This is the video from my presentation at BlackHatEU 2012 back in May, which shows some typical examples of exploits I had found in the period from October 2011 to March 2012 (all of the issues in the demo videos have now been addressed).
(this video is around 40 minutes, and may take a minute or so to start depending on your connection)
If you are interested in the technical side, the white-paper that went with this presentation can be found here:
Since then I have continued my research project, and to date have found around 80 exploits (most of which are in Security Gateways, though I have also started to look at some other types of appliances as well). Fixes and updates have been released for at least 25 of these exploits so far, though the majority are still in the respective vendors' patch cycles (this means that these products are improving, which is a positive outcome).
Some vendors are very reactive; a few vendors (especially Symantec and Barracuda) don't seem to be able to turn around fixes within a reasonable timeframe (Symantec still have not addressed serious issues I raised with them back in January 2012 - despite me chasing them). The good news is that many vendors address issues within a couple of months or so, and some within a few days - which is excellent!
As for the briefest of summaries: this research is continuing to uncover more and more similar issues, showing alarming trends in the insecurity of security-product Web UIs. For example:
Almost all Security Gateway products had
- Unauthenticated information disclosure
- XSS with session-hijacking
- CSRF of admin functions
- Privilege escalation
- Direct authentication-bypass
- Stored out-of-band XSS and OSRF
A few had
- Gateway Denial-of-Service
There was also a wide variety of more obscure issues.
Basically speaking, almost all of the Security Gateways I looked at could be compromised by an attacker, and used as an entry point to break into corporate networks.
More recently, and of particular interest, I have been looking at ways of exploiting these systems via insecure backup/restore functions, using request forgery to perform arbitrary file upload. I feel this is an interesting attack vector because it usually results in a "root shell" - maybe I will do a post on that at some point to explain how the attack works.
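The two weaknesses that combine in that attack vector are a restore function that can be driven by a forged cross-site request, and an archive handler that writes wherever the archive tells it to. As an added example (my own illustration, not code from the post or from any of the products it discusses), here is what a restore endpoint looks like when it defends against both: a per-session CSRF token compared in constant time, and an audit of every archive member that rejects links, special files, absolute paths and any path that normalises outside the configuration directory. The endpoint shape, the `config/` prefix and the sample archives are all assumptions constructed for the example.

```python
"""Added example (not from the original post): defensive checks for a
Web UI backup/restore endpoint. A forged request fails the CSRF check;
an archive that tries to write outside config/ fails the member audit.
The handler signature, session layout and archive layout are assumed."""
import hmac
import io
import posixpath
import secrets
import tarfile

ALLOWED_PREFIX = "config/"  # assumption: restore may only touch config/


def issue_csrf_token(session):
    """Bind a fresh random token to the admin session (server side)."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_token_valid(session, submitted):
    """Constant-time comparison of the submitted token with the session copy.
    A cross-site request carries the victim's cookie but cannot read the
    token, so a forged restore request fails here."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def member_path_safe(name):
    """Accept only relative paths that stay under ALLOWED_PREFIX after
    normalisation; '..' components and absolute paths are rejected."""
    if not name or name.startswith(("/", "\\")):
        return False
    norm = posixpath.normpath(name)
    if ".." in norm.split("/"):
        return False
    return norm == ALLOWED_PREFIX.rstrip("/") or norm.startswith(ALLOWED_PREFIX)


def audit_restore_archive(data):
    """Return (member, reason) for every entry that must not be extracted.
    An empty list means the archive passed every check."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.issym() or m.islnk():
                problems.append((m.name, "link entries are not allowed"))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "special file"))
            elif not member_path_safe(m.name):
                problems.append((m.name, "path escapes " + ALLOWED_PREFIX))
    return problems


def handle_restore(session, form):
    """Minimal handler. form is {'csrf_token': str, 'archive': bytes}.
    Returns (http_status, message); the actual extraction step is omitted."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    try:
        problems = audit_restore_archive(form.get("archive", b""))
    except tarfile.TarError:
        return 400, "not a valid backup archive"
    if problems:
        detail = "; ".join(f"{name} ({reason})" for name, reason in problems)
        return 400, "archive rejected: " + detail
    return 200, "archive accepted for restore"


def _archive(entries):
    """Build an in-memory tar from (name, kind, payload) tuples. Constructed
    sample data for the example, not a real appliance backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
            elif kind == "dir":
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
    return buf.getvalue()


# Constructed samples: one well-formed backup, one that tries to escape.
BENIGN_BACKUP = _archive([
    ("config/", "dir", b""),
    ("config/settings.conf", "file", b"admin_timeout=900\n"),
])
HOSTILE_BACKUP = _archive([
    ("config/settings.conf", "file", b"admin_timeout=900\n"),
    ("../../outside.txt", "file", b"not a config file\n"),
    ("config/link", "symlink", "../outside"),
])

if __name__ == "__main__":
    sess = {}
    token = issue_csrf_token(sess)
    print(handle_restore(sess, {"csrf_token": "", "archive": BENIGN_BACKUP}))
    print(handle_restore(sess, {"csrf_token": token, "archive": BENIGN_BACKUP}))
    print(handle_restore(sess, {"csrf_token": token, "archive": HOSTILE_BACKUP}))
```

The order of the checks matters: the CSRF token is verified before the archive is even opened, so a forged request never reaches the parser, and the member audit runs over the whole archive before anything is written, so a single bad entry rejects the restore rather than being discovered after earlier entries have already landed on disk.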
Anyway, there are plenty more similar products out there, so I will continue looking. If you have any suggestions for products you think I should look at (especially security appliances), let me know.