whoami
Alec Stuart Muirk
Network Security Architect
Firewall Engineer
Ruxcon attendee
Security hobbist
[email protected]�DISCLAIMER
This research is not related to my job or current
employer.
This is purely an exercise in security research and is for
educational use only
Each vulnerability has been reported to the vendor.
�Agenda
Firewall evolution
Firewall as the target
What is the Cisco ASA?
Hardware
Software
Super Mario Adventure!
�Agenda
Mario Super Adventure
cisco>enable
cisco#
#id
uid=0(root)
gid=0(root)
Jail break
Local shell access
Obtain SSL VPN User
Access
Device Compromise
&
Privilege Escalation
Pwn the Network
with
Hidden Config
�Firewall Evolution
Stateful
Inspection
Packet Filtering
IP Address
Port
Protocol
IP Address
Port
Protocol
Session state
IPsec VPNs
Application
Awareness
IP Address
Port
Protocol
Session state
IPSec VPN
Application
Protocol
Aware
UTM
IP Address
Port
Protocol
Session state
IPSec VPN
Application
Protocol
Aware
SSL VPN
Content
filtering
IPS/IDS
AV
Next Gen
IP Address
Port
Protocol
Session state
IPSec VPN
Application
Protocol
Aware
SSL VPN
Content
filtering
IPS/IDS
AV
Layer 7
application
awareness
�Firewall Evolution
Stateful
Inspection
Packet Filtering
IP Address
Port
Protocol
IP Address
Port
Protocol
Session state
IPsec VPNs
Application
Awareness
IP Address
Port
Protocol
Session state
IPSec VPN
Application
Protocol
Aware
UTM
IP Address
Port
Protocol
Session state
IPSec VPN
Application
Protocol
Aware
SSL VPN
Content
filtering
IPS/IDS
AV
User-defined input.
Next Gen
IP Address
Port
Protocol
Session state
IPSec VPN
Application
Protocol
Aware
SSL VPN
Content
filtering
IPS/IDS
AV
Layer 7
application
awareness
�Firewall Evolution
Cisco
ASA
IP Address
Port
Protocol
Session state
Application
Protocol
Aware
WebVPN
Content
filtering
IPS/IDS
AV
�Firewalls as the Target
Traditional reasons to pwn the firewall
Network access, sniff/MITM traffic etc..
My reason to pwn the firewall
Compromise of the firewall allows an attacker to
blend into the network
Security landscape is changing
Moving away from the walled garden
SIEM, IPS, DLP are the new black
Increased focus on detection and response
�Firewalls as the Target
Firewall rule-base shows us trust
relationships in the network
Describes expected network traffic patterns
A firewall rootkit could NAT intruder traffic to
match normal network traffic.
Bypass tiered firewalls and anomaly based IPS
�Cisco ASA Hardware
Cisco ASA is sold as a black box appliance
Underlying hardware is Intel
�Cisco ASA Legacy Hardware
Model
RAM CPU
Cisco ASA 5550 4GB
Pentium 4 3000MHz (32bit)
Cisco ASA 5540 2GB Pentium 4 2000 MHz (32bit)
Cisco ASA 5520 2GB P4 Celeron 2000MHz (32bit)
Cisco ASA 5510 1GB P4 Celeron 1600 MHz(32bit)
Cisco ASA 5505 512M AMD Geode 500Mhz (32bit)
�Cisco ASA 5505
SOHO/branch appliance = affordable
Supports the latest ASA releases
Runs the same firmware image as the higher
spec 32-bit appliances
32-bit exploit dev environment
�Cisco ASA Next Gen Hardware
Model
RAM CPU
Cisco ASA 5512-X
4GB
Multicore, enterprise-grade
Cisco ASA 5515-X
8GB
Multicore, enterprise-grade
Cisco ASA 5525-X
8GB
Multicore, enterprise-grade
Cisco ASA 5545-X
12GB Multicore, enterprise-grade
Cisco ASA 5555-X
16GB Multicore, enterprise-grade
�Cisco vASA
Virtual firewall (VMWare/KVM)
Supports the latest ASA releases
Runs the same firmware image as the higher
spec Next Gen 64-bit appliances
64-bit exploit dev environment
�Cisco ASA Software
Restricted CLI environment (Cisco IOS-like)
Non-exec mode
Exec mode (enable)
Config mode (config t)
Persistent storage is disk0: (config/firmware etc)
ASDM for GUI configuration
Java based
HTTP POSTs to exec/config commands
�Cisco ASA Software
show kernel process reveals underlying OS
�Cisco ASA Software
Cisco documentation shows open source
used inside the firmware
Open Source Used In Cisco ASA PDFs
Cisco will provide code as required by license (eg
GPL).
