June 14, 2021

Millions of UPnP devices vulnerable to remote code execution

(LiveHacking.Com) – Rapid7, the vulnerability management and penetration testing company which is well known for the Metasploit tool, has released a whitepaper describing security flaws in popular implementations of the Universal Plug and Play protocol. It is estimated that more than 80 million unique IPs respond to UPnP discovery requests, all accessible from the internet. Of those 80 million devices, it is thought that between 40 and 50 million are vulnerable to at least one of three attacks outlined in the whitepaper.

The problem is that the two most commonly used UPnP software libraries both contain remotely exploitable vulnerabilities. First, the libupnp library contains multiple buffer overflow vulnerabilities, and devices that use it and accept UPnP queries over the WAN interface are vulnerable. In total, Rapid7 estimates that some 6,900 product versions from over 1,500 different vendors are vulnerable.

A new version (1.6.18) of libupnp has been released to fix the vulnerabilities, but it will take quite a while before device makers start shipping units with the new software, and it is unlikely that older devices will ever be updated.

The other library affected is the MiniUPnP library, and although it was fixed over two years ago there are still over 330 products using older versions of the library.

Because of these findings, Rapid7 is urging everyone to identify and disable any internet-exposed UPnP devices in their environments. “UPnP is pervasive – it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage server,” wrote HD Moore, the Chief Security Officer at Rapid7.

The warning was echoed by US-CERT, which recommends that users and administrators disable UPnP (if possible) and restrict access to SSDP (1900/udp) and Simple Object Access Protocol (SOAP) services from the Internet.

According to US-CERT’s advisory, the Portable SDK for UPnP Devices is vulnerable to multiple stack-based buffer overflows when handling malicious SSDP requests. This library is used by tens of millions of deployed network devices, of which approximately twenty million are exposed directly to the internet. In addition to network devices, many streaming media and file sharing applications are also exposed to attack through this library.

Rapid7 has released a tool called ScanNow UPnP which can identify any exposed UPnP endpoints in your network. The only wrinkle is that you need to register the tool, giving Rapid7 your name, email address and phone number, in order to use it!

Rapid7 releases MySQL authentication bypass vulnerability scanning tool

(LiveHacking.Com) – Rapid7, the people behind Metasploit, have released a free scanning tool which can probe all the MySQL servers on a network and see if any of them are vulnerable to the MySQL authentication bypass vulnerability (CVE-2012-2122). The vulnerability, which was found in June, allows remote attackers to bypass MySQL authentication by repeatedly authenticating with the same incorrect password.

The problem is that when a user connects to MySQL (or MariaDB), the server compares the token it derives from the stored password hash with the token sent by the client. Because the result of that memcmp() comparison is cast to a char-sized boolean, and because memcmp() in some libraries returns values outside the range of a char, the token and the expected value are sometimes considered equal even when they are not. The probability of hitting this bug and authenticating without the right password is about 1 in 256.
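As an added illustration (not code from Rapid7, MySQL or MariaDB), the block below models the shape of this bug: a constructed stand-in for an optimized memcmp() whose result is wider than a char, the vulnerable return of that result through a char-typed my_bool, and the corrected comparison, plus a fixed-seed trial that reproduces the roughly 1-in-256 false-accept rate. The names wide_memcmp, check_scramble_vuln, check_scramble_fixed and count_false_accepts are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* MySQL's my_bool was a plain char: 0 = match, nonzero = fail */

/* Constructed stand-in for an optimized libc memcmp: compares 16-bit big-endian
 * words and returns the difference of the first unequal pair. C guarantees only
 * the sign of the result, so this conforms, yet the value often exceeds a char. */
static int wide_memcmp(const unsigned char *p, const unsigned char *q, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n; i += 2) {
        int wa = (p[i] << 8) | p[i + 1], wb = (q[i] << 8) | q[i + 1];
        if (wa != wb)
            return wa - wb;
    }
    return i < n ? (int)p[i] - (int)q[i] : 0;
}

/* Vulnerable shape: the int is narrowed to char on return, so any nonzero
 * difference that is a multiple of 256 collapses to 0 and reads as a match. */
static my_bool check_scramble_vuln(const unsigned char *e, const unsigned char *c)
{
    return wide_memcmp(e, c, SHA1_HASH_SIZE);
}

/* Fixed shape: test against zero while the result is still a full int. */
static my_bool check_scramble_fixed(const unsigned char *e, const unsigned char *c)
{
    return wide_memcmp(e, c, SHA1_HASH_SIZE) != 0;
}

/* Constructed trial: a fixed-seed xorshift32 draws random (expected, computed)
 * pairs; returns how many genuine mismatches the chosen check wrongly accepts. */
unsigned count_false_accepts(unsigned trials, int use_fixed)
{
    uint32_t s = 0x9E3779B9u;
    unsigned accepted = 0;
    for (unsigned t = 0; t < trials; t++) {
        unsigned char a[SHA1_HASH_SIZE], b[SHA1_HASH_SIZE];
        for (int i = 0; i < 2 * SHA1_HASH_SIZE; i++) {
            s ^= s << 13; s ^= s >> 17; s ^= s << 5;
            (i & 1 ? b : a)[i / 2] = (unsigned char)s;
        }
        my_bool r = use_fixed ? check_scramble_fixed(a, b) : check_scramble_vuln(a, b);
        accepted += (memcmp(a, b, SHA1_HASH_SIZE) != 0 && r == 0);
    }
    return accepted;
}
```

With 65536 trials the vulnerable check accepts about 256 wrong tokens (one in 256), while the fixed check accepts none.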

The new tool, ScanNow, will tell you if you have this MySQL vulnerability on your systems. It can scan a range of IP addresses and ports and create a report which can be saved for later reference.

Although the tool is free and scans an unlimited number of IPs, it checks ONLY for the MySQL CVE-2012-2122 vulnerability; it does not check for any other weaknesses.

New Version of Metasploit Targets IPv6 Risks

(LiveHacking.Com) – Rapid7 has released a new version of Metasploit, its popular penetration testing toolkit, with new functionality to assess the security of IPv6-enabled systems. With Metasploit 4.2, users can test whether IPv6 addresses on their network are vulnerable to cyber-attacks. The framework includes hundreds of working remote exploits for a variety of platforms, and the new IPv6 tests are important for organizations that have not methodically implemented an IPv6 network but have instead allowed it to creep in as operating systems and devices started enabling IPv6 functionality by default. For example, the default setting in Windows 7 and Windows Server 2008 is to give a higher priority to the IPv6 interface, rather than the IPv4 address, for management traffic and network shares.

“The number of IPv6-enabled systems has quadrupled over the last three years, broadening the attack surface for cyber attackers, with over 10% of the world’s top web sites now offering IPv6 services,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project.

Since IPv6 runs in parallel with IPv4, it is often not as well managed as the existing IPv4 network. It is essential that companies perform security assessments to audit IPv6-enabled internal and external hosts. Rapid7 cites the example of organizations that have blocked zone transfers on their DNS servers for IPv4, but left this common flaw wide open on IPv6. Another real-world example is the use of firewalls that have been correctly configured to filter IPv4 traffic but that accept all IPv6 traffic. Furthermore, some older Intrusion Prevention Systems (IPS) may be completely unaware of IPv6 traffic.

Metasploit 4.2 is available immediately from rapid7.com. The new features are available in both the open source and commercial editions of Metasploit.



Rapid7 Gets Cash Boost of $50 Million

(LiveHacking.Com) – The company behind Nexpose and Metasploit, Rapid7, has secured $50 million in venture capital funding from Technology Crossover Ventures (TCV). Rapid7 will use the money for growth and already has plans to expand its engineering teams in Los Angeles, CA and Austin, TX, as well as staffing a brand new innovation center at the Company’s headquarters in Boston, MA.

“In the security battle, attackers currently have the edge and Rapid7 intends to change this by recruiting the most talented people and organizations to drive innovation. We are looking for great people that are passionate about helping customers solve the hard problems they face in security,” said Mike Tuchen, CEO of Rapid7. “Our desire to work with people that excel at what they do led us to this engagement with Technology Crossover Ventures. We’re fortunate to have not only their financial support, but also their deep understanding of how to drive technology companies to success.”

The information security market is growing at an impressive rate due to the daily reports of security incidents and security breaches. The security and vulnerability management market is predicted to exceed revenue of $5.2 billion by the end of 2014. According to the 2011 Data Breach Investigations Report, 50% of data breaches in 2010 utilized some form of hacking and 49% incorporated malware.

Rapid7 launched its flagship solution Nexpose, in 2007, giving the information security industry its first unified vulnerability management platform. Nexpose provides users with scanning capabilities across their entire IT environment, including Web, network, applications and databases.

In 2009, the Company acquired the popular open source Metasploit® Framework to further support the community and deliver advanced penetration testing solutions that integrate with vulnerability management. Since then, Rapid7 has delivered a family of Metasploit commercial products, while also growing the open source Metasploit Framework by a factor of four with more than 1 million downloads per year.


Rapid7 Introduces Metasploit Community Edition

(LiveHacking.Com) – To coincide with the second anniversary of Rapid7’s acquisition of the Metasploit project, it has announced that as of version 4.1 of Metasploit there will be a Metasploit Community Edition, a free commercial product that is available for both personal and professional use. Metasploit Community Edition includes the same network discovery, data import, and Nexpose integration as its Metasploit Pro counterpart.

Rapid7 is releasing the Metasploit Community Edition to address the growing gap between two types of users: the security researchers and developers who want a powerful platform to build custom tools and exploits using the console interface, and the security and IT professionals who use the Metasploit Framework to conduct security assessments and verify vulnerabilities.

The free Community Edition provides a simple path for identifying targets, selecting an exploit, and launching it. Sessions can be managed through the user interface and have full access to the extensive post-exploit modules built into the Metasploit Framework.

“The best way to tackle the increasing information security challenge is to share knowledge between practitioners, open source projects and commercial vendors,” said HD Moore, Rapid7 CSO and Metasploit chief architect. “With that in mind, we’ve combined the Metasploit Framework with Rapid7’s commercial development to bring together the best of both worlds – the collaboration of security researchers around the world with quality-tested and stable commercial features. The new Metasploit Community Edition will greatly help security professionals seeking to understand risk and improve their security programs without needing to increase budgets.”

Metasploit Community Edition is available today as part of the Metasploit 4.1 release.

Metasploit Framework 3.7.0 Released

Two months after the release of the Metasploit Framework 3.6, the Metasploit team has announced the availability of Metasploit Framework 3.7.0. Since V3.6 the developers have focused on one of the least visible but most important pieces of the Metasploit Framework: the session backend. This overhaul increases performance in the presence of many sessions and allows a larger number of concurrent incoming sessions to be handled more reliably.

Metasploit now ships with 685 exploit modules of which 35 are new, 355 auxiliary modules (15 new), and 39 post modules (17 new).

V3.7 also includes some new features:

  • Support for SMB signing, enabling pass-the-hash and stolen password attacks against Windows 2008 Server environments.
  • The Microsoft SQL Server mixin (and all modules) now supports NTLM authentication.
  • Data import backend has undergone a rewrite, speeding up most import tasks by a factor of four.
  • OS information is now normalized to make fingerprinting more accurate and easier to deal with.

Highlights from the new modules include:

  • Apple iOS Backup File Extraction: Extract sensitive data from iTunes backup files (location, call history, SMS content, pictures, etc).
  • Exploits for two different Adobe Flash vulnerabilities exploited in the wild.
  • Code execution modules for MySQL and PostgreSQL when a valid login is available.
  • Exploit for the Accellion File Transfer Appliance Default Encryption Key flaw found by Rapid7.
  • Over ten new exploits for HP Network Node Manager (plus an HP OpenView exploit).
  • Post-exploitation module for privilege escalation through the .NET Optimizer Service.
  • Post-exploitation modules for stealing stored WinSCP and VNC passwords.

Metasploit Upgraded to V3.6 – Pro Version Has Better PCI DSS Compliance Reporting

Rapid7 has released V3.6 of its penetration testing suite Metasploit. The tool comes in three flavors: Pro, Express and open source. The most significant improvements have been made to the Pro version, but Metasploit Express and the open source version have also had several improvements.

Metasploit Pro now generates reports for PCI DSS compliance with pass/fail information for applicable PCI DSS requirements. Also new to the Pro version is a feature that allows users to freely assign tags to assets based on multiple criteria such as compliance, operation workflow and team collaboration on different operational units.

Post-exploitation modules are a new feature found in all editions. The release includes more than a dozen modules that can be run on exploited systems to perform actions such as gathering additional information, pivoting to other networks and elevating system privileges.

This release also adds 15 new exploits, making a total of 64 new modules since version 3.5.1, and brings the grand total to 648 exploit modules, 342 auxiliary modules, and 23 post modules.

Metasploit Framework 3.6.0, the open source edition of Metasploit, can be downloaded from here.

Rapid7 and Modulo Partner to Bring Rich Vulnerability and Compliance Data to Leading GRC Solution

Rapid7®, the leading provider of unified vulnerability management and penetration testing solutions, and Modulo, a leading provider of enterprise governance, risk and compliance (GRC) solutions, announced a technology integration that enables global customers to better manage their organizations’ risk by automating the collection and analysis of security intelligence across IT assets. Critical vulnerability, misconfiguration and policy violation data identified by Rapid7 NeXpose® scans can then be assessed, prioritized and remediated by Modulo Risk Manager™ NG to centrally manage, track and report security and compliance risks and make more informed business decisions.

Rapid7 NeXpose is the only integrated vulnerability management solution that allows organizations to manage network, operating system, Web application and database security strategies. Additionally, NeXpose is the only vulnerability management solution to use real exploit intelligence to perform risk classification and deliver prioritized remediation reports.

The Modulo Risk Manager NG governance, risk and compliance management solution allows organizations to consistently and repeatably demonstrate multi-regulatory compliance, pass demanding audits and reduce security threats before they cause costly damage – while eliminating duplication of effort through automation. Modulo NG brings together product innovation based on feedback from more than 1,000 customers and 25 years’ experience in the GRC space. Ease of deployment and use, straightforward integration and a distinctive emphasis on worldwide requirements are a few areas in which Modulo is recognized.


An Introduction to NeXpose Community Edition

Rapid7’s NeXpose is a vulnerability management tool which scans your network and identifies vulnerabilities across a wide range of devices and operating systems. NeXpose uses one of the world’s largest vulnerability databases to identify the vulnerabilities on your network.

And the great news is that there is a free community edition. The NeXpose Community Edition is a free, single-user version of NeXpose; it is powered by the same scan engine as its big brother NeXpose Enterprise and offers many of the same features. The single biggest limitation is that it only works with up to 32 IP addresses, but this makes it well suited to small organizations or individual use.

NeXpose Community Edition is available for MS Windows Server 2003 SP2 / Server 2003 R2 and several flavours of Linux including Red Hat Enterprise Linux 5, Ubuntu and SuSE Linux Enterprise Server. Note: There isn’t an official Windows XP version as XP has some limitations with regards to raw sockets which NeXpose needs to perform its scans.

It is also worth noting that NeXpose Community Edition needs 4 GB of RAM (on 32-bit machines) or 8 GB of RAM (on 64-bit machines). Don’t try using it without the minimum amount of memory, otherwise your machine will start swapping heavily.

Once installed and updated to include the latest list of vulnerabilities, NeXpose Community Edition offers a comprehensive range of tools for scanning and reporting the vulnerabilities on your network.

Rapid7 have some useful YouTube tutorials here: http://www.youtube.com/user/NeXposeTutorials