NCC Group, profile picture
Uploaded byNCC Group
PPTX, PDF977 views

Exploiting appliances presentation v1.1-vids-removed

Security appliances like email filters, firewalls, and remote access gateways are often Linux systems with insecure web applications and configurations. The document analyzes vulnerabilities found in many popular security appliances, including easy password attacks, cross-site scripting, command injection, and privilege escalation issues. It describes how these vulnerabilities allow attackers to gain full access to systems and internal networks. Vendors' responses to reported issues varied, with some fixing problems quickly while others provided no fixes. The conclusions encourage vendors to improve software maintenance and security testing of appliances.

Embed presentation

Downloaded 12 times
Hacking Appliances: Ironic exploits in security products Ben Williams 9:10 AM
Proposition • There is a temptation to think of Security Appliances as impregnable fortresses, this is definitely a mistake. • Security Appliance (noun) - Poorly configured and maintained Linux system with insecure web-app (and other applications) 9:10 AM 9:10 AM
Which kind of appliances exactly? • Email filtering • Proofpoint (F-secure among others), Baracuda, Symantec, Trend Micro, Sophos, McAfee • Firewall, Gateway, Remote Access • McAfee, Pfsense, Untangle, ClearOS, Citrix, Barracuda • Others • Single sign-on, communications, file-storage etc 9:10 AM 9:10 AM
Are these product well-used and trusted? 2013 SC Magazine US Awards Finalists - Reader Trust Awards - “Best Email Security Solution” • Barracuda Email Security • McAfee Email Protection • Proofpoint Enterprise Protection • Symantec Messaging Gateway • Websense Email Security Gateway Anywhere 9:10 AM 9:10 AM
How are they deployed? 9:10 AM 9:10 AM Firewall or Gateway or UTM Email Filter Web Filter Remote Access Security Management Other Appliances
Sophos Email Appliance (v3.7.4.0) • Easy password attacks • Command-injection • Privilege escalation • Post exploitation http://designermandan.com/project/crisis-charity/ 9:10 AM 9:10 AM
Interesting system in a Pentest PORT STATE SERVICE VERSION 24/tcp open ssh OpenSSH 5.1p1 (FreeBSD 20080901; protocol 2.0) |_ssh-hostkey: 1024 23:f4:c6:cf:0d:fe:3f:0b:22:ab:9f:7d:97:19:03:e2 (RSA) 25/tcp open smtp Postfix smtpd |_smtp-commands: sophos.insidetrust.com, PIPELINING, SIZE 10485760, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 80/tcp open http nginx | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:443/ |_http-methods: No Allow or Public header in OPTIONS response (status code 302) 443/tcp open ssl/http nginx | ssl-cert: Subject: commonName=sophos.insidetrust.com/organizationName=Sophos PLC/stateOrProvinceName=British Columbia/countryName=CA | Not valid before: 2012-09-20 20:06:32 |_Not valid after: 2022-09-18 20:06:32 |_http-title: Sophos Email Appliance |_http-methods: No Allow or Public header in OPTIONS response (status code 200) 5432/tcp open postgresql PostgreSQL DB 8.0.15 - 8.0.21 18080/tcp open http nginx |_http-methods: No Allow or Public header in OPTIONS response (status code 302) | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:18080:18080/ 9:10 AM 9:10 AM
Easy targeted password-attacks… because • Known username (default, often fixed) • Linux platform with a scalable and responsive webserver • No account lockout, or brute-force protection • Minimal password complexity • Administrators choose passwords • Few had logging/alerting • Over an extended period, an attacker stands a very good chance of gaining administrative access 9:10 AM 9:10 AM
Really obvious vulnerabilities • Loads of issues • XSS with session hijacking, CSRF, poor cookie and password security, OS command injection… • So… I got an evaluation… 9:10 AM 9:10 AM
Command-injection (and root shell) • Why do we want a root shell? • Reflective attacks (with reverse shells) • Admins can’t view all email, but an attacker can • Foothold on internal network 9:10 AM 9:10 AM
Direct attack 9:10 AM 9:10 AM
Reflective attack 9:10 AM 9:10 AM Attacker
What do you get on the OS? • Old kernel • Old packages • Unnecessary packages • Poor configurations • Insecure proprietary apps 9:10 AM 9:10 AM
Appliances are not “Hardened Linux” • It’s common for useful tools to be already installed • Compilier/debugger (gcc,gdb), Scripting languages (Perl, Python, Ruby), Application managers (yum, apt-get), Network sniffers (tcpdump), Other tools (Nmap, Netcat) • File-system frequently not “hardened” either • No SELinux. AppArmour or integrity checking • Rare to see no-write/no-exec file systems 9:10 AM 9:10 AM
Meanwhile… Post exploitation That looks like a cosy shell… I think I’ll move in! 9:10 AM 9:10 AM
Stealing passwords • Plain-text passwords on box • Steal credentials from end-users • Just decrypt HTTPS traffic with Wireshark • Using the SSL private key for self-signed cert 9:10 AM 9:10 AM
Sophos fix info: Leave auto-update enabled • Reported Oct 2012 • Vendor responsive and helpful (though limited info released) • Fix scheduled for Jan 14th 2013 9:10 AM 9:10 AM
The ironic thing about Security Appliances • Most Security Appliances suffer from similar security vulnerabilities • Some significantly worse 9:10 AM 9:10 AM
Common exploit categories • Almost all Security Appliance products had • Easy password attacks • XSS with session-hijacking, or password theft • Non-hardened Linux OS – (though vendors claim otherwise) • Unauthenticated information disclosure (exact version) • The majority had • CSRF of admin functions • OS Command-injection • Privilege escalation (either UI and OS) 9:10 AM 9:10 AM
Common exploit categories • Several had • Stored out-of-band XSS and OSRF (for example in email) • Direct authentication-bypass • A few had • Denial-of-Service • SSH misconfiguration • There were a wide variety of more obscure issues 9:10 AM 9:10 AM
Citrix Access Gateway (5.0.4) • Multiple issues • Potential unrestricted access to the internal network 9:10 AM 9:10 AM
Erm… That’s a bit odd… ssh admin@192.168.233.55 9:10 AM 9:10 AM
Where’s my hashes to crack? 9:10 AM 9:10 AM
Port-forwarding (no password) When SSH is enabled on the CAG - port-forwarding is allowed ssh admin@192.168.1.55 ssh admin@192.168.1.55 -L xxxx:127.0.0.1:xxxx 9:10 AM 9:10 AM
Potential access to internal systems! Attacker 9:10 AM 9:10 AM
Rather ironic: Remote Access Gateway • Unauthenticated access to the internal network? • Auth-bypass and root-shell 9:10 AM 9:10 AM
Citrix fix info: Affects CAG 5.0.x • Reported Oct 2012 • Fixed released last week (6th March 2013) • CVE-2013-2263 Unauthorized Access to Network Resources • http://support.citrix.com/article/ctx136623 9:10 AM 9:10 AM
Combination attacks • Combining multiple common issues 9:10 AM 9:10 AM
Proofpoint: ownage by Email (last year) 9:10 AM 9:10 AM
Out-of-band XSS and OSRF • I found 4 products with this issue • Three of which were Anti-spam products where you could attack users/administrators via a specially-crafted spam email • Out-of-Band XSS and OSRF has a massive advantage over CSRF attacks • Easy to distribute attack payloads • XSS cannot be detected and blocked by the admins browser • Minimal social-engineering or reconnaissance 9:10 AM 9:10 AM