�Cisco ASA Software
Software Release Release Date Kernel Version
Cisco ASA 8.4
Jan 2011
Linux 2.6.29.6
Cisco ASA 9.0
Oct 2012
Linux 2.6.29.6
Cisco ASA 9.1
Dec 2012
Linux 2.6.29.6
Cisco ASA 9.2
April 2014
Linux 2.6.29.6
Cisco ASA 9.3
July 2014
Linux 2.6.29.6
�Cisco ASA Software
Unpack the firmware
Binwalk to extract the filesystem
Basic Linux environment with busybox
/asa contains the Cisco files
We want to see this filesystem in a running environment
�Cisco ASA Boot Order
BIOS
ROMMON
Firmware image
verification
execv(/asa/bin/lina)
BootLoader
Grub
Kernel
init
rcS
S59a
/asa/scripts/rcS
/asa/bin/lina_monitor
/asa/bin/lina
�Jail break to Shell
Method 1
CVE-2014-3391
Firmware asa842-k8.bin contains insecure
LD_LIBRARY_PATH /mnt/disk0/lib/
/mnt/disk0/ = disk0: (Cisco CLI land)
Create a trojan disk0:/lib/libc.so.6
Hijack libc-2.9.so @ execv()
Launch shell instead of lina
�Jail break to Shell
Method 1
Boot to Shell asa842-k8.bin
BIOS
ROMMON
Firmware image
verification
Launch a shell
via
hijacked execv()
BootLoader
Grub
Kernel
init
rcS
S59a
/asa/scripts/rcS
LD_LIBRARY_PATH=/mnt/disk0/lib/
/asa/bin/lina_monitor
/asa/bin/lina
/bin/sh
�Jail break to Shell
Method 1
We can use 842-k8.bin as a bootloader for
newer versions
Extract /asa from any firmware version (eg 9.1.5)
and copy to the device
Load 842-k8.bin, drop to shell
Replace /asa (842) with /asa (915)
Start /asa/bin/lina (v 9.1.5) in a controlled
environment
�Jail break to Shell
Start lina with gdb attached!
�Jail break to Shell
Method 1
Potential place to launch persistent rootkit
Image verification already completed
Subvert linux/lina before starting /asa/bin/lina
�Rootkit?
BIOS
ROMMON
Firmware image
verification
Hijack execv()
BootLoader
Grub
Kernel
init
rcS
S59a
/asa/scripts/rcS
LD_LIBRARY_PATH=/mnt/disk0/lib/
/asa/bin/lina_monitor
Rootkit code
/asa/bin/lina
�Jail break to Shell
Method 2
CVE-2014-3390
Shell access without a reboot!
Static analysis of /bin/lina (9.2) shows a fork/exec to
external /asa/scripts/pa_setup.sh
pa_setup.sh is called by CLI config mode command vnmc
policy-agent
Analysis of pa_setup.sh shows insecure use of CLI data as
shell parameters
We can run OS level commands from restricted CLI mode!
�Jail break to Shell
Method 2
Surround shared-secret in & to launch our shell
script!
