hacking appliances
play

Hacking Appliances: Ironic exploits in security products Ben Williams - PowerPoint PPT Presentation

Feb 12, 2023 •462 likes •1.1k views

9:22 AM Hacking Appliances: Ironic exploits in security products Ben Williams 9:22 AM Proposition There is a temptation to think of Security Appliances as impregnable fortresses, this is definitely a mistake. Security Appliance (noun) -

  1. 9:22 AM Hacking Appliances: Ironic exploits in security products Ben Williams

  2. 9:22 AM Proposition • There is a temptation to think of Security Appliances as impregnable fortresses, this is definitely a mistake. • Security Appliance (noun) - Poorly configured and maintained Linux system with insecure web-app (and other applications) 9:22 AM

  3. 9:22 AM Which kind of appliances exactly? • Email filtering • Proofpoint (F-secure among others), Baracuda, Symantec, Trend Micro, Sophos, McAfee • Firewall, Gateway, Remote Access • McAfee, Pfsense, Untangle, ClearOS, Citrix, Barracuda • Others • Single sign-on, communications, file-storage etc 9:22 AM

  4. 9:22 AM Are these product well-used and trusted? 2013 SC Magazine US Awards Finalists - Reader Trust Awards - “Best Email Security Solution” • Barracuda Email Security • McAfee Email Protection • Proofpoint Enterprise Protection • Symantec Messaging Gateway • Websense Email Security Gateway Anywhere 9:22 AM

  5. 9:22 AM How are they deployed? Web Email Remote Firewall Filter Filter Access or Gateway or UTM Security Management Other Appliances 9:22 AM

  6. 9:22 AM Sophos Email Appliance (v3.7.4.0) • Easy password attacks • Command-injection • Privilege escalation • Post exploitation http://designermandan.com/project/crisis-charity/ 9:22 AM

  7. 9:22 AM Interesting system in a Pentest PORT STATE SERVICE VERSION 24/tcp open ssh OpenSSH 5.1p1 (FreeBSD 20080901; protocol 2.0) |_ssh-hostkey: 1024 23:f4:c6:cf:0d:fe:3f:0b:22:ab:9f:7d:97:19:03:e2 (RSA) 25/tcp open smtp Postfix smtpd |_smtp-commands: sophos.insidetrust.com, PIPELINING, SIZE 10485760, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 80/tcp open http nginx | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:443/ |_http-methods: No Allow or Public header in OPTIONS response (status code 302) 443/tcp open ssl/http nginx | ssl-cert: Subject: commonName=sophos.insidetrust.com/organizationName=Sophos PLC/ stateOrProvinceName=British Columbia/countryName=CA | Not valid before: 2012-09-20 20:06:32 |_Not valid after: 2022-09-18 20:06:32 |_http-title: Sophos Email Appliance |_http-methods: No Allow or Public header in OPTIONS response (status code 200) 5432/tcp open postgresql PostgreSQL DB 8.0.15 - 8.0.21 18080/tcp open http nginx |_http-methods: No Allow or Public header in OPTIONS response (status code 302) | http-title: 302 Found |_Did not follow redirect to https://sophos.insidetrust.com:18080:18080/ 9:22 AM

  9. 9:22 AM Easy targeted password-attacks… because • Known username (default, often fixed) • Linux platform with a scalable and responsive webserver • No account lockout, or brute-force protection • Minimal password complexity • Administrators choose passwords • Few had logging/alerting • Over an extended period, an attacker stands a very good chance of gaining administrative access 9:22 AM

  10. 9:22 AM Really obvious vulnerabilities • Loads of issues • XSS with session hijacking, CSRF, poor cookie and password security, OS command injection… • So… I got an evaluation… 9:22 AM

  12. 9:22 AM Command-injection (and root shell) • Why do we want a root shell? • Reflective attacks (with reverse shells) • Admins can’t view all email, but an attacker can • Foothold on internal network 9:22 AM

  13. 9:22 AM Direct attack 9:22 AM

  15. 9:22 AM Attacker Reflective attack 9:22 AM

  17. 9:22 AM What do you get on the OS? • Old kernel • Old packages • Unnecessary packages • Poor configurations • Insecure proprietary apps 9:22 AM

  18. 9:22 AM Appliances are not “Hardened Linux” • It’s common for useful tools to be already installed • Compilier/debugger (gcc,gdb), Scripting languages (Perl, Python, Ruby), Application managers (yum, apt-get), Network sniffers (tcpdump), Other tools (Nmap, Netcat) • File-system frequently not “hardened” either • No SELinux. AppArmour or integrity checking • Rare to see no-write/no-exec file systems 9:22 AM

  19. 9:22 AM Meanwhile… Post exploitation That looks like a cosy shell… I think I’ll move in! 9:22 AM

  21. 9:22 AM Stealing passwords • Plain-text passwords on box • Steal credentials from end-users • Just decrypt HTTPS traffic with Wireshark • Using the SSL private key for self-signed cert 9:22 AM