Backup-restore flaws - revisited via CSRF • Vendors deciding not to fix the backup/restore tar.gz issue • But… common feature, and high-privilege • Use CSRF to restore the attacker’s backup! • Spoof a file-upload and “apply policy” • Which results in a reverse-shell as root 9:10 AM 9:10 AM
CSRF backup/restore attack 9:10 AM 9:10 AM
Symantec Email Appliance (9.5.x) • Multiple issuesDescription NCC Rating Out-of-band stored-XSS - delivered by email Critical XSS (both reflective and stored) with session-hijacking High Easy CSRF to add a backdoor-administrator (for example) High SSH with backdoor user account + privilege escalation to root High Ability for an authenticated attacker to modify the Web-application High Arbitrary file download was possible with a crafted URL Medium Unauthenticated detailed version disclosure Low 9:10 AM 9:10 AM
Out-of-band XSS and OSRF • Chain together issues in various ways • XSS in spam Email subject line, to attack the administrator • Use faulty “backup/restore” feature (with OSRF) to add arbitrary JSP to the admin UI, and a SUID binary • XSS - Executes new function to send a reverse-shell back to the attacker 9:10 AM 9:10 AM
XSS Email to reverse-shell as root 9:10 AM 9:10 AM
Rather ironic • Root-shell via malicious email message • In an email filtering appliance? 9:10 AM 9:10 AM
Symantec fix info: Upgrade to 10.x • Reported April 2012 – Fixed Aug 2012 • CVE-2012-0307 XSS issues • CVE-2012-0308 Cross-site Request Forgery CSRF • CVE-2012-3579 SSH account with fixed password • CVE-2012-3580 Web App modification as root • CVE-2012-4347 Directory traversal (file download) • CVE-2012-3581 Information disclosure http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se curity_advisory&pvid=security_advisory&year=2012&suid=20120827_00 9:10 AM 9:10 AM
TrendMicro Email Appliance 9:10 AM 9:10 AM
Trend Email Appliance (8.2.0.x) • Multiple issues Description NCC Rating Out-of-band stored-XSS in user-portal - delivered via email Critical XSS (both reflective and stored) with session-hijacking High Easy CSRF to add a backdoor-administrator (for example) High Root shell via patch-upload feature (authenticated) High Blind LDAP-injection in user-portal login-screen High Directory traversal (authenticated) Medium Unauthenticated access to AdminUI logs Low Unauthenticated version disclosure Low 9:10 AM 9:10 AM
9:10 AM
End-user Email XSS ownage 9:10 AM 9:10 AM
Admin Email XSS ownage 9:10 AM 9:10 AM
Trend Fix info: Use workarounds • Reported April 2012 • No fixes released or scheduled AFAIK 9:10 AM 9:10 AM
Other Research • Poking about with binaries • Investigation of memory corruption issues • Processing of messages etc 9:10 AM 9:10 AM
Kernel protections 9:10 AM 9:10 AM
Compiled Binaries 9:10 AM 9:10 AM
“Banned” (insecure) functions in use 9:10 AM 9:10 AM
Conclusions • The majority of Security Appliances tested were insecure • Interesting state of play in 2012 - 2013 • Variable responses from vendors • Some fixed within 3 months, some not • Evolution • Software > Appliances > Virtual Appliances > Cloud Services • Huawei 9:10 AM 9:10 AM
Solutions • Regular software maintenance • Secure Development Lifecycle (SDL) • Product security testing • Penetration testing 9:10 AM 9:10 AM
UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Questions? 9:10 AM
Exploiting appliances presentation v1.1-vids-removed

