nDepth Employee Contributions to Open Source Security Software, July 2023 Edition



Computer security is built on the knowledge and time that the security community contributes. Those contributions help secure the software computers run every day and make it harder for malicious actors to take advantage of flaws, creating a more secure ecosystem. Many people contribute to projects such as Nmap, Rapid7's Metasploit, and MITRE's ATT&CK, and nDepth is proud to count some of those contributors among its ranks. In this blog post we'll explore some of the recent contributions to open source computer security software from nDepth employees.

Metasploit Project

The Metasploit Project, owned by Rapid7, is the world's most used penetration testing framework. This Free and Open Source Software (FOSS) is used by nearly all penetration testers and is extremely common in training courses from SANS, EC-Council, and many others.

The Metasploit Project, being Open Source Software, flourishes from the contributions of the community. nDepth’s own Mike Cyr (h00die) is a frequent contributor to the project and has continued to spend their personal time conducting security research and providing enhancements to Metasploit for the benefit of the security community. This month, h00die contributed the following enhancements:

RocketMQ Version Scanner Enhancements

RocketMQ is an Apache project for distributed messaging and data streaming. After submitting a RocketMQ version scanner module the previous month, h00die determined that some of the code could be optimized. The RocketMQ version scanner had been written as one half of a two-part module contribution: a version scanner and an exploit. Both modules need the code that determines the version of the software, so that code should not be locked inside the version scanner. The enhancement moved the version-detection code into a shared library and added tests to ensure it works correctly. This move improved code reliability while minimizing duplication between Metasploit modules.

WordPress Plugin: WooCommerce Payments Authentication Bypass and Privilege Escalation

WooCommerce Payments is a plugin for the popular blogging software WordPress. According to colorlib, approximately 163 million websites run the WooCommerce plugin for WordPress to create store fronts, making it the largest ecommerce platform. The WooCommerce Payments plugin, used by ~600,000 websites, was developed to further enhance WooCommerce by allowing it to accept additional payment methods. However, a bug in the code allowed an attacker to bypass logging in (authentication) and masquerade as (take over) any account on the website, including the administrator. In technical terms, WooCommerce Payments used an HTTP header to track which user account a visitor to the site was, and an attacker could edit that value to take over an account of their choosing. With this vulnerability, an attacker can completely compromise the website and all data in it by masquerading as the administrator, creating a new administrator account for themselves, or deploying malware to the site. The Metasploit module which was developed creates a new administrator account for the user, which empowers penetration testers to quickly identify these sites and help protect them from malicious actors.
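The bug class described above, as an added Ruby example that is not code from the plugin or from the Metasploit module: the vulnerable pattern takes the user identity straight from a client-supplied header, while the hardened version only honours that header when it carries a valid server-issued HMAC. The header names, user table, and secret are constructed placeholders; the post does not name the real header.

```ruby
require 'openssl'

# Constructed sample data (placeholders, not values from the post).
USERS = { 1 => 'administrator', 42 => 'customer' }.freeze
SERVER_SECRET = 'constructed-example-secret'.freeze
# Hypothetical header names; the real plugin's header is not named in the post.
ID_HEADER = 'X-Example-Platform-User'.freeze
SIG_HEADER = 'X-Example-Platform-Sig'.freeze

# Vulnerable pattern: identity is taken directly from a client-controlled header,
# so whoever sends the request chooses which account they become.
def resolve_user_vulnerable(headers)
  id = headers[ID_HEADER]
  return nil if id.nil? || id !~ /\A\d+\z/
  USERS[id.to_i]
end

# Server-side tag proving the identity claim was issued by the platform itself.
def sign(user_id)
  OpenSSL::HMAC.hexdigest('SHA256', SERVER_SECRET, user_id.to_s)
end

# Constant-time comparison so the tag check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened pattern: the identity header is only trusted alongside a valid HMAC;
# an edited user ID no longer matches the tag and the request is treated as anonymous.
def resolve_user_hardened(headers)
  id  = headers[ID_HEADER]
  sig = headers[SIG_HEADER]
  return nil if id.nil? || sig.nil? || id !~ /\A\d+\z/
  return nil unless secure_equal?(sign(id), sig)
  USERS[id.to_i]
end

# Audit helper for defenders: a request that asserts an identity without a
# verifiable tag is worth logging as a possible impersonation attempt.
def suspicious?(headers)
  headers.key?(ID_HEADER) && resolve_user_hardened(headers).nil?
end
```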

To view this month’s contributions, check the following links: