Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploiting e-mail sandbox backdoor it with one evil e-mail Nikolay Klendar bsploit gmail.com.

Published byAshley Lynch Modified over 6 years ago

Similar presentations

Presentation on theme: "Exploiting e-mail sandbox backdoor it with one evil e-mail Nikolay Klendar bsploit gmail.com."— Presentation transcript:

1 Exploiting e-mail sandbox
backdoor it with one evil Nikolay Klendar bsploit gmail.com

2 Who am I Head of IT Security at Offensive Security Certified Expert
Not a bug hunter Hobbies: programming kitesurfing, snowboarding

3 DDEI Implementation scheme
Access to Web UI could be restricted

4 Source Code Analysis

5 WhiteBox Analysis. Admin UI RCE
Conditions: No authentication required No CSRF protection

6 Multiple RCEs /hidden/firewall_setting/firewall_setting.php
/hidden/db_export/db_export.php /hidden/network_dump/php/network_dump.php /hidden/kdump/php/kdump_setting.php /hidden/url_extract/url_extract.php /hidden/url_filter/url_filter.php /hidden/postfix_setting/postfix_setting.php /admin/php/network_setting.php /report/report_ui/php/report_setting.php /usandbox/import_native_sandbox.php /php/screenshot.php /php/syslog_setting.php /detections/download_pdf.php /detections/write_new_html_with_svg.php get_filesize.php ajax_checklicense_AC.php

7 Potential vectors of compromise
Direct request from management network Place <img src=“ at own site and wait for admin Something more interesting?

8 GrayBox Analysis. HTML injection

9 Possible attack scenario
1. Attacker: creates an with malicious content (link or attachment) and puts exploit in to subject 2. Admin: opens Dashboards->Trends tab. Exploit runs without additional user interaction 3. Reverse shell from SandBox to attacker C&C => full compromise with root privileges

10 Connecting Sandbox to C&C

11 Critical Patch -in-trend-micro-deep-discovery- -inspector-ddei-2-5

12 Conclusion 16 RCEs with CVSS 10 were reported and confirmed by vendor
Harden even security systems Implement source code analysis in SDLC Join to HCFB security team: bsploit gmail.com

Download ppt "Exploiting e-mail sandbox backdoor it with one evil e-mail Nikolay Klendar bsploit gmail.com."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
A Survey Of Web Security Aviel D. Rubin Daniel E. Geer Jr. “...with an internationally connected user network and rapidly expand Web functionality, reliability.

A Survey Of Web Security Aviel D. Rubin Daniel E. Geer Jr. “...with an internationally connected user network and rapidly expand Web functionality, reliability.
Mitigating Malware Collin Jackson CS142 – Winter 2009.

Mitigating Malware Collin Jackson CS142 – Winter 2009.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Threat Overview: The Italian Job / HTML_IFRAME.CU June 18, 2007.

Threat Overview: The Italian Job / HTML_IFRAME.CU June 18, 2007.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Chapter 4 Access Control Manage Principals operations in system.

Chapter 4 Access Control Manage Principals operations in system.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Bill Gates’ RSA 2006 Keynote presentation Questions and answers.

Bill Gates’ RSA 2006 Keynote presentation Questions and answers.
High Accuracy Attack Provenance via Binary-based Execution Partition Kyu Hyung Lee Xiangyu Zhang Dongyan Xu Department of Computer Science and CERIAS,

High Accuracy Attack Provenance via Binary-based Execution Partition Kyu Hyung Lee Xiangyu Zhang Dongyan Xu Department of Computer Science and CERIAS,
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead

Similar presentations

Ads by Google