  23. 9:22 AM Sophos fix info: Leave auto-update enabled • Reported Oct 2012 • Vendor responsive and helpful (though limited info released) • Fix scheduled for Jan 14 th 2013 9:22 AM

  24. 9:22 AM The ironic thing about Security Appliances • Most Security Appliances suffer from similar security vulnerabilities • Some significantly worse 9:22 AM

  25. 9:22 AM Common exploit categories • Almost all Security Appliance products had • Easy password attacks • XSS with session-hijacking, or password theft • Non-hardened Linux OS – (though vendors claim otherwise) • Unauthenticated information disclosure (exact version) • The majority had • CSRF of admin functions • OS Command-injection • Privilege escalation (either UI and OS) 9:22 AM

  26. 9:22 AM Common exploit categories • Several had • Stored out-of-band XSS and OSRF (for example in email) • Direct authentication-bypass • A few had • Denial-of-Service • SSH misconfiguration • There were a wide variety of more obscure issues 9:22 AM

  27. 9:22 AM Citrix Access Gateway (5.0.4) • Multiple issues • Potential unrestricted access to the internal network 9:22 AM

  28. 9:22 AM Erm… That’s a bit odd… ssh admin@192.168.233.55 9:22 AM

  29. 9:22 AM Where’s my hashes to crack? 9:22 AM

  30. 9:22 AM Port-forwarding (no password) When SSH is enabled on the CAG - port-forwarding is allowed ssh admin@192.168.1.55 ssh admin@192.168.1.55 -L xxxx:127.0.0.1:xxxx 9:22 AM

  32. 9:22 AM Potential access to internal systems! Attacker 9:22 AM

  34. 9:22 AM Rather ironic: Remote Access Gateway • Unauthenticated access to the internal network? • Auth-bypass and root-shell 9:22 AM

  35. 9:22 AM Citrix fix info: Affects CAG 5.0.x • Reported Oct 2012 • Fixed released last week (6 th March 2013) • CVE-2013-2263 Unauthorized Access to Network Resources • http://support.citrix.com/article/ctx136623 9:22 AM

  36. 9:22 AM Combination attacks • Combining multiple common issues 9:22 AM

  37. 9:22 AM Proofpoint: ownage by Email (last year) 9:22 AM

  38. 9:22 AM Out-of-band XSS and OSRF • I found 4 products with this issue • Three of which were Anti-spam products where you could attack users/administrators via a specially-crafted spam email • Out-of-Band XSS and OSRF has a massive advantage over CSRF attacks • Easy to distribute attack payloads • XSS cannot be detected and blocked by the admins browser • Minimal social-engineering or reconnaissance 9:22 AM

  39. 9:22 AM Backup-restore flaws - revisited via CSRF • Vendors deciding not to fix the backup/restore tar.gz issue • But… common feature, and high-privilege • Use CSRF to restore the attacker’s backup! • Spoof a file-upload and “apply policy” • Which results in a reverse-shell as root 9:22 AM

  41. 9:22 AM CSRF backup/restore attack 9:22 AM

  42. 9:22 AM Symantec Email Appliance (9.5.x) • Multiple issues Description NCC Rating Out-of-band stored-XSS - delivered by email Critical XSS (both reflective and stored) with session-hijacking High Easy CSRF to add a backdoor-administrator (for example) High SSH with backdoor user account + privilege escalation to root High Ability for an authenticated attacker to modify the Web-application High Arbitrary file download was possible with a crafted URL Medium Unauthenticated detailed version disclosure Low 9:22 AM

  43. 9:22 AM Out-of-band XSS and OSRF • Chain together issues in various ways • XSS in spam Email subject line, to attack the administrator • Use faulty “backup/restore” feature (with OSRF) to add arbitrary JSP to the admin UI, and a SUID binary • XSS - Executes new function to send a reverse-shell back to the attacker 9:22 AM

  45. 9:22 AM XSS Email to reverse-shell as root 9:22 AM

  46. 9:22 AM Rather ironic • Root-shell via malicious email message • In an email filtering appliance? 9:22 AM

  47. 9:22 AM Symantec fix info: Upgrade to 10.x • Reported April 2012 – Fixed Aug 2012 • CVE-2012-0307 XSS issues • CVE-2012-0308 Cross-site Request Forgery CSRF • CVE-2012-3579 SSH account with fixed password • CVE-2012-3580 Web App modification as root • CVE-2012-4347 Directory traversal (file download) • CVE-2012-3581 Information disclosure http://www.symantec.com/security_response/securityupdates/detail.jsp? fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00 9:22 AM

  48. 9:22 AM TrendMicro Email Appliance 9:22 AM

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark

Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark

Methodologies For Hacking Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark Carey is the Chief Scientist for Peak Security. Over 22 years of experience in engineering and security. - Keeper of

