138 matches found
Apache Struts Vulnerability (CVE-2017-5638) Exploit Traffic
UPDATE - March 10th, 2017: Rapid7 added a check that works in conjunction with Nexpose's web spider functionality. This check will be performed against any URIs discovered with the suffix ".action", the default configuration for Apache Struts apps. To learn more about using this check, read this...
How do I get my data out of Nexpose? Answer: SQL Query Export
Do any of these questions sound familiar? "Printable reports are really valuable and I use them on a daily basis. However, is there a section that I can add to show a summary by asset group or site?" "I really like the XML format, but it's a little hard to process and I have to write code to...
InsightVM/Nexpose Patch Tuesday Reporting
Many of our customers wish to report specifically on Microsoft patch related vulnerabilities. This often includes specific vulnerabilities that are patched in Patch Tuesday updates. This post will show you the various ways that you can create reports for each of these. Remediation Projects...
Metasploit Wrapup
It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update. Hacking like No Such Agency I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067, a full remote hole in a default...
The Shadow Brokers Leaked Exploits Explained
The Rapid7 team has been busy evaluating the threats posed by last Friday's Shadow Broker exploit and tool release and answering questions from colleagues, customers, and family members about the release. We know that many people have questions about exactly what was released, the threat it poses,...
Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010
A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. It is believed that the ransomworm achieved its initial infection via a compromised software update, and that it then leverages the EternalBlue and...
Metasploit, [REDACTED] Edition
Why should REDACTED have all the fun with spiffy codenames for their exploits? As of today, Metasploit is taking a page from REDACTED, and equipping all Metasploit modules with equally fear-and-awe-inspiring codenames. Sure, there are catchy names for vulnerabilities -- we remember you fondly,...
Metasploit Weekly Wrapup
Ghost...what??? hdm recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target. And to "kick it up a notch", this exploit got itself a snazzy logo which also contains the exploit:...
Samba CVE-2017-7494: Scanning and Remediating in InsightVM and Nexpose
Just when you'd finished wiping away your WannaCry tears, the interwebs dropped another bombshell: a nasty Samba vulnerability, CVE-2017-7494 (no snazzy name as of the publishing of this blog, but hopefully something with a Lion King reference will be created soon). As with WannaCry, we wanted to ke...
Remote Desktop Protocol (RDP) Exposure
The Remote Desktop Protocol, commonly referred to as RDP, is a proprietary protocol developed by Microsoft that is used to provide a graphical means of connecting to a network-connected computer. RDP client and server support has been present in varying capacities in most every Windows version...
Metasploit Wrapup
Slowloris: SMB edition Taking a page from the Slowloris HTTP DoS attack, the aptly named SMBLoris DoS attack exploits a vuln contained in many Windows releases back to Windows 2000 and also affects Samba, a popular open source SMB implementation. Through creation of many connections to a target's...
Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose
Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated ransomware attack, WannaCry, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). Wi...
Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose
Update 5/18/17: EternalBlue exploit used in WannaCry attack is now available in Metasploit for testing your compensating controls and validating remediations. More info: EternalBlue: Metasploit Module for MS17-010. Also removed steps 5 and 6 from scan instructions as they were not strictly...
Patch Tuesday - June 2017
This month sees another spate of critical fixes from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild (CVE-2017-8543 and CVE-2017-8464). Today's patches are so crucial that Microsoft has once again...
Patch Tuesday - May 2017
It's a relatively light month as far as Patch Tuesdays go, with Microsoft issuing fixes for a total of seven vulnerabilities as part of their standard update program. However, an eighth, highly critical vulnerability (CVE-2017-0290) that had some of the security community buzzing over the weekend w...
Vulnerability Management Tips for the Shadow Brokers Leaked Exploits
Rebekah Brown and the Rapid7 team have delivered a spot-on breakdown of the recent Shadow Brokers exploit and tool release. Before you read any further, if you haven't done so already, please read her post. It's probably not the only post you've read on this topic, but it is cogent, well-constructed...
R7-2017-18: Logentries Windows Agent uses vulnerable OpenSSL (FIXED)
Summary The Logentries Windows Agent before version 2.6.0.1 shipped with a version of OpenSSL that is susceptible to several public vulnerabilities described below. While we have no indication that any Logentries customers have been compromised due to these older versions of OpenSSL, we strongly...
Metasploit Wrapup
With Hacker Summer Camp 2017 wrapped up and folks now recovering from it, why not grab a drink and read up on what's new with Metasploit? Where there's smoke... At least a few versions of open source firewall IPFire contain a post-auth RCE vulnerability, and we (well, you!) now have a module to hel...