Valid config, shared-secret script will execute at boot
�The Linux environment
The Linux environment
ASLR disabled
/dev/mem access (CONFIG_STRICT_DEVMEM = N)
Modules enabled
gdbserver included
ptrace support!
No native networking
/asa/bin/lina is the firewall process
�The Linux environment
No native networking
�The Linux environment
LINA controls network interfaces
User space PCI drivers
Handles all frames/packets
No network access from Linux shell?
Some scripts need network access (/asa/scripts/)
References to LD_PRELOAD=libdsocks.so
�The Linux environment
libdsocks.so is Dante or socksify
Forces application connect() through a SOCKS proxy
Cisco CLI hidden commands, enable a socks proxy in
Lina
We now have network access from shell!
�Jail break to Shell
Method 2
Upload nc/socat
Change console shell to socat reverse shell!
�Jail break to Shell
Method 2
Cisco ASA 9.2.1 Reverse connect /bin/sh Demo
�Quest for Shell
�Jail break to Shell
Software Release
Shell Method
Cisco ASA 8.4.3 -9.1 Use 8.4.2 as loader
Reboot
Yes
Cisco ASA 9.2
vnmc policy-agent
No
Cisco ASA 9.3
vnmc policy-agent
No
�Shell Access!
Access to shell on our hardened appliance!
Reverse connect shell without reboot on our
target firmware (9.2.1)!
�Agenda
Mario Super Adventure
#id
uid=0(root)
gid=0(root)
Jail break
Local shell access
Obtain SSL VPN User
Access
�Looking for Remote
Cisco ASA has a patchy history
Two likely candidates for remote exploit
Application Protocol Inspection
WebVPN Services
�Remote Unauthenticated Vulns
(DoS/Overflow/Bypass)
CVE-2012-4659
CVE-2012-4643
CVE-2012-4663
CVE-2012-4662
CVE-2012-4661
CVE-2012-4660
CVE-2012-0356
CVE-2012-0355
CVE-2012-0354
CVE-2012-0353
CVE-2012-0358
CVE-2011-3304
CVE-2011-3303
CVE-2011-3302
CVE-2011-3301
CVE-2011-3298
CVE-2011-0379
CVE-2013-1152
CVE-2013-1151
CVE-2013-1150
CVE-2013-1149
CVE-2013-1193
CVE-2013-1199
CVE-2013-1195
CVE-2013-1138
Jan 11 Feb
CVE-2011-4006
CVE-2012-0378
CVE-2012-3058
Oct Mar 12 May
Jun
CVE-2014-2129
CVE-2014-2128
CVE-2014-2154
CVE-2014-2182
CVE-2013-6696
CVE-2013-6707
CVE-2014-3264
CVE-2012-5419
CVE-2012-6395
CVE-2012-5717
CVE-2012-2474
CVE-2012-2472
CVE-2010-4689
CVE-2010-4680
CVE-2010-4678
CVE-2013-5551
CVE-2013-5542
CVE-2013-5544
CVE-2013-5515
CVE-2013-5513
CVE-2013-5512
CVE-2013-5511
CVE-2013-5510
CVE-2013-5509
CVE-2013-5508
CVE-2013-5507
CVE-2013-3415
Aug
CVE-2013-3463
Oct Jan 13 Feb
CVE-2014-0739
CVE-2014-0738
CVE-2013-3458
Apr
Aug
Sep
CVE-2013-6682
CVE-2013-5568
CVE-2013-5560
Oct
Nov
CVE-2013-5567
CVE-2013-6691
Dec Feb 14 Apr
May
Jul
�Memory Corruption in Protocol Inspection
