Please consider donating:


BlackHatEU2013 – Day1 – Hacking Appliances

The second talk I’m attending today is presented by Ben Williams, who’s going to talk about “Ironic exploitation of security products”. He explains that, as a pentester/researcher for NCC Group, he gets the chance to do fun pentests and break a lot of stuff.  In the past year, he was able to work on auditing various security appliances, more specifically the web interface of these products.  Most of the vulnerabilities were very easy to find, which is quite interesting because these appliances are supposed to protect us.   We all assume these products are impregnable fortresses.

Ben explains that he has looked at Email/Web filtering appliances, Firewalls, gateways, UTMs, Remote Access systems and others (single sign-on products, etc) and found lots of bugs in most of these products.  Interestingly enough, some of these appliances were awarded as “best products” in the 2013 edition of SC Magazine.

Some of these systems are very valuable to an attacker.  If a firewall is compromised, this is a big issue. In a lot of cases, these appliances sit at the perimeter of the network and have the management interface exposed to the internet as well.  Ben explains that the placement of these appliances in the network obviously impact how easy it can be for an attacker to take advantage of a flaw.

To demonstrate what can be found in some appliances, Ben starts by using a Sophos Email Appliance as an example.  He was fortunate enough to come across this appliance during a pentest and discovered that it had the  admin UI exposed to the internet, as well as port 22 and 25.  He used Burp Suite to look at the authentication process of the appliance and attempted to brute force the authentication.  He found the password and was able to log in.  By itself, this is not really an exploit, but it allowed him to continue to audit the appliance itself.

A lot of appliances, Ben mentions, have default admin user accounts and passwords.  These appliances usually don’t prevent brute forcing of accounts or account lockout policies.  Usually, the device lacks password complexity requirements.  During his tests, he even discovered that some appliances didn’t even have proper logging/alerting.   In other words, even with a brute force attempt, attackers might have a good chance to get into the device, even if it takes days, weeks or months to find the password.

After gaining access to the admin interface of the mail appliance, he found loads of additional issues, including XSS with session hijacking, CSRF issues, even OS command injection bugs.  Game over.  After all, with command injection, an attacker can not only get a shell, but he also gets access to all emails, even the ones that the admin can’t see from the appliance UI.  On top of that, he might even be able to access the internal network from the appliance.  Going from a normal shell to root shell on this particular device was trivial.

From an OS perspective, Ben explains, you can find old kernels, old packages, unnecessary packages, poor configurations and insecure proprietary access.   Most vendors claim that their appliance is running a “hardened” linux, but that doesn’t seem to be the case in some cases, he continues.  After all, he has found compiler/debuggers, scripting languages, application managers, network sniffers and other tools such as mmap/netcat on certain devices.  Some devices didn’t have DEP/ASRL enabled.  In any case, that’s not we would consider to be a “hardened” device.  If you can use a sniffer for example, you can simply read all emails on an email appliance and gain access to company secrets, extract passwords, etc.   If such tools are not available, it might actually be possible to just download the package from the internet, compile it on the device and use it.  Ben demonstrated that he was able to ftp the mmap source into a device, compile it, and use it to map the internal network.

The issues found in this particular device were reported to Sophos and got fixed in Jan 2013.

The ironic thing about appliances is the fact that the mentioned vulnerabilities are fairly common.   Almost all products he audited had Easy password attacks, XSS with session hijacking bugs, allowed for password theft, non-hardened OS (although vendors still claim otherwise), unauthenticated version disclosure.  The majority had CSRF of admin functions and/or provide OS command injection and privilege escalation.

Several appliances had stored out-of-band XSS and OSRF bugs (for example, in emails), or even allowed direct authentication bypass.   Some were very easy to DoS or had important SSH misconfigurations.   In short, most of the OWASP top 10 issues were discovered on a variety of devices.

Ben continues his talk by explaining he was able to find some issues in the Citrix Access Gateway.  He discovered that, after enabling SSH, and attempting to login to the device using  ssh admin@ip_address, the device was still asking for the username.  In fact, the login prompt was just a restricted shell, without password, then asking for another login.  By using the -L SSH parameter, he was able to set up port forwarding inside his SSH session, allowing him to gain access to the UI (which was not exposed to the internet).  By combining port forwarding settings, it would even be able to attack hosts behind the gateway.   As a secure Remote Access Gateway, this is definitely not wanted behaviour. This issue was fixed just a week ago. (CVE 2013-2263)

Triggered by an issue he found in research from 2011, where he was able to own an email filtering product by using a malicious email, he decided to attack products by using traffic designed for the product.  He found out-of-band XSS and OSRF issues on 3 anti-spam products, allowing you to attack the users/admins using a specially crafted spam email.

On top of that, Ben found various issues with backup&restore functionality present in some devices.  If you combine this functionality with a CSRF issue, you might be able to upload a manipulated backup file, apply it to the device (including your “special” configuration) and get a root shell.  After all, restoring a backup is a high-privilege operation on the device. Ben looked at Symantec Email Appliance (9.5.x) for a couple of days and discovered Out-of-band stored XSS (delivered by email), XSS (reflective and stored) with session-hijacking, easy CSRF, SSH with a backdoor account + privilege escalation to root, the ability for an authenticated attacker to modify the UI.  By combining various attacks (Out-of-band XSS + OSRF), he was able to upload a SUID binary and got a reverse root shell back from the appliance. As soon as the admin looks at the logs, the series of attacks were triggered and the shell was delivered.

The Trend Micro InterScan Messaging Security Virtual Appliance was also found to be vulnerable to a series of bugs, allowing an attacker to collect passwords to the device by injecting scripts into the device using specially crafted email messages. To trigger the attack, the user simply needs to visit his spam quarantine page on the device.  The Trend Micro issues were reported in April 2012, but are still not fixed.

Ben explains that, while doing this research, he also noticed that some vendors seem to be very cooperative in the process of handling reported vulnerabilities. Typical turnaround for fixes still appears to be 4 to 5 months, but most of them seem to care and actually fix the bugs.  After a bug gets fixed, the admins still need to apply the patches, which – we all know – doesn’t alway happen.  For vendors, Ben concludes, it’s a good idea to increase efforts in terms of Secure Development Lifecycle, product security testing or just simple pentesting against their own devices.

About 80 to 90% of the appliances Ben looked at, appeared to be vulnerable one way or another.  He received variable responses from vendors. Some bugs got fixed in 3 months, others have not been fixed.

From an evolution point of view, companies tend to shift towards virtual appliances and cloud services. Vulnerabilities found in these services might affect ALL customers at once. After all, the UI needs to be accessible from the internet by design, which also allows the attacker to “test” the security without having to download software or buying an appliance himself.

Ben finishes his talk by explaining that there were some rumours about backdoors that may or may not have been part of Huawei device, and mentions “why would you need a backdoor if the UI is vulnerable”.

Finally, from a defence point of view, Ben stresses that you should avoid enabling the admin interface on an untrusted network and apply patches when they become available.  Using a different browser with a no script plugin might actually help avoiding the abuse of XSS and CSRF issues.  Make sure only trusted IPs can access the devices (instead of all users) and change admin passwords.



© 2013, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.

Comments are closed.

Corelan Training

We have been teaching our win32 exploit dev classes at various security cons and private companies & organizations since 2011

Check out our schedules page here and sign up for one of our classes now!


Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?

Your donation will help funding server hosting.

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Protected by Copyscape Web Plagiarism Tool

Corelan on Slack

You can chat with us and our friends on our Slack workspace:

  • Go to our facebook page
  • Browse through the posts and find the invite to Slack
  • Use the invite to access our Slack workspace
  • Categories