the internet today. We strongly recommend that ACLs be put in place for UDP 17185 until you have a chance to assess each of your networks and verify that none of your devices suffer from this issue. The NeXpose check was pushed out in the last update and should detect all instances of this vulnerability. The open source and free to use Metasploit Framework can also be used to scan for this vulnerability. Our own research indicates that this flaw has already been widely exploited as far back as 2006. You may also refer to our list of known-vulnerable devices, however, keep in mind that this list is not comprehensive.

The second flaw relates to a weak password hashing implementation in the VxWorks operating system. Any device that uses the built-in authentication library to handle Telnet and FTP authentication can be compromised. The flaw occurs because there are only 210,000 possible hash outputs for all possible passwords. An attacker can simply cycle through the most common ranges of hash outputs of about 8,000 work-alike passwords to gain access to a VxWorks device. Using the FTP protocol, this attack would only take about 30 minutes to try all common password permutations. Since detecting this flaw requires knowing a valid username and knowing that the device uses the built-in library, there is no quick way to scan for this issue across the network. Instead, we recommend that you keep an eye out for any device with a Telnet or FTP banner containing the “VxWorks” string. If you need to confirm that a specific device is not affected, you can also contact the manufacturer and refer to the CERT ID (VU#840249). In some situations, it is possible to detect this flaw by analyzing a firmware image of the target device.

While the most commonly found VxWorks devices include printers and print servers, many critical systems have also been found to run the VxWorks operating system and be affected by at least one of these two flaws. Dell’s PowerConnect switches, HP’s MSA raid controllers, and a large number of fibre-channel switches and VoIP equipment have all been identified as vulnerable. If you would like more information on these issues, please see the Metasploit blog post and the Fun with VxWorks presentation slides.


  • July 28th, 2010

Better is not good enough

In July 2009 I posted to the Rapid7 blog that the future is friendly.  In that post, I talked about how we, as vendors and service providers, have not fulfilled our promises to protect our customers, feed the community, and catalyze change.  I admitted that we need to be better, committed that we will be better, and announced to you that it starts now.  Now that we’ve reached the end of July 2010, it seems like an appropriate time to reflect on that optimism, reflect on our commitment, and reflect on the state of our industry.

Life’s been busy at Rapid7 over the last year, and we’ve been laser-focused on fulfilling these promises.

Within our own products and services, we’ve started to move the ball forward.  We’ve greatly expanded our detection coverage, speed, and accuracy in NeXpose.  We’ve expanded the scope and maturity of our Professional Services team, broadening the penetration testing, technical assessment, and engagement practices of our folks out there on the road every day.  We acquired the Metasploit project and provided dedicated resources to the community-based framework, released the first commercial version with Metasploit Express, and brought critical intelligence from the penetration testing discipline into NeXpose with Exploit Exposure.  We delivered a free version of NeXpose to the community with NeXpose Community Edition.  All of this has been done to deliver more capability and to make security more accessible to more people by making it easier to use and affordable.  These are important first steps, and while we are extremely proud of the work that our people have done in delivering this value, they are just that: first steps.

On a personal level, my responsibilities have expanded from Security Strategy to include Strategic Alliances.  This has not only proven to be a personally enriching experience; it has been an important move for Rapid7 to keep our partner strategy focused on collaborations that add value beyond revenue growth for the company.  Our strategic alliances are driven from the core values that I communicated on the blog just over a year ago: to better protect our customers, to better feed the community, and to catalyze change.  We’ve engaged in some important partnerships and collaborations as a result, and we’ve declined a number of opportunities that were not focused on these core values.  We are not trying to become a malware detection company.  We are not trying to become a narrow-focused MSSP.  We are not trying to become a SIEM vendor.  We will continue to be the fastest growing, most innovative Vulnerability Management and Penetration Testing company in our industry because that is the value that customers look for us to provide. 

This focus and relentless execution have brought business benefit to the company, with much more awareness about Rapid7 in the market, 117% growth in Sales in the first half of 2010 over the same period last year, top tier ranking in the latest Gartner Market Scope, recognition as a leader in the latest Forrester Wave, and increased adoption of our open source and community offerings that have far exceeded our expectations.  When you do the right things at the right time for the right reasons with the right collaborations, you achieve success.  This is the basis of our success to date, and this is the basis of our strategy moving forward.

We’ve seen change happening on many fronts, and the expansion of community-based collaboration has never been so vibrant.  The launch, community participation, and viral growth of the Security B-Sides conference series is a perfect example of how the community can come together to provide immediate value.  Within a single year, B-Sides has established itself as an important forum for information exchange and personal connection alongside recognized conferences like BlackHat, DEFCON, RSA, SECtor, and others.

We’ve seen some changes from our competitors as well.  There is revitalization in the penetration testing technology space that is exciting to see.  People have acknowledged that Vulnerability Management and Penetration Testing solutions must converge for the value of proactive security to grow.  We’d like to think that our activities are a small part of why the competition is re-investing in their value proposition, although they have a long way to go in making penetration testing solutions affordable.  The truth is, they now have no choice – there is an affordable, best-in-class solution available and competition in this sense brings benefits to customers and community. 

The competitive response in the Vulnerability Management space has not been as encouraging.  We’ve seen some vendors ignore these important steps forward, while others continue to release check-the-box features in response.  When we released Exploit Exposure, one vendor posted a web page with 12 month top 10 patch rankings, another is working to emulate the feature, and the rest of the pack released crickets back into the wild along with updated press releases about integrations that have existed and have been virtually neglected for years.  We’ve seen one vendor release a limited iteration of our remediation report, with no apparent efforts to raise the quality and precision of the underlying detection that makes remediation-based reporting so valuable.  The others are still without this capability, seemingly missing the point that making security affordable means reducing vendor costs AND cost of operation.  We’ve expanded the value of our mobile solution for consultant laptops, with no notable updates to competitors’ mobile solutions and one competitor who is still unable to deliver a mobile form factor.  We firmly believe that we are still not doing a good enough job at Rapid7, and this lack of compelling competitive response is unacceptable to us as members of our industry and community.  We are continuing to press forward, and we genuinely hope that competitors will step up as the bar continues to be raised.

One of the most significant areas of investment for us is in web application security.  We have always been significantly ahead of our Vulnerability Management competitors in this regard, with highly scalable web application scanning capabilities delivered from the NeXpose core application and support for AJAX, and Web 2.0 technologies.  Despite this market leadership, we are not satisfied with using this group as our yard stick.  Today, I am pleased to announce that Rapid7 has officially launched our global Center of Excellence for Web Security with the addition of Andres Riancho as Director of Web Security along with collaboration and Rapid7 sponsorship of the w3af open source project.  As you may know, Andres is the founder of the open-source w3af project, an extensible Web Application Attack and Audit Framework that finds and exploits web application vulnerabilities.

I’m excited about what this means for our company, for our technical solutions, for w3af, and for the value that we can create for customers and the community from this partnership.  Andres and w3af are a perfect fit for Rapid7, expanding the capabilities of NeXpose and our research discipline, supporting the convergence of Vulnerability Management and Penetration Testing/Exploit frameworks, expanding the dynamic nature of solving a dynamic security problem, and providing another important proof point that collaboration between commercial vendors and open source community is the only way to drive meaningful and lasting change. 

As has been the case over the last year, you will see various responses from our competitors.  Many will ignore it and hope it goes away.  It will not.  Others will renew marketing efforts on their existing solutions to divert from their lack of R&D investment.  One competitor has responded with a legacy Network VA approach to the web application problem, providing an inventory of the technologies within web applications.  None of these responses add value to solving the dynamic security problem and they will need to do better just as we need to do better.

If you haven’t worked with w3af, I encourage you to visit http://w3af.sourceforge.net/ to see the great work that Andres and the contributing community have done to date.  Andres will remain the project owner of w3af, accelerating the expansion of its capabilities and maintaining the project as open source.

I’d like to thank Andres for his contributions to our industry and community, and for agreeing to join the Rapid7 family.  I’d like to thank customers for continued support of Rapid7 and for your valuable feedback on how we can make our products and services better for you.  Finally, I’d like to thank the community for your cautious optimism following the Metasploit acquisition, your support in adopting our free and open source solutions, and for your tireless efforts in moving the state of security forward.

I firmly believe that we collectively have started to drive change.  We are on the right path and we have a lot of work ahead of us.  I believe that we will be even better one year from now, and I’m just as certain that it still won’t be good enough.  That’s the journey that drives our passion for everything we do and we couldn’t do it without you.  We hope you feel the same way.


  • July 22nd, 2010

Cheer and Pwning in Las Vegas

Rapid7 and the entire core Metasploit team are headed to Las Vegas next week for Black Hat USA, Security B-Sides, and Defcon 18. The full schedule of events is listed below; make sure you drop by Booth #64 at Black Hat to take a shot at the Race to Root contest, where the winners will receive hacker lust-worthy prizes.

July 26th-27th, 2010 — HD Moore will be hosting the training session, “Tactical Exploitation”, at Black Hat USA. This course is taught in conjunction with Attack Research and walks through the process of compromising a “secure” network by combining information leaks with design weaknesses.

July 27th, 2010 — Joshua “Jabra” Abraham will be hosting the training session, “Pentesting with Perl”, at Black Hat USA, which will focus on streamlining tasks during a penetration testing assessment and demonstrating how to improve existing tools as well as create new tools.

July 28th, 2010 — Join Rapid7 at Booth #64 of the exposition area of Black Hat USA for the Race to Root contest, where contestants race against the clock to discover and gain access to a target network. This is a timed event where the winners will receive hacker lust-worthy prizes. Contestants will have a chance to try Rapid7’s commercial products, including Metasploit Express and NeXpose Enterprise.

July 28th, 2010 — Starting at 1:30pm, Jonathan Cran will be hosting a series of demos entitled “Automating Metasploit and AutoLab” in the Black Hat Arsenal area of the Black Hat conference. These demos will focus on the myriad ways to automate Metasploit and how to quickly extend it to assist with common penetration testing tasks. At Security B-Sides, Joshua “Jabra” Abraham will present on “Fierce v2”, the latest version of his DNS assessment tool, at 5pm.

July 28th, 2010 — Rapid7 will be hosting a mega-party at the Palms hotel. It will run from 9:00pm to at least 2:00am and, in the words of Michael Burns, “This is gonna make our RSA bash look like a day at church”. This party is invite only and has already reached capacity.

July 29th, 2010 — Head to Security B-Sides at 10:00am to catch HD Moore, along with Jack Daniel, Dennis Fisher, and Josh Corman, for the “InfoSec Speed Debates”. This is immediately followed by James “egypt” Lee’s talk on “Beyond R57”, which focuses on his recent research around PHP post-exploitation. After James speaks, HD Moore will present on “Fun with VxWorks”, a deep-dive into the vulnerability landscape of the VxWorks platform followed by a live demonstration of exploiting a widely-deployed commercial product. Following HD’s demo, Tod Beardsley will commandeer the B-Sides Lightning Talk space to release the next version of PacketFu, the network packet crafting library for Ruby.

July 29th, 2010 — Rapid7 will announce the winners of the “Race to Root” contest at Booth #64 in the exposition area of the Black Hat conference. Winners will receive seriously awesome prizes.

July 30th, 2010 — The Metasploit team will head to Defcon 18 to catch some talks. Check Twitter and IRC for an impromptu Metasploit community meetup sometime during the day.

July 31st, 2010 — At 2:00pm, HD Moore will present on “Fun with VxWorks” during the Skytalks at Defcon 18. This talk will focus on exploiting the VxWorks platform and include some theory crafting on possible ways to compromise the Mars Rovers (VxWorks-based robots with a 20-minute ping time).

July 31st, 2010 — The Metasploit team can be found wandering around the last day of Defcon 18. The CTF winners will be announced and we are all rooting (hah) for our own Joshua “jduck” Drake and James “egypt” Lee.


  • July 19th, 2010

Metasploit Express v3.4.1 Released!

Metasploit Express 3.4.1 was released on July 15th, 2010. This release adds 16 new exploits, an overhauled module browser, island-hopping support, brute force support for FTP and HTTPS, enhanced import and export functionality, and improvements to the online update system, including support for HTTP proxies. This release also fixes over 100 bugs. Full details can be found in the online release notes. Existing customers can download the new release from the Rapid7 Customer Center; free trial evaluations are also available.

The screenshot below highlights the new session option for island-hopping:


  • July 19th, 2010

July Patch Tuesday Roundup

The highlight of Microsoft’s July security bulletins is the fix for the Windows Help and Support Center vulnerability (MS10-042), identified by Google security researcher Tavis Ormandy, which could allow an attacker to take control of a computer by luring the user to a malicious Web site.

As Microsoft’s July security bulletins also address vulnerabilities in Windows XP, Josh Abraham, Rapid7 Security Researcher, recommends that “customers should keep in mind that Windows XP SP2 is now end-of-life. Therefore, organizations should be verifying (if they have not done so already) that all of their systems have already been migrated to SP3. One area to double check is third-party vendor devices which may need to be replaced and/or upgraded by the vendor.”
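The verification Josh recommends is easy to automate. The following PowerShell script is an added example, not part of the original post or any Rapid7 product: it queries each host over WMI for its operating system version and service pack and flags any Windows XP install that is still below SP3 (or that cannot be reached, since an unreachable box is exactly the kind of vendor device that needs manual follow-up). The host names are constructed placeholders, and the script assumes WMI/RPC access and administrative rights on the targets.

```powershell
# Added example (not from the original post): inventory hosts over WMI and flag
# 32-bit Windows XP systems still below Service Pack 3.
# Host names below are constructed placeholders; replace with your own inventory.
$Computers = @('xp-workstation-01', 'xp-workstation-02', 'vendor-kiosk-07')

$Results = foreach ($Computer in $Computers) {
    try {
        # Win32_OperatingSystem exposes Caption (e.g. "Microsoft Windows XP Professional"),
        # Version ("5.1.2600" for 32-bit XP; 64-bit XP reports 5.2) and ServicePackMajorVersion.
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop

        $isXp32 = $os.Version -like '5.1.*'
        $belowSp3 = [int]$os.ServicePackMajorVersion -lt 3

        New-Object -TypeName PSObject -Property @{
            Computer       = $Computer
            OS             = $os.Caption
            Version        = $os.Version
            ServicePack    = $os.ServicePackMajorVersion
            NeedsAttention = ($isXp32 -and $belowSp3)
        }
    } catch {
        # Unreachable hosts are flagged too: an un-auditable device is not a verified one.
        New-Object -TypeName PSObject -Property @{
            Computer       = $Computer
            OS             = 'unreachable'
            Version        = $null
            ServicePack    = $null
            NeedsAttention = $true
        }
    }
}

# Show the flagged hosts first, then write them out for the migration tracker.
$Results | Sort-Object NeedsAttention -Descending |
    Format-Table Computer, OS, Version, ServicePack, NeedsAttention -AutoSize
$Results | Where-Object { $_.NeedsAttention } |
    Export-Csv -Path .\xp-sp-audit.csv -NoTypeInformation
```

The script uses `New-Object PSObject` rather than the `[PSCustomObject]` shorthand so it runs on the PowerShell 2.0 that shipped with the systems of this era; on a large estate, feed `$Computers` from Active Directory or your asset inventory instead of a literal list.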

Here’s a quick take on Microsoft’s four security bulletins addressing five vulnerabilities in Office and Windows:

MS10-042 (1 vulnerability)
Help Center URL Validation Vulnerability
Rated: Critical
CVE-2010-1885
Exploit already in the wild. (Note: There is a Metasploit module for this vulnerability.)

This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.

MS10-044 (2 vulnerabilities)
Rated: Critical

This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or views a Web page that instantiates Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Access ActiveX control vulnerability
CVE-2010-0814
Exploit – 1 (exploit code likely)

A remote code execution vulnerability exists in Access ActiveX controls due to the way that multiple ActiveX controls are loaded by Internet Explorer.  An attacker who successfully exploits this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.  Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

ACCWIZ.dll Uninitialized Variable vulnerability
CVE-2010-1881
Exploit – 1 (exploit code likely)

A remote code execution vulnerability exists in the way that the FieldList ActiveX control is instantiated by Microsoft Office and Internet Explorer.  An attacker who successfully exploits this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS10-043 (1 vulnerability)
Canonical Display Driver Integer Overflow
Rated: Critical
CVE-2009-3678
Exploit – 2 (inconsistent exploit code likely)

This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll).  Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.

MS10-045 (1 vulnerability)
Microsoft Outlook SMB Attachment Vulnerability
Rated: Important
CVE-2010-0266
Exploit – 1 (exploit code likely)

This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook.  An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