CVE-2012-0356
CVE-2012-4659
CVE-2012-0355
CVE-2012-0354
CVE-2012-4643
CVE-2012-4663
CVE-2012-4662
CVE-2012-4661
CVE-2012-4660
CVE-2012-0353
CVE-2012-0358
CVE-2013-1152
CVE-2013-1151
CVE-2013-1150
CVE-2013-1149
CVE-2013-1193
CVE-2013-1199
CVE-2013-1195
CVE-2011-3303
CVE-2011-3302
CVE-2013-5544
CVE-2013-5515
CVE-2014-2129
CVE-2014-2128
CVE-2013-5513
CVE-2013-5512
CVE-2013-5508
CVE-2013-5507
CVE-2013-1138
CVE-2014-2154
CVE-2014-2182
CVE-2013-6696
CVE-2013-3415
CVE-2014-3264
CVE-2012-6395
CVE-2012-5717
CVE-2012-0378
CVE-2012-2474
CVE-2012-2472
CVE-2010-4689
CVE-2010-4680
CVE-2010-4678
Jan 11 Feb
CVE-2013-6707
CVE-2012-5419
CVE-2011-4006
CVE-2011-0379
CVE-2013-5542
CVE-2013-5511
CVE-2013-5510
CVE-2013-5509
CVE-2011-3304
CVE-2011-3301
CVE-2011-3298
CVE-2013-5551
CVE-2012-3058
Oct Mar 12 May
Jun
Aug
CVE-2013-3463
Oct Jan 13 Feb
CVE-2014-0739
CVE-2014-0738
CVE-2013-3458
Apr
Aug
Sep
CVE-2013-6682
CVE-2013-5568
CVE-2013-5560
Oct
Nov
CVE-2013-5567
CVE-2013-6691
Dec Feb 14 Apr
May
Jul
�Looking for Remote
Vulnerabilities in Application Layer Protocol Inspection
DNS Inspection CVE-2013-5513
ESMTP Inspection - CVE-2011-4006
H.323 Inspection - CVE-2012-5419
HTTP Inspection - CVE-2013-5512
Instant Messenger Inspection - CVE-2011-3304
ILS Inspection - CVE-2011-3303
RADIUS Inspection -CVE-2014-3264
SIP Inspection - CVE-2012-4660
SCCP Inspection - CVE-2010-0151
UDP Inspection - CVE-2012-0353 (DNS/SIP/SNMP/GTP/MCGP/XDMCP)
SQL*Net Inspection - CVE-2013-5508
Most memory corruption vulnerabilities are classified as DoS
�Looking for Remote
Checkheaps most likely offering protection
DoS instead of code exec
Previous work on IOS checkheaps bypass
could be used in ASA land?
Michael Lynn BlackHat 2005
Expect more research in this space
�Memory Corruption in Protocol Inspection
CVE-2012-4659
CVE-2012-4643
CVE-2012-4663
CVE-2012-4662
CVE-2012-4661
CVE-2012-4660
CVE-2014-2129
CVE-2014-2128
CVE-2012-4661
CVE-2014-2154
CVE-2014-2182
Cisco Firewall Services Module and Cisco ASA 5500
CVE-2013-6696
Series Adaptive Security Appliance
DCERPC
CVE-2013-6707
Inspection Buffer Overflow Vulnerability
CVE-2014-3264
CVE-2012-5419
An unauthenticated,
CVE-2011-0379
CVE-2010-4689
CVE-2010-4680
CVE-2010-4678
Jan 11 Feb
CVE-2012-3058
Oct Mar 12 May
Jun
Aug
remote attacker could exploit
CVE-2012-6395
this vulnerability to cause a stack overflow condition
CVE-2012-5717
which could be leveraged to executeCVE-2014-0739
arbitrary
CVE-2014-0738
CVE-2013-3458
commands or cause an affected device to reload,
CVE-2013-5567
CVE-2013-6682
resulting in
a DoS condition.
