Tuesday, 25 March 2014

Hacking Email Filtering Appliances and Solutions - talks and tools

I recently presented at Hackcon in Oslo, Norway, and at IT-Defense in Cologne, Germany, on the subject of "Hacking Email Filtering Appliances and Solutions".

I briefly covered some of the vulnerabilities I have previously found in Security Appliances, but talked in much more detail about recent research I have been developing for the automated enumeration of email filtering services, products and policies (offensively, from the outside).

Specifically, I talked about the enumeration techniques, and how this information could be used by malicious hackers to improve the efficiency of attacks against organizations. This type of automated reconnaissance can be combined with phishing attacks to quickly find and exploit vulnerable systems and users.

Feedback from both these talks has been very good, and I am planning to release tools, and a white paper over the coming months.

I have been developing MailFEET, an enumeration tool with defense in mind, to enable organizations to identify weaknesses in their email filtering solutions. I have tested this tool against hundreds of domains to find some of the most common policy bypasses, and we have used these techniques with several of our customers recently to help them identify and close such loopholes.

In terms of the loopholes, well, there are a lot, and I will probably talk about that more in a future post, but for a brief three bullet-point summary:

  • Most email filtering solutions do not block embedded executable code or scripts in office documents.
  • Almost all companies tested had no filtering for common encrypted attachments (password protected office documents or zip files for example).
  • A small but significant percentage of organizations had direct bypasses in their email filtering (i.e. in around 5% to 10% of cases, it was possible to deliver directly to relays or mail-servers behind the filtering solution, by enumerating the relevant IPs from SMTP header information).
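The three loopholes above can each be checked for from the defending side. The following is an added example (it is not code from the original post and is not part of MailFEET): it flags attachments that a filtering policy typically lets through unopened (zip archives with the encryption bit set, OOXML documents carrying a VBA project, and password-protected Office files, which are stored in an OLE container with an `EncryptedPackage` stream), and it lists RFC 1918 addresses that leak in the `Received:` headers of mail the organisation sends out, which is exactly the information that reveals relays sitting behind the filter. All sample files and the sample message are constructed inline; the encrypted-zip sample has its flag bit set by hand because Python's `zipfile` cannot write encrypted archives.

```python
"""Attachment-policy and header-exposure checks (added example, constructed data)."""
import io
import ipaddress
import re
import zipfile
from email import message_from_string

# Magic bytes of an OLE compound file (legacy Office formats and encrypted OOXML wrappers).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# RFC 1918 ranges only: an internal relay address in a header is what we want to catch.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry sets bit 0 of the general-purpose flags (traditional or AES encryption)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def office_has_macros(data: bytes) -> bool:
    """True if an OOXML container (docx/docm/xlsm/pptm) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def office_is_encrypted(data: bytes) -> bool:
    """Heuristic: password-protected OOXML files are OLE containers whose directory
    names an 'EncryptedPackage' stream; OLE directory entry names are UTF-16LE."""
    return data.startswith(OLE_MAGIC) and "EncryptedPackage".encode("utf-16-le") in data


def classify_attachment(data: bytes) -> set:
    """Return the set of policy findings for one attachment body."""
    findings = set()
    if zip_has_encrypted_entries(data):
        findings.add("encrypted-zip")
    if office_has_macros(data):
        findings.add("office-macros")
    if office_is_encrypted(data):
        findings.add("encrypted-office")
    return findings


def exposed_internal_hops(raw_message: str) -> list:
    """RFC 1918 addresses that appear in Received: headers, in order of first appearance.
    Run over outbound mail, this shows which relay addresses behind the filter are disclosed."""
    msg = message_from_string(raw_message)
    found = []
    for hop in msg.get_all("Received", []):
        for ip_text in IPV4_RE.findall(hop):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # e.g. a dotted version string that matched the regex
            if any(ip in net for net in INTERNAL_NETS) and ip_text not in found:
                found.append(ip_text)
    return found


# ---- constructed samples (not real files or real mail) ----
def _build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_first_entry_encrypted(data: bytes) -> bytes:
    """Set the encryption flag in the first local header (flags at offset 6) and in the
    matching central-directory record (flags at offset 8 after the 'PK\\x01\\x02' signature)."""
    data = data[:6] + b"\x01\x00" + data[8:]
    cd = data.find(b"PK\x01\x02")
    return data[:cd + 8] + b"\x01\x00" + data[cd + 10:]


SAMPLE_ENCRYPTED_ZIP = _mark_first_entry_encrypted(_build_zip({"invoice.exe": b"MZ..."}))
SAMPLE_MACRO_DOCX = _build_zip({"[Content_Types].xml": b"<Types/>",
                                "word/document.xml": b"<w:document/>",
                                "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 8})
SAMPLE_PLAIN_DOCX = _build_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
SAMPLE_ENCRYPTED_OOXML = OLE_MAGIC + b"\x00" * 504 + "EncryptedPackage".encode("utf-16-le")

SAMPLE_OUTBOUND_MESSAGE = """\
Received: from mailfilter.example.com (mailfilter.example.com [203.0.113.10])
\tby mx.example.net with ESMTP; Tue, 25 Mar 2014 10:00:00 +0000
Received: from exch01.corp.example.com (exch01.corp.example.com [10.20.30.40])
\tby mailfilter.example.com with ESMTP; Tue, 25 Mar 2014 09:59:58 +0000
From: alice@example.com
To: bob@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, blob in (("encrypted zip", SAMPLE_ENCRYPTED_ZIP), ("macro docx", SAMPLE_MACRO_DOCX),
                        ("plain docx", SAMPLE_PLAIN_DOCX), ("encrypted office", SAMPLE_ENCRYPTED_OOXML)):
        print(f"{label:17s} -> {sorted(classify_attachment(blob))}")
    print("internal hops disclosed ->", exposed_internal_hops(SAMPLE_OUTBOUND_MESSAGE))
```

The second `Received:` line is the one a filtering layer should be rewriting or stripping before mail leaves: the filter's own public address is expected to appear, the Exchange server's 10.x address behind it is not. The `EncryptedPackage` test is a byte-level heuristic that avoids a dependency on an OLE parser; a production filter would parse the OLE directory properly and would also inspect legacy `.doc`/`.xls` files for VBA storages, which this example does not do.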

Tools I am currently working on include:

MailFEET - Mail Filter External Enumeration Tool - For finding vulnerable email filtering products, and flaws or bypasses in email filtering policy (written in Python and SQLite) - This just needs tidying up a bit before release.

DAPHT - Document and Archive Payload Hiding Tool - For automatically embedding test payloads in a variety of formats, to hide them from most email and web filtering solutions (written in C#).

WebFEET - Web Filter External Enumeration Tool - For finding vulnerable web filtering products, and flaws or bypasses in web filtering policy (early days of a work in progress - probably will be mainly JavaScript, PHP and SQLite).



Friday, 7 June 2013

Athcon 2013

I am just on my way back from presenting at Athcon 2013 – the premier IT Security conference in Greece.



It was my first time at Athcon, but I have to say that I was impressed. The organisers did a great job with the venue and facilities, and chose speakers who offered a great mix of content and technical depth.

I presented my research on “Hacking Security Appliances” (which I have previously presented at BlackHat Europe, and Dublin Source earlier this year). That’s probably my last time presenting that particular material, as I want to keep things fresh and I'm currently working on various ideas I have for interesting new research.

For reference my base slides and white-paper for the material are here:
https://media.blackhat.com/eu-13/briefings/B_Williams/bh-eu-13-hacking-appliances-bwilliams-wp.pdf
https://media.blackhat.com/eu-13/briefings/B_Williams/bh-eu-13-hacking-appliances-bwilliams-slides.pdf

I saw good solid presentations from other speakers including the following:

Max Sobell - Security of NFC wallets
Michele Orru - Using BeEF for custom shellcode and inter-protocol attacks
Jurriaan Bremer - Automated de-obfuscation of Android apps and malware
Kostas Papapanagiotou - History of OWASP Top 10

(and also had a good meal out in Athens last night, with some of the other speakers, which was great fun)

Athcon also had a “capture the flag” (CTF) competition hosted by Symantec (unfortunately I didn't get time to take part, but it seemed to be very popular).

All in all, a great conference that I would like to attend (and speak at) again.

Tuesday, 12 March 2013

BlackHat EU this week

I am looking forward to speaking at BlackHat EU again on Thursday of this week. I will be talking on the subject of "Hacking Appliances: Ironic exploits in security products", an area of research I have particularly enjoyed.

http://www.blackhat.com/eu-13/schedule/briefings-14.html

In short, I will be discussing some of the vulnerabilities I have escalated to various vendors of popular Security Appliances during 2012, and demonstrating how these vulnerabilities could be exploited in realistic scenarios.

There will be some root shell, for those of us who like that sort of thing, but I think the most interesting aspect is that most of the vulnerabilities were typical OWASP Top 10 type issues, or other fairly basic misconfigurations, which could be found and exploited in a few days using typical attack techniques.

People outside the Pentesting community find it surprising when I tell them that most popular Security Appliances I have looked at had fairly basic and rather easy to find vulnerabilities. Most of the products I looked at were popular and widely deployed, so the concerning thing is that companies using these products (and the vendors who produce them) were unaware that these products suffered from such issues.

As for the irony, I have certainly seen some ironic issues over the past 18 months, for example:
• A URL filter which could be fully compromised with a malicious URL
• Email filtering products which could be fully compromised with malicious emails
• A single-sign-on system where all the credentials could be extracted in an unauthenticated way
• A firewall that could be fully compromised from the outside due to authentication-bypass
• A secure remote access gateway which could give unauthenticated external attackers free and easy access to the internal network

I showed some of these issues last year, and I will be showing a few more during my talk on Thursday.
(by "fully compromised" I generally mean a root shell on the underlying operating system)


Wednesday, 27 June 2012

Symantec have fixed some exploits in Symantec Message Filter

Looks like Symantec have finally fixed some security issues I raised with them back in January 2012 for Symantec Message Filter 6.3.

It took them six months, so I am not impressed with their patching cycle, or their focus on IT Security generally (this is supposed to be a security product, after all).

Basically, as I described at BlackHat EU back in May 2012, this product's installer shipped versions of Tomcat and MySQL which were 7 years old, with default content and no patches (so the product had well-known third-party exploits right out of the box).

Additionally (and something I felt I couldn't describe at the time, because it was still 0-day), there were session-management and information-disclosure issues in the administrative UI, plus Cross Site Request Forgery (CSRF) of administrative functions and XSS.

More detail is here:
http://www.symantec.com/security_response/securityupdates/detail.jsp?suid=20120626_00&fid=security_advisory&pvid=security_advisory&year=2012

The CVEs are:

CVE-2012-0300
CVE-2012-0301
CVE-2012-0302
CVE-2012-0303