More Related Content

PDF
All You Need is One - A ClickOnce Love Story - Secure360 2015
byNetSPI
 
PDF
Ch 9: Embedded Operating Systems: The Hidden Threat
bySam Bowne
 
PPTX
Extracting Credentials From Windows
byNetSPI
 
PDF
Docking stations andy_davis_ncc_group_slides
byNCC Group
 
PDF
07182013 Hacking Appliances: Ironic exploits in security products
byNCC Group
 
PDF
WTF is Penetration Testing
byNetSPI
 
PDF
Attack All the Layers - What's Working in Penetration Testing
byNetSPI
 
PDF
How we breach small and medium enterprises (SMEs)
byNCC Group
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
byNetSPI
 
Ch 9: Embedded Operating Systems: The Hidden Threat
bySam Bowne
 
Extracting Credentials From Windows
byNetSPI
 
Docking stations andy_davis_ncc_group_slides
byNCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
byNCC Group
 
WTF is Penetration Testing
byNetSPI
 
Attack All the Layers - What's Working in Penetration Testing
byNetSPI
 
How we breach small and medium enterprises (SMEs)
byNCC Group
 

What's hot

PDF
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
PDF
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
PDF
CISSP Prep: Ch 8. Security Operations
bySam Bowne
 
PDF
CNIT 123: Ch 3: Network and Computer Attacks
bySam Bowne
 
PDF
3. Security Engineering
bySam Bowne
 
PDF
Dns firewalls null-may2020
byn|u - The Open Security Community
 
PDF
Thick Application Penetration Testing - A Crash Course
byNetSPI
 
PDF
CNIT 152: 1 Real-World Incidents
bySam Bowne
 
PDF
CNIT 152: 1 Real-World Incidents
bySam Bowne
 
PDF
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
bySam Bowne
 
PDF
CNIT 126: Ch 2 & 3
bySam Bowne
 
PDF
Ch 6: Attacking Authentication
bySam Bowne
 
PPTX
Reverse_Engineering_Thick-clients
bySteve Markey
 
PPTX
Internet Accessible ICS in Japan (English)
byDigital Bond
 
PDF
CNIT 123: Ch 7: Programming for Security Professionals
bySam Bowne
 
PPTX
Securing the cloud and your assets
byMarcus Dempsey
 
PDF
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
PDF
Is Your Mobile App Secure?
bySam Bowne
 
PDF
3. Security Engineering
bySam Bowne
 
PDF
CNIT 50: 9. NSM Operations
bySam Bowne
 
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
CISSP Prep: Ch 8. Security Operations
bySam Bowne
 
CNIT 123: Ch 3: Network and Computer Attacks
bySam Bowne
 
3. Security Engineering
bySam Bowne
 
Dns firewalls null-may2020
byn|u - The Open Security Community
 
Thick Application Penetration Testing - A Crash Course
byNetSPI
 
CNIT 152: 1 Real-World Incidents
bySam Bowne
 
CNIT 152: 1 Real-World Incidents
bySam Bowne
 
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data Collection
bySam Bowne
 
CNIT 126: Ch 2 & 3
bySam Bowne
 
Ch 6: Attacking Authentication
bySam Bowne
 
Reverse_Engineering_Thick-clients
bySteve Markey
 
Internet Accessible ICS in Japan (English)
byDigital Bond
 
CNIT 123: Ch 7: Programming for Security Professionals
bySam Bowne
 
Securing the cloud and your assets
byMarcus Dempsey
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
bySam Bowne
 
Is Your Mobile App Secure?
bySam Bowne
 
3. Security Engineering
bySam Bowne
 
CNIT 50: 9. NSM Operations
bySam Bowne
 

Viewers also liked

PDF
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
byEC-Council
 
PDF
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
PDF
USB: Undermining Security Barriers
byNCC Group
 
PPTX
Cryptography - 101
byn|u - The Open Security Community
 
PDF
Cryptography101
byNCC Group
 
PDF
Current & Emerging Cyber Security Threats
byNCC Group
 
PDF
Pki 202 Architechture Models and CRLs
byNCC Group
 
PDF
Pragmatic Real-World Scala (short version)
byJonas Bonér
 
PPTX
Ncc group overview presentation august 2012 final
byTony_Clarke
 
PPTX
NCC Group Presentation
byNCC AB
 
PDF
How Spotify Helps Their Engineers Grow - Chris Angove
byHakka Labs
 
PDF
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
byNCC Group
 
PDF
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
byNCC Group
 
PDF
2012 12-04 --ncc_group_-_mobile_threat_war_room
byNCC Group
 
PPTX
Practical SME Security on a Shoestring
byNCC Group
 
PPTX
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
byPawel Krawczyk
 
PPTX
Mobile App Security: Enterprise Checklist
byJignesh Solanki
 
PDF
Ncc Group Escrow Overview 2010
byJonnyhyde
 
PPTX
The Mobile Internet of Things and Cyber Security
byNCC Group
 
PPTX
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
byNCC Group
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
byEC-Council
 