CVE-2013-6691
CVE-2013-3463
CVE-2013-5568
Cisco Vulnerability
Alert 27107
CVE-2013-5560
Oct Jan 13 Feb
Apr
Aug
Sep
Oct
Nov
Dec Feb 14 Apr
May
Jul
�Looking for Remote
CVE-2012-4661
Stack-based buffer overflow
ASLR disabled!
GDB/IDA attach to serial console
/asa/bin/lina_monitor -g -s /dev/ttyS0 -d
�Bug Hunting
CVE-2012-4661
Disclosure shows issue in DCERPC inspection
Static analysis shows some memcpy
operations to a fixed sized buffer
Focus on ISystemActivator / RemoteCreate
Instance RPC Messages
Fuzz the protocol parameters
�Bug Hunting
CVE-2012-4661
Windows RPC WMI ISystemActivator
ISystemActivator: BIND
ISystemActivator : BIND-ACK
RemoteCreateInstance : REQUEST
RemoteCreateInstance : RESPONSE
RPC client
Buffer overflow triggered by
malformed RCI RESPONSE packet!
RPC server
�Bug Hunting
CVE-2012-4661
�Looking for Remote
CVE-2012-4661
Overwrite EIP with xlarge oxidbinding info
Unfortunately string content is restricted to
valid IP address string characters
ASCII 0-9 (0x30-0x39) and . (0x2e)
Partial overwrite / ROP opportunity?
Our princess is in another castle!
�Looking for Remote
WebVPN Portal another likely target
CVEs related to Web Services (XSS/Bypass/Gain Privs)
CVE-2014-2128
CVE-2014-2127
CVE-2014-2126
CVE-2013-5511
CVE-2013-5510
CVE-2013-5509
CVE-2014-2120
CVE-2014-2151
CVE-2013-3414
CVE-2012-0335
CVE-2011-3285
CVE-2010-4680
Jan 11
May 12
Jul 13
Mar 14
Apr
Jun
�WebVPN
Popular remote access method
A web server on your firewall?
Two web services
WebVPN Portal / AnyConnect Gateway
ASDM services (launch ASDM/ handles ASDM
GUI config via POST/GET)
Assume no access to ASDM services!
��Provides access to
internal web resources.
Intranet server etc.
Cisco ASA acts as a
proxy HTML rewriter.
Embeds returned
content into the
WebVPN portal.
�Provides access to
internal resources.
Launches Java applets.
Cisco ASA proxies the
SSH/RDP/Citrix
connections to the
remote server
�WebVPN
Lots of server side processing!
Embedded Lua provides server side functions
Scripts are stored as plaintext blobs in lina
binary
`strings lina` reveals 86 Lua scripts
Plenty of complied Lua also..
Code review of server side Lua shows us
some interesting bugs
�Some code here
�WebVPN
CheckAsdmSession(cookie, no_redirect)
Checks to see if file $cookie exists
Validates session if file exists!
Where is CheckAsdmSession() used?
WebVPN Customization Editor!
Used to edit look and feel of WebVPN portal
�WebVPN
���WebVPN
�WebVPN
Preview Button actions:
Creates /asdm/OneTimeRandomCedValue
POST the Customization contents
launches a URL to view the preview
https://interface.mgmt.net/+CSCOE+/cedlogon.html?obj
=DfltCustomization&preview=logon&f=logon&pf=logon&
ced=B96AD3A7653629D48087D20058041F32
ced value is used as CheckAsdmSession(file,1)
�WebVPN
cedlogon.html can also be accessed as:
https://interface.internet.net/+CSCOE+/cedlogon.html
Set ced= to a known file across all versions
ced=../../locale/ru/LC_MESSAGES/webvpn.mo
CheckAsdmSession(../../locale/ru/LC_MESSAGES/web
vpn.mo,1) always returns true
Session check is bypassed..
We can request a preview of our own content
So what?
�WebVPN
CVE-2014-3393
Older versions of ASDM did all customization
through web browser
The code still remains in current versions!
This includes the ability to save the preview
content!
