Friday, 20 January 2012

An update on my research into attacking Security Gateways via the Web UI – and Blackhat Europe

I haven't written much on my blog for the past few months. This is because I have been very busy with my exploit-development research.

A while back I had the idea to combine web-attacks with Security Gateways, mix things up, and see what happens. This has been very productive, and a lot of fun.

In short, over the past 4 months, I have raised 30+ PoC exploits with vendors of Security Gateways. I have looked at quite a few Gateway products, and discovered serious vulnerabilities in almost all of the ones I have investigated.

Whilst Security Gateway products provide good security features for the protocols and services they protect, if a gateway product is not secure in itself, it can be attacked directly and compromised.

If an attacker can gain control of the gateway of an organization, this is a very powerful position for further attacks; such as traffic-sniffing and powerful man-in-the-middle attacks, disabling network protections, and pivoting the attack to target other systems and users on the internal network.

We often take the security of security-software for granted, assuming that – because the software has come from a company that understands security, then the product is very likely to be secure.

This is frequently an incorrect assumption in regard to Security Gateway UIs, as usually the developers that design, code and test the UI are not “security” people, and are more focused on UI design, functionality, usability, supportability and branding, than on security.

There are a huge variety of web application attacks that have been historically used against public-facing websites and their users. Many of these attacks are transferable to web-based product UIs, and this can have a very interesting impact when applied to Security Gateway UIs.

Most of the serious issues I have found in Security Gateway products have been caused by one or more of the following:
  • Lack of input-validation (leading to attacks such as XSS and Command-injection)
  • Predictable URLs and parameters (and therefore CSRF)
  • Excessive privileges of running services
  • Direct file browsing
  • Session-management issues
  • Weak session-tokens
  • Password Guessing
  • Authentication bypass
  • Verbose information disclosure
  • Out-of-date 3rd party software
  • Arbitrary file upload
  • Standard installs with poor configurations
  • Trivial Denial of Service vulnerabilities

I am currently working to complete a white-paper detailing some of the common findings, and I have recently been informed that I have been accepted to speak at Blackhat Europe on this subject. I will release the white-paper at Blackhat, so more information to come...

... and if you are going to Blackhat Europe, I might see you there!