NCC Group 44Con Workshop: How to assess and secure ios apps
byNCC Group
 
USB: Undermining Security Barriers
byNCC Group
 
Cryptography - 101
byn|u - The Open Security Community
 
Cryptography101
byNCC Group
 
Current & Emerging Cyber Security Threats
byNCC Group
 
Pki 202 Architechture Models and CRLs
byNCC Group
 
Pragmatic Real-World Scala (short version)
byJonas Bonér
 
Ncc group overview presentation august 2012 final
byTony_Clarke
 
NCC Group Presentation
byNCC AB
 
How Spotify Helps Their Engineers Grow - Chris Angove
byHakka Labs
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
byNCC Group
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
byNCC Group
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
byNCC Group
 
Practical SME Security on a Shoestring
byNCC Group
 
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
byPawel Krawczyk
 
Mobile App Security: Enterprise Checklist
byJignesh Solanki
 
Ncc Group Escrow Overview 2010
byJonnyhyde
 
The Mobile Internet of Things and Cyber Security
byNCC Group
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
byNCC Group
 

Similar to Exploiting appliances presentation v1.1-vids-removed

PPTX
Secure Software: Action, Comedy or Drama? (2017 edition)
byPeter Sabev
 
PPT
The Top 10/20 Internet Security Vulnerabilities – A Primer
byamiable_indian
 
PPT
Threats, Vulnerabilities & Security measures in Linux
byAmitesh Bharti
 
PPTX
Enemy at the gates: vulnerability research in embedded appliances
byChris Hernandez
 
PDF
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
byfangjiafu
 
PPTX
Vulnerability Management
byjustinkallhoff
 
PDF
Отчет Audit report RAPID7
bySergey Yrievich
 
PDF
Report PAPID 7
bySergey Yrievich
 
PDF
Web hackingtools cf-summit2014
byColdFusionConference
 
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
PDF
1.3. (In)security Software
bydefconmoscow
 
PDF
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
bymichelemanzotti
 
PDF
I got 99 trends and a # is all of them
byRoberto Suggi Liverani
 
PDF
Is Troy Burning: an overview of targeted trojan attacks
byMaarten Van Horenbeeck
 
PDF
Developers Focus on Security-Minded Tooling - Quintis Venter
byThoughtworks
 
PPT
Firewalls (Distributed computing)
bySri Prasanna
 
PPTX
Alexander Antukh
byPositive Hack Days
 
PPTX
Alexander Antukh. (In)security of Appliances
byPositive Hack Days
 
PPTX
Kurt baumgartner lan_deskse2012
byKurt Baumgartner
 
PDF
business
byGajendra Saini
 
Secure Software: Action, Comedy or Drama? (2017 edition)
byPeter Sabev
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
byamiable_indian
 
Threats, Vulnerabilities & Security measures in Linux
byAmitesh Bharti
 
Enemy at the gates: vulnerability research in embedded appliances
byChris Hernandez
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
byfangjiafu
 
Vulnerability Management
byjustinkallhoff
 
Отчет Audit report RAPID7
bySergey Yrievich
 
Report PAPID 7
bySergey Yrievich
 
Web hackingtools cf-summit2014
byColdFusionConference
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
1.3. (In)security Software
bydefconmoscow
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
bymichelemanzotti
 