We can use ced bypass to customize the
WebVPN !
via the internet facing web service!
�WebVPN
Content can be customized to serve clients
some malware!
Inject some BEEF .js
Clients expect Java applets to be served
(RDP/SSH plugins)
Clients expect .exe to be served (updates for SSL
AnyConnect client)
Hijack the login form!
�WebVPN
Exploit Process..
Request Preview of our requested Customization content
Request Preview Save of requested Customization content
�WebVPN
Request Preview With Customization Contents
Request Preview Save Save Cotents
�WebVPN
Request Preview With Customization Contents
Request Preview Save Save Cotents
�WebVPN
Request Preview With Customization Contents
Request Preview Save Save Cotents
�WebVPN
Scrape the current login screen Customization
Request Preview With Hijack Contents
Request Preview Save Save Cotents
Catch creds on HTTPS listener service
Form submit sends us clear-text username/password combos.
Javascript injection in portal sends session cookie.
Customization is reboot/upgrade persistent (flash stored)
�Metasploit CED Exploit demo
�WebVPN
Credentials stolen..
Remote VPN user access gained!
�Agenda
Mario Super Adventure
cisco>enable
cisco#
#id
uid=0(root)
gid=0(root)
Jail break
Local shell access
Obtain SSL VPN User
Access
Device Compromise
&
Privilege Escalation
�Network Reconnaissance
CVE-2014-3398
Remotely detect the ASA firmware version..
https://webvpn.ip/CSCOSSLC/config-auth
Returns firmware version number
i.e "9.2(1) VPN Server internal error."
Write an nmap nse script!
�WebVPN
�WebVPN
Network Reconnaissance shows two Cisco
ASAs!
High Availability / Redundant pair
Typical enterprise configuration
Maybe we can attack this?
�Failover
Two modes:
Active / Active
Allows both ASA to pass traffic
Requires multi-contexts (not supported by
WebVPN)
Active / Standby
Supported by WebVPN
����Failover
Failover Link Provides
NAT Tables sync
TCP/UDP connection tables sync
ARP table sync
VPN Session sync
Dynamic route table sync
WebVPN configuration (Customizations)
Config / command replication
�Failover
Three proprietary protocols on Failover link
IP Protocol 8
TCP/UDP/NAT table sync
IP Protocol 105
HELLOs , config sync, file replication, command
replication
IP Protocol 9
WebVPN session and content sync, also syncs
ASDM sessions
�Failover
As an unprivileged SSL user we can send
packets across the fail over link to the
Standby firewall!
We can send IP Proto 105 packets and IP
Proto 9, IP Proto 8 dropped
Standby firewall will accept packets from any
source!
��Failover
IP Protocol 105 Config Sync Packet Format
CRC
Field Length
No replay protection!
Config command sync
No authentication!
Sequence Number?
This packet configures
hostname MyCiscoASA on the standby ASA
�Failover
Cisco allows to run commands from active to
standby firewall (or vice-versa)
Eg. failover exec standby show version
Commands run as user enable_15 (root)
�Failover
IP Protocol 105 Failover Exec Packet Format
CRC
Field Length
Execute command
Sequence Number?
�Failover
CVE-2014-3389
As an unprivileged SSL VPN user we can send
custom IP 105 packets to exec commands on
the standby firewall!
No authentication!
Cisco default no logging standby
SNMP/Syslog is disabled by default on Standby
�Failover
Demo scapy script sending commands to
the standby firewall
Fail-over command injection:
First download a copy of running config
Upload some of our own config
We will create a user on the Standby firewall in
order to send exec commands to the Active
firewall!
Login to standby and execute command on
active!
��Failover
Cisco recommend that failover be secured by
either:
failover key
failover ipsec preshared-key
�Failover
failover ipsec preshared-key
Starts an IPsec VPN between ASAs, all the
sync/exec packets are encrypted..
A logic flaw exists..
