I am looking forward to speaking at BlackHat EU again on Thursday of this week as I will be talking on the subject of "Hacking Appliances: Ironic exploits in security products" which is an area of research I have particularly enjoyed.
In short, I will be discussing some of the vulnerabilities I have escalated to various vendors of popular Security Appliances during 2012, and demonstrating how these vulnerabilities could be exploited in realistic scenarios.
There will be some root shell, for those of us who like that sort of thing, but I think the most interesting aspect is that most of the vulnerabilities were typical OWASP Top 10 type issues, or other fairly basic misconfigurations, which could be found and exploited in a few days using typical attack techniques.
People outside the Pentesting community find it surprising when I tell them that most popular Security Appliances I have looked at had fairly basic and rather easy to find vulnerabilities. Most of the products I looked at were popular and widely deployed, so the concerning thing is that companies using these products (and the vendors who produce them) were unaware that these products suffered from such issues.
In regard to the irony: I have certainly seen some ironic issues over the past 18 months, for example:
• A URL filter which could be fully compromised with a malicious URL
• Email filtering products which could be fully compromised with malicious emails
• A single-sign-on system where all the credentials could be extracted in an unauthenticated way
• A firewall that could be fully compromised from the outside due to authentication-bypass
• A secure remote access gateway which could give unauthenticated external attackers free and easy access to the internal network
I showed some of these issues last year; I will be showing a few more during my talk on Thursday.
(by "fully compromised" I generally mean a root shell on the underlying operating system)
Looks like Symantec have finally fixed some security issues I raised with them back in January 2012 for Symantec Message Filter 6.3.
It took them six months, so I am not impressed with their patching cycle, or their focus on IT security generally (this is supposed to be a security product, after all).
Basically, as I described at BlackHat EU back in May 2012, this product's installer shipped versions of Tomcat and MySQL which were 7 years old, with default content and no patches (so the product had well-known third-party exploits right out of the box).
Additionally (which I felt I couldn't describe at the time, because it was 0-day) there were session-management and information-disclosure issues in the administrative UI, plus Cross Site Request Forgery (CSRF) of administrative-functions and XSS.
Here is a quick update on some of my exploit-development research into finding exploits in Security Gateways.
This is the video from my presentation at BlackHat EU 2012 back in May, which shows some typical examples of exploits I had found in the period from October 2011 to March 2012 (all of the issues in the demo videos have now been addressed).
(this video is around 40 minutes, and may take a minute or so to start depending on your connection)
Since then I have continued my research project, and to-date have found around 80 exploits (most of which are in Security Gateways, though I have also started to look at some other types of appliances as well). Fixes and updates have been released for at least 25 of these exploits so far, though the majority are still in the respective vendor's patch-cycle (this means that these products are improving, which is a positive outcome).
Some vendors are very reactive; a few vendors (especially Symantec and Barracuda) don't seem to be able to turn around fixes within a reasonable timeframe (Symantec still have not addressed serious issues I raised with them back in January 2012, despite me chasing them). The good news is that many vendors address issues within a couple of months or so, and some within a few days - which is excellent!
As for the briefest of summaries: this research is continuing to uncover more and more similar issues, showing alarming trends in the insecurity of security-product Web UIs. For example:
Almost all Security Gateway products had:
• Unauthenticated information disclosure
• XSS with session-hijacking
The majority had:
• CSRF of admin functions
• Command-injection
• Privilege escalation
Several had:
• Direct authentication-bypass
• Stored out-of-band XSS and OSRF
A few had:
• Gateway Denial-of-Service
There were also a wide variety of more obscure issues.
Also, the majority had brute-force password guessing issues (and though I considered this too basic for my research, this is also a big failure on the part of these software vendors).
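Password guessing against an admin UI is noisy, so even where a vendor has not shipped lockout or rate limiting, the failed-login log is enough to spot it. The following sliding-window detector is an added example for this post (not the author's code, nor any vendor's): it parses constructed syslog-style login lines in an assumed `key=value` format, raises an alert when one source IP reaches a threshold of failures inside a window, and raises a second, more urgent alert if a login from that source then succeeds while the burst is still in the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from any real appliance) in an assumed
# syslog-like key=value format that an admin UI might emit for its login endpoint.
SAMPLE_LOG = """\
2012-07-10T09:00:01 admin-ui login result=fail user=admin src=203.0.113.7
2012-07-10T09:00:02 admin-ui login result=fail user=admin src=203.0.113.7
2012-07-10T09:00:02 admin-ui login result=fail user=root src=203.0.113.7
2012-07-10T09:00:03 admin-ui login result=fail user=admin src=203.0.113.7
2012-07-10T09:00:04 admin-ui login result=fail user=admin src=203.0.113.7
2012-07-10T09:00:05 admin-ui login result=fail user=admin src=203.0.113.7
2012-07-10T09:00:09 admin-ui login result=ok user=admin src=203.0.113.7
2012-07-10T09:05:00 admin-ui login result=fail user=admin src=198.51.100.9
2012-07-10T09:30:00 admin-ui login result=ok user=admin src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin-ui login result=(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detector over the log text.

    Emits ("burst", src, count) the first time a source reaches `threshold`
    failed logins inside `window`, and ("success_after_burst", src, user) when
    a login from that source succeeds while the window still holds a burst;
    the latter is the event worth paging on, since guessing appears to have worked.
    """
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    burst_alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in burst_alerted:
                burst_alerted.add(ev["src"])
                alerts.append(("burst", ev["src"], len(q)))
        elif len(q) >= threshold:
            alerts.append(("success_after_burst", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Counting per source IP is the simplest rule and is defeated by guessing spread across many sources, so in practice you would keep a second window keyed on the target username as well; the appliance-side fix remains lockout, rate limiting and a second factor on the admin login, with the detector as the safety net.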
Basically speaking, almost all of the Security Gateways I looked at could be compromised by an attacker, and used as an entry point to break into corporate networks.
More recently, and of particular interest, I have been looking at ways of exploiting these systems via insecure backup/restore functions, using request forgery to perform arbitrary file-upload. I feel this is an interesting attack-vector because it usually results in a "root shell" - maybe I will do a post on that at some point to explain how the attack works.
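The backup/restore vector combines two items from the list above: CSRF of an admin function, and an upload whose archive contents the appliance trusts. As an added example for this post (not the author's code, nor any vendor's), here is how a restore handler for a hypothetical appliance UI would close both gaps in Python: a per-session synchronizer token plus an Origin check stop the forged request, and the uploaded tar is refused unless every member is a regular file or directory under an allowlisted `config/` prefix with no traversal, links or device nodes. The origin, secret, prefix, size limits and the dict shape of the request are assumptions made for the demo.

```python
import hashlib
import hmac
import io
import tarfile

# Assumed settings for a hypothetical appliance admin UI (not any real product's).
ALLOWED_ORIGINS = {"https://appliance.example.internal"}
CSRF_SECRET = b"constructed-demo-secret-rotate-in-production"
ALLOWED_PREFIX = "config/"        # the only tree a restore may write into
MAX_MEMBERS = 200
MAX_MEMBER_BYTES = 1024 * 1024


def make_csrf_token(session_id):
    """Synchronizer token: an HMAC over the session id, so another origin
    cannot guess it and a token from one session is useless in another."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(request, session_id):
    """Two independent checks: the request must come from our own origin
    (Origin header, falling back to Referer) AND carry this session's token."""
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if not any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS):
        return False, "bad origin"
    token = request["form"].get("csrf_token", "")
    expected = make_csrf_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "bad csrf token"
    return True, "ok"


def validate_backup_archive(data):
    """Return sorted file names if every member is a plain file or directory
    under ALLOWED_PREFIX; raise ValueError naming the first bad member."""
    try:
        tar = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        raise ValueError(f"not a tar archive: {exc}")
    names = []
    with tar:
        members = tar.getmembers()
        if len(members) > MAX_MEMBERS:
            raise ValueError("too many members")
        for m in members:
            name = m.name
            if name.startswith("/") or "\\" in name or ".." in name.split("/"):
                raise ValueError(f"path traversal: {name}")
            if not name.startswith(ALLOWED_PREFIX):
                raise ValueError(f"outside {ALLOWED_PREFIX}: {name}")
            if not (m.isfile() or m.isdir()):
                # symlinks, hard links and device nodes could escape the prefix
                raise ValueError(f"not a regular file: {name}")
            if m.size > MAX_MEMBER_BYTES:
                raise ValueError(f"member too large: {name}")
            if m.isfile():
                names.append(name)
    return sorted(names)


def handle_restore(request, session_id):
    """Restore endpoint: CSRF check first, then archive validation. Returns
    (status, message); extraction into a staging directory is deliberately omitted."""
    ok, why = check_csrf(request, session_id)
    if not ok:
        return 403, why
    try:
        names = validate_backup_archive(request["files"].get("backup", b""))
    except ValueError as exc:
        return 400, str(exc)
    return 200, "would restore: " + ", ".join(names)


def build_tar(entries):
    """Constructed fixture: an in-memory tar built from {name: content bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo():
    """Run the handler against a legitimate upload and three constructed bad ones."""
    session = "session-123"
    good = {"headers": {"Origin": "https://appliance.example.internal"},
            "form": {"csrf_token": make_csrf_token(session)},
            "files": {"backup": build_tar({"config/settings.xml": b"<cfg/>"})}}
    forged = dict(good, headers={"Origin": "https://attacker.example"})
    no_token = dict(good, form={})
    traversal = dict(good, files={"backup": build_tar({"config/../../outside.txt": b"x"})})
    return {"good": handle_restore(good, session),
            "forged": handle_restore(forged, session),
            "no_token": handle_restore(no_token, session),
            "traversal": handle_restore(traversal, session)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The order matters: the CSRF check runs before the upload is even parsed, so a forged request never reaches the archive code, and the archive check is a strict allowlist (prefix, entry type, size) rather than a denylist of known-bad names. Extracting with `tarfile`'s `filter="data"` (Python 3.12 and later) would add a further layer, but it does not replace the prefix check.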
Anyway, there are plenty more similar products out there, so I will continue looking. If you have any suggestions of products you think I should look at (especially security appliances) let me know.
I have been enjoying myself at BlackHat Europe 2012, soaking up some of the leetness, absorbing some of the technologies I am less familiar with, meeting great people, and talking with them about things which really interest me - which is all good.
BlackHat EU 2012 - Day two
My presentation seemed to go well, with several interested people coming up to ask various questions afterwards, maybe due to the fact that I described and showed around 10 exploits I recently discovered in common security products (all patched now BTW - but some very interesting, some creative, and several rather ironic - for example: "a spam that reconfigures the spam-filter", "a URL that owns the URL-filter").
My favourite presentation of Day two was "Data mining a mountain of Vulnerabilities" with Chris Wysopal.
This was quite a dry subject, but very well presented. Lots of data on vulnerabilities, with statistics on vulnerabilities sorted by application language, platform, horizontal and vertical markets (among many other things).
Really interesting data, and something I feel that I might consult when doing application testing.
Chris had some really interesting graphs, the one above showing clearly that most web-apps contain at least one of the most serious flaws.
Day three
Some really interesting presentations today on mobile/smartphone security. It's hard to choose the best one really, as the following three were very good, and looked like the conclusions were based on very solid research (and many hours of work).
"Secure Password Managers" and "Military-Grade Encryption" on Smartphones: Oh Really? by Andrey Belenko + Dmitry Sklyarov
Hmm... so password managers on smartphones are not very well coded - not a surprise really, but a lot of work has been done by these guys to review some of the most popular ones and find some bugs.
Apple vs. Google Client Platforms by Felix 'FX' Lindner
A great talk this, delivered in FX's highly amusing style.
The Mobile Exploit Intelligence Project by Dan Guido + Mike Arpaia
Interesting perspective from academia on the stats behind mobile exploits; it seems that the hype might be just hype (at least on the iOS platform; more potential on Android, though, but still not a great deal of real platform-pwnage happening).
Anyway, I am in the airport on the way home, and it has been a very good week...