Enemy At The Gates
FINDING 0-DAYS IN VIRTUAL APPLIANCES
Chris Hernandez
(piffd0s)
@Defcon831
$whoami
• Penetration Tester for Veris Group
• Vulnerability hunter in spare time
• Addicted to learning all things security related
• certs= “OSCE, OSCP, CEH, Sec +, MCSE. etc”
• echo $certs > /dev/null
• Infosec dwarf standing on the shoulders of giants
Background
• Vulnerable VMs are fun & a great way to learn
• Metasploitable / Mutillidae only takes you so far
• OSCP / OSCE labs are great
• Lab services and training cost $$$
• Tutorials are great (Corelan)
• No tutorial to follow on a pentest
• Still a consumer of other peoples work / time / effort
• CTFs can have a steep barrier to entry / short timeframe
EIP: What comes next?
• Lots of virtual appliances out there
• Some secure, some not so much
• No guarantee you will find something
• Might make you feel l33t if you do
• Might make you feel like a n00b if you don't
Why a virtual appliance?
• Test a method for finding vulns
• Potentially low hanging fruit
• Typically a Linux box managed through a web interface
• Misses regular patch cycles / forgotten?
• Easy to download .ovf template or .vhd file
• Actually used in the enterprise
• Low barrier to entry
Download VM -> Find 0-day -> Become Infosec Rockstar
$methods
• VM has a web interface: use automated & manual testing (Burp)
  Run automated tests, then dive in and manually test parameters
• Test for OS / privesc issues
  http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
• Look for files to read / write / modify; can you sudo run anything? Any files running with additional privileges?
• Trial and error (lots)
• Research previously disclosed vulnerabilities (don’t duplicate work)
• Or use an advisory to build a working exploit
Examples:
Cryoserver 7.3.x (current version)
“Secure” email archiving solution.
Comes in appliance, software, cloud and service provider form.
Blurb from Cryoserver: The Cryoserver™ email archiving solution allows organisations to collect, store and save every email and instant message in a secure, tamper-evident repository. Users can sift through catalogued data quickly and easily – where email and attachments can be found in split seconds. Safely stored and never edited, the Cryoserver archive allows forensic eDiscovery of an organisation’s entire email history. The stored data is readily available for any need in a Legal Procedure, Dispute Resolutions, HR investigations, Subject Access Requests, Freedom of Information requests, Regulatory Compliance or Data Protection.
Potential Issues with Cryoserver
• Comes packaged with a default “support” service account.
• Password documented in the admin guide.
• Support account only used to set up the IP on the device; all administration is through the web interface (forgotten about)
• SSH on by default
• Customer never prompted to change the service account password
• Service account is essentially a Linux user account (very few permissions)
• Compromise could lead to invalidated forensic data?
• Steal all t3h emailz! Read all t3h passw0rdz!
Cryoserver Privesc-Exploit:
Starting with the limited “support” user account: we have the ability to sudo exec /bin/cryo-mgmt, a bash script that executes management functions.
Cryoserver Exploit:
No permissions to modify cryo-mgmt.
Not to worry… other scripts are called by cryo-mgmt.
No permissions to those either.
But! /etc/init.d/cryoserver is called by cryo-mgmt (option 2).
Cryoserver Exploit:
/etc/init.d/cryoserver
Let's add our attack (reset the root password to a known password).
Execute cryo-mgmt + option 2
ROOT!
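The weakness behind this chain is a sudo-allowed script handing control to a file the unprivileged account can edit. The audit below is an added example written for this page (not Cryoserver's or the author's code): given a script the account may run through sudo, it lists every absolute path the script references that the account could itself modify, which is the "can you sudo run anything" check from $methods done mechanically. The fixture (cryo-mgmt, etc/init.d/cryoserver, helper.sh under a temporary directory, and the made-up uid 4242) is constructed here and stands in for the appliance.

```python
import os
import re
import stat
import tempfile

# Absolute paths mentioned in a script: the files it may hand control to.
PATH_RE = re.compile(r"(?<![\w.-])/(?:[\w.-]+/)*[\w.-]+")

def writable_by(path, uid, gids):
    """True if uid (with these groups) could write path, judged from mode bits only."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def writable_callees(script, uid, gids):
    """Regular files referenced by a sudo-allowed script that uid could edit."""
    with open(script) as fh:
        text = fh.read()
    return [p for p in sorted(set(PATH_RE.findall(text)))
            if os.path.isfile(p) and writable_by(p, uid, gids)]

def build_fixture(root):
    """Constructed stand-in for the appliance: a management script (run via sudo)
    whose option 2 calls a world-writable init script (the weak setting); the
    option 1 helper is correctly 0755."""
    initd = os.path.join(root, "etc", "init.d")
    os.makedirs(initd)
    init_script = os.path.join(initd, "cryoserver")
    helper = os.path.join(root, "helper.sh")
    mgmt = os.path.join(root, "cryo-mgmt")
    for path, mode in ((init_script, 0o777), (helper, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(path, mode)
    with open(mgmt, "w") as fh:
        fh.write('#!/bin/sh\ncase "$1" in\n'
                 f"  1) {helper} ;;\n  2) {init_script} restart ;;\nesac\n")
    os.chmod(mgmt, 0o755)
    return mgmt, init_script

def demo(uid=4242):
    """Audit the fixture as a made-up unprivileged uid; returns (findings, expected)."""
    with tempfile.TemporaryDirectory() as root:
        mgmt, init_script = build_fixture(root)
        return writable_callees(mgmt, uid, {uid}), init_script
```

Run against a real sudoers entry, the same check points at the file whose permissions need fixing (or the sudo rule that should not exist).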
DEMO
Examples:
Piler 0.1.24 (current VM version)
“advanced open source email archiver”
“Piler helps you to provide relevant information in a timely manner in case of legal discovery, audit or other events.”
Issues with Piler:
Lack of input sanitation on most form fields, leading to XSS…
Evil kitteh is reading ur emailz
Piler privesc-exploit
- piler user can execute searches & update account
- search & account fields do limited input sanitation
- admin can audit user behavior, resulting in script execution
Piler privesc-exploit
Execute a malicious search or a malicious settings update.
Admin executes audit…
To steal a session…
1. Attacker injects malicious XSS into the “theme” param
2. Attacker receives a “callback” with cookies
3. Attacker browses to the referrer site and modifies the cookie: becomes admin
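Where this chain breaks if the audit page treats stored settings as data rather than markup: an added example (not Piler's code), with a constructed theme value, an assumed allowlist of theme names, an assumed cookie name "session", and a session-cookie header that keeps the token out of document.cookie.

```python
import html

# Constructed sample of what a low-privilege user could store in the
# "theme" setting; a harmless probe() call stands in for a real payload.
STORED_THEME = '"><script>probe()</script>'

# Assumed allowlist of theme names the application actually ships.
KNOWN_THEMES = {"default", "dark", "light"}

def render_audit_row_vulnerable(user, theme):
    """The sink: stored settings echoed straight into the admin's audit page."""
    return f"<tr><td>{user}</td><td>{theme}</td></tr>"

def render_audit_row(user, theme):
    """Hardened: every stored value is HTML-escaped at output time, so a
    stored '<script>' renders as text instead of running as the admin."""
    return (f"<tr><td>{html.escape(user, quote=True)}</td>"
            f"<td>{html.escape(theme, quote=True)}</td></tr>")

def validate_theme(theme):
    """Input side: accept only a known theme name, never free text."""
    return theme if theme in KNOWN_THEMES else None

def session_cookie_header(token):
    """HttpOnly keeps the token out of document.cookie, so even a successful
    script injection cannot ship it to a callback; Secure and SameSite
    limit where the browser will send it."""
    return f"Set-Cookie: session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
```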
DEMO
QUESTIONS?

Enemy at the gates: vulnerability research in embedded appliances