Wednesday, 27 June 2012

Symantec have fixed some exploits in Symantec Message Filter

Looks like Symantec have finally fixed some security issues I raised with them back in January 2012 for Symantec Message Filter 6.3.

It took them 6 months - so I am not impressed with their patching cycle, or their focus on IT security generally (this is supposed to be a security product, after all).

Basically, as I described at BlackHat EU back in May 2012, this product's installer shipped versions of Tomcat and MySQL that were 7 years old, with default content and no patches (so the product had well-known third-party exploits right out of the box).

Additionally (which I felt I couldn't describe at the time, because it was 0-day) there were session-management and information-disclosure issues in the administrative UI, plus Cross Site Request Forgery (CSRF) of administrative functions and XSS.

More detail is here:

The CVEs are:
Thursday, 21 June 2012

More on Exploiting Security Gateways

Here is a quick update on my research into finding exploits in Security Gateways.

This is the video from my presentation at BlackHatEU 2012 back in May, which shows some typical examples of exploits I had found in the period from October 2011 to March 2012 (all of the issues in the demo videos have now been addressed).

(this video is around 40 minutes, and may take a minute or so to start depending on your connection)

If you are interested in the technical side, the white-paper that went with this presentation can be found here:

Since then I have continued my research project, and to date have found around 80 exploits (most of which are in Security Gateways, though I have also started to look at some other types of appliances as well). Fixes and updates have been released for at least 25 of these exploits so far, though the majority are still in the respective vendors' patch cycles (this means that these products are improving, which is a positive outcome).

Some vendors are very reactive, a few vendors (especially Symantec and Barracuda) don't seem to be able to turn around fixes within a reasonable timeframe (Symantec still have not addressed serious issues I raised with them back in January 2012 - despite me chasing them). The good news is that many vendors address issues within a couple of months or so, and some within a few days - which is excellent!

As the briefest of summaries: this research is continuing to uncover more and more similar issues, showing alarming trends in the insecurity of security-product Web UIs. For example:

Almost all Security Gateway products had:
  • Unauthenticated information disclosure
  • XSS with session hijacking
The majority had:
  • CSRF of admin functions
  • Command injection
  • Privilege escalation
Several had:
  • Direct authentication bypass
  • Stored out-of-band XSS and OSRF
A few had:
  • Gateway Denial-of-Service
There were also a wide variety of more obscure issues.
Also, the majority had brute-force password-guessing issues (though I considered this too basic for my research, it is also a big failure on the part of these software vendors).

Basically speaking, almost all of the Security Gateways I looked at could be compromised by an attacker, and used as an entry point to break into corporate networks.

More recently, and of particular interest, I have been looking at ways of exploiting these systems via insecure backup/restore functions, using request forgery to perform arbitrary file upload. I feel this is an interesting attack vector because it usually results in a "root shell" - maybe I will do a post on that at some point to explain how the attack works.
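The two recurring weaknesses above - CSRF of admin functions, and restore functions that accept forged requests and write uploaded files wherever the archive says - come down to two missing checks in the admin handler. The following is an added example of what those checks look like on the defending side; it is not code from the original post or from any of the vendors' products, and the session store, the `ALLOWED_ORIGIN` value, the `handle_restore` request shape and the sample archives are all constructed for illustration. Nothing is written to disk: the handler only decides whether the request would be safe to act on.

```python
import hmac
import io
import posixpath
import secrets
import tarfile

# Constructed, in-memory session store: session id -> anti-CSRF token.
# Hypothetical; a real gateway would bind this to its own session layer.
_CSRF_TOKENS = {}
# Constructed origin of the admin UI; only requests claiming this origin are honoured.
ALLOWED_ORIGIN = "https://gateway.example"


def issue_csrf_token(session_id):
    """Mint an unguessable per-session token to embed in every admin form."""
    token = secrets.token_urlsafe(32)
    _CSRF_TOKENS[session_id] = token
    return token


def csrf_ok(session_id, submitted_token, origin):
    """Accept only if the token matches the one issued to this session (compared in
    constant time) and the browser-supplied Origin is the admin UI's own origin."""
    expected = _CSRF_TOKENS.get(session_id)
    if not expected or not submitted_token or origin != ALLOWED_ORIGIN:
        return False
    return hmac.compare_digest(expected, submitted_token)


def archive_problems(data):
    """List every entry in an uploaded tar archive that must not be restored.
    Only regular files and directories with relative, traversal-free names pass;
    absolute paths, '..' components and links would let a restore write outside
    the restore directory."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            parts = posixpath.normpath(m.name).split("/")
            if posixpath.isabs(m.name) or ".." in parts:
                problems.append(f"{m.name}: path escapes the restore directory")
            elif m.issym() or m.islnk():
                problems.append(f"{m.name}: links are not allowed")
            elif not (m.isfile() or m.isdir()):
                problems.append(f"{m.name}: special file type {m.type!r}")
    return problems


def handle_restore(request):
    """Hypothetical admin 'restore backup' handler. `request` is a dict carrying the
    session id, the submitted csrf_token, the Origin header and the raw upload body.
    Returns (HTTP status, message); nothing is written to disk in this example."""
    if not csrf_ok(request.get("session"), request.get("csrf_token"), request.get("origin")):
        return 403, "request forgery check failed"
    problems = archive_problems(request["body"])
    if problems:
        return 400, "; ".join(problems)
    with tarfile.open(fileobj=io.BytesIO(request["body"]), mode="r:*") as tar:
        count = len(tar.getmembers())
    return 200, f"restore accepted: {count} entries"


def build_archive(files, symlink=None):
    """Construct a tar archive in memory (test fixture, not real backup data).
    `files` maps entry name -> bytes; `symlink` is an optional (name, target) pair."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        if symlink:
            info = tarfile.TarInfo(symlink[0])
            info.type = tarfile.SYMTYPE
            info.linkname = symlink[1]
            tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    token = issue_csrf_token("admin-session")
    good = build_archive({"config/filter.conf": b"threshold=5\n"})
    bad = build_archive({"../../outside/file": b"x\n"})
    print(handle_restore({"session": "admin-session", "csrf_token": token,
                          "origin": ALLOWED_ORIGIN, "body": good}))
    print(handle_restore({"session": "admin-session", "csrf_token": "",
                          "origin": ALLOWED_ORIGIN, "body": good}))
    print(handle_restore({"session": "admin-session", "csrf_token": token,
                          "origin": ALLOWED_ORIGIN, "body": bad}))
```

The order of the checks matters: the forgery check runs before the upload is even parsed, so a cross-site request from an admin's browser never reaches the restore logic, and the archive is inspected entry by entry before anything is extracted rather than relying on the extraction routine to refuse bad paths afterwards.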

Anyway, there are plenty more similar products out there, so I will continue looking. If you have any suggestions of products you think I should look at (especially security appliances) let me know.