Slide 1
Exploiting e-mail sandbox: backdoor it with one evil e-mail
Nikolay Klendar, bsploit@gmail.com
Slide 2
Who am I
Head of IT Security at
Offensive Security Certified Expert
Not a bug hunter
Hobbies: programming, kitesurfing, snowboarding
Slide 3
DDEI Implementation scheme
Access to the Web UI could be restricted
Slide 4
Source Code Analysis
Slide 5
WhiteBox Analysis. Admin UI RCE
Conditions:
No authentication required
No CSRF protection
Slide 6
Multiple RCEs
/hidden/firewall_setting/firewall_setting.php
/hidden/db_export/db_export.php
/hidden/network_dump/php/network_dump.php
/hidden/kdump/php/kdump_setting.php
/hidden/url_extract/url_extract.php
/hidden/url_filter/url_filter.php
/hidden/postfix_setting/postfix_setting.php
/admin/php/network_setting.php
/report/report_ui/php/report_setting.php
/usandbox/import_native_sandbox.php
/php/screenshot.php
/php/syslog_setting.php
/detections/download_pdf.php
/detections/write_new_html_with_svg.php
get_filesize.php
ajax_checklicense_AC.php
Slide 7
Potential vectors of compromise
Direct request from the management network
Place <img src="https://ddei/vuln_script.php"> at own site and wait for admin
Something more interesting?
Slide 8
GrayBox Analysis. HTML injection
Slide 9
Possible attack scenario
1. Attacker: creates an email with malicious content (link or attachment) and puts the exploit into the subject
2. Admin: opens Dashboards -> Trends tab. The exploit runs without additional user interaction
3. Reverse shell from SandBox to attacker C&C
=> full compromise with root privileges
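The scenario above chains the two defects named on the earlier slides: an email subject rendered unencoded in the admin dashboard, and management scripts that act on any request without authentication or CSRF protection. The following PHP is an added example of the corresponding fixes; it is not DDEI's code or the vendor's patch, and the function names, session layout and form field name are assumptions.

```php
<?php
// Added example, not DDEI's code. Function names, the $_SESSION layout and
// the 'csrf_token' form field are assumptions made for illustration.

// Defect 1 (Slides 8/9): a mail subject is attacker-controlled data. Echoing
// it raw into the Trends dashboard lets the admin's browser parse it as HTML.
function render_subject_cell_unsafe(string $subject): string
{
    return '<td>' . $subject . '</td>';            // vulnerable: no encoding
}

// Fix: encode for the HTML element context the value is inserted into.
function render_subject_cell(string $subject): string
{
    return '<td>' . htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defect 2 (Slides 5/7): management scripts act on any request, so a
// <img src="https://ddei/vuln_script.php"> on some other page is enough to
// drive them from the admin's browser. Fix: every state-changing handler
// requires an authenticated admin session, a POST (GET is what <img> and
// plain links issue), and a per-session CSRF token.
function authorize_state_change(array $session, array $post, string $method): bool
{
    if (empty($session['admin_authenticated'])) {
        return false;                                // not logged in
    }
    if ($method !== 'POST') {
        return false;                                // no side effects via GET
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an unset token never matches.
    return $expected !== '' && hash_equals($expected, $given);
}

// The token is generated once per session and embedded as a hidden field
// in every admin form that posts to a management script.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}
```

A handler such as the hidden *_setting.php scripts would call session_start() and then authorize_state_change($_SESSION, $_POST, $_SERVER['REQUEST_METHOD']) before doing anything else, returning HTTP 403 when it is false.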
Slide 10
Connecting Sandbox to C&C
Slide 11
Critical Patch
https://success.trendmicro.com/solution/1116750-security-bulletin-multiple-vulnerabilities-in-trend-micro-deep-discovery-email-inspector-ddei-2-5
Slide 12
Conclusion
16 RCEs with CVSS 10 were reported and confirmed by the vendor
Harden even security systems
Implement source code analysis in the SDLC
Join the HCFB security team: bsploit@gmail.com