The Standby will accept unencrypted packets
as successfully decrypted packets!
Cisco recommended setting failover IPSec
offers no security against command injection
attack!
�Failover
Use failover command injection to configure
secondary Cisco ASA without logging
Login to secondary ASA and exec commands
on the primary!
Both devices now compromised!
�Mario Super Adventure
cisco>enable
cisco#
#id
uid=0(root)
gid=0(root)
Jail break
Local shell access
Obtain SSL VPN User
Access
Device Compromise
&
Privilege Escalation
Pwn the Network
with
Hidden Config
�Owning the Network
We now have our SSL tunnel and have
compromised the firewall
Lateral movement phase of attack..
Probing the network directly will raise alarms
SIEM/IPS/Flow analytics etc
�Remote Shell and Hidden Config
Stolen firewall config shows us the access-lists
Access-lists describe trust relationships and
expected traffic flows
�SOURCE
DESTINATION
SERVICE
ACTION
ANY
DMZ_WEB_SERVER
HTTP
HTTPS
PERMIT
DMZ_WEB_SERVER
INT_DMZ_DATABASE
SQL_PORTS
PERMIT
ANY
DMZ_MAIL_SERVER
MAIL_SERVICES
PERMIT
DMZ_MAIL_SERVER
ACTIVE_DIRECTORY
AD_PORTS
PERMIT
�SOURCE
DESTINATION
SERVICE
ACTION
ANY
DMZ_WEB_SERVER
HTTP
HTTPS
PERMIT
DMZ_WEB_SERVER
10.55.55.55
INT_DMZ_DATABASE
10.11.11.11
[SQL_PORTS]
TCP-1433
PERMIT
ANY
DMZ_MAIL_SERVER
MAIL_SERVICES
PERMIT
DMZ_MAIL_SERVER
ACTIVE_DIRECTORY
AD_PORTS
PERMIT
�SOURCE
DMZ_MAIL_SERVERS
10.55.77.77
DESTINATION
ACTIVE_DIRECTORY
10.0.0.10
SERVICE
[AD_PORTS]
TCP-389
TCP-3268
TCP-88
TCP-135
TCP-6000-7000
ACTION
PERMIT
�Remote Shell and Hidden Config
Upload NAT rules to blend into network
Modify our source IP to match the expected
traffic
Pivoting without need to compromise
hosts
We could create a NAT entry for each rule in
the firewall
�SOURCE
NAT SOURCE
DESTINATION
SERVICE
ACTION
VPN_IP
192.168.100.1
DMZ_WEB_SERVER
10.55.55.55
INT_DMZ_DATABASE
10.11.11.11
SQL_PORTS
PERMIT
�SOURCE
NAT SOURCE
DESTINATION
SERVICE
ACTION
VPN_IP
192.168.100.1
DMZ_MAIL_SERVER
10.55.77.77
ACTIVE_DIRECTORY
10.0.0.10
AD_PORTS
PERMIT
�Remote Shell and Hidden Config
Demo adding NAT rules
Before and After nmap output
Bowser Inc. Log server showing traffic
�Demo adding NAT rules
Before and After nmap output
Bowser Inc. Log server showing traffic
�Remote Shell and Hidden Config
Rogue NAT statements are easily detected
We need to hide our config changes!
vnmc config jail break to launch a reverse
shell to Linux
Ptrace Lina to manipulate the firewall process
memory
We can change any function of the firewall
We can hide our NAT statements!
�SOURCE
NAT SOURCE
DESTINATION
SERVICE
ACTION
VPN_IP
192.168.100.1
DMZ_MAIL_SERVER
10.55.77.77
ACTIVE_DIRECTORY
10.0.0.10
6666
PERMIT
��Conclusions..
Your hardware firewall appliance is software
This software is becoming more exposed to user input
APTs will be targeting your network infrastructure
Should we expect a higher software standard from
security / network infrastructure companies?
�Questions?
