
Published on January 4th, 2017


DeepSec 2016 – When your Firewall turns against you





This talk, held by René Freingruber and Raschin Tavakoli at DeepSec 2016, will demonstrate how attackers can compromise a company's network via their firewall system:

"It's a common misbelief that security tools are always secure. The aim of this talk is to show the audience the difference between a secure and a security product. First we discuss how we can remotely detect and identify the firewall system within the target internal network. After that we start a brute-force attack from the internet via the victim's browser against the internal firewall. We will show how an attacker can bypass different used CSRF protections to trigger actions on the firewall system. Finally, we are going to exploit a memory corruption bug (type confusion bug which leads to a use after free vulnerability) in the PHP binary on the firewall to spawn a reverse root shell."

René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering and exploit development. He also studies modern mitigation techniques and how they can be bypassed by attackers. In the course of that research he came across Microsoft's Enhanced Mitigation Experience Toolkit and gave various talks about its (in)security at conferences such as RuxCon, ToorCon, ZeroNights, DeepSec, 31C3 and NorthSec. He also presented talks about application whitelisting at CanSecWest, DeepSec, IT-SeCX, BSides Vienna, QuBit, NorthSec and Hacktivity.





The main research field of Raschin Tavakoli is Web Application Security with a focus on penetration testing and vulnerability assessment. He has been working in the software industry for the past 15 years as an application developer in areas like PKI and smartcard-based security systems, enterprise web applications and mobile applications. Recently he specialized in web-based application security and penetration testing. Raschin holds the Offensive Security Certified Professional (OSCP) Certification.
