"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path"

Author: LiquidWorm
Platform: windows
Release date: 2020-09-14

# Exploit Title: Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path
# Date: 2020-08-31
# Exploit Author: Angelo D'Amato
# Vendor Homepage: https://www.rapid7.com
# Version: <=6.6.39
# CVE: N/A

Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation


Vendor: Rapid7
Product web page: https://www.rapid7.com
Affected version: <=6.6.39

Summary: Rapid7 Nexpose is a vulnerability scanner which aims to support
the entire vulnerability management lifecycle, including discovery, detection,
verification, risk classification, impact analysis, reporting and mitigation.
It integrates with Rapid7's Metasploit for vulnerability exploitation.

Desc: Rapid7 Nexpose installer versions prior to 6.6.40 use a search path
that contains an unquoted element, in which the element contains whitespace
or other separators. This can cause the product to access resources in a parent
path, allowing local privilege escalation.

Tested on: Microsoft Windows 10 Enterprise, x64-based PC
           Microsoft Windows Server 2016 Standard, x64-based PC


Vulnerability discovered by Angelo D'Amato
                            @zeroscience


Advisory ID: ZSL-2019-5587
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5587.php


07.08.2020

--


C:\Users\test>sc qc nexposeengine
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeengine
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Nexpose Scan Engine
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
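
Added example (not part of the original advisory and not Rapid7's code): a Python audit check that parses the sc qc output shown above, flags the unquoted BINARY_PATH_NAME, and lists the earlier path Windows would try before the intended binary, which an auditor verifies does not exist and cannot be created by a non-administrator. The function names are hypothetical, and quoting the path is the general remediation for this class of issue; the advisory itself lists versions prior to 6.6.40 as affected.

```python
import re

# `sc qc nexposeengine` output from the advisory, trimmed to the relevant fields.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeengine
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Return the 'KEY : value' fields of `sc qc` output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_binary_path(path):
    """Flag an unquoted image path with spaces and list the paths tried before it."""
    path = path.strip()
    if path.startswith('"'):
        return {"unquoted": False, "image": path, "paths_to_check": []}
    # Executable part: everything up to the first ".exe" followed by a space or end.
    m = re.match(r"(.*?\.exe)(?=\s|$)", path, re.IGNORECASE)
    image = m.group(1) if m else path
    # Each space is a point where Windows may cut the string and append ".exe".
    earlier = [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]
    return {"unquoted": bool(earlier), "image": image, "paths_to_check": earlier}

def quoted_image_path(path):
    """Return the corrected value: executable wrapped in quotes, arguments kept."""
    result = audit_binary_path(path)
    if not result["unquoted"]:
        return path
    image = result["image"]
    return '"' + image + '"' + path.strip()[len(image):]

if __name__ == "__main__":
    svc = parse_sc_qc(SC_QC_OUTPUT)
    finding = audit_binary_path(svc["BINARY_PATH_NAME"])
    print(svc["SERVICE_NAME"], "runs as", svc["SERVICE_START_NAME"])
    print("unquoted path with spaces:", finding["unquoted"])
    print("must not exist / be creatable by non-admins:", finding["paths_to_check"])
    print("corrected value:", quoted_image_path(svc["BINARY_PATH_NAME"]))
```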