October 24, 2016

Hackers Trying to Build Exploit for RDP Vulnerability

(LiveHacking.Com) – On Tuesday Microsoft patched all currently supported versions of Windows to fix a vulnerability in the Remote Desktop Protocol. At the time of the patch there was no known exploit, but a $1467 reward has now been offered for a working Metasploit module that exploits this vulnerability.

The vulnerability, which is now patched, in the Remote Desktop Protocol (RDP) exists because of the way Windows processes RDP packets in memory. In theory remote attackers can execute arbitrary code by sending crafted RDP packets triggering access to an object that was not properly initialized or has been deleted.

According to SC Magazine a proof of concept exploit has been shown to trigger a blue screen of death on Windows XP and Windows Server 2003 machines. The first proof of concept to be published was posted briefly on a Chinese website before disappearing. The second, based off the Chinese POC, was described by Accuvant researcher Josh Drake.

In a lighthearted tweet Chaouki Bekrar of VUPEN wrote “writing a remote exploit for MS12-020 / RDP for Windows 7 is definitely a challenge for Chuck Norris or Steven Seagal,” which underlines the complexity of writing an exploit for a known vulnerability.

“However, due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” said Microsoft on its Security Research & Defense blog.

For organisations which haven’t yet applied Microsoft’s patches there is a way to substantially reduce the risk on Windows Vista and later systems where RDP is enabled: You can enable Remote Desktop’s Network Level Authentication (NLA) to require authentication before a remote desktop session is established to the remote desktop server. On systems with NLA enabled, the vulnerable code is still present and could potentially be exploited for code execution. However, NLA would require an attacker to first authenticate to the server before attempting to exploit the vulnerability.
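The following added example (not from the original article or from Microsoft) shows one way to check whether a host actually requires NLA. It reads the Windows registry values `fDenyTSConnections` and `UserAuthentication`, letting a Group Policy value override the local one; treating missing values as "RDP on, NLA off" is an assumption of this example, as are the function names and the constructed sample.

```python
import sys

# Registry locations under HKEY_LOCAL_MACHINE that control Remote Desktop.
TS_KEY = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
LISTENER_KEY = TS_KEY + r"\WinStations\RDP-Tcp"
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

def assess_nla(ts, listener, policy):
    """Classify a host from three dicts of registry values (name -> DWORD).

    A Group Policy value, when present, takes precedence over the local one.
    Missing values are treated pessimistically (assumption of this example):
    RDP is assumed enabled and NLA is assumed off.
    """
    deny = policy.get("fDenyTSConnections", ts.get("fDenyTSConnections", 0))
    if deny == 1:
        return "rdp-disabled"
    nla = policy.get("UserAuthentication", listener.get("UserAuthentication", 0))
    return "nla-required" if nla == 1 else "nla-not-required"

def read_values(path):
    """Return every value under HKLM\\<path>, or {} if the key is absent (Windows only)."""
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _type = winreg.EnumValue(key, i)
                values[name] = data
    except FileNotFoundError:
        pass
    return values

# Constructed sample: RDP enabled locally, NLA off locally, no policy configured.
SAMPLE = ({"fDenyTSConnections": 0}, {"UserAuthentication": 0}, {})

if __name__ == "__main__":
    if sys.platform == "win32":
        state = assess_nla(read_values(TS_KEY), read_values(LISTENER_KEY),
                           read_values(POLICY_KEY))
    else:
        state = assess_nla(*SAMPLE)
    print(state)
```

A result of `nla-not-required` on an unpatched host means the pre-authentication exposure described above still applies.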

New Version of Metasploit Targets IPv6 Risks

(LiveHacking.Com) – Rapid7 has released a new version of Metasploit, its popular penetration testing toolkit, with new functionality to assess the security of IPv6 enabled systems. With Metasploit 4.2 users can test whether IPv6 addresses on their network are vulnerable to cyber-attacks. The framework includes hundreds of working remote exploits for a variety of platforms, and the new IPv6 tests are important for organizations that have not methodically implemented an IPv6 network but rather have allowed it to creep in as operating systems and devices started enabling IPv6 functionality by default. For example, the default setting in Windows 7 and Windows Server 2008 is to give a higher priority to the IPv6 interface, rather than the IPv4 address, for management traffic and network shares.

“The number of IPv6-enabled systems has quadrupled over the last three years, broadening the attack surface for cyber attackers, with over 10% of the world’s top web sites now offering IPv6 services,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project.

Since IPv6 runs in parallel with IPv4 it is often not as well managed as an existing IPv4 network. It is essential that companies perform security assessments to audit IPv6-enabled internal and external hosts. Rapid7 cite the example of organizations who have blocked zone transfers on their DNS servers for IPv4, but left this common flaw wide open on IPv6. Another real world example is the use of firewalls that have been correctly configured to filter IPv4 traffic but that accept all IPv6 traffic. Furthermore, some older Intrusion Prevention Systems (IPS) may even be completely unaware of IPv6 traffic.
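The firewall case above can be audited offline. This added example (not from the article or from Rapid7) compares the text output of `iptables-save` and `ip6tables-save` from one Linux host and flags chains that drop by default on IPv4 but accept on IPv6, plus ports opened only on IPv6; the rule sets and function names are constructed for illustration.

```python
import re

def parse_save(text):
    """Return (chain policies, accepted INPUT (proto, dport) pairs) for the filter table."""
    policies, accepted, table = {}, set(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. "*filter"
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):          # chain policy, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT") and line.endswith("-j ACCEPT"):
            m = re.search(r"-p (\S+) .*--dport (\S+)", line)
            if m:
                accepted.add((m.group(1), m.group(2)))
    return policies, accepted

def parity_findings(v4_text, v6_text):
    """List places where the IPv6 rule set is more permissive than the IPv4 one."""
    p4, a4 = parse_save(v4_text)
    p6, a6 = parse_save(v6_text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        # An absent IPv6 rule set means the kernel default policy, ACCEPT.
        if p4.get(chain) == "DROP" and p6.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"{chain}: IPv4 policy DROP but IPv6 policy ACCEPT")
    for proto, port in sorted(a6 - a4):
        findings.append(f"{proto}/{port} accepted on IPv6 only")
    return findings

# Constructed sample dumps: IPv4 is filtered, IPv6 was never configured.
SAMPLE_V4 = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
SAMPLE_V6 = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(parity_findings(SAMPLE_V4, SAMPLE_V6)))
```

The two rule sets legitimately differ in places (IPv6 needs ICMPv6 for neighbour discovery), so each finding is a prompt for review rather than proof of a misconfiguration.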

Metasploit 4.2 is available immediately from rapid7.com. The new features are available in both the open source and commercial editions of Metasploit.



Rapid7 Gets Cash Boost of $50 Million

(LiveHacking.Com) – The company behind Nexpose and Metasploit, Rapid7, has secured $50 million in venture capital funding from Technology Crossover Ventures (TCV). Rapid7 will use the money for growth and already has plans to expand its engineering teams in Los Angeles, CA and Austin, TX, as well as staffing a brand new innovation center at the Company’s headquarters in Boston, MA.

“In the security battle, attackers currently have the edge and Rapid7 intends to change this by recruiting the most talented people and organizations to drive innovation. We are looking for great people that are passionate about helping customers solve the hard problems they face in security,” said Mike Tuchen, CEO of Rapid7. “Our desire to work with people that excel at what they do led us to this engagement with Technology Crossover Ventures. We’re fortunate to have not only their financial support, but also their deep understanding of how to drive technology companies to success.”

The information security market is growing at an impressive rate due to the daily reports of security incidents and security breaches. The security and vulnerability management market is predicted to exceed revenue of $5.2 billion by the end of 2014. According to the 2011 Data Breach Investigations Report, 50% of data breaches in 2010 utilized some form of hacking and 49% incorporated malware.

Rapid7 launched its flagship solution, Nexpose, in 2007, giving the information security industry its first unified vulnerability management platform. Nexpose provides users with scanning capabilities across their entire IT environment, including Web, network, applications and databases.

In 2009, the Company acquired the popular open source Metasploit® Framework to further support the community and deliver advanced penetration testing solutions that integrate with vulnerability management. Since then, Rapid7 has delivered a family of Metasploit commercial products, while also growing the open source Metasploit Framework by a factor of four with more than 1 million downloads per year.


Opera Fixes SVG Vulnerability

(LiveHacking.Com) – Opera has released version 11.52 of its web browser to address an exploitable vulnerability in the processing of SVG images. This release is in response to a new Metasploit module which was released along with details of the vulnerability by security researcher José A. Vázquez.

Opera also issued a security advisory which describes the problem:

Certain font manipulations inside a dynamically added and specifically embedded SVG image can cause Opera to crash. Additional techniques can reliably be used in combination with this crash to allow execution of arbitrary code.

In a blog post, the company also responded to claims that Opera had intentionally decided not to fix this particular vulnerability, as José had informed Opera of the problem several months ago, via the SecuriTeam Secure Disclosure program, but it remained unresolved.

In the blog Sigbjørn Vik writes:

About 6 months ago (in April 2011), we were contacted by a security research group, on behalf of a researcher, giving details of a handful of bugs and issues that could be demonstrated in old releases of Opera. We confirmed most of these in the then-current releases and fixed the exploitable ones. These fixes were released in a regular security update, Opera 11.11.

Opera then informed SecuriTeam of the fixes and asked for more details about the remaining issue that it was unable to reproduce, including a request for known ways to reproduce it in the then-current Opera release. However, it received no further information from SecuriTeam or José.

This then raises the question of responsible disclosure and if José did all he could to ensure that Opera had all the relevant details.

Also fixed in 11.52 are the following non-security-related bugs:

  • Adjusting volume on a YouTube HTML5 Video causes freeze
  • Fixed a non-exploitable bug which allowed injection of untrusted markup into the X-Frame-Options error page, as reported by Masato Kinugawa.
  • Crashes when downloading via BitTorrent


Rapid7 Introduces Metasploit Community Edition

(LiveHacking.Com) – To coincide with the second anniversary of Rapid7’s acquisition of the Metasploit project, it has announced that as of version 4.1 of Metasploit, there will now be a Metasploit Community Edition, a free commercial product that is available for both personal and professional use. Metasploit Community Edition includes the same network discovery, data import, and Nexpose integration as its Metasploit Pro counterpart.

Rapid7 are releasing the Metasploit Community Edition to address the growing gap between two types of users: The security researchers and developers who want a powerful platform to build custom tools and exploits using the console interface and the security and IT professionals that use the Metasploit Framework to conduct security assessments and verify vulnerabilities.

The free Community Edition provides a simple path for identifying targets, selecting an exploit, and launching it. Sessions can be managed through the user interface and have full access to the extensive post-exploit modules built into the Metasploit Framework.

“The best way to tackle the increasing information security challenge is to share knowledge between practitioners, open source projects and commercial vendors,” said HD Moore, Rapid7 CSO and Metasploit chief architect. “With that in mind, we’ve combined the Metasploit Framework with Rapid7’s commercial development to bring together the best of both worlds – the collaboration of security researchers around the world with quality-tested and stable commercial features. The new Metasploit Community Edition will greatly help security professionals seeking to understand risk and improve their security programs without needing to increase budgets.”

Metasploit Community Edition is available today as part of the Metasploit 4.1 release.

New Metasploit Module Exposes Hole in Opera Web Browser

(LiveHacking.Com) – Security Researcher José A. Vázquez has released details of a vulnerability in the Opera web browser which is caused by bugs in its SVG processing code. What is more startling is that José actually reported this vulnerability and some others, via the SecuriTeam Secure Disclosure program over 10 months ago, but Opera have done nothing about it.

So now José has decided to go public and with the help of the guys over at metasploit.com he has also released a Metasploit module.

Due to the nature of the vulnerability, visiting a specially crafted web page is enough to trigger the exploit and allow the attacker to run malicious code. However, the exploit isn’t successful 100% of the time. According to his testing the success rate differs across versions of Opera:

  • Opera 12 pre-alpha -> RCE on 6/10 attempts
  • Opera 11.51 -> RCE on 3/10 attempts
  • Opera 11.50 -> RCE on 3/10 attempts
  • Opera 11.11 -> RCE on 4/10 attempts
  • Opera 11.10 -> RCE on 4/10 attempts
  • Opera 11.01 -> RCE on 5/10 attempts
  • Opera 11.00 -> RCE on 4/10 attempts

Opera did fix a related problem that José submitted; however, he reported several vulnerabilities at the same time and the SVG processing has so far been ignored.

Metasploit Framework 3.7.0 Released

Two months after the release of the Metasploit Framework 3.6, the Metasploit team has announced the availability of Metasploit Framework 3.7.0. Since V3.6 the developers have focussed on one of the least-visible, but most important pieces of the Metasploit Framework: the session backend. This overhaul increases performance in the presence of many sessions and allows for a larger number of concurrent incoming sessions in a more reliable manner.

Metasploit now ships with 685 exploit modules of which 35 are new, 355 auxiliary modules (15 new), and 39 post modules (17 new).

V3.7 also includes some new features:

  • Support for SMB signing, enabling pass-the-hash and stolen password attacks against Windows 2008 Server environments.
  • The Microsoft SQL Server mixin (and all modules) now supports NTLM authentication.
  • Data import backend has undergone a rewrite, speeding up most import tasks by a factor of four.
  • OS information is now normalized to make fingerprinting more accurate and easier to deal with.

Highlights from the new modules include:

  • Apple iOS Backup File Extraction: Extract sensitive data from iTunes backup files (location, call history, SMS content, pictures, etc).
  • Exploits for two different Adobe Flash vulnerabilities exploited in the wild.
  • Code execution modules for MySQL and PostgreSQL when a valid login is available.
  • Exploit for the Accellion File Transfer Appliance Default Encryption Key flaw found by Rapid7.
  • Over ten new exploits for HP Network Node Manager (plus an HP OpenView exploit).
  • Post-exploitation module for privilege escalation through the .NET Optimizer Service.
  • Post-exploitation modules for stealing stored WinSCP and VNC passwords.

Metasploit Upgraded to V3.6 – Pro Version Has Better PCI DSS Compliance Reporting

Rapid7 has released V3.6 of its penetration testing suite Metasploit. The tool comes in three flavors: Pro, Express and open source. The most significant improvements have been made to the Pro version but Metasploit Express and the open source version have also had several improvements.

Metasploit Pro now generates reports for PCI DSS compliance with pass/fail information for applicable PCI DSS requirements. Also new to the Pro version is a feature that allows users to freely assign tags to assets based on multiple criteria such as compliance, operation workflow and team collaboration on different operational units.

Post-exploitation modules are a new feature found in all editions. There are more than a dozen of them, which can be run on exploited systems to perform actions such as gathering additional information, pivoting to other networks and elevating system privileges.

This release also adds 15 new exploits making a total of 64 new modules since version 3.5.1 and brings the grand total to 648 exploit modules, 342 auxiliary modules, and 23 post modules.

Metasploit Framework 3.6.0, the open source edition of Metasploit, can be downloaded from here.