Hacking Appliances: Ironic exploits in security products Ben Williams - PowerPoint PPT Presentation



  1. 9:22 AM Hacking Appliances: Ironic exploits in security products Ben Williams

  2. Proposition
     • There is a temptation to think of Security Appliances as impregnable fortresses, this is definitely a mistake.
     • Security Appliance (noun) - Poorly configured and maintained Linux system with insecure web-app (and other applications)

  3. Which kind of appliances exactly?
     • Email filtering
       • Proofpoint (F-Secure among others), Barracuda, Symantec, Trend Micro, Sophos, McAfee
     • Firewall, Gateway, Remote Access
       • McAfee, pfSense, Untangle, ClearOS, Citrix, Barracuda
     • Others
       • Single sign-on, communications, file-storage etc.

  4. Are these products well-used and trusted?
     2013 SC Magazine US Awards Finalists - Reader Trust Awards - “Best Email Security Solution”
     • Barracuda Email Security
     • McAfee Email Protection
     • Proofpoint Enterprise Protection
     • Symantec Messaging Gateway
     • Websense Email Security Gateway Anywhere

  5. How are they deployed?
     (diagram: Web Filter, Email Filter, Remote Access or Gateway, Firewall or UTM, Security Management, Other Appliances)

  6. Sophos Email Appliance (v3.7.4.0)
     • Easy password attacks
     • Command-injection
     • Privilege escalation
     • Post exploitation
     (image credit: http://designermandan.com/project/crisis-charity/)

  7. Interesting system in a Pentest
     PORT      STATE SERVICE    VERSION
     24/tcp    open  ssh        OpenSSH 5.1p1 (FreeBSD 20080901; protocol 2.0)
     |_ssh-hostkey: 1024 23:f4:c6:cf:0d:fe:3f:0b:22:ab:9f:7d:97:19:03:e2 (RSA)
     25/tcp    open  smtp       Postfix smtpd
     |_smtp-commands: sophos.insidetrust.com, PIPELINING, SIZE 10485760, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
     80/tcp    open  http       nginx
     | http-title: 302 Found
     |_Did not follow redirect to https://sophos.insidetrust.com:443/
     |_http-methods: No Allow or Public header in OPTIONS response (status code 302)
     443/tcp   open  ssl/http   nginx
     | ssl-cert: Subject: commonName=sophos.insidetrust.com/organizationName=Sophos PLC/stateOrProvinceName=British Columbia/countryName=CA
     | Not valid before: 2012-09-20 20:06:32
     |_Not valid after:  2022-09-18 20:06:32
     |_http-title: Sophos Email Appliance
     |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
     5432/tcp  open  postgresql PostgreSQL DB 8.0.15 - 8.0.21
     18080/tcp open  http       nginx
     |_http-methods: No Allow or Public header in OPTIONS response (status code 302)
     | http-title: 302 Found
     |_Did not follow redirect to https://sophos.insidetrust.com:18080:18080/

  8. Easy targeted password-attacks… because
     • Known username (default, often fixed)
     • Linux platform with a scalable and responsive webserver
     • No account lockout, or brute-force protection
     • Minimal password complexity
     • Administrators choose passwords
     • Few had logging/alerting
     • Over an extended period, an attacker stands a very good chance of gaining administrative access
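
The slide's last two points (few appliances log or alert, and a patient guesser eventually wins) are exactly where a defender can act even when the product itself has no lockout: watch the web server's access log for bursts of failed admin logins from one source, and treat a success that follows such a burst as the highest-priority signal. The following is an added example, not code from the talk or from any vendor; the log lines are constructed, and it assumes the admin UI answers a failed login with 401/403 and a successful one with a 302 redirect (the login path `/login` is hypothetical).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed nginx-style access log excerpt for an appliance admin UI (hypothetical hosts/paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:09:20:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2013:09:20:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2013:09:20:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2013:09:20:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2013:09:20:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2013:09:20:06 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2013:09:21:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Mar/2013:09:40:00 +0000] "POST /login HTTP/1.1" 302 0
"""

# Combined-log-format fields we need: client IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_password_attacks(log_text, login_path="/login", threshold=5,
                            window=timedelta(minutes=10)):
    """Sliding-window count of failed logins per source IP.

    Returns {ip: {"failures", "first", "last", "success_after"}} for every source
    that reached `threshold` failures inside `window`. `success_after` is set when
    the same source later logs in successfully, i.e. the guess probably worked.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        q = failures[ev["ip"]]
        if ev["status"] in (401, 403):          # assumed failure codes
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ev["ip"], {"failures": 0, "first": q[0],
                                                 "last": ev["ts"], "success_after": False})
                a["failures"] = max(a["failures"], len(q))
                a["last"] = ev["ts"]
        elif ev["status"] == 302 and ev["ip"] in alerts:   # assumed success code
            alerts[ev["ip"]]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, a in detect_password_attacks(SAMPLE_LOG).items():
        print(ip, a["failures"], "failures;", "login succeeded afterwards" if a["success_after"] else "no success seen")
```

Because a slow attacker can stay under any fixed threshold, the window and threshold are parameters; in practice the counter should also be keyed on the target username (the talk notes it is usually a fixed default), so that a distributed, low-and-slow campaign against one account is still visible.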

  9. Really obvious vulnerabilities
     • Loads of issues
     • XSS with session hijacking, CSRF, poor cookie and password security, OS command injection…
     • So… I got an evaluation…

  10. Command-injection (and root shell)
     • Why do we want a root shell?
     • Reflective attacks (with reverse shells)
     • Admins can’t view all email, but an attacker can
     • Foothold on internal network

  11. Direct attack (diagram)

  12. Reflective attack (diagram)

  13. What do you get on the OS?
     • Old kernel
     • Old packages
     • Unnecessary packages
     • Poor configurations
     • Insecure proprietary apps

  14. Appliances are not “Hardened Linux”
     • It’s common for useful tools to be already installed
       • Compiler/debugger (gcc, gdb), Scripting languages (Perl, Python, Ruby), Application managers (yum, apt-get), Network sniffers (tcpdump), Other tools (Nmap, Netcat)
     • File-system frequently not “hardened” either
       • No SELinux, AppArmor or integrity checking
       • Rare to see no-write/no-exec file systems
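
The three hardening gaps on this slide (a toolchain left on the box, no mandatory access control, writable and executable file systems) can each be checked from inside the appliance with a few lines. The following audit is an added example, not the talk's or any vendor's code; the `/proc/mounts` excerpt is constructed, and the `which` and `read_file` parameters exist only so the checks can be exercised offline without touching the host.

```python
import shutil

# Constructed /proc/mounts excerpt for a hypothetical appliance (not from the talk).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=continue,data=ordered 0 0
/dev/sda2 /tmp ext3 rw,relatime 0 0
/dev/sda3 /var ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

# Mount points on which nothing should ever need to execute or be setuid.
NOEXEC_EXPECTED = {"/tmp", "/var", "/var/tmp", "/dev/shm"}

# The tools the slide lists as commonly present; useful to an intruder, rarely needed in production.
DEV_TOOLS = ["gcc", "gdb", "perl", "python", "ruby", "yum", "apt-get",
             "tcpdump", "nmap", "nc", "netcat"]


def audit_mounts(mounts_text):
    """Report scratch/data file systems mounted without noexec, nosuid or nodev."""
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint, opts = parts[1], set(parts[3].split(","))
        if mountpoint in NOEXEC_EXPECTED:
            findings.extend(f"{mountpoint} mounted without {opt}"
                            for opt in ("noexec", "nosuid", "nodev") if opt not in opts)
    return findings


def audit_tools(which=shutil.which):
    """Return the build/network tools found on PATH (`which` is injectable for tests)."""
    return [tool for tool in DEV_TOOLS if which(tool)]


def audit_mac(read_file):
    """read_file(path) -> file text or None. Checks for enforcing SELinux or enabled AppArmor."""
    se = read_file("/sys/fs/selinux/enforce")
    if se is not None and se.strip() == "1":
        return []
    aa = read_file("/sys/module/apparmor/parameters/enabled")
    if aa is not None and aa.strip().upper().startswith("Y"):
        return []
    return ["no enforcing SELinux or enabled AppArmor detected"]


def _read_or_none(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    # Run against the live host: real mounts, real PATH, real MAC status.
    for f in audit_mounts(_read_or_none("/proc/mounts") or SAMPLE_MOUNTS):
        print("mount:", f)
    print("tools on PATH:", audit_tools())
    for f in audit_mac(_read_or_none):
        print("mac:", f)
```

Removing the compiler is only a speed bump (an attacker can bring static binaries), so the mount options and a MAC policy matter more: a root shell on a box whose `/tmp` and `/var` are `noexec,nosuid` and whose web daemon is confined still has far less room to move than the "cosy shell" the talk describes.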

  15. Meanwhile… Post exploitation
     That looks like a cosy shell… I think I’ll move in!

  16. Stealing passwords
     • Plain-text passwords on box
     • Steal credentials from end-users
       • Just decrypt HTTPS traffic with Wireshark
       • Using the SSL private key for self-signed cert

  17. Sophos fix info: Leave auto-update enabled
     • Reported Oct 2012
     • Vendor responsive and helpful (though limited info released)
     • Fix scheduled for Jan 14th 2013

  18. The ironic thing about Security Appliances
     • Most Security Appliances suffer from similar security vulnerabilities
     • Some significantly worse

  19. Common exploit categories
     • Almost all Security Appliance products had
       • Easy password attacks
       • XSS with session-hijacking, or password theft
       • Non-hardened Linux OS (though vendors claim otherwise)
       • Unauthenticated information disclosure (exact version)
     • The majority had
       • CSRF of admin functions
       • OS Command-injection
       • Privilege escalation (either UI or OS)

  20. Common exploit categories
     • Several had
       • Stored out-of-band XSS and OSRF (for example in email)
       • Direct authentication-bypass
     • A few had
       • Denial-of-Service
       • SSH misconfiguration
     • There were a wide variety of more obscure issues

  21. Citrix Access Gateway (5.0.4)
     • Multiple issues
     • Potential unrestricted access to the internal network

  22. Erm… That’s a bit odd…
     ssh admin@192.168.233.55

  23. Where are my hashes to crack?

  24. Port-forwarding (no password)
     When SSH is enabled on the CAG - port-forwarding is allowed
     ssh admin@192.168.1.55
     ssh admin@192.168.1.55 -L xxxx:127.0.0.1:xxxx
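
The CAG issue on this slide and the "SSH misconfiguration" category on slide 20 share one root cause: `sshd` defaults are generous, so an account whose only intended purpose is a restricted admin menu still gets `AllowTcpForwarding yes` and `PermitOpen any`, which turns any SSH login into a tunnel into the internal network. The checker below is an added example, not from the talk or from Citrix; the `sshd_config` fragment is constructed, the built-in defaults are taken from `sshd_config(5)` (the `PermitRootLogin` default was `yes` on releases of that era and is assumed here), and `Match` blocks are deliberately out of scope.

```python
import re

# Constructed sshd_config fragment resembling a permissive appliance default (hypothetical).
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# forwarding left at its built-in default, i.e. allowed
#AllowTcpForwarding yes
GatewayPorts no
"""

# Built-in defaults for the directives audited here (assumed from sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "yes",        # older releases; newer ones default to prohibit-password
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "allowtcpforwarding": "yes",
    "permitopen": "any",
    "gatewayports": "no",
    "allowagentforwarding": "yes",
}


def parse_sshd_config(text):
    """Effective global directives. sshd honours the FIRST value given for a keyword,
    so a hardening line appended at the end of the file may silently lose."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break                     # conditional blocks not handled in this global check
        effective.setdefault(key, value)
    return {**DEFAULTS, **effective}


def audit_sshd(text):
    """Return human-readable findings for settings that widen what an SSH login can do."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["allowtcpforwarding"] != "no":
        findings.append("AllowTcpForwarding enabled: any SSH login can tunnel (-L/-D) to internal hosts")
        if cfg["permitopen"] == "any":
            findings.append("PermitOpen unrestricted: tunnels may target any host:port")
    if cfg["gatewayports"] != "no":
        findings.append("GatewayPorts enabled: remote forwards can listen on external interfaces")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication enabled: password guessing possible over SSH")
    if cfg["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes")
    return findings


if __name__ == "__main__":
    for f in audit_sshd(SAMPLE_SSHD_CONFIG):
        print("-", f)
```

For an account that only needs a menu or a restricted shell, the fix is `AllowTcpForwarding no` plus `PermitOpen none` (or a per-user `Match` block with the same settings), and `ForceCommand` for the menu itself; the checker's "first value wins" parsing is what catches the common mistake of appending those lines below an earlier permissive setting.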

  25. Potential access to internal systems! (diagram)

  26. Rather ironic: Remote Access Gateway
     • Unauthenticated access to the internal network?
     • Auth-bypass and root-shell

  27. Citrix fix info: Affects CAG 5.0.x
     • Reported Oct 2012
     • Fix released last week (6th March 2013)
     • CVE-2013-2263 Unauthorized Access to Network Resources
     • http://support.citrix.com/article/ctx136623

  28. Combination attacks
     • Combining multiple common issues

  29. Proofpoint: ownage by Email (last year)

  30. Out-of-band XSS and OSRF
     • I found 4 products with this issue
       • Three of which were Anti-spam products where you could attack users/administrators via a specially-crafted spam email
     • Out-of-Band XSS and OSRF has a massive advantage over CSRF attacks
       • Easy to distribute attack payloads
       • XSS cannot be detected and blocked by the admin’s browser
       • Minimal social-engineering or reconnaissance
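
The reason an anti-spam product is such a good carrier for this bug is that it exists to show administrators attacker-controlled strings (subjects, sender addresses) in its own UI, and because the script arrives stored in the page rather than reflected from a request, the browser's reflected-XSS heuristics never fire. The defence is therefore entirely server-side: encode every untrusted field for the context it lands in, and ship a Content-Security-Policy as a second layer. The code below is an added example, not from the talk or any vendor; the quarantine-list rendering, the `/quarantine/view` path and the sample subject are constructed.

```python
import html
from urllib.parse import quote

# Constructed sample of what a quarantine list has to display: the attacker chose every field.
SAMPLE_SUBJECT = 'Invoice overdue <script>probe()</script> "act now"'
SAMPLE_SENDER = "billing@example.invalid"
SAMPLE_MSG_ID = "q/123&x=1"

# Defence in depth for the admin UI: even if an encoding slip remains, inline script cannot run.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}


def render_quarantine_row_unsafe(subject, sender, msg_id):
    """The pattern that produces out-of-band stored XSS: mail headers pasted straight into HTML."""
    return (f'<tr><td>{subject}</td><td>{sender}</td>'
            f'<td><a href="/quarantine/view?id={msg_id}">view</a></td></tr>')


def render_quarantine_row(subject, sender, msg_id):
    """Hardened form: HTML-encode text that lands in element content, and
    percent-encode the value that lands in a URL query parameter."""
    return (
        "<tr>"
        f"<td>{html.escape(subject, quote=True)}</td>"
        f"<td>{html.escape(sender, quote=True)}</td>"
        f'<td><a href="/quarantine/view?id={quote(msg_id, safe="")}">view</a></td>'
        "</tr>"
    )


def contains_markup(fragment):
    """True if a rendered fragment still carries raw tag or attribute delimiters from input.
    Used here as a unit check on the renderer's output, not as an input filter."""
    body = fragment
    for fixed in ("<tr>", "</tr>", "<td>", "</td>", '<a href="', '">view</a>'):
        body = body.replace(fixed, "")
    return any(ch in body for ch in '<>"')


if __name__ == "__main__":
    print(render_quarantine_row_unsafe(SAMPLE_SUBJECT, SAMPLE_SENDER, SAMPLE_MSG_ID))
    print(render_quarantine_row(SAMPLE_SUBJECT, SAMPLE_SENDER, SAMPLE_MSG_ID))
```

Note that the safe renderer never tries to recognise "bad" subjects: blacklisting would have to anticipate every encoding trick the filter itself is designed to catch in spam, whereas context-specific output encoding is complete by construction. A template engine with auto-escaping on gives the same result with less chance of a missed field.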

  31. Backup-restore flaws - revisited via CSRF
     • Vendors deciding not to fix the backup/restore tar.gz issue
     • But… common feature, and high-privilege
     • Use CSRF to restore the attacker’s backup!
       • Spoof a file-upload and “apply policy”
       • Which results in a reverse-shell as root

  32. CSRF backup/restore attack (diagram)

  33. Symantec Email Appliance (9.5.x)
     • Multiple issues

     Description                                                           NCC Rating
     Out-of-band stored-XSS - delivered by email                           Critical
     XSS (both reflective and stored) with session-hijacking               High
     Easy CSRF to add a backdoor-administrator (for example)               High
     SSH with backdoor user account + privilege escalation to root         High
     Ability for an authenticated attacker to modify the Web-application   High
     Arbitrary file download was possible with a crafted URL              Medium
     Unauthenticated detailed version disclosure                           Low

  34. Out-of-band XSS and OSRF
     • Chain together issues in various ways
       • XSS in spam Email subject line, to attack the administrator
       • Use faulty “backup/restore” feature (with OSRF) to add arbitrary JSP to the admin UI, and a SUID binary
       • XSS - Executes new function to send a reverse-shell back to the attacker
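
The second step of this chain, and the "tar.gz issue" of slide 31, come down to a restore routine that writes whatever the uploaded archive contains, including files outside the backup tree (a JSP dropped into the admin web application) and binaries with the setuid bit. The talk does not describe the vendor's restore code, so the validation below is an added example built on that assumption, not the product's code: it authenticates the archive with an HMAC so only backups the appliance itself produced are accepted, and then refuses path escapes, links, special files and setuid/setgid members before anything touches the disk. The archive layout (`config/`, `policy/`) and the key are constructed.

```python
import hashlib
import hmac
import io
import posixpath
import stat
import tarfile

# Assumed layout of a legitimate backup: only these top-level directories may appear.
ALLOWED_TOP_LEVEL = {"config", "policy"}

# Demo key only; a real appliance would keep this in its protected config store (assumed).
KEY = b"constructed-demo-key"


def sign_backup(archive_bytes, key=KEY):
    """MAC the whole archive at backup time so restore can tell the appliance's own backups apart."""
    return hmac.new(key, archive_bytes, hashlib.sha256).hexdigest()


def backup_problems(archive_bytes, expected_mac, key=KEY):
    """Return every reason to reject the archive; an empty list means it is safe to extract."""
    problems = []
    if not hmac.compare_digest(sign_backup(archive_bytes, key), expected_mac):
        problems.append("archive MAC mismatch: not produced by this appliance, or modified")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            norm = posixpath.normpath(m.name)
            if m.name.startswith("/") or norm == ".." or norm.startswith("../"):
                problems.append(f"{m.name}: path escapes the restore directory")
            elif norm.split("/")[0] not in ALLOWED_TOP_LEVEL:
                problems.append(f"{m.name}: outside the allowed backup paths")
            if m.issym() or m.islnk():
                problems.append(f"{m.name}: links are not allowed in a backup")
            elif not (m.isfile() or m.isdir()):
                problems.append(f"{m.name}: special file not allowed in a backup")
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append(f"{m.name}: setuid/setgid bit set")
    return problems


def build_archive(entries):
    """Construct a tar.gz in memory from (name, data, mode) tuples; used for the samples below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a legitimate backup, and one shaped like the slide's attack archive.
GOOD_BACKUP = build_archive([("config/settings.xml", b"<settings/>", 0o640)])
BAD_BACKUP = build_archive([
    ("../../opt/webapp/admin/extra.jsp", b"<%-- placeholder --%>", 0o644),  # lands in the web app
    ("config/helper", b"\x7fELF", 0o4755),                                   # setuid binary
])


if __name__ == "__main__":
    print("good:", backup_problems(GOOD_BACKUP, sign_backup(GOOD_BACKUP)))
    print("bad: ", backup_problems(BAD_BACKUP, sign_backup(BAD_BACKUP)))
```

Python 3.12 and later can refuse most of these members at extraction time with `extractall(filter="data")`; the explicit pass is still worth having because it reports every problem before the first file is written and because the MAC check closes the case the filter cannot: a well-formed archive that simply is not yours. The MAC assumes the attacker never obtains the key; if a root shell is already on the box that assumption is gone, which is why this check protects against the CSRF and XSS entry points rather than against an already-compromised host.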

  35. XSS Email to reverse-shell as root (diagram)

  36. Rather ironic
     • Root-shell via malicious email message
     • In an email filtering appliance?

  37. Symantec fix info: Upgrade to 10.x
     • Reported April 2012 – Fixed Aug 2012
     • CVE-2012-0307 XSS issues
     • CVE-2012-0308 Cross-site Request Forgery CSRF
     • CVE-2012-3579 SSH account with fixed password
     • CVE-2012-3580 Web App modification as root
     • CVE-2012-4347 Directory traversal (file download)
     • CVE-2012-3581 Information disclosure
     http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00

  38. TrendMicro Email Appliance
