StHack 2014 - Jerome "@funoverip" Nokin  Turning your managed av into my botnet
Today centrally managed Anti-Virus (AV) solutions are used across all enterprises and are relied upon to provide central management, logging and enforcement. This talk presents the journey and the results of reviewing the security posture of the core components of a few selected managed AV solutions: the central servers themselves. Critical security vulnerabilities will be presented, covering SQL Injection, Directory Path Traversal and Buffer Overflow. Particular focus will be given to the different steps required to fully compromise both central management servers and managed stations. Who does not want to transform a major managed AV into his private botnet within minutes?


Jerome Nokin works as a Security Consultant for Verizon Enterprise where he is a senior member of the Vulnerability Management Team mainly focusing on Penetration Tests and Web Application Assessment. Prior to his role at Verizon he worked in the area of security covering both consultancy and ICT.

Transcript

  • 1. Turning your managed Anti-Virus … into my Botnet J Jérôme NOKIN http://funoverip.net
  • 2. About me
    • # id: Jérôme Nokin • http://funoverip.net • jerome.nokin@gmail.com • @funoverip
    • # job: Penetration Tester • Verizon Enterprise Solutions
    • # sudo certs: OSCE • OSCP • CEH
  • 3. Research – Topic: Managed Antivirus
    • Central server(s) of such software regularly communicate with the endpoints and perform privileged actions against them.
    • From an attacker's perspective, vulnerabilities in such servers might have a very large impact against the whole set of managed stations.
    • Yes, we found vulnerabilities. However:
      • This talk isn’t full of reversing/debugging/fuzzing screenshots. A paper will soon address such details.
      • This talk is about how we used these vulnerabilities (impact).
  • 4. Approach To focus on the non-clear-text traffic between the central server(s) and the managed stations. To reverse engineer both the software and the communication protocol. To develop dedicated Fuzzers able to impersonate end-point agents.
  • 5. Selected Targets McAfee ePolicy Orchestrator Symantec Endpoint Protection
  • 6. McAfee ePolicy Orchestrator
  • 7. Common deployment
  • 8. Some notes & protocols
    • Agents must be registered: Agent GUID, DSA/RSA keys
    • Agents to server: Events, Info, Updates, … over HTTP(S), regular polling
    • Server to agents: Wake-up calls (8082/TCP)
  • 9. HTTP request sample (client → server)
  • 10. CVE-2013-0140 – SQL Injection
    • SQL Injection issues were discovered inside the XML “Full Properties” message (data section)
  • 11. CVE-2013-0141 – Directory Path Traversal
    • Below is an Event Request content (data section)
    • This request creates an XML file on the server, which contains data about an event.
    • BLUE → Destination filename
    • GREEN → Length of the filename
    • RED → Length of the data
    • BLACK → The “data”
  • 12. CVE-2013-0141 – Directory Path Traversal
    • What happens if we replace the filename from: 20121210121340871913800000D60.xml to: ../../Software/00000000000000.jsp
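The server-side check that would have stopped the filename swap on slides 11–12, as an added example that is not part of the talk and not McAfee's code: a strict allow-list on the client-supplied event filename plus a canonical-path containment check. The filename pattern and the events directory are assumptions for the example.

```python
import os
import re
from typing import Optional

# Allow-list for event filenames. The name on the slide is a hex/decimal string
# followed by ".xml"; the exact pattern ePO expects is not on the page, so this
# regex is an assumption for the example.
EVENT_NAME_RE = re.compile(r"[0-9A-Fa-f]{10,40}\.xml")


def resolve_event_path(events_dir: str, client_filename: str) -> Optional[str]:
    """Return the absolute path at which a client-supplied event filename may be
    written, or None when the name must be rejected.

    Two independent checks: a strict allow-list on the bare name, and a
    canonical-path containment check, so that even a later relaxation of the
    allow-list cannot let a file land outside events_dir."""
    name = client_filename
    # Reject empty names and NUL bytes (length-prefixed fields let them through),
    # any separator of either flavour (the server runs on Windows, so "\" matters
    # as much as "/"), drive letters, and the dot names.
    if not name or "\x00" in name:
        return None
    if "/" in name or "\\" in name or ":" in name:
        return None
    if name in (".", "..") or not EVENT_NAME_RE.fullmatch(name):
        return None
    base = os.path.realpath(events_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # The resolved file must sit directly inside the events directory.
    if os.path.dirname(candidate) != base:
        return None
    return candidate


def check_slide_examples() -> dict:
    """Run the two filenames from slide 12 against a constructed events directory."""
    events_dir = "/srv/epo/events"  # assumption: not ePO's real layout
    return {
        "legit": resolve_event_path(events_dir, "20121210121340871913800000D60.xml"),
        "traversal": resolve_event_path(events_dir, "../../Software/00000000000000.jsp"),
    }


if __name__ == "__main__":
    for label, result in check_slide_examples().items():
        print(f"{label}: {'accepted -> ' + result if result else 'rejected'}")
```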
  • 13. Post-Authenticated vulnerabilities So far, we can only trigger vulnerabilities by impersonating a registered agent. Prior to any communication between an agent and the ePo server, the agent must be registered.
  • 14. Registration request
  • 15. Reqseckey – the published private key
    • How does ePo verify the signature if it doesn’t know the public key yet?
    • The signature is actually not generated using the “agent” private key, but using a dedicated ePo key … which is published to everyone …
    • That private key is called "reqseckey" and is embedded in the agent installation package.
    • Additionally, that key is available for download from the ePo server: https://epo/Software/Current/EPOAGENT3000/Install/0409/reqseckey.bin
  • 16. Did you say 3DES?
    • Part of the registration request is encrypted using 3DES
    • The symmetric key is obfuscated inside the binaries and therefore is the same in all ePo environments (and versions) :-)
    • At your office, the key is: echo -n '<!@#$%^>' | sha1sum → 3ef136b8b33befbc3426a7b54ec41a377cd3199b
  • 17. Sign Up (It’s free and always will be)
  • 18. Post-Authenticated vuln (kind of) – Pre-Authenticated Rogue Agent Registration:
  • 19. Remote Command Execution
  • 20. Remote command execution – Method 1: Extended stored procedure
    • Using SQLi and 'xp_cmdshell’, if available (dba privs?)
    • MSSQL isn’t always running with SYSTEM privileges :-(
    • Enhancement: in recent ePo versions, the admin is warned if ePo starts with DBA privs
  • 21. Remote command execution – Method 2: Reuse ePo features!
    • Registered Executable, to be used as an Automatic Response with “Rogue Event requests”
    • Always runs with SYSTEM privileges :-)
  • 22. So far, so good …
    • Registration: “Published” private key • Static encryption key (3DES)
    • Database access: SQL Injection (CVE-2013-0140)
    • Upload: Directory Path Traversal (CVE-2013-0141)
    • Remote Command Execution: Registered Executable • Automatic Responses
    • Download: After all, it’s a web server … just have to move files using RCE
  • 23. Remember this ?
  • 24. Would that be possible ?
  • 25. Creating Rogue McAfee packages
  • 26. Creating rogue packages (1)
    • Updating catalog.z on the ePo server (available software list)
      • XML file containing “the software catalog”
      • Compressed as a CAB file
      • Digitally signed using:
        • DSA: C:\Program~1\McAfee\Epo\DB\Keystore\sm<hostname>.zip
        • RSA: C:\Program~1\McAfee\Epo\DB\Keystore\sm2048<hostname>.zip
      • Encrypted using 3DES, same key as before. Seems to be a universal key in the McAfee world?
    • Creating a McAfee package
      • Generating a PkgCatalog.z file (metadata information). Also XML → CAB → Signature → 3DES
      • Add evil files
  • 27. Creating rogue packages (2)
    • Updating ePo repository files (using “Dir Path Traversal”)
    • Kindly ask other ePo repositories to update their caches (using SQLi)
    • Creating a Deployment Task (using SQLi)
    • Abusing the “Wake Up” calls (using SQLi): “… Dear agents, please download and install the following package. I have digitally signed the package so you can trust it …” “… By the way, do you mind obeying now? …”
  • 28. ePolicy 0wner – Tiny Demo (Get the full version here: http://funoverip.net/?p=1405)
  • 29. Security patch & references
    • McAfee released a security patch in May 2013.
    • All of these issues are resolved in ePO 5.0, 4.6.6, and 4.5.7: https://kc.mcafee.com/corporate/index?page=content&id=SB10042
    • US-CERT advisory: http://www.kb.cert.org/vuls/id/209131
    • CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0140 • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0141
  • 30. Internet survey – Getting data
    • Fingerprint: using ePo SSL server certificates
    • Shodan: SSL DB not ready yet
    • Zmap: Internet-wide scan using Zmap at 70 Mbps (~13h) + SSL extract (~2 weeks)
    • Crossing results. Thanks to the Zmap team for your data!
  • 31. Internet survey – 1701 servers found (scan date: Sep 1st 2013)
    • 862 vulnerable versions
    • 699 non-vulnerable versions
    • 140 unknown versions
    • How many managed devices behind?
  • 32. Internet survey – World map view • Still a draft picture.. Sorry..
  • 33. Conclusion
  • 34. What did we learn?
    • Security issues can be everywhere
      • In mature products, for years!
      • Hidden by complex protocols or structures
      • It’s only a matter of time and energy to find them
    • Chained issues
      • Do not under-estimate a single vulnerability
      • Impact is much more important if coupled with additional weaknesses
    • Do not rely on CVSS score only
      • ePo SQL Injection – base score: 7.9
      • ePo Dir Path Traversal – base score: 4.3
      • However, impact for chained vulnerabilities: We 0wn the Matrix…
  • 35. Give enough time to your testers…
    • Customer: I would like you to audit my web application. Security is important for us!
    • Pentester: I’m your man! I would need 6 days + 1 day for reporting.
    • Customer: Awesome! You have 4 days, including reporting.
    • Pentester: …
  • 36. Q&A
  • 37. Btw, about SEP (Symantec)
    • CVE-2013-1612 – Remote Buffer Overflow