I got 99 trends and a # is all of them
byRoberto Suggi Liverani
 
Is Troy Burning: an overview of targeted trojan attacks
byMaarten Van Horenbeeck
 
Developers Focus on Security-Minded Tooling - Quintis Venter
byThoughtworks
 
Firewalls (Distributed computing)
bySri Prasanna
 
Alexander Antukh
byPositive Hack Days
 
Alexander Antukh. (In)security of Appliances
byPositive Hack Days
 
Kurt baumgartner lan_deskse2012
byKurt Baumgartner
 
business
byGajendra Saini
 

Recently uploaded

PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PDF
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
PDF
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
PDF
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
PDF
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
PDF
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
PDF
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
So You Want to Work at Google | DevFest Seattle 2025
byMargaret Maynard-Reid
 
Transcript: The partnership effect: Libraries and publishers on collaborating...
byBookNet Canada
 
Crane Accident Prevention Guide: Key OSHA Regulations for Safer Operations
bySharpEagle Technology
 
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 

Exploiting appliances presentation v1.1-vids-removed

  • 1.
    Hacking Appliances: Ironic exploitsin security products Ben Williams 9:10 AM
  • 2.
    Proposition • There isa temptation to think of Security Appliances as impregnable fortresses, this is definitely a mistake. • Security Appliance (noun) - Poorly configured and maintained Linux system with insecure web-app (and other applications) 9:10 AM 9:10 AM
  • 3.
    Which kind ofappliances exactly? • Email filtering • Proofpoint (F-secure among others), Baracuda, Symantec, Trend Micro, Sophos, McAfee • Firewall, Gateway, Remote Access • McAfee, Pfsense, Untangle, ClearOS, Citrix, Barracuda • Others • Single sign-on, communications, file-storage etc 9:10 AM 9:10 AM
  • 4.
    Are these productwell-used and trusted? 2013 SC Magazine US Awards Finalists - Reader Trust Awards - “Best Email Security Solution” • Barracuda Email Security • McAfee Email Protection • Proofpoint Enterprise Protection • Symantec Messaging Gateway • Websense Email Security Gateway Anywhere 9:10 AM 9:10 AM
  • 5.
    How are theydeployed? 9:10 AM 9:10 AM Firewall or Gateway or UTM Email Filter Web Filter Remote Access Security Management Other Appliances
  • 6.
    Sophos Email Appliance(v3.7.4.0) • Easy password attacks • Command-injection • Privilege escalation • Post exploitation http://designermandan.com/project/crisis-charity/ 9:10 AM 9:10 AM
  • 7.
    Interesting system ina Pentest PORT STATE SERVICE VERSION 24/tcp open ssh OpenSSH 5.1p1 (FreeBSD 20080901; protocol 2.0) |_ssh-hostkey: 1024 23:f4:c6:cf:0d:fe:3f:0b:22:ab:9f:7d:97:19:03:e2 (RSA) 25/tcp open smtp Postfix smtpd |_smtp-commands: sophos.insidetrust.com, PIPELINING, SIZE 10485760, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 80/tcp open http nginx | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:443/ |_http-methods: No Allow or Public header in OPTIONS response (status code 302) 443/tcp open ssl/http nginx | ssl-cert: Subject: commonName=sophos.insidetrust.com/organizationName=Sophos PLC/stateOrProvinceName=British Columbia/countryName=CA | Not valid before: 2012-09-20 20:06:32 |_Not valid after: 2022-09-18 20:06:32 |_http-title: Sophos Email Appliance |_http-methods: No Allow or Public header in OPTIONS response (status code 200) 5432/tcp open postgresql PostgreSQL DB 8.0.15 - 8.0.21 18080/tcp open http nginx |_http-methods: No Allow or Public header in OPTIONS response (status code 302) | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:18080:18080/ 9:10 AM 9:10 AM
  • 9.