Patch Tuesday - April 2017
This month's updates deliver vital client-side fixes, resolving publicly disclosed remote code execution (RCE) vulnerabilities for Internet Explorer and Microsoft Office that attackers are already exploiting in the wild. In particular, they've patched the CVE-2017-0199 zero-day flaw in Office and...
Petya-like Ransomware Explained
TL;DR summary June 28 and beyond: A major ransomware attack started in Ukraine yesterday and has spread around the world. The ransomware, which was initially thought to be a modified Petya variant, encrypts files on infected machines and uses multiple mechanisms to both gain entry to target...
Patching CVE-2017-7494 in Samba: It’s the Circle of Life
With the scent of scorched internet still lingering in the air from the WannaCry Ransomworm, today we see a new scary-and-potentially-incendiary bug hitting the twitter news. The vulnerability - CVE-2017-7494 - affects versions 3.5 (released March 1, 2010) and onwards of Samba, the de facto standard...
Nexpose Scan Engine on the AWS Marketplace
Rapid7 is excited to announce that you can now find a Nexpose Scan Engine AMI on the Amazon Web Services Marketplace, making it simple to deploy a pre-authorized Nexpose Scan Engine from the AWS Marketplace to scan your AWS assets! What is an AMI? An Amazon Machine Image (AMI) allows you to launch ...
Patch Tuesday - July 2017
Most of the critical vulnerabilities patched this month concern client-side systems, with 14 separate Remote Code Execution (RCE) issues being addressed for the Microsoft Edge browser and five for Internet Explorer. One of the three Adobe Flash Player vulnerabilities being patched is also a critica...
Protecting against DoublePulsar infection with InsightVM and Nexpose
After WannaCry hit systems around the world last month, security experts warned that the underlying vulnerabilities that allowed the ransomworm to spread are still unpatched in many environments, rendering those systems vulnerable to other hacking tools from the same toolset. Rapid7's Project...
On the lookout for Intel AMT CVE-2017-5689
We've had some inquiries about checks for CVE-2017-5689, a vulnerability affecting Intel AMT devices. On May 5th, 2017, we released a potential vulnerability check that can help identify assets that may be vulnerable. We initially ran into issues with trying to determine the exact version of the...
Announcing Microsoft Azure Asset Discovery in InsightVM
Almost every security or IT practitioner is familiar with the ascent and continued dominance of Amazon Web Services (AWS). But you only need to peel back a layer or two to find Microsoft Azure growing its own market share and establishing its position as the most-used, most-likely-to-renew public...
Metasploit Wrapup
Metasploit Hackathon We were happy to host the very first Metasploit framework open source hackathon this past week in the Rapid7 Austin. Eight Metasploit hackers from outside of Rapid7 joined forces with the in-house team and worked on a lot of great projects, small and large. @bcook started the...
Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010
A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and then leverages the...
Metasploit Wrapup
It has only been one week since the last wrapup, so it's not like much could have happened, right? Wrong! Misery Loves Company After last week's excitement with Metasploit's version of ETERNALBLUE AKA the Wannacry vulnerability, this week SAMBA had its own "Hold My Beer" moment with the disclosur...
SMBLoris: What You Need To Know
What's Up? Astute readers may have been following the recent news around "SMBLoris" -- a proof-of-concept exploit that takes advantage of a vulnerability in the implementation of SMB services on both Windows and Linux, enabling attackers to "kill you softly" with a clever, low-profile...
R7-2017-13 | CVE-2017-5243: Nexpose Hardware Appliance SSH Enabled Obsolete Algorithms
Summary Nexpose physical appliances shipped with an SSH configuration that allowed obsolete algorithms to be used for key exchange and other functions. Because these algorithms are enabled, attacks involving authentication to the hardware appliances are more likely to succeed. We strongly encoura...
Metasploit Wrapup
A fresh, new UAC bypass module for Windows 10! Leveraging the behavior of fodhelper.exe and a writable registry key as a normal user, you too can be admin! Unpatched as of last week, this bypass module works on Windows 10 only, but it works like a charm! Reach out and allocate something This...
Hack with Metasploit: Announcing the UNITED 2017 CTF
Got mad skillz? Want mad skillz? This year at Rapid7's annual UNITED Summit, we're hosting a first-of-its-kind Capture the Flag (CTF) competition. Whether you're a noob to hacking or a grizzled pro, you'll emerge from our 25-hour CTF with more knowledge and serious bragging rights. Show off your 1337...