1.06k views • 103 slides
TESTING OF GAS APPLIANCES FLOW & GAS APPLIANCES LABORATORY MECHANICAL & AUTOMOTIVE

TESTING OF GAS APPLIANCES FLOW & GAS APPLIANCES LABORATORY MECHANICAL & AUTOMOTIVE

TESTING OF GAS APPLIANCES FLOW & GAS APPLIANCES LABORATORY MECHANICAL & AUTOMOTIVE SECTION (MAST ) Domestic Gas Cooker Register at Online Application System MANUFACTURERS ( Foreign/Importer ) MANUFACTURERS (Local) (OAS) website

481 views • 22 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
T URN OFF THE LIGHTS ? Melanie Derby and Emily Porter-Goff y y

T URN OFF THE LIGHTS ? Melanie Derby and Emily Porter-Goff y y

T URN OFF THE LIGHTS ? Melanie Derby and Emily Porter-Goff y y http://www.lightbulbmarket.com/product/050260_60-Watt-A-19-Philips-Light-Bulb Today Buy appliances Test energy usage of small appliances of small appliances T IME

335 views • 7 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

486 views • 27 slides
Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by

Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by

Customing Android: Looking inside the droids belly Embedded Android Appliances What do I mean by Appliances? appliance / pl ns/ Noun A device designed to perform a specific task, typically a domestic one. Digital Signage

1.04k views • 55 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
Connecting IoT appliances securely to the cloud (eap-noob) Tuomas Aura, Aalto University,

Connecting IoT appliances securely to the cloud (eap-noob) Tuomas Aura, Aalto University,

Connecting IoT appliances securely to the cloud (eap-noob) Tuomas Aura, Aalto University, Finland joint work with Mohit Sethi, Ericsson, and others Connecting devices to cloud Cloud IoT appliances Internet User Authenticated key

528 views • 17 slides
ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING

ZIGDIGGITY ZIGBEE HACKING TOOLKIT AUGUST 7-11, 2019 http://zigdiggity.c om NEW ZIGBEE HACKING TOOLKIT FREE, OPEN-SOURCE WHAT IS ZIGDIGGITY??? + = RaspBee radio + Raspberry Pi ZigDiggity - GitHub Code http://zigdiggity.com BISHOPFOX

617 views • 23 slides
Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020

Hacking C# CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 19.08.2020 HACKING C# - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET

481 views • 37 slides
Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi

Ethical Hacking Finse 2019 Cyber Security Winter school Universitetet i Oslo Laszlo Erddi From Myself Associate Professor at UiO Teaching Ethical Hacking since 2012 Lecturer of the IN5290 Ethical Hacking at UiO Leader

878 views • 66 slides
Special Gas Venting Systems Proper System Design for Category IV Appliances Special Gas Venting

Special Gas Venting Systems Proper System Design for Category IV Appliances Special Gas Venting

Special Gas Venting Systems Proper System Design for Category IV Appliances Special Gas Venting Systems National Fuel Gas Code (NFPA 54/ ANSI Z223.1) Definition Gas vent for venting listed Category II, III, and IV appliances Venting

691 views • 48 slides
Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking

CLIMATE CHANGE IN HELTHCARE : Driving Innovation through the www.linkedin.com/pulse/climate-change-healthcare-lucien- hacking engelen GIB DE MEDEIROS, PH.D. Digital Hospital Transformation Forum at HIC 2017 Brisbane, Australia HACKING

644 views • 27 slides
Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking

Hacking Telco equipment The HLR/HSS Laurent Ghigonis Security researcher at P1 Security Hacking Telco equipment: The HLR/HSS Laurent Ghigonis P1 Security 2014, Hackito Ergo Sum - Security Conference What are we talking about ? A mobile

724 views • 59 slides
Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review

Mr. Robot, an Emmy Award-winning TV drama starring a vigilante hacker CS 88S Hacking in Popular Culture Week 2 Frank Chen | Spring 2017 Agenda Administrative Review last weeks material Hack Hollywood Hacking: The Good, The

718 views • 45 slides
Kitchen Appliances Philips Airfyer - Trade Presentation Updated Q4 2013 1 Agenda Marketplace

Kitchen Appliances Philips Airfyer - Trade Presentation Updated Q4 2013 1 Agenda Marketplace

Kitchen Appliances Philips Airfyer - Trade Presentation Updated Q4 2013 1 Agenda Marketplace Trends Consumer Update Product Review Retailer Review/Recommendations Confidential 2 Marketplace Trends Philips Kitchen Appliances has over 80

604 views • 25 slides
Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized

Hacking Russia: Inside an Hacking Russia: Inside an unprecedented prosecution of organized cybercrime Joseph Menn Agenda Agenda Why Russia matters (and differs from China) Why Russia matters (and differs from China) How three hackers got

557 views • 12 slides
Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Outline Google Hacking Privacy Searches Countermeasures Future Work Conclusion Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de Department of Computer Science, University of Mannheim (on leave to the

389 views • 21 slides
Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program

Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program

ISA 330 Introduction to Proactive System Security Week #1 Ethical Hacking Philip Robbins August 31, 2013 Information Security & Assurance Program University of Hawai'i West Oahu 1 Ethical Hacking Topics Introductions Syllabus

1.17k views • 88 slides

More recommend