
BG - A Fire In The Eye - Olli-Pekka Niemi & Antti Levomaki

BSides Las Vegas · 34:56 · 22 views · Published 2017-03
About this talk
BG - A Fire In The Eye - Olli-Pekka Niemi & Antti Levomaki Breaking Ground BSidesLV 2013 - Tuscany Hotel - August 01, 2013
Transcript [en]

Okay, hello everybody. We're really thankful that we can be here speaking today. We will be talking about the topic of FireEye. So, who we are: my name is Olli-Pekka, I'm Chief Research Officer at Stonesoft. Stonesoft is a company in Finland; we do firewalls and IPSes, and it was recently acquired by McAfee. This is my colleague Antti, who has been working in my team, and together we've been doing all kinds of related research on security

devices. In this presentation we will discuss some problems we identified in detection techniques and sandboxing. Zero-day attack detection is very much becoming the hot topic in prevention: vulnerabilities are often found as zero days, exploited in the wild, which means that signature-based detection and prevention systems are unlikely to catch these attacks. It seems to us that sandbox detection systems are designed for this kind of attack, and they actually do provide some additional security, but there are lots of problems in these techniques and ways to bypass them. If you look at the market-leading product, what are the capabilities? There are lots of stated capabilities that you

can get, but there are a lot of problems as well. FireEye advertises that the system is tuning-free and blocks zero-hour attacks (maybe soon they will be blocking zero-minute attacks, or whatever, I don't know), and then blocks APTs and blocks outbound callbacks, and basically they say that they can do all this and that all the other systems are missing it. So if you think about that: we have a device designed for catching zero-day stuff, designed for stopping APTs; I think that such a device should not be very easily bypassed, but unfortunately that is not the case. So how does it work? The idea of the FireEye appliance is to just run all the files downloaded from the web in a virtual

machine, and then by running those files there you actually find out whether the file contains malicious code. In this case we also consider web pages as files. How FireEye runs web pages as files: it just runs a browser in a virtual machine, feeds it the same web page that the original downloader got, and then sees what happens there. The idea is pretty solid, but there are still lots of drawbacks, and it at least made me question how usable the product is and how able it really is to stop attacks. To test the FireEye capabilities we looked for an exploit that it could

detect. First we of course thought that we would use a different one, but since it's not actually code it doesn't show the attack anyway. Then we selected this MS08 / CVE-2008 one; that's an uninitialized memory corruption vulnerability in Internet Explorer, the same vulnerability in IE6 and IE7 as well, and we are using those two. When we exploited the vulnerability, the victim is actually connecting to the malicious web server, and then the server gives the exploit, the victim is compromised, and FireEye gives the same exploit to its own browser, but it takes two to four minutes to run before it gives a verdict. So during those two to four minutes it is simulating and running that, and it has no clue what is happening

during that time. And the actual exploit of course was not prevented, because it's not really inline; it only takes a copy of the web traffic and then runs that in the virtual machines inside. So this is a screenshot from the device; you'll see there the exploit. What the exploit does is that it immediately opens a shell from the victim host using a separate TCP connection. FireEye actually is able to detect the opened shell, but nevertheless the remote shell connection opened by the exploit stays open even after this. So this is a screenshot of the shell that we have on the Windows system, and the shell is actually open after FireEye is able to find

that there is an attack going on; it's not stopping that connection at all. So it seems that during the time FireEye is analyzing the malware, I've already been compromised, and whatever is downloaded or uploaded during this time goes through. If we then run the exploit again using the same URL, then we get this alert of a local infection, and the HTTP connection is actually terminated with an RST packet. They are saying that if there is a malicious URL and the system learns it, then it can block all those URLs and also send them to the cloud, so that every other FireEye device is also able to block this URL. So this is just a screenshot from

FireEye, and it should indeed contain the local infection. So if a different client tries to access the malicious URL, the connection will be terminated the same way. That is how it uses the

cloud. But if we change the URL at all, then it actually won't detect it anymore. So we changed the URL a little bit, and instead of having a new local infection we get the exploit alert again, and the difference from a local infection is that it doesn't actually prevent the connection. So if we just change the URL, then it doesn't actually stop it anymore, and one character is enough.

Audience: When you say change the URL, do you mean just the domain change, or whatever URL?

Speaker: Whatever URL. So if you have a hostile server serving malware, if you use a different URL every time, it will never prevent it. Okay, sorry, you have two Macintosh adapters for VGA up there, or is it mine? I

have my own. I don't know. Okay, never mind. All right, so to be able to simulate the victim, FireEye captures data between the attacker and the target: the TCP stream data belonging to the HTTP connection is captured and replayed in the virtual machine. It takes a copy of the HTTP connection and tries to parse the client part and the server part, and then inside the virtual machines it runs its own internal web server that is actually serving the same malicious files to the virtual machines inside. And how the virtual machine is chosen inