Thursday 21 June 2012

More on Exploiting Security Gateways

Here is a quick update on some of my exploit-development research into finding exploits in Security Gateways.

This is the video from my presentation at BlackHatEU 2012 back in May, which shows some typical examples of exploits I had found in the period from October 2011 to March 2012 (all of the issues in the demo videos have now been addressed).

(this video is around 40 minutes, and may take a minute or so to start depending on your connection)

If you are interested in the technical side, the white-paper that went with this presentation can be found here:
http://www.nccgroup.com/en/learning-research-centre/security-testing-audit-compliance-resources/white-papers/

Since then I have continued my research project, and to date have found around 80 exploits (most of which are in Security Gateways, though I have also started to look at some other types of appliances as well). Fixes and updates have been released for at least 25 of these exploits so far, though the majority are still in the respective vendor's patch cycle (this means that these products are improving, which is a positive outcome).

Some vendors are very reactive, but a few vendors (especially Symantec and Barracuda) don't seem to be able to turn around fixes within a reasonable timeframe (Symantec still have not addressed serious issues I raised with them back in January 2012, despite me chasing them). The good news is that many vendors address issues within a couple of months or so, and some within a few days, which is excellent!

As the briefest of summaries: this research is continuing to uncover more and more similar issues, showing alarming trends in the insecurity of security-product Web UIs. For example:

Almost all Security Gateway products had
  • Unauthenticated information disclosure
  • XSS with session-hijacking
The majority had
  • CSRF of admin functions
  • Command-injection
  • Privilege escalation
Several had
  • Direct authentication-bypass
  • Stored out-of-band XSS and OSRF
A few had
  • Gateway Denial-of-Service
There was also a wide variety of more obscure issues.
Also, the majority had brute-force password-guessing issues (and though I considered this too basic for my research, it is also a big failure on the part of these software vendors).

Basically speaking, almost all of the Security Gateways I looked at could be compromised by an attacker and used as an entry point to break into corporate networks.

More recently, and of particular interest, I have been looking at ways of exploiting these systems via insecure backup/restore functions, using request forgery to perform arbitrary file upload. I feel this is an interesting attack vector because it usually results in a "root shell". Maybe I will do a post on that at some point to explain how the attack works.
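To show what a backup/restore handler needs to check before it unpacks anything, here is an added illustration (my own example code, not from the original post or from any of the products mentioned): a forged cross-site request must be rejected by an anti-CSRF token bound to the admin session, and every archive member must be confined to the restore directory so a crafted backup cannot write files at arbitrary paths. The tar layout, token names and sample archives are constructed for the example.

```python
import io
import posixpath
import secrets
import tarfile


def csrf_token_valid(session_token, request_token):
    """Constant-time comparison of the session's anti-CSRF token with the one sent in the request."""
    if not session_token or not request_token:
        return False
    return secrets.compare_digest(session_token, request_token)


def member_is_safe(name):
    """Reject absolute paths, drive prefixes and '..' segments in an archive member name."""
    if not name or name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        return False
    norm = posixpath.normpath(name.replace("\\", "/"))
    return not (norm == ".." or norm.startswith("../"))


def validate_restore(session_token, request_token, archive_bytes):
    """Return (ok, reason); the caller extracts the archive only when ok is True."""
    if not csrf_token_valid(session_token, request_token):
        return False, "missing or invalid anti-CSRF token"
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
            for m in tar.getmembers():
                if not member_is_safe(m.name):
                    return False, "unsafe path in archive: " + m.name
                if m.issym() or m.islnk():
                    return False, "link entry not allowed: " + m.name
                if not (m.isfile() or m.isdir()):
                    return False, "unsupported entry type: " + m.name
    except tarfile.TarError as exc:
        return False, "not a valid backup archive: " + str(exc)
    return True, "ok"


def make_tar(entries):
    """Build an in-memory tar from (name, bytes) pairs; used only to construct sample backups."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A real handler would additionally require an authenticated admin session and re-check the resolved path at extraction time; the token and path checks above are the two that a forged restore request defeats when they are absent.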

Anyway, there are plenty more similar products out there, so I will continue looking. If you have any suggestions of products you think I should look at (especially security appliances) let me know.
