
All right. Good afternoon. I am Chris Campbell. This is Bides Las with your own gun: how appliances are used against you. This is my first presentation. Skip Duckwall is presenting with me; we're both consultants. I do not speak for anyone but myself. I do not speak for my company, and all of this research was done at home, not during work.

So why am I giving this talk? People will probably argue with that first point, but what we're seeing, and I've been a pentester for about four years, is that enterprises are starting to get better. We're seeing a lot more system administrators coming out to conferences like this, and then we hear a lot of conversations between them and managers basically measuring their security
department based on what appliances they actually own. So we're going to talk about how those appliances can actually be the reason that the bad guys get in.

What this talk is not: I've been to a lot of conferences but never talked before, and one of my pet peeves is when someone gets up and just craps on vendors. I don't intend to do that. I probably won't bring up a vendor unless I have to. Mostly the talk is going to be generalized. Any of the stuff that I found or did, I'm pretty sure most of the people here have done. So I'm just going to try to point you in the right direction and see if you can go back
to wherever you work and find some of the same vulnerabilities. So that's what we're going to talk about. It's going to be very brief on what the actual things you can do to secure your network against the vulnerabilities of these appliances are, mostly because you put your money up front. Once you buy it, it's yours. There's not much you can do with it. We didn't actually test any of the appliances for what they're supposed to do. So if it's a proxy, I didn't test to see if it actually proxies. I just looked at vulnerabilities in the appliance itself.

I've used the word appliance probably 50 times already, but we're not talking about killer toasters. We're talking about
network appliances, stuff that's actually sitting on your network doing some sort of task. Normally rack mounted, but a lot of companies are selling them as virtual machines. So they generally have one purpose: either a firewall, some sort of IDS, a security appliance, a network monitoring appliance, or policy. Some of the appliances may seem obscure when I bring up the list, so I just wanted to point out that there are a lot of organizations using these appliances. These are from the vendors' websites, the actual organizations that use them, and I just picked ones from different areas. So you've got schools, government, and big corporations. So what are the vendors
claiming? I'll leave this up for a minute so you can read it. I had maybe 20 or 30 great examples of the kind of stuff these vendors are claiming. But anytime you say that your product blocks both known and unknown attacks with 100% accuracy, you're probably destined for failure, not to mention when your product also has its own vulnerabilities. So it may do that; again, we didn't test what it actually does. It may protect other things, but it doesn't protect itself. The bottom one is probably the biggest problem: the marketing behind these products says that it's plug in and forget. Power the thing on, it's ready to go, and it doesn't require
any kind of manual intervention. So when you take people out of the equation, sometimes it's good, but sometimes it's really bad.

So these are the types of appliances. The one under remote access, the MRB, kind of started this all. When I got started, one particular customer had that type of appliance deployed at every location. We figured out that there was a backdoor account in it. So we were constantly getting into this one Linux-based appliance, but we didn't know what we could do with it. So I bought one on eBay a couple years ago and I spent a lot of time building a kit against that specific thing so that we can use it in
future assessments. The rest of them have pretty much come after that. The Google Search Appliance is the thing that started me buying a lot of them on eBay. A couple months ago, Rob Fuller gave a talk that was based on a tool that he put out over the top of a Google Search Appliance. So I kind of had... he had a Google Search Appliance, so I wanted one. So I bought one and then I bought a lot more stuff. All right. So I guess this talk could be titled how to spend a couple thousand dollars. But where did the appliances actually come from? A variety of different places. Most of
them came from eBay, but I did find some interesting stuff on Craigslist every once in a while. I live in the metro DC area, so the stuff that I bought on Craigslist was the most interesting. We'll talk about that in a minute. Another cool thing is you get fully functional demos from the actual company. So if you wanted to go to McAfee, you could download their email and web security virtual appliance, the entire VM, and have a fully functioning virtual machine to look at before you actually purchase it. And if you've never seen the virtual appliance marketplace, if you're a pentester, it's great practice. You can go out there and just download
all these virtual machines, just fire them up and go to town. So how expensive are the appliances? They're really not that bad. I tried to stick to under $150. Occasionally I had to go above it. The MRB is the bottom one. See, buy it now for $79. If you've not seen the best offer feature on eBay, it's awesome. So I lowballed on a ton of stuff, just $50 or $100 less than asking, and occasionally they sold it to me. I told them what I was doing: "Hey, I'm doing research. I'm going to look for vulnerabilities in this product." And most of the time they just said, "I don't care," and sold it to me. All right, that picture doesn't come
out real well on the screen, but it started pretty easy. I have a little rack that was pretty much empty when I started, and then that got full. And I don't live alone, so someone got very upset with me when appliances started getting stacked all over the house. So I started hiding them underneath the couch when she told me I couldn't buy any more.

All right. So how did I test them? I started by actually imaging the hard drives, because most of them came configured already and I wanted a backup in case I broke any. I also read the documentation. A lot of times I read the documentation before I bought it. When you read the manual, you'll be
surprised at the number of vulnerabilities, or potential vulnerabilities, that you can pick out just by reading the manual. In some cases I had to restore them back to factory settings because they were overly configured. And then I placed them on just a standalone network, and I went through a pretty standard pentest. Nothing fancy. I used a lot of Nmap and NSE scripts, I used Metasploit, and I would log in with default credentials and look for ways to actually get at the host OS. I wanted root on the host OS remotely.

So kind of up front, why do these vulnerabilities that we're going to talk about exist? Command
injection, for the most part. I found lots of command injection vulnerabilities on many of the appliances, but when I reported them to the vendors, they said it's lateral privilege: you had to log in through the web interface as admin, so you should be able to do admin-type functions, in their opinion. So they dismissed it as not a vulnerability, and I'll show you one of those examples. Other vendors just classify them as features, and I'll show you a demo of one of those features. But the bottom line is, if a hacker gains access to the admin interface of an appliance, they're pretty much going to be able to get to the underlying
OS. So the big stumbling block when I was pitching this talk to some people was, well, how do you get the password? And I guess when you do this for long enough, you just don't even acknowledge things like that. You can get the passwords pretty easily. At the bottom is one specific one; I'll actually show you in the demo the problem with that appliance, but they limit the length and complexity of the password to the point where it's almost impossible to pick a password that isn't in every dictionary out there. Default passwords and backdoor accounts are actually very common as well. And then building a custom dictionary just for appliances has been
effective for the last couple years.

All right, so what did I actually find? The gray market stuff: you guys all know used IT equipment is going to have stuff on it whether they try to wipe it or not. And in no case, for any of the appliances that I bought on eBay, did anyone make any effort to wipe any of the data off of them. So I found passwords, enterprise passwords, admin passwords, infrastructure, basically their internal IP schemes. On some of the proxies, you could see where HR requested a report of a certain employee's browsing habits, and all of that stuff is still on there. And surprisingly, even the demos that are
available on the vendors' websites, even they had things that probably shouldn't be on a brand new fresh appliance. So on the left is just proxy logs. These are just some examples. Basically, it's a financial institution of some sort that deals with mortgages, so they're requesting access to different mortgage calculators. And on the right, some scan results. So you've got Solaris 8, 9. Probably not good. All right. So, more scan results. And from what I could tell, on your left there, you can see DCOM at the bottom. So they've got boxes that had the DCOM vulnerability on their internal network, and this appliance was pulled out of production and sold on
eBay. It seems like it was maybe off of their network three months. So if they haven't patched since 2003, they probably haven't patched that. On the right, you can see that they're pushing almost 1500 vulnerabilities per site, that same organization. And the top is some logs, just internal IPs.

The passwords: how I was able to extract the passwords, besides getting into the database on the back end of a lot of the appliances, is something we see a lot. They don't store the passwords very securely. So when you put in your enterprise password for it to interact through LDAP, all it takes is to right-click and view the source of the page with the
little dots, and at the top up there you'll see that line that's their actual domain slash the username, and underneath is their actual password. And this came from an appliance that was probably in production not too long ago.

All right. So here's an example of what was on a virtual machine. This is a clean appliance that I downloaded, and it shows kind of how the vendor thinks, how they set the root password. A lot of them set a static root password and give it to you, which is fine, so you can change it. In this case, they don't give you the password. They use this activation script. So you download it and activate the product. It
pulls out your serial number and then adds them. If everyone could see, you know, it's setting the root password. What that actually means is they're taking the 10 digits in the serial number and adding them all together. So that gives you 91 possible combinations: zero through 90. And it's pretty easy to generate all of those passwords. So not having the root password in this case did not matter, even though I specifically asked the vendor, "Can I have it?" and they said no. But they're struggling to fix that, so I won't say who it is.

All right. So why would a company put their appliance out on
eBay without wiping it? Well, can everyone tell what that is? It's a rivet. It's not a screw. So they've actually riveted the case so that you can't take the hard drive out. So in this case, what I can tell from the story (and this is one of the Craigslist ones), he was an IT guy. Google gives you a new appliance when your service runs out, so they just said, "Yeah, take it home." He was like, "I'll wipe it and put it on eBay." Well, once he saw it was riveted, he was like, "Well, I'm not going to drill into it." So he put it on Craigslist. I actually talked to him a little bit about why he
didn't, after I had it in my hands. "Why didn't you take the hard drive out?" And he told me he didn't want to drill into it. And then he told me, "Well, I tried to boot into an alternate OS," which is pretty smart, but it's got a BIOS password on it. So what the vendor is basically saying is, we don't want you to remove the data, or we value our product, our code, more than your data.

So what if I couldn't get in? I would disassemble the appliances and image the hard drives. Like I said, that's one of the first steps. You could actually take the virtual machine hard drives and mount them pretty
simply. I dumped all the hashes and cracked them. I think I only cracked about 40% of the default ones that weren't provided. And then I looked through all the source code. And there was one particular vendor, I'm not going to say who it is, but props to the vendor that's actually encrypting their virtual hard drives in a way that is not easy. So about those rivets: a drill made pretty short work of them so that we could get inside.

But how would an attacker get in? Because obviously they're not going to walk in with a drill, walk into your server room, yank out your appliance. Or maybe they will. I don't think that
that's realistic. They're more than likely going to get in through the web interface, because that's what's going to be listening. There's a difference between web interfaces, I guess, and admin interfaces. A lot of them are listening on multiple HTTP ports, and they're more than likely going to try default passwords. If you're a pentester, you know default passwords will get you into something in nearly every enterprise. So we'll talk about some things you can find and move from that point. Backdoor accounts: in one of the demos, I'll show you what that looks like. And log aggregation on a lot of these things is broken, so they don't really
feed into your enterprise well. So brute force against an appliance is not going to show up in your Windows logs. A lot of times it's just sitting off to the side and it can be hit. There are other problems. They might ship with their own vulnerable services, like FTP. The technical support procedures might allow for password resets. Exposed database ports are bad, especially when they don't give you what the SA or admin password on the back end is. And then I don't know how many people know about this, but with the DRAC and the HP iLO, there's a lot of really interesting things you can do with the default passwords if those are left on, and stuff
like the Google Search Appliance, the big yellow one, ships with a DRAC card in it because it's a Dell 1950. All right. So how do you get default passwords? There are tons of websites. You can go to the vendor's website and pull down the actual manual, or you can just click something like, in this case, "first-time user" and it'll tell you, and a lot of them do that.

All right, so baked-in vulnerabilities. On the left you'll see a Metasploit module going against a vulnerable FTP service that came with this appliance. It did come with that vulnerable service, but it also came with this really sweet physical security feature. I guess you can fight off
ninjas with the device. So the support procedures: almost all the appliances had SSH open. A lot of them had extra SSH ports. So you would hit it on the standard SSH port and it would be standard SSH. You'd hit it on another port and it would have other accounts, in this case admin/admin, which gave you this Cisco-like menu, which on the back end was just a Perl script emulating that kind of menu. But the Perl script was running as root, and one of the things the Perl script could do in this case was actually set the password of the root account on the
appliance itself. So even though this vendor did not provide the root password, you could reset it going through this other interface. So if you get a new appliance, you're going to want to scan it on all ports, because some of them are listening on really crazy ports. I don't think it's a good idea to have an appliance running on Microsoft Windows, but a lot of companies I guess do. So a couple of them actually were running on Windows. So instead of SSH they would have RDP open and be listening on 445. So you could pass the hash, or in this case you'll see that the company (this is a used one),
the company actually set a decent administrator password, because it's not stored in LM. It's only stored in NT, so it's 15 characters or more. But the support account, which is also an administrator, is stored in LM because it's so short. So you could easily crack the LM hashes with rainbow tables and then just RDP into the appliance itself.

All right. So here's another Windows one. I'm actually on the box in the screenshot, but you could do it remotely as well. MSSQL on 1433 was listening, so you could just connect, and then xp_cmdshell was enabled, so you could run system commands through the database port. When they set the
password to a really easy dictionary word, the user-defined functions within MySQL can be handy, and you can take root access through those database ports as well.

All right, so the DRAC, the Dell remote access console, again ships with a couple appliances, one in particular the Google Search Appliance. If you go to Media and down to CD/DVD, you can actually mount a virtual ISO. So you can mount and boot to it; you can pass the console through the web interface. You can boot (I wouldn't recommend BackTrack, but you could boot any small Linux distro) and get physical access to the underlying OS, the hard drive, pull the hashes down, pull whatever data off it, and then
reboot it. Obviously, it's going to be loud and it's going to take the appliance down, but it's more than likely not being monitored anyway. So we've had success with this particular attack. The default username and password is root/calvin on those.

Okay, so HD was just talking about this. The F5 appliance was one that I looked at. This was a public disclosure by someone else, and there's a Metasploit module available for it. But I'll show you how easy it would have been to discover this particular vulnerability, and I'll let you know, hopefully in the next few weeks disclosure will come out on another couple products that have done the same thing. So the main problem with this
is the appliance ships with the private key available. So you can actually buy one; there was one for $9.99 buy it now, and pull that off, or you can do what we did, which was just download it. To this day you can download it from F5 right now and it still has the private key on there, and then you can SSH in as root. Did anybody go to HD's talk? How many F5 appliances were on the internet? 2.1 million. All
right. So we're going to use GRUB and set the init to /bin/sh so that we can boot into single-user mode. And then we're going to search around and just look for this particular private key, because they didn't put it where private keys would typically be. They're not in the root directory or sitting in .ssh or anywhere like that. We're going to start by going to .ssh and looking at the authorized_keys, because that's how we know that that private key is allowed to log in. So now we know enough about that. So Skip's logic was, well, hey, we can figure out what directory that key sits in, and it's probably
sitting in the same directory. So to easily find it, just use
find and give it a second. There we go. id_rsa.pub is probably sitting with the private key. So, does anyone have any questions so far? Nope. All right. So there's the key that matches. So now we'll do an ls on that directory.
All right. Now let's see what we can do with the key. So how would this actually work? So we have the key because it's been disclosed. So you're doing a pentest. You're typically going to do an Nmap scan to go ahead and look. In this case, I know what IP it's sitting on, so just scan it. There it is. It says BIG-IP in the
title. Got a little fancy with this demo. All right, so we have the SSH key. And again, like I said, there's a Metasploit module that automates this, but it really is as simple as copying the actual key to a directory on the box. There's the key that we found. So I'm just going to move the key to the temp directory. And then we need to set the permissions on the key, because SSH will freak out if you don't. And then we're going to SSH using the key into the F5 appliance, or any one of the 2.1 million sitting on the internet listening.
Yep. So it really is that easy. So just to prove that we're root, we'll cat something like /etc/shadow. Yeah. So basically, going back to the root password that's predictable, that basically works the same way. You could just try each one of those going across the internet, and you could find... I don't know how widely deployed that particular appliance is, but the vendor is very upset about that.

All right, so we already talked about who exposes this stuff. You can get on ShodanHQ. I think HD was demoing another product that does the same thing, and you can find these exact appliances all over the internet. So do you think the
organizations even know? Does anyone in here have appliances sitting on the internet? I mean, a lot of times until a pentester or someone actually gets in, they don't even know that it's sitting there. One of those is one that comes with a backdoor account you can't get rid of. So I'm pretty confident that if I were a bad guy, I could log in.

So let's talk about features. And this is what gets a lot of people. Even if we can't get root on the underlying OS, these appliances come with really cool things that we can actually use against the organization. We saw port scan results before. So we can scan, we can do anything an attacker would want to
do. We can do packet captures and pull down the actual authentication. They come with shell utilities. So through the GUI, through the web interface, you click a button and it pops up Java and then you have root on the actual underlying OS. So my question is, are these features even necessary? If you get something that has features that you don't want, like if you've got something that has nothing to do with scanning, why would it have a network scanner built in? In this case, you can capture pcaps and pull them down and analyze them. So in multiple cases, we were able to gain credentials just by running this and pulling down
the pcaps and pulling out what was inside. Here on this appliance, you can just enable SSH and log in. So that brings up another point. What's it using on the back end to actually do those port scans? Of course, it's using Nmap. So when you get to the underlying OS, Nmap's going to be there, and so is tcpdump, and so is netcat. So is anything else that you would actually want to attack their box. So basically, by purchasing these appliances and putting them out there, they're giving you a pentest workstation to work from, especially if they're a Windows organization. You can get onto a Linux box through these appliances and do any of the stuff that
you would want to do, including set up an outbound SSH tunnel. So how would an attacker actually get root from the web interface? We talked about the command execution features. I'm going to demo one in a moment. Other command injection vulnerabilities, which I think are on the next slide. We've already talked about the SSH and Telnet. SQL injection: a lot of them did not have obvious SQL injection. A lot of them were hiding behind this. Does anyone know what that probably is? If you just look at it, it came up instantly. I put a single tick in and bam, that popped up. It's client-side. So for the most part
they're faking the funk with client-side filtering. Pretty easy to pop Burp open and get around that stuff. So if you go on Exploit-DB, you'll find thousands or hundreds of vulnerabilities against these appliances. I think the biggest problem, the reason that there aren't more of them, is because there are so few. Some of these vendors are only selling a hundred or 200 of these custom-built appliances, so people like us aren't getting their hands on them. So that's kind of what I wanted to point out. The big-name people are getting hit. So Barracuda and Symantec and McAfee, they get hit because they're commonly deployed. The other ones aren't. So they're full of
vulnerabilities. So if you're dealing with a small vendor, you're definitely going to want to take a look at this. Most of the command injection that I found stemmed from setting the IP address on the appliance. It seemed like all of them are struggling with how to do this, because ifconfig typically requires root privilege. So they allow this, even though in some other places they don't; they allow this to run as root. So you're not going to get anything returned back here. So a good way to find out if this is working is to ping yourself. So just adding a semicolon and ping in the middle of that built ifconfig, I was able
to confirm that command injection was possible. You could do something silly like add a user just so you can SSH in, say you have the root password. Better yet, you could use wget to pull down a payload and execute it as root.

All right. So let's see what that looks like in one of my favorite appliances slash applications. All right. There's going to be a lot of stuff. I'm going to pause this. I'm a PowerShell freak and I contribute to Matt Graeber's PowerSploit project. So I use a lot of PowerShell in here. So I'm going to explain it pretty quickly. It's kind of confusing, but hopefully I'll do a decent job. So we're scanning (this
is sped up, obviously, by the blinking). We're scanning 1010 323, which will take a few seconds. And then we're going to discover that it has a web interface. So there it is. So we're going to go to the web interface, and it's the one from the slides before. It says the username is admin/admin. So let's try that. And in this case, they've actually changed it, which is pretty common, but that's good. All right. So we're going to see what's different on an invalid username. And I'm going to use a Firefox plugin called Fireforce, which is a really cool and easy way to do brute force attacks against a web interface. So we're
going to type in the invalid username and password so it knows what's invalid. And then you're going to see me... because I set that admin password to something I did not think was in there, and this is sped up, and I couldn't even come up with a password that wasn't in my own dictionary. So that's a fail on my behalf. But you can't set anything but numbers and letters, and up to eight characters, on this particular one. So it also came with these really fun baked-in back door accounts. So when you update it, it added three admin accounts to your appliance, or server if you're running this on a Windows box. So I actually spent hours the first
time I got into one of these on a pentest going through each and every one of these things to figure out what I could use to exploit it. In the notification profiles, you could run a program or, more interestingly, you can run a system command, which is a lot easier. In this case, I'm trying to demo a little bit of the PowerShell stuff. So we're going to do a simple program run as admin, not SYSTEM, and then show you how to get to SYSTEM on a 64-bit Windows box, which Matt and I have had a lot of questions about from pentesters who are trying to use it. So this is Matt's Inject-Shellcode, which is just
a PowerShell script. It's actually just a function. So if you go to the actual site and you download it, it's just a function. So you have to call the function. So what we're going to do, since this is a 64-bit box, and this payload doesn't work against 64-bit processes (it can't inject into them), we're going to start our own x86 process. We're going to start notepad hidden. And then we're just going to get that process ID and pass it as a parameter to Inject-Shellcode. And the stub is already built in for reverse HTTPS. You don't have to go deal with shellcode or any of that stuff if you just want to use that. So it's an
awesome, easy way to bypass AV and application whitelisting. All right. So Get Encoded Command is a script that I wrote that I will release soon. It's based on Dave Kennedy's create command that he released at DEF CON a couple years ago. And I just added the call x86 parameter so that it'll call the x86 version of PowerShell instead of the 64-bit one. It encodes the entire command because we're trying to get around the execution policy. By default, PowerShell will not let you run PS1 files. So just in case they haven't relaxed that, we're going to encode the entire command and pass it at the command line. And you'll see that it actually works. So
we're just going to take that entire encoded command, drop it in as an argument just because this is easier, and then we're going to define the full path to the actual PowerShell that's sitting in SysWOW64, which is the x86 version of it. So I overcomplicated this demo because I knew I was going to record it. You can't really make it out, but that's where the actual PowerShell executable is sitting. So we're going to paste that there. And then we're going to change the profile name, because it won't run without a profile name. And then instead of saving, because that would actually write to something, we're just going to hit test. So that's going to take a minute
for it to pull down the stub, and eventually it'll come back and say that the command completed successfully, or freeze. But on the other end, we have our handler set up and we've opened a session. Obviously, I practiced a couple times. So we're going to interact with the session. It appears to be cut off a little bit, but we're going to getsystem, which is simple. And then a trick if you're a pentester: migrate. If you're in an x86 process on a 64-bit machine, migrate into a SYSTEM-owned 64-bit process so that you get around all the token controls that are in Server 2008. So we'll migrate into one of
those. I think I've migrated into conhost. And then we'll be able to do hashdump and all the other things. So we've got complete control of this box through the interface, thanks to a backdoor account that they added with an update. So if you configure the appliance and just allow the automatic updates, they pretty much helped you out there. All right. So we can go to a shell. You saw we were able to do hashdump. Go ahead and crack my password.

So hopefully this is apparent, but why should you care? All the stuff on your appliance, obviously anything that's on there, all the data, can be had. It's sitting in a database. So by actually getting on the appliance, you can get into it and get that data. The other interesting thing is, if you're a pretty secure organization and you're actually monitoring outbound connections and you're on it, this can be a place that you're not really looking, because a lot of these appliances are set up to call out to the vendors, and unless you have those IP addresses, it just looks like standard updating. So if they're able to get on the appliance, or say they've bought
the appliance on eBay and became familiar with how the appliance actually talks, you can basically walk that dog. We've been able to sit on appliances in pretty secure organizations uh because they thought it was just standard update traffic. Um and who would monitor something that's protecting all of everything all the time anyway? Right. Another thing is sometimes it's sitting in a privileged network location. So it's sitting in some sort of admin VLAN or it's multihomed and those that TCP dump interface that it has is able to grab other traffic. Um, and then you can turn it around. So if you're a pentester and you want a fun way to show this vulnerability, default passwords are bad. Uh, turn around and
start attacking the actual admins that are logging into to the appliance. So you can move from that into the enterprise pretty easily. So malicious iframes is a fun one. Uh, and I'll show you what that looks like. And uh, you can grab domain authentication through those uh, packet captures. All right. So this is a proxy but a lot of time it comes down to the branding whatever the branding feature is. See if you can call external uh HTML. If you can call an external image tag with the branding feature you can basically hook everybody that goes to every page. So in this case the top one is the authentication page. So you've got full control of the HTML
through the web interface. You can drop an iframe there and hook the admin as soon as they go to log in hook their browser. Uh, typically we use beef for that. Or more fun, the access denied. Every time someone goes to a bad website, you hook their browser. Uh, I had a uh admin very recently get really really upset. He was a really smart guy on it. um got onto a box and we were a able to actually man-in-the-middle from the appliance, but he we got all of his credentials because the certificates on these things either expire or they're not trusted. They're generally self-signed. So, he couldn't tell the difference when he was logging into the
appliance from we were man-ming from a different appliance. We were getting all of his credentials. So, this this actually is a uh a bad thing as well. And this is something Skip pushed me to put in here. Uh, this doesn't directly apply to the appliances themselves, but sometimes they're managed through a client application. So, the admin will install it on a Windows box. And one example, uh, I was talking to one of their engineers this morning actually, and uh, I brought this up and he it didn't seem to click. The the vendor by default it installs to the temp directory but with bad permissions. So it allows any user on the machine to overwrite it and the service
itself actually installs with bad permissions. So any user can stop it, overwrite it and start it again and then have system privileges. So that's definitely a uh a big vulnerability that that product brings. So now some uh defensive ideas because it really I can't come up with a simple solution. Don't immediately trust the vendor especially if it's a small vendor uh and especially if it claims to stop unknown attacks with 100% accuracy. Prove them wrong. Ask for a demo. Look at the product yourself. Look at the uh the track record. Go out to exploit DB. See what they see what their developers what mistakes they've made in the past. So you can look at a specific company and
see that they have a lot of say XSS vulnerabilities. Look for S XSS vulnerabilities in whatever product they're pitching to you. And if they have nothing disclosed, that's not a good sign. It might might not be a bad sign either, but you should definitely not take that as they're good to go because most of the vendors, most of the appliances that I looked at uh did not have vulnerabilities publicly disclosed. Uh you can ask to see previous security tests so you know where to start, but I wouldn't trust them. And uh use a systematic approach like do a standard pin test. Honestly, it's good practice just to download the VMs and just take a look at it and then
uh most of the vulnerabilities that I've disclosed in this process uh were OAS top 10 type stuff. So, if you just look at that uh you're probably going down a good track and as soon as you find one, tell the vendor and have them fix it. Yeah. And also think about how you're going to sanitize. So ask them, are are you going to steal trap this appliance when you send it to me? How am I going to pull my data off? Ask them if they have any way to easily do that because it might devalue the product if you have to pull the hard drive out. So you'll see appliances on eBay that are used and selling for a couple thousand
dollars, but they have the hard drives in because the company took the time to be able to sanitize. And then segment them from your network so they can't be used against you. train uh train your team in web pen testing techniques uh these vulnerabilities passwords uh how to look on the network uh for these vulnerabilities and absolutely demand control. If they're not going to give you root the root password, you have no idea what that password is or how they're controlling it or how they're using it because you can't even review the logs on the the appliance itself. So, if you're sticking it on the internet, how do you know that your Google search appliance that Google is
not sshing into it on the inside of your network? You don't. So, if they don't fix this stuff, don't buy their products. And that's an easy way for all the vendors to get better. So, here's the support request that I sent in to one vendor asking, "Hey, can I please have the root password?" and they said unfortunately we cannot disclose these credentials due to our policy to protect our product so they could care less about my data they want to protect their product but that really didn't matter and multiple uh for multiple reasons I already had root before I sent them that email all right so thanks to uh all the people that allowed me to to give this
presentation thanks Meredith for letting Skip mentor me And uh you can join Skip and I at uh Black Hat tomorrow giving a talk on past the hash. Are there any questions? Did you ever like
In one case I did, and actually in that case I found the vulnerabilities thanks to the firmware, because it's a lot easier to look at the firmware itself and find vulnerabilities than the appliance. But in that case, I had to socially engineer them into thinking I had a service agreement, because a lot of companies hide behind a service agreement. You can't get updates. You can't get access to downloads. So using a previous position that I had, I used that email address and I was able to get that firmware, but only in that one instance. Yep. responses.

A lot of them, for the most part, over 50%, have responded that it's a feature, that it's not even a vulnerability, because you had to log in. So they blame us for setting a bad password, even though you can't set a sufficiently secure password on the appliance itself. So then I come back and ask them to change their password policies to allow that. And a lot of times they come back and say the reason that they don't allow more secure passwords is because that introduces a security vulnerability. But we know what they're talking about. They don't want to filter input. So they don't know how to figure out what to do with a tick or a semicolon. So they just say no, you can't use any special characters. But some of them were very difficult, and those that were difficult I just went through US-CERT, and hopefully those advisories will come out at some point in the next few weeks, because it seems like a lot of them are not going to patch the products, because they kind of treat them as end of life immediately after they release. So they've built the appliance, they release it, they're not going to do any updates. It is what it is; you have it. So in that case they can just say it's end of life, and so dealing with US-CERT is fun, because they will just say, okay, it's end of life, it's open, it's out there. And then at that point I'll do some blog posts on obscuresec.com, and follow me on Twitter; I have like eight followers. Any other questions?
Like as in stores that have appliances sitting out there? Yeah, that's probably an interesting attack vector. If you could just go into Best Buy and they're selling some type of home appliance in the back, and you can backdoor it, or buy it and return it and just wait for someone else to actually buy it. I'm sure they don't restore those back to defaults. That is an interesting attack. Hopefully you're dealing directly with the vendor, though, on an enterprise appliance, but that would definitely affect your home. Say if you bought a router and someone backdoored it. Yeah. Every industry has their own appliances that are unique to their industry. So that's why you've got to go out and look at what's in your environment. These are just what I see, typically the types of appliances that I see. There are probably thousands of them out there. All right. Thank you guys. [Applause]
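An added example, not from the talk or from any vendor's product, for the branding feature discussed in the talk (the custom HTML on login and access-denied pages that let an external iframe or image tag be injected): the fix on the appliance side is an allowlist sanitizer for the branding field that keeps simple formatting and same-origin images while dropping scripts, iframes, event-handler attributes and off-site URLs. The tag and attribute allowlist, the URL rule and the sample branding fragment are constructed assumptions.

```python
"""Allowlist sanitizer for an appliance "branding" field. Added example, not
the talk's or any vendor's code; allowlist, URL rule and sample are constructed."""
from html import escape
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_TAGS: Set[str] = {"p", "br", "b", "i", "em", "strong", "h1", "h2",
                          "span", "div", "a", "img"}
# Attributes kept per tag; anything else (style, on*, target, ...) is dropped.
ALLOWED_ATTRS: Dict[str, Set[str]] = {"a": {"href"}, "img": {"src", "alt"},
                                      "p": {"class"}, "span": {"class"}, "div": {"class"}}
VOID_TAGS = {"br", "img"}
# Elements removed together with their contents, not just their tags.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}


def is_local_url(url: str) -> bool:
    """Allow only same-origin relative paths: no scheme (http:, javascript:,
    data:), no host (//cdn.example), no backslash tricks, and no control
    characters that a browser would strip before interpreting the URL."""
    if any(ord(c) < 32 for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    return not url.lstrip().startswith(("//", "/\\", "\\"))


class BrandingSanitizer(HTMLParser):
    """Rebuilds the fragment from the allowlist; everything else is dropped and
    recorded so the admin UI can show what was rejected."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.dropped: List[str] = []
        self.open_tags: List[str] = []
        self.skip_depth = 0  # >0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)  # the tag goes, its text is kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
            elif name in ("href", "src") and not is_local_url(value):
                self.dropped.append(f"{tag}@{name}={value}")
            else:
                kept.append((name, value))
        if tag == "img" and not any(n == "src" for n, _ in kept):
            self.dropped.append("img without local src")  # no point keeping <img>
            return
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:  # close it, plus anything left open inside it
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close whatever the submitter left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_branding(fragment: str) -> Tuple[str, List[str]]:
    """Return (clean_html, list of dropped tags/attributes for the audit log)."""
    parser = BrandingSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result(), parser.dropped


# Constructed branding submission: legitimate markup mixed with the kinds of
# injection the talk describes (off-site image, iframe, script, javascript: link).
SAMPLE_BRANDING = (
    '<h1>Acme Corp Proxy</h1>'
    '<p class="x" onmouseover="alert(1)">Welcome, <b>admin</b></p>'
    '<img src="/static/logo.png" alt="logo">'
    '<img src="//cdn.example.net/track.gif">'
    '<iframe src="http://hook.example/page.html"></iframe>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">help</a>'
    '<a href="/help">help</a>'
)
```

Calling `sanitize_branding(SAMPLE_BRANDING)` keeps the heading, the paragraph (minus its onmouseover), the local logo and the local help link, and reports the iframe, the script, the off-site image and the javascript: link as dropped. The design choice is to rebuild from an allowlist rather than strip known-bad patterns: a denylist has to anticipate every encoding and tag variant, while an allowlist only has to describe the handful of things a branding page legitimately needs.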