
Addition by Subtraction: How Networked Devices Affect your Security

Chris Campbell

Network security can be improved by removing security appliances and other devices that introduce unnecessary risk.

Who am I?
Chris Campbell (@obscuresec)

Former Army Signal Officer

Security Researcher/Penetration Tester
Spoken at Derbycon, BlackHat, Shmoocon Firetalks,
PowerShell fan and contributor to PowerSploit

Who do I speak for?

I do not speak for anyone but myself
This research was individually conducted and should be considered free-search

Who are you?

Penetration Testers

Story Time
You never forget your first

Attack Diagram

Still Out There

ShodanHQ shows that they are exposed

What I Learned
Just because a product solves a security problem doesn't mean it is secure.
Anyone can find vulnerabilities.
These types of devices are a perfect place to hide from incident handlers.

Started Collecting

Remote Access Appliances

Cososys Endpoint Protector

McAfee Email and Web Gateway
EdgeWave Iprism Web Proxy
ForeScout Counteract
Barracuda Spam & Virus Firewall
Servgate Edgeforce M30
Celestix Scorpio RAS3000
Qualys Qualysguard Scanner
Bluelane Patchpoint

MRV LX Series Console Server

Avaya ASG Guard Secure Access

Network and Monitoring Appliances

Infoblox Trinzic Network Services
Riverbed Steelhead
ManageEngine Opmanager
Alert-on-Failure (AOF) Enterprise
Mutiny Technology Mutiny

Security and Firewall Appliances

Other Appliances

Google Search Appliance

Symantec Opscenter
InfoBlox IPAM
EMC Clariion
F5 Big-IP Appliance

Craigslist, eBay and borrowed from friends
Fully functional demos from vendors
Virtual appliance marketplace

Aren't appliances expensive?

Storage Issues

Testing a New Device

Image (backup) HDDs and RTFM
Put in lab network (isolated)

Port scan with NMAP/NSE scripts

Look for known vulnerabilities with services
Login with default credentials
Look for ways to gain root OS privileges
Identify features that could be used by an attacker

Before we move on, let's get real!

Your enterprise goes from this

To this

With 1 of these

Reasons to Attack Appliances/Devices

Powerful Linux OS
Ability to leverage Python, Lua, Ruby and Bash
Tools like Netcat, Nmap, TCPDump and others
Privileged network segment
Difficult IR environment
Admins probably don't even have root access
Best place to persist in an enterprise

What is an appliance?
Could be virtualized, but typically:

Outdated server hardware (cheap)

Open-Source Operating System (Linux)
A few security tools
Web Application to manage and audit

Why your boss buys them

blocks both known and unknown attacks with 100% accuracy.
provides complete security protection against all
protected against compromise by any potential
operates without human intervention or manual

Example 1: Network Monitoring

Examine Open Ports

SSH is open, but we don't know the root
HTTP has default passwords

Where to find the default password?

What if I change the password?

Backdoor accounts with default passwords
Many appliances limit length and complexity
Lots of tools to brute-force (e.g. Fireforce)
Custom dictionaries are effective

Now What?
Easiest vuln to find is Cmd Injection
Commonly in troubleshooting utilities
Great for persistence on RO file systems
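Added example (not from the talk or from any vendor named in it): a constructed "ping" troubleshooting handler in the shape many appliance web apps use, with the shell-string form that has the command injection bug beside a hardened argument-vector form that allow-lists the host first. The vulnerable form only builds the command string; nothing here executes user input.

```python
import ipaddress

# Constructed appliance "ping" troubleshooting handler (hypothetical, not any
# vendor's code). The vulnerable form only builds the command string; nothing
# here executes user input.

def build_ping_vulnerable(host):
    """Typical troubleshooting-page bug: the user-supplied host is spliced into
    a shell string, so ';', '|', '`' or '$( )' change what the shell runs. On an
    appliance whose web app runs as root, that is root command execution."""
    return "ping -c 1 " + host

def validate_host(host):
    """Allow-list the target before it reaches any command: an IP literal, or a
    hostname made only of ASCII letters, digits, '-' and '.', with no label that
    starts with '-' (which ping would otherwise parse as an option)."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    labels = host.split(".")
    ok = 0 < len(host) <= 253 and all(
        1 <= len(label) <= 63
        and label.isascii()
        and label.replace("-", "a").isalnum()
        and not label.startswith("-")
        and not label.endswith("-")
        for label in labels
    )
    if not ok:
        raise ValueError("invalid host: %r" % host)
    return host

def build_ping_hardened(host):
    """Argument vector for subprocess.run(..., shell=False): no shell ever
    parses the host, and the allow-list has already rejected metacharacters."""
    return ["ping", "-c", "1", validate_host(host)]

def hardened_rejects(host):
    """True if the hardened handler refuses this input outright."""
    try:
        build_ping_hardened(host)
        return False
    except ValueError:
        return True
```

Pass the list from build_ping_hardened to subprocess.run with shell=False; the vulnerable string is shown only to make the difference visible.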

But how do you get Root?

Use Curl to pull down payload and execute

Since webapp is running as root we can

Thanks Juan!

Example 2: Security Appliance

Scan and Enumerate

Vulnerable FTP service
Web interface for
SSH is enabled but no
credentials provided

Different Approach: Ask

Support Procedures
Documentation revealed that remote access
was possible for remote support
Is the password static or derived?

What does it mean?

Script calculates the sum of each digit in the 10-digit serial number
91 possible outcomes
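Added example (not from the talk or the vendor): the derivation described on this slide, a support password equal to the digit sum of the 10-digit serial number, worked through to show why it yields only 91 values and, across real serial numbers, even fewer effective bits than that. The serial values used are constructed.

```python
import math

def digit_sum(serial):
    """The derivation described on the slide: add the ten digits of the
    serial number together to get the support password."""
    if len(serial) != 10 or not serial.isdigit():
        raise ValueError("serial must be exactly 10 decimal digits")
    return sum(int(c) for c in serial)

def derived_keyspace(n_digits=10):
    """Every value the derivation can produce: 0 (all zeros) up to
    9 * n_digits (all nines). For n_digits=10 that is 91 values."""
    return range(0, 9 * n_digits + 1)

def sum_distribution(n_digits=10):
    """counts[s] = number of n-digit serials whose digits sum to s.
    Dynamic programming over digit positions; the total is 10**n_digits.
    The counts cluster around the middle, so most devices share a few values."""
    counts = [1]
    for _ in range(n_digits):
        nxt = [0] * (len(counts) + 9)
        for s, c in enumerate(counts):
            for d in range(10):
                nxt[s + d] += c
        counts = nxt
    return counts

def entropy_bits(n_digits=10):
    """Shannon entropy of the derived password over uniformly random serials.
    The raw keyspace is log2(91) = 6.5 bits; the skewed distribution is lower."""
    counts = sum_distribution(n_digits)
    total = sum(counts)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)

def random_password_bits(length, alphabet_size):
    """Comparison point: a uniformly random password of the same role."""
    return length * math.log2(alphabet_size)
```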

SSH in and sudo to root!

Example 3: The Other Security

Isolate and Scan

Remote Access?


Monitor the Device

Where are my passwords going?

Free Features!

I'm sure my passwords are safe.

What to do from here?

Privileged Network Location

Server segment or VLAN could be trusted
Attack enterprise with PTH-Suite

Attacks against Administrators

Full access to servers is way worse than a normal XSS

Think malicious iframes or Java applets on every page

Admins aren't browsing with elevated privileges, are they?

Keylog /capture credentials

Domain Authentication
Password reuse to other networked devices

What is better than a XSS vuln?

XSS Features!


Don't immediately trust the vendor

Especially those that claim to stop unknown attacks with 100%

Look at their security track record on security sites

Securityfocus, exploit-db and osvdb are a good start

No vulnerabilities disclosed != good sign

Assess your current appliances and evaluate demos of all networked devices before purchasing

Ask to see previous security test results from the vendor

Use a systematic approach but think like an attacker
Look for vulnerabilities like those documented by OWASP
Document potential vulnerabilities and share your findings
Think about how you will sanitize and dispose of the device

Recommendations (2)

Segment them from your enterprise

Many organizations drown in data from continuous monitoring

Eliminating unfamiliar and untested architectures could improve your overall posture: if you don't need them, get rid of them

Train yourself and your team

Do internal training (e.g. brown-bag lunches)

Attend and participate in security conferences like Blackhat and
Read security blogs

Demand control

Ask if the vendor gives you root control before purchasing

Ask how the appliance stores passwords
If they don't, don't buy it
Until we make real security a financial priority, vendors won't fix

What did you do with that hardware?


Thanks to Matt, Josh, Juan, Carlos, Skip & the whole BsidesPR crew!