Tuesday, 12 March 2013

BlackHat EU this week

I am looking forward to speaking at BlackHat EU again on Thursday of this week. I will be talking on the subject of "Hacking Appliances: Ironic exploits in security products", an area of research I have particularly enjoyed.


In short, I will be discussing some of the vulnerabilities I have escalated to various vendors of popular Security Appliances during 2012, and demonstrating how these vulnerabilities could be exploited in realistic scenarios.

There will be some root shell, for those of us who like that sort of thing, but I think the most interesting aspect is that most of the vulnerabilities were typical OWASP Top 10 type issues, or other fairly basic misconfigurations, which could be found and exploited in a few days using typical attack techniques.

People outside the pentesting community find it surprising when I tell them that most popular security appliances I have looked at had fairly basic and rather easy-to-find vulnerabilities. Most of the products I looked at were popular and widely deployed, so the concerning thing is that the companies using these products (and the vendors who produce them) were unaware that they suffered from such issues.

As for the irony: I have certainly seen some ironic issues over the past 18 months, for example:
• A URL filter which could be fully compromised with a malicious URL
• Email filtering products which could be fully compromised with malicious emails
• A single-sign-on system where all the credentials could be extracted in an unauthenticated way
• A firewall that could be fully compromised from the outside due to authentication-bypass
• A secure remote access gateway which could give unauthenticated external attackers free and easy access to the internal network

I showed some of these issues last year, and I will be showing a few more during my talk on Thursday.
(By "fully compromised" I generally mean a root shell on the underlying operating system.)

