"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."


Pwned Bulletin September 2014 Volume - 6

index
02 executive summary
03 responsible disclosures
04 smartermail 0-day xss vulnerability
07 siemens simatic S7-300 exploit
09 network compromised using Microsoft Word document
11 fortigate 310b multiple vulnerabilities
13 corporate laptop backdoor
15 about us

executive summary

We at CCFIS deliver penetration testing services, and while delivering those services we have found some 0-day exploits. In this bulletin we show how easy it is for a hacker to compromise your network even after you have implemented the best security solutions. If your security systems or firewalls are not detecting any attack or not alerting you about one, this does not always mean that you are not being attacked; you may be under attack while these security solutions are failing to detect or block it. Developers and solution providers work 9 to 6 to develop a solution, but hackers work 0 to 24 to break it. Every web asset, hardware device or application solution can have vulnerabilities. We at CCFIS find those vulnerabilities and report them to the organization through our responsible disclosure program. The list of our responsible disclosures is attached on the next page. Everyone is recommended to take the needful actions when a vulnerability is reported in their organization's assets. A detailed penetration testing report can be shared on request: drop a mail at info@ccfis.net with your intent and purpose and we will send you the detailed report after verification.

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."

responsible disclosures by CCFIS

and many more..

smartermail 0-day xss vulnerability

Most of us use SmarterMail as the mail server for our organizations and businesses. It has all the smart features and almost everything needed to run a business smoothly. One client who was very concerned about his mail server contacted us and explained that he had already implemented a 256 bit SSL certificate, and asked whether there was anything else he needed to do to secure his mail server from rival companies. We initially checked for vulnerabilities in the Microsoft OS installed on the server, which ran enterprise-level email security and antivirus. At that stage we found that everything was updated and the OS was properly equipped. We were then given two dummy accounts to check for vulnerabilities inside the email application. We were not able to find any vulnerability that could be exploited directly, but we found several major XSS-based 0-days which might be used for gaining further access. We reported these vulnerabilities to SmarterTools as a responsible disclosure and also decided to share them with our readers.

Stored XSS (Notes) Vulnerability (steps to reproduce): SmarterMail has an option to add Notes. In the Details box, enter the JS code ><img src=x onerror=prompt(document.domain);> and save it. When the user opens the note he saved, this JS code executes and the XSS pops up.

Reflected XSS (Compose Message) Vulnerability (steps to reproduce): Select New Message and click the option to insert a link. In place of the URL, write any URL, for example ccfis.net. Then select that URL again and edit it with the payload ><img src=c onerror=prompt(document.cookie);>

Reflected XSS (Image Attachment): While attaching an image named "><img src=x onerror=prompt(document.cookie);>.jpg in SmarterMail using the web version, an alert is generated, allowing a user to inject arbitrary code that will be executed on the server. The issues were reported to SmarterTools 4 weeks ago and the patch for them is yet to be released.

Recommendations: We cannot recommend the best mail server, as developers only work 9 to 6 to develop the solution while hackers work 0 to 24 to break it. The best practice is to perform periodic vulnerability assessment and penetration testing of your mail server.
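As an added defensive illustration (not SmarterMail's code and not from the bulletin), the following Python contrasts concatenating a note body or attachment name straight into HTML with escaping it, using the two payloads quoted above as constructed test input; the function names are my own.

```python
import html
import re

# Constructed copies of the two test strings quoted in the bulletin.
NOTE_PAYLOAD = '><img src=x onerror=prompt(document.domain);>'
FILENAME_PAYLOAD = '"><img src=x onerror=prompt(document.cookie);>.jpg'

def render_note_unsafe(details: str) -> str:
    """The stored-XSS shape: the note body is concatenated into the page verbatim."""
    return '<div class="note-details">' + details + '</div>'

def render_note(details: str) -> str:
    """Hardened form: every HTML metacharacter is escaped before it reaches the page,
    so the payload is displayed as literal text instead of being parsed as a tag."""
    return '<div class="note-details">{}</div>'.format(html.escape(details, quote=True))

_UNSAFE_CHARS = re.compile(r'[^A-Za-z0-9._-]')

def safe_attachment_filename(name: str, max_len: int = 100) -> str:
    """Canonicalise an uploaded name before it is stored or shown in the attachment list:
    drop any path component, replace every character outside a conservative set,
    and refuse a name that has nothing acceptable left in it."""
    base = name.replace('\\', '/').rsplit('/', 1)[-1]
    cleaned = _UNSAFE_CHARS.sub('_', base).strip('._')
    if not cleaned:
        raise ValueError('filename contains no acceptable characters')
    return cleaned[:max_len]

def render_attachment(name: str) -> str:
    """Attachment row: sanitised name, then escaped again as defence in depth."""
    return '<li class="attachment">{}</li>'.format(
        html.escape(safe_attachment_filename(name), quote=True))

def contains_active_html(fragment: str) -> bool:
    """Test helper: after stripping the wrapper we emitted, is any tag left inside?"""
    inner = re.sub(r'^<(div|li)[^>]*>|</(div|li)>$', '', fragment)
    return re.search(r'<[a-zA-Z!/]', inner) is not None

if __name__ == '__main__':
    print(render_note_unsafe(NOTE_PAYLOAD))   # the tag survives: this is the bug
    print(render_note(NOTE_PAYLOAD))          # &gt;&lt;img ... rendered as inert text
    print(render_attachment(FILENAME_PAYLOAD))
```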

siemens simatic S7-300 exploit

The Siemens Simatic S7-300 is a modular mini PLC system for the low-end and mid performance ranges. These appliances are used in manufacturing plants, assembly lines, hospitals and wherever automation is required. After reading about critical infrastructures, the CIO of a major hospital contacted the CCFIS team and asked whether we could audit their network. After the audit we found some major vulnerabilities in their network; those were later fixed and the network was secured. A few months later we were called again to audit their SCADA system. We found that the hospital was using a Siemens Simatic S7-300 PLC system, deployed in their network to automate and control their systems efficiently.

The CIO mentioned that they purchased it in 2012 and that its configuration and settings had never been changed or modified since. Not even security hardening had been performed on the device. While performing penetration testing we found this device vulnerable to a Remote Memory Viewing exploit, through which an attacker can view data in the memory of the PLC. Exploit code for this vulnerability was written by Dillon Beresford in 2012 (OSVDB-ID: 73645). With this exploit our pen-testing team was able to compromise the Siemens Simatic S7-300 and dump the device memory. As the organization requested that we not disclose much information about the attack methodology, we are sharing only limited information. Another reason for sharing only brief information is that misuse of these attacks may lead to mass destruction.

Recommendations: If you have implemented any SCADA-based appliance, make sure you have updated its firmware and implemented best security practices. For self-assessment of your SCADA appliances you may use the Nessus SCADA plugins: http://www.tenable.com/blog/new-scada-plugins-for-nessus-and-tenable-pvs A periodic vulnerability assessment or penetration test by a third-party vendor is recommended to ensure complete security.

network compromised using Microsoft Word document

A few months back the CCFIS team was conducting a penetration test of an IT firm. The organization was using multiple layers of security: a properly configured firewall, the latest updated antivirus, IDS/IPS and more. Inside the network they had already set up Active Directory with proper security policies for all users, a central update server and almost all best security practices. The organization was also ISO 27001 certified. They had also trained their employees about cyber security and threats, so even the weakest link in the security chain, the human part, was covered by training. During penetration testing of the network our team did not find any major exploitable vulnerability through which they could enter the network, and as per the client's requirement this had to be complete blackbox testing. The company had an online job portal through which they posted current openings and received applications. One of our team members took advantage of MS14-017, the Microsoft Word RTF memory corruption zero-day, CVE-2014-1761, which allows an attacker to run arbitrary code on the client's machine. He bound an in-house developed backdoor, which was less detectable by most antivirus engines, into a malicious RTF document, submitted a job application and uploaded that document as his resume.

The next morning, at exactly 9:41 AM, we got a reverse connection from a system belonging to the HR department of that organization. When someone from HR checked their ERP and opened this malicious resume, our exploit worked perfectly and established a reverse connection to our server. Later, by pivoting from this one compromised system, we found that many more servers and systems were vulnerable to publicly known vulnerabilities. This vulnerability and attack methodology was reported to the organization so that they can protect their network from these types of targeted attacks.

Recommendations: Security is not a one-time investment; it is a regular practice. To secure your network you need to keep checking for the small flaws that may lead to a bigger vulnerability. Make sure every piece of software and every system on your network is properly updated. Any ERP or similar system through which you receive files from outside your network must sandbox them before they are brought directly into the production internal network.
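The sandboxing recommendation above, as an added example that is not from the bulletin or any vendor: an upload gate for a job portal that identifies the real container by its magic bytes rather than the claimed extension, rejects mismatches, and routes RTF and Office containers to a sandbox before HR sees them. The policy table and the sample resumes are constructed assumptions; the magic bytes come from the public format specifications.

```python
import hashlib

# Magic bytes of the formats a job portal typically accepts (from the public specs).
MAGIC = {
    'rtf': b'{\\rtf',
    'ole': b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1',   # legacy binary .doc container
    'zip': b'PK\x03\x04',                        # .docx and other OOXML containers
    'pdf': b'%PDF-',
}
# Assumed policy: which sniffed container is legitimate for a given extension.
# Word happily opens an RTF file named .doc, so both are accepted for .doc.
EXT_TO_KIND = {'rtf': {'rtf'}, 'doc': {'ole', 'rtf'}, 'docx': {'zip'}, 'pdf': {'pdf'}}
# Formats that can carry active content are detonated in a sandbox before delivery.
SANDBOX_FIRST = {'rtf', 'ole', 'zip'}
# RTF control words that embed OLE objects. Their presence is not proof of malice,
# only a reason to annotate the sandbox ticket for the analyst.
RTF_INDICATORS = (b'\\objdata', b'\\objemb', b'\\objupdate')

def sniff_type(data: bytes) -> str:
    """Identify the container by its leading bytes, never by the claimed extension."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return 'unknown'

def triage_upload(filename: str, data: bytes) -> dict:
    """Decide what the portal does with an applicant's file before it reaches the ERP."""
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    kind = sniff_type(data)
    result = {'filename': filename, 'sniffed': kind,
              'sha256': hashlib.sha256(data).hexdigest(), 'indicators': []}
    if kind == 'unknown' or kind not in EXT_TO_KIND.get(ext, set()):
        # Extension does not match the real container: treat as spoofed and refuse it.
        result['action'] = 'reject'
        return result
    if kind == 'rtf':
        result['indicators'] = [w.decode() for w in RTF_INDICATORS if w in data]
    result['action'] = 'sandbox' if kind in SANDBOX_FIRST else 'scan'
    return result

# Constructed samples standing in for uploaded resumes (dummy object data, no payload).
CLEAN_RTF = b'{\\rtf1\\ansi Resume of Jane Doe\\par }'
OBJECT_RTF = b'{\\rtf1{\\object\\objemb{\\*\\objdata 0102030405060708}}\\par }'
CLEAN_PDF = b'%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj'

if __name__ == '__main__':
    for name, blob in [('resume.rtf', CLEAN_RTF), ('resume.pdf', CLEAN_RTF),
                       ('cv.doc', OBJECT_RTF), ('cv.pdf', CLEAN_PDF)]:
        r = triage_upload(name, blob)
        print(f"{name:12} sniffed={r['sniffed']:8} action={r['action']:8} "
              f"indicators={r['indicators']}")
```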

fortigate 310b multiple vulnerabilities

The CCFIS team works with the motto "give us anything, we will find a vulnerability". During a presentation, a client asked our sales guy: "I am using a FortiGate 310B and I am totally secure, why do I need a penetration testing service for my network?" Our sales guy committed that the FortiGate device is not secure and that our team could find vulnerabilities. The deal was finalized and we were tasked with auditing a FortiGate 310B running the latest updates. While testing the firewall we found several major and minor vulnerabilities. We were even able to reboot or shut down the firewall without admin or any other credentials. The device was also vulnerable to Cross-Site Request Forgery. A basic function of a firewall is to stop DoS and DDoS attacks targeted at the network; we have created an InfoSec lab from which we can simulate almost any attack. DoS and DDoS attacks were performed on the firewall for stress testing, and the device itself was found prone to DoS and DDoS attacks.

FortiGate has a web filtering service called FortiGuard, which helps network administrators block certain categories of sites on the network. No VPN, Tor or other proxy-based tool could bypass this filtering mechanism. The CCFIS team was able to bypass it using a very simple technique: the Opera web browser's Off-Road mode (Opera Turbo). Even the data stored on the CompactFlash card of the firewall was not encrypted; in case of any physical compromise of the network, this data can be extracted to reveal the entire network architecture. The configuration data had been deleted, but with some basic forensic techniques we were able to recover it again. A few more major vulnerabilities were found on the firewall. All issues were reported to the Fortinet India team, who immediately forwarded them to the Fortinet US team; they acknowledged the vulnerabilities, and a patch was released and pushed to all Fortinet devices.

Recommendations:
- Use the latest model of firewall, or at least the latest firewall OS.
- Choose your firewall brand wisely and research publicly available vulnerabilities or exploits before purchasing.
- When replacing the CompactFlash card of your firewall, make sure you destroy the previous one, as it contains the configuration file, which can reveal network architecture information; this data can be recovered with forensic tools even after it has been deleted.

corporate laptop backdoor

One of our clients, an educational organization, provides laptops to its students, faculty and other staff for their educational and official work. MNCs, governments and almost every large organization order laptops in huge quantities, and hence the vendor creates a separate model specially designed for that particular organization. A few months back, a vendor reached the CIO of the organization and provided a laptop for PoC and feasibility testing. This laptop was later sent to the CCFIS team to check for any possible vulnerabilities. We created a test scenario in our InfoSec lab. First we restored the laptop to its factory settings and downloaded the laptop drivers from the vendor's official site; only the operating system and drivers were installed on that laptop. Then we connected the laptop directly to a leased line and assigned it a live IP. Our network support team made sure that no other device was connected in between or elsewhere on the network. The PoC laptop was left running for a few days and all packets were captured using Wireshark. After two days of packet capturing, the pcap files were sent to our attack analysis lab, where every packet was analyzed by team members for anything malicious.

After analysis we found that this PoC laptop was connecting and sending data to a Chinese IP, and that this IP belonged to an antivirus server. The question that arises is that no antivirus or any other software had been installed other than the original operating system and device drivers. The same process was repeated on Windows XP, Windows 7 and Windows 8.1, and the result was the same on every operating system. Hence we concluded that the fault was not in the software; it is the hardware that is creating the connections and sending data to the Chinese IP. This vulnerability was reported to the laptop vendor. At first they ignored it and later denied any involvement in this act. They concluded by saying that they only assemble multiple components purchased from other vendors and do not actually manufacture every part installed in the laptop. This means they need more quality and security checking procedures.

Recommendations: Before distributing laptops or PCs in your organization, check them for any possible backdoor installed by the vendor. We can help with testing and share the testing procedure on request, and we can also help in capacity building for creating such a test bench. Before signing a contract with any vendor, check whether the vendor has been involved in such activities in the past. In our case, the vendor had already been blocked by a government agency of one country.

about us

Center for Cyber Forensics and Information Security (CCFIS) is a research organization incubated at Amity Innovation Incubator, a technology incubator supported by NSTEDB, Ministry of Science & Technology (Government of India).

Noida Office (HQ): Amity Innovation Incubator, Block E-3, 1st Floor, Amity University, Sector-125, Noida, UP-201301, India. Email: info@ccfis.net, Phone: +91-120-4659156
Lucknow Office: 3rd Floor, AB-6 Block, Amity University, Malhaur, Lucknow, UP-226028, India
Gwalior Office: Amity University Madhya Pradesh, Maharajpura (Opposite Airport), Gwalior
Jaipur Office: Amity University Rajasthan, 14, Gopalwadi, Ajmer Road, Jaipur, Rajasthan
Manesar Office: Amity University Haryana, Panchgaon, Manesar, Gurgaon, Haryana

Disclaimer
This report was prepared as an account of work done by the CCFIS research and analysis wing. Neither CCFIS, nor any of its employees, nor any of its contractors, subcontractors or their employees, partners or their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or any third party's use of this report or the results of such use of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights.

Center for Cyber Forensics & Information Security