
Reversing blue coat proxysg - wa-

2,077 views

Published in: Technology

  1. Reversing BlueCoat ProxySG: For fun and profit. Idsecconf 2011 @PalComTech, Palembang
  2. Research and Development Center Indonesia. http://rndc.or.id @0x0000F4C0
  3. BlueCoat
     - Web Security: ProxySG, Web Security Module
     - WAN Optimization: MACH5, PacketShaper
     - Personal Security: K9 Web Protection
     - Service Provider Caching: CacheFlow
  4. ProxySG
     - ProxySG provides complete control over all your web traffic with robust features that include user authentication, web filtering, data loss prevention, inspection and validation of SSL-encrypted traffic, content caching, bandwidth management, stream-splitting and more.
  5. ProxySG
  6. ProxySG
  7. ProxySG License
     - Blue Coat SG510-5, Proxy Edition: 8,000.00
     - Blue Coat SG510-10, Proxy Edition: 14,000.00
     - Blue Coat SG510-20, Proxy Edition: 23,000.00
     - Blue Coat SG510-25, Proxy Edition: 27,600.00
     - Blue Coat SG510-10, MACH5 Edition: 10,000.00
     - Blue Coat SG510-20, MACH5 Edition: 20,000.00
     - Blue Coat SG510-25, MACH5 Edition: 24,000.00
  8. ProxySG Component
     - SGOS 5
     - SG Client - Acceleration
     - SG Client - Web Filtering
     - Peer-To-Peer
     - Bandwidth Management
     - Compression
     - Websense Offbox Content Filtering
     - etc.
  9. Inside ProxySG
  10. Inside ProxySG
     - Firmware
       - CHK (< v5.5.1.1): Unsigned Firmware Image File
       - BCSI (> v6.0.0.0): Signed Firmware Image File
  11. ProxySG CHK File

        struct BCoatImage
        {
            DWORD      dwCsum;                              // checksum
            BYTE       dwSignature[0x3C];
            CFBound    dwCF1;                               // 0x1000 bytes
            CFBound    dwCF2;                               // 0x1000 bytes
            BYTE       ImageContent[dwCF2.dwSizeOfImage];   // variable length (pseudo-C)
            ImageIndex dwImageIndex[dwCF2.dwTotalFiles];    // variable length (pseudo-C)
        };

  12. ProxySG CHK File

        typedef struct CFBound
        {
            BYTE  Signatures[0x40];
            WORD  unkW1;
            WORD  unkW2;
            DWORD unkDW1;
            DWORD dwSizeOfImage;
            DWORD dwStartOfIndex;
            DWORD dwTotalFiles;
            DWORD dwStartOfName;
            DWORD unkDW3[0xBC];
            DWORD dwMD5[4];
            DWORD unkDW4[0x32A];
        } CFBound;                                          // sizeof == 0x1000

  13. ProxySG CHK File

        typedef struct ImageIndex
        {
            DWORD offset;
            DWORD size;
            DWORD name;
            DWORD unkDW1[5];
        } ImageIndex;                                       // sizeof == 0x20

  14. ProxySG CHK File
  15. ProxySG CHK File
     - Protection
       - 2 MD5 hashes
       - 1 checksum
  16. ProxySG CHK License File
     - Base64 encoded
     - Signed XML
     - Certificate
  17. Bypassing License Check
     - Patching EVP_VerifyFinal()
     - Injecting self-signed CA
  18. Next Steps?
     - Inject backdoor?
     - Provide API?
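The following is an added example, not code from the talk or from Blue Coat. It is a parser for the CHK image layout exactly as the BCoatImage, CFBound and ImageIndex definitions on slides 11 to 13 give it (field order and sizes are taken from those structs, so sizeof(CFBound) comes out as 0x1000 and the content starts at 0x2040). Everything the slides do not state is an assumption made here and marked in the code: little-endian DWORDs, that dwStartOfIndex and dwStartOfName are absolute file offsets, that ImageIndex.offset is relative to ImageContent and ImageIndex.name is an offset into a NUL-terminated name table, and that dwMD5 is the MD5 of ImageContent. The checksum algorithm is not on the slides, so the sample writes 0 there. Every header-supplied offset is bounds-checked before use, which is the check a practitioner needs when parsing firmware images of unknown origin; `build_sample_chk` constructs an in-memory sample image so the example runs offline.

```python
"""Parser for the ProxySG CHK image layout shown on the slides (added example).

Field order and sizes come from the BCoatImage / CFBound / ImageIndex structs;
endianness, offset bases and what dwMD5 covers are assumptions for this example.
"""
import hashlib
import struct

CFBOUND_SIZE = 0x1000                                   # sizeof(CFBound), per the "0x1000 bytes" comment
IMAGE_INDEX_SIZE = 0x20                                 # ImageIndex is 8 DWORDs
OUTER_HEADER_SIZE = 4 + 0x3C                            # dwCsum + dwSignature[0x3C]
CONTENT_OFFSET = OUTER_HEADER_SIZE + 2 * CFBOUND_SIZE   # ImageContent starts at 0x2040

# CFBound in slide order: Signatures[0x40], unkW1, unkW2, unkDW1, dwSizeOfImage,
# dwStartOfIndex, dwTotalFiles, dwStartOfName, unkDW3[0xBC], dwMD5[4], unkDW4[0x32A].
# Assumption: little-endian DWORDs ('<' also disables struct padding).
CFBOUND_FMT = "<64sHHIIIII752s16s3240s"
IMAGE_INDEX_FMT = "<III20s"                             # offset, size, name, unkDW1[5]
assert struct.calcsize(CFBOUND_FMT) == CFBOUND_SIZE
assert struct.calcsize(IMAGE_INDEX_FMT) == IMAGE_INDEX_SIZE


class BadImage(ValueError):
    """Raised when the header's claims do not fit the bytes actually present."""


def parse_cfbound(blob):
    f = struct.unpack(CFBOUND_FMT, blob)
    return {"signature": f[0].rstrip(b"\0"), "size_of_image": f[4],
            "start_of_index": f[5], "total_files": f[6],
            "start_of_name": f[7], "md5": f[9]}


def parse_chk(data):
    """Parse a CHK image, bounds-checking every header-supplied offset before using it."""
    if len(data) < CONTENT_OFFSET:
        raise BadImage("file shorter than the fixed 0x2040-byte header")
    csum = struct.unpack_from("<I", data, 0)[0]
    cf1 = parse_cfbound(data[OUTER_HEADER_SIZE:OUTER_HEADER_SIZE + CFBOUND_SIZE])
    cf2 = parse_cfbound(data[OUTER_HEADER_SIZE + CFBOUND_SIZE:CONTENT_OFFSET])
    content_end = CONTENT_OFFSET + cf2["size_of_image"]
    index_end = content_end + cf2["total_files"] * IMAGE_INDEX_SIZE
    if index_end > len(data):
        raise BadImage("header claims more content/index bytes than the file holds")
    if cf2["start_of_index"] != content_end:            # assumption: absolute file offset
        raise BadImage("dwStartOfIndex disagrees with dwSizeOfImage")
    content = data[CONTENT_OFFSET:content_end]

    files = []
    for i in range(cf2["total_files"]):
        off, size, name_off, _ = struct.unpack_from(
            IMAGE_INDEX_FMT, data, content_end + i * IMAGE_INDEX_SIZE)
        if off + size > len(content):                   # assumption: offset is relative to ImageContent
            raise BadImage(f"index entry {i} points outside ImageContent")
        name_start = cf2["start_of_name"] + name_off    # assumption: name is an offset into a name table
        nul = data.find(b"\0", name_start, content_end)
        if name_start >= content_end or nul < 0:
            raise BadImage(f"index entry {i} has an unterminated name")
        files.append((data[name_start:nul].decode("ascii", "replace"), content[off:off + size]))

    return {
        "checksum": csum,
        "headers_match": cf1 == cf2,
        "md5_stored": cf2["md5"].hex(),
        "md5_matches": hashlib.md5(content).digest() == cf2["md5"],   # assumption: dwMD5 = MD5(ImageContent)
        "files": files,
    }


def build_sample_chk(files, csum=0):
    """Constructed sample image following the slide layout; not a real Blue Coat image."""
    payload, names, index = bytearray(), bytearray(), bytearray()
    for name, body in files:
        index += struct.pack(IMAGE_INDEX_FMT, len(payload), len(body), len(names), b"\0" * 20)
        payload += body
        names += name.encode("ascii") + b"\0"
    content = bytes(payload + names)                    # name table kept inside ImageContent
    cf = struct.pack(CFBOUND_FMT, b"CFBOUND-SAMPLE", 0, 0, 0, len(content),
                     CONTENT_OFFSET + len(content),     # dwStartOfIndex
                     len(files),                        # dwTotalFiles
                     CONTENT_OFFSET + len(payload),     # dwStartOfName
                     b"\0" * 752, hashlib.md5(content).digest(), b"\0" * 3240)
    outer = struct.pack("<I", csum) + b"BCOAT-SAMPLE".ljust(0x3C, b"\0")
    return outer + cf + cf + content + bytes(index)


def tamper(image, offset_in_content, new_byte):
    """Overwrite one byte of ImageContent; the stored MD5 then no longer matches."""
    buf = bytearray(image)
    buf[CONTENT_OFFSET + offset_in_content] = new_byte
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_chk([("boot/kernel", b"\x7fELF" + b"\x90" * 64), ("etc/version", b"5.4.0")])
    report = parse_chk(sample)
    for name, body in report["files"]:
        print(f"{name}: {len(body)} bytes")
    print("md5 ok:", report["md5_matches"])
    print("md5 ok after tamper:", parse_chk(tamper(sample, 0, 0x00))["md5_matches"])
```

The MD5 and checksum in a CHK header are computed from the image itself, so the check in `parse_chk` detects corruption in transit, not substitution: anyone who can write the file can recompute both values. That is the gap between the unsigned CHK format and the signed BCSI format listed on slide 10, and it is why a defender should treat an MD5 match on a CHK image as an integrity signal only, never as proof of origin.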