    Easy targeted password-attacks…because • Known username (default, often fixed) • Linux platform with a scalable and responsive webserver • No account lockout, or brute-force protection • Minimal password complexity • Administrators choose passwords • Few had logging/alerting • Over an extended period, an attacker stands a very good chance of gaining administrative access 9:10 AM 9:10 AM
  • 10.
    Really obvious vulnerabilities •Loads of issues • XSS with session hijacking, CSRF, poor cookie and password security, OS command injection… • So… I got an evaluation… 9:10 AM 9:10 AM
  • 12.
    Command-injection (and rootshell) • Why do we want a root shell? • Reflective attacks (with reverse shells) • Admins can’t view all email, but an attacker can • Foothold on internal network 9:10 AM 9:10 AM
  • 13.
  • 15.
  • 17.
    What do youget on the OS? • Old kernel • Old packages • Unnecessary packages • Poor configurations • Insecure proprietary apps 9:10 AM 9:10 AM
  • 18.
    Appliances are not“Hardened Linux” • It’s common for useful tools to be already installed • Compilier/debugger (gcc,gdb), Scripting languages (Perl, Python, Ruby), Application managers (yum, apt-get), Network sniffers (tcpdump), Other tools (Nmap, Netcat) • File-system frequently not “hardened” either • No SELinux. AppArmour or integrity checking • Rare to see no-write/no-exec file systems 9:10 AM 9:10 AM
  • 19.
    Meanwhile… Post exploitation Thatlooks like a cosy shell… I think I’ll move in! 9:10 AM 9:10 AM
  • 21.
    Stealing passwords • Plain-textpasswords on box • Steal credentials from end-users • Just decrypt HTTPS traffic with Wireshark • Using the SSL private key for self-signed cert 9:10 AM 9:10 AM
  • 23.
    Sophos fix info:Leave auto-update enabled • Reported Oct 2012 • Vendor responsive and helpful (though limited info released) • Fix scheduled for Jan 14th 2013 9:10 AM 9:10 AM
  • 24.
    The ironic thingabout Security Appliances • Most Security Appliances suffer from similar security vulnerabilities • Some significantly worse 9:10 AM 9:10 AM
  • 25.
    Common exploit categories •Almost all Security Appliance products had • Easy password attacks • XSS with session-hijacking, or password theft • Non-hardened Linux OS – (though vendors claim otherwise) • Unauthenticated information disclosure (exact version) • The majority had • CSRF of admin functions • OS Command-injection • Privilege escalation (either UI and OS) 9:10 AM 9:10 AM
  • 26.
    Common exploit categories •Several had • Stored out-of-band XSS and OSRF (for example in email) • Direct authentication-bypass • A few had • Denial-of-Service • SSH misconfiguration • There were a wide variety of more obscure issues 9:10 AM 9:10 AM
  • 27.
    Citrix Access Gateway(5.0.4) • Multiple issues • Potential unrestricted access to the internal network 9:10 AM 9:10 AM
  • 28.
    Erm… That’s abit odd… ssh admin@192.168.233.55 9:10 AM 9:10 AM
  • 29.
    Where’s my hashesto crack? 9:10 AM 9:10 AM
  • 30.
    Port-forwarding (no password) WhenSSH is enabled on the CAG - port-forwarding is allowed ssh admin@192.168.1.55 ssh admin@192.168.1.55 -L xxxx:127.0.0.1:xxxx 9:10 AM 9:10 AM
  • 32.
    Potential access tointernal systems! Attacker 9:10 AM 9:10 AM
  • 34.
    Rather ironic: RemoteAccess Gateway • Unauthenticated access to the internal network? • Auth-bypass and root-shell 9:10 AM 9:10 AM
  • 35.
    Citrix fix info:Affects CAG 5.0.x • Reported Oct 2012 • Fixed released last week (6th March 2013) • CVE-2013-2263 Unauthorized Access to Network Resources • http://support.citrix.com/article/ctx136623 9:10 AM 9:10 AM
  • 36.
    Combination attacks • Combiningmultiple common issues 9:10 AM 9:10 AM
  • 37.
    Proofpoint: ownage byEmail (last year) 9:10 AM 9:10 AM
  • 38.
