Back in Sep 2017, I reported multiple 0-day vulnerabilities in the Cambium ePMP and cnPilot product lines to Rapid7 for coordinated disclosure. The disclosure went more smoothly and easily than I had expected. Thanks Tod, Jon, & team!
The Rapid7 report is now available here:
All versions prior to ePMP v3.5.1 and cnPilot v4.4 are affected. This disclosure brings you 10 CVEs, 4 new cnPilot modules, 4 new ePMP modules, 5 updated ePMP modules, and 2 new mixins for Cambium ePMP and cnPilot for future modules.
All 13 Metasploit modules are ready to play with now.
Read on for details.
Recently, I checked out Rapid7's AppSpider Web Application Testing software. It is a Windows-based application, and the demo version is available for anyone to play with.
I found 2 vulnerabilities in AppSpider - DLL pre-loading & buffer overflow - which I then reported privately to the R7 team. The folks at Rapid7 confirmed my reports and released the CVE IDs & fixed versions shortly after.
Here's the writeup from Rapid7 Release Announcement:
- Updated nginx.exe to utilize Microsoft Security Advisory on remote code execution. Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008: KB2533623 must be installed on the target platform. Resolves - CVE-2017-5236
- Resolved buffer overflow crash in the AppSpider command line tool for inputs. Resolves - CVE-2017-5240
Read on for more details.