Security Fest 2025

SonicDoor - Cracking open SonicWall's Secure Mobile Access
06-05, 11:15–11:55 (Europe/Stockholm), Main stage

Vulnerabilities in commercial-grade SSL VPN devices have been all too common in the past few years. An internal research project aimed at comparing the security level of these devices identified that SonicWall devices tend to have fewer reported vulnerabilities while displaying relatively poor security practices. This pushed us to perform additional research into SonicWall devices and determine the reason behind this counter-intuitive conclusion.

This presentation will go through how we dissected the Secure Mobile Access device in search of vulnerabilities, which resulted in the discovery of multiple CVEs that, when combined, allow a remote unauthenticated attacker to fully compromise the device.


  1. Introduction (~ 5 mins)
    1.1 Background info on who I am
    1.2 Vulnerabilities in SSL-VPN devices
    1.3 Results summary of our internal comparison of SSL VPN devices project
  2. Analysing the SMA 500 (~ 10 mins)
    2.1 Obtaining the firmware
    2.2 Assessing the attack surface
    2.3 Obtaining root access
    2.4 Presenting the file system and important processes
    2.5 Searching for vulnerabilities with some custom tooling which will be released
  3. Vulnerability analysis (~ 20 mins)
    3.1 Memory corruption vulnerability search
      3.1.1 Multiple heap overflows
      3.1.2 Multiple stack overflows
      3.1.3 Present mitigations in place to prevent exploitation
    3.2 Apache configuration analysis
      3.2.1 Path traversal through DocRoot confusion attack
      3.2.2 Extracting session identifiers and logs from the device
    3.3 Authentication analysis
      3.3.1 Discovery of certificate-based authentication bypass
      3.3.2 Discovery of OTP-based MFA bypass
    3.4 Further binary exploitation
      3.4.1 Further stack overflows in a custom Apache module can be exploited while bypassing exploit mitigations to execute arbitrary code on the device
      3.4.2 Full POC and demo
    3.5 Analysing the patches (~ 3 mins)
  4. Conclusions & Takeaways (~ 2 mins)

Alain Mowat is the Head of Research & Development at Orange Cyberdefense Switzerland. He joined the company (then called SCRT) in 2009 as a penetration tester and subsequently led the offensive security team in the same company for many years until turning towards R&D. While still performing various engagements throughout the year, Alain is also dedicated to exploring new approaches to be used by the offensive security industry to better secure client infrastructures.

Aside from these activities, Alain was an active member in the 0daysober CTF team that finished 3rd at DEFCON CTF in 2015 and has responsibly disclosed vulnerabilities in multiple products such as Citrix NetScaler, SonicWall, Barracuda, Twitter and McAfee.

Alain is also responsible for giving various security-related trainings at Orange Cyberdefense Switzerland and has presented at several conferences, such as Insomni’hack, where he is also one of the organisers, Secure IT VS, CyberSecurity Alliance, SIGS and Area41.