Multiple Vulnerabilities Affecting Four Rapid7 Products
Today, we'd like to announce eight vulnerabilities that affect four Rapid7 products, as described in the table below. While all of these issues are relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding the...
Gone Phishing: A Case Study on Conducting Internal Phishing Campaigns
To many, emails are boring. It's been a long time since they were cool, and they're probably the slowest form of communication in an evolving fast-paced digital world. Nevertheless, there were 215 billion emails exchanged per day in 2016, and that number is growing at 3% annually. It's clear that...
Patch Tuesday - August 2017
It was a busy month this month with a total of 48 security issues fixed. All of these have a severity of Critical or Important with Remote Code Execution vulnerabilities again figuring highly, particularly for Microsoft Edge. There were also a few publicly disclosed vulnerabilities that were fixe...
R7-2017-16 | CVE-2017-5244: Lack of CSRF protection for stopping tasks in Metasploit Pro, Express, and Community editions (FIXED)
Summary A vulnerability in Metasploit Pro, Express, and Community was patched in Metasploit v4.14.0 (Update 2017061301). Routes used to stop running tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stopall routes change the sta...
EternalBlue: Metasploit Module for MS17-010
This week's release of Metasploit includes a scanner and exploit module for the EternalBlue vulnerability, which made headlines a couple of weeks ago when hacking group, the Shadow Brokers, disclosed a trove of alleged NSA exploits. Included among them, EternalBlue, exploits MS17-010, a Windows S...
R7-2017-02: Hyundai Blue Link Potential Info Disclosure (FIXED)
Summary Due to a reliance on cleartext communications and the use of a hard-coded decryption password, two outdated versions of Hyundai Blue Link application software, 3.9.4 and 3.9.5, potentially expose sensitive information about registered users and their vehicles, including application...
Rapid7 Threat Report: Q2 2017
We cannot believe that we're already into August! Time really flies when the internet is constantly on fire. When it came time to analyze data for our Q2 Threat Report and pull out threat trends and landscape changes, there was plenty to work with. Q2 kept defenders on their toes--from the Shadow...
R7-2017-06 | CVE-2017-5241: Biscom SFT XSS (FIXED)
Summary The Workspaces component of Biscom Secure File Transfer (SFT) version 5.1.1015 is vulnerable to stored cross-site scripting in two fields. An attacker would need to have the ability to create a Workspace and entice a victim to visit the malicious page in order to run malicious Javascript in...
R7-2015-27 and R7-2015-24: Fisher-Price Smart Toy® & hereO GPS Platform Vulnerabilities (FIXED)
Through our recent publication of numerous security issues of Internet-connected baby monitors, we were able to comprehensively raise awareness of the real-world risks facing those devices. Further, we were able to work with a number of vendors to get key security problems resolved, resulting in...
Vulnerability Management Market Disruptors
Gartner's recent vulnerability management report provides a wealth of insight into vulnerability management (VM) tools and advice for how to build effective VM programs. Although VM tools and capabilities have changed since the report's last iteration in 2015, interestingly one thing hasn't: Gartner's...
An open letter concerning my resignation from the Digital Economy Board of Advisors
Yesterday I resigned from my position as a member of the Department of Commerce's Digital Economy Board of Advisors. It has been an honor to serve on the Board; however, I believe it is the responsibility of leaders to unequivocally denounce bigotry, racism, hate, and violence, and to respect...
Building a Car Hacking Development Workbench: Part 3
Welcome back to the car hacking development workbench series. In part two we discussed how to read wiring diagrams. In part three, we are going to expand on the workbench by re-engineering circuits and replicating signals used in your vehicle. If this is your first time stumbling across this write...
Rapid7 acquires Komand for security orchestration and automation
Today, Rapid7 announced the acquisition of Komand, an orchestration and automation solution for both security and IT teams. You can read the formal announcement here, but I wanted to share a little bit about why I'm so excited about this acquisition. Komand has been bold. They've been unafraid to...
Remediation Workflow Now Integrates with ServiceNow
Today we're sharing an update to Remediation Workflow Ticketing capabilities. We are pleased to announce that Remediation Workflow in InsightVM now integrates with ServiceNow. One of the main benefits of Remediation Workflow Ticketing is to improve collaboration between security and remediation...
Introducing InsightAppSec: Cloud-powered Application Security Testing
Rapid7 announces today the launch of InsightAppSec, the newest product to be delivered on the Insight platform. InsightAppSec combines the power and accuracy of Rapid7's industry-leading and proven Dynamic Application Security Testing (DAST) engine with the quick deployment, scalability, and...