Enemy At The Gates: Finding 0-days in Virtual Appliances

Chris Hernandez (piffd0s) @Defcon831

Enemy at the gates: vulnerability research in embedded appliances


$whoami

• Penetration Tester for Veris Group

• Vulnerability hunter in spare time

• Addicted to learning all things security related

• certs="OSCE, OSCP, CEH, Sec+, MCSE, etc"

• echo $certs > /dev/null

• Infosec dwarf standing on the shoulders of giants

Background

• Vulnerable VMs are fun & a great way to learn

• Metasploitable / Mutillidae only takes you so far

• OSCP / OSCE labs are great

• Lab services and training cost $$$

• Tutorials are great (Corelan)

• No tutorial to follow on a pentest

• Still a consumer of other peoples work / time / effort

• CTFs can have a steep barrier to entry / short timeframe

EIP: What comes next?

• Lots of virtual appliances out there

• Some secure, some not so much

• No guarantee you will find something

• Might make you feel l33t if you do

• Might make you feel like a n00b if you don't

Why a virtual appliance?

• Test a method for finding vulns

• Potentially low hanging fruit

• Typically Linux box managed through a web interface

• Misses regular patch cycles / forgotten?

• Easy to download .ovf template or .vhd file

• Actually used in the enterprise

• Low barrier to entry

Download VM

Find 0-day

Become Infosec Rockstar

$methods

• VM has web interface: use automated & manual testing (Burp). Run automated tests, then dive in and manually test parameters

• Test for os / privesc issues http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

• Look for files to read / write / modify, can you sudo run anything, any files running with additional privileges?

• Trial and error (lots)

• Research previously disclosed vulnerabilities (don’t duplicate work)

• Or use an advisory to build a working exploit

Examples:

Cryoserver 7.3.x (current version)

“Secure” email archiving solution. Comes in appliance, software, cloud and service provider form.

Blurb from Cryoserver: “The Cryoserver™ email archiving solution allows organisations to collect, store and save every email and instant message in a secure, tamper-evident repository. Users can sift through catalogued data quickly and easily – where email and attachments can be found in split seconds. Safely stored and never edited, the Cryoserver archive allows forensic eDiscovery of an organisation’s entire email history. The stored data is readily available for any need in a Legal Procedure, Dispute Resolutions, HR investigations, Subject Access Requests, Freedom of Information requests, Regulatory Compliance or Data Protection.”

Potential Issues with Cryoserver

• Comes packaged with default “support” service account.

• Password documented in admin guide.

• Support account only used to set up IP on device, all administration through web interface (forgotten about)

• SSH on by default

• Customer not prompted to ever change service account password

• Service account is essentially a Linux user account (very few permissions)

• Compromise could lead to invalidated forensic data?

• Steal all t3h emailz! Read all t3h passw0rdz!

Cryoserver Privesc-Exploit:

Starting with the limited “support” user account: it has the ability to sudo exec /bin/cryo-mgmt.

Bash script to execute management functions

Cryoserver Exploit:

No permissions to modify cryo-mgmt. Not to worry… other scripts are called by cryo-mgmt.

No permissions to those either.

But! /etc/init.d/cryoserver is called by cryo-mgmt (option 2)

Cryoserver Exploit:

/etc/init.d/cryoserver

Let's add our attack (reset root password to known password)

EXECUTE CRYO-MGMT. + OPT 2

ROOT!

DEMO
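As an added example (not code from the talk), here is an audit check for the misconfiguration the Cryoserver slides describe: a sudo-permitted management script whose child scripts an unprivileged account can modify, so that a write to a child script becomes a root-equivalent write. The file layout, the helper script and the uid/gid used for the “support” account are constructed for the demo; the real cryo-mgmt internals are not reproduced.

```python
import os, re, shutil, stat, tempfile

# Absolute paths mentioned in a script (constructed regex, good enough for init-style shell scripts).
ABS_PATH = re.compile(r"(?<![\w./-])/(?:[\w.+-]+/)*[\w.+-]+")

def is_writable_by(st, uid, groups):
    """Evaluate mode bits for a given unprivileged identity, independent of who runs this audit."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def _is_script(path):
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"

def writable_dependencies(script_path, uid, groups, seen=None):
    """Files a sudo-permitted script references (following nested scripts) that uid/groups can modify."""
    seen = set() if seen is None else seen
    findings = []
    if script_path in seen or not os.path.isfile(script_path) or not _is_script(script_path):
        return findings
    seen.add(script_path)
    with open(script_path, errors="replace") as fh:
        text = fh.read()
    for path in ABS_PATH.findall(text):
        if not os.path.isfile(path):
            continue
        if is_writable_by(os.stat(path), uid, groups):
            findings.append(path)   # a write here is a root-equivalent write via the sudo rule
        findings.extend(writable_dependencies(path, uid, groups, seen))
    return findings

def demo():
    """Constructed layout mirroring the talk: the sudo target calls a world-writable init script."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin")); os.makedirs(os.path.join(root, "etc", "init.d"))
    mgmt = os.path.join(root, "bin", "cryo-mgmt")                    # what sudoers permits
    helper = os.path.join(root, "bin", "cryo-helper")                # hypothetical helper, mode 755
    init_script = os.path.join(root, "etc", "init.d", "cryoserver")  # mode 777: the finding
    files = {mgmt: f'#!/bin/bash\ncase "$1" in\n 1) {helper} status ;;\n 2) {init_script} restart ;;\nesac\n',
             helper: "#!/bin/bash\necho ok\n", init_script: "#!/bin/bash\n/bin/true\n"}
    for path, body in files.items():
        with open(path, "w") as fh:
            fh.write(body)
    os.chmod(mgmt, 0o755); os.chmod(helper, 0o755); os.chmod(init_script, 0o777)
    found = writable_dependencies(mgmt, uid=10001, groups={10001})  # constructed "support" identity
    shutil.rmtree(root)
    return [os.path.relpath(p, root) for p in found]
```

Run `demo()` and it reports only etc/init.d/cryoserver, the one script in the chain that the unprivileged identity could rewrite; on a real appliance, run `writable_dependencies` against each sudoers target with the service account's uid and groups.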

Examples:

Piler 0.1.24 (current vm version)

“advanced open source email archiver”

“Piler helps you to provide relevant information in a timely manner in case of legal discovery, audit or other events.”

Issues with piler:

lack of input sanitation on most form fields leading to XSS…

Evil kitteh is reading ur emailz

Piler privesc-exploit

• piler user can execute searches & update account

• search & account fields do limited input sanitation

• admin can audit user behavior, resulting in script execution

Piler privesc-exploit

execute malicious search

or malicious settings update

Admin executes audit…

To steal session…

1. Attacker injects malicious XSS into “theme” param

2. Attacker receives “callback” with cookies

3. Attacker browses to referrer site + modifies cookie: becomes admin

DEMO

QUESTIONS?