    Out-of-band XSS andOSRF • I found 4 products with this issue • Three of which were Anti-spam products where you could attack users/administrators via a specially-crafted spam email • Out-of-Band XSS and OSRF has a massive advantage over CSRF attacks • Easy to distribute attack payloads • XSS cannot be detected and blocked by the admins browser • Minimal social-engineering or reconnaissance 9:10 AM 9:10 AM
  • 39.
    Backup-restore flaws -revisited via CSRF • Vendors deciding not to fix the backup/restore tar.gz issue • But… common feature, and high-privilege • Use CSRF to restore the attacker’s backup! • Spoof a file-upload and “apply policy” • Which results in a reverse-shell as root 9:10 AM 9:10 AM
  • 41.
  • 42.
    Symantec Email Appliance(9.5.x) • Multiple issuesDescription NCC Rating Out-of-band stored-XSS - delivered by email Critical XSS (both reflective and stored) with session-hijacking High Easy CSRF to add a backdoor-administrator (for example) High SSH with backdoor user account + privilege escalation to root High Ability for an authenticated attacker to modify the Web-application High Arbitrary file download was possible with a crafted URL Medium Unauthenticated detailed version disclosure Low 9:10 AM 9:10 AM
  • 43.
    Out-of-band XSS andOSRF • Chain together issues in various ways • XSS in spam Email subject line, to attack the administrator • Use faulty “backup/restore” feature (with OSRF) to add arbitrary JSP to the admin UI, and a SUID binary • XSS - Executes new function to send a reverse-shell back to the attacker 9:10 AM 9:10 AM
  • 45.
    XSS Email toreverse-shell as root 9:10 AM 9:10 AM
  • 46.
    Rather ironic • Root-shellvia malicious email message • In an email filtering appliance? 9:10 AM 9:10 AM
  • 47.
    Symantec fix info:Upgrade to 10.x • Reported April 2012 – Fixed Aug 2012 • CVE-2012-0307 XSS issues • CVE-2012-0308 Cross-site Request Forgery CSRF • CVE-2012-3579 SSH account with fixed password • CVE-2012-3580 Web App modification as root • CVE-2012-4347 Directory traversal (file download) • CVE-2012-3581 Information disclosure http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se curity_advisory&pvid=security_advisory&year=2012&suid=20120827_00 9:10 AM 9:10 AM
  • 48.
  • 49.
    Trend Email Appliance(8.2.0.x) • Multiple issues Description NCC Rating Out-of-band stored-XSS in user-portal - delivered via email Critical XSS (both reflective and stored) with session-hijacking High Easy CSRF to add a backdoor-administrator (for example) High Root shell via patch-upload feature (authenticated) High Blind LDAP-injection in user-portal login-screen High Directory traversal (authenticated) Medium Unauthenticated access to AdminUI logs Low Unauthenticated version disclosure Low 9:10 AM 9:10 AM
  • 51.
  • 52.
    End-user Email XSSownage 9:10 AM 9:10 AM
  • 54.
    Admin Email XSSownage 9:10 AM 9:10 AM
  • 55.
    Trend Fix info:Use workarounds • Reported April 2012 • No fixes released or scheduled AFAIK 9:10 AM 9:10 AM
  • 56.
    Other Research • Pokingabout with binaries • Investigation of memory corruption issues • Processing of messages etc 9:10 AM 9:10 AM
  • 57.
  • 58.
  • 59.
    “Banned” (insecure) functionsin use 9:10 AM 9:10 AM
  • 60.
    Conclusions • The majorityof Security Appliances tested were insecure • Interesting state of play in 2012 - 2013 • Variable responses from vendors • Some fixed within 3 months, some not • Evolution • Software > Appliances > Virtual Appliances > Cloud Services • Huawei 9:10 AM 9:10 AM
  • 61.
    Solutions • Regular softwaremaintenance • Secure Development Lifecycle (SDL) • Product security testing • Penetration testing 9:10 AM 9:10 AM
  • 62.
    UK Offices Manchester -Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland Questions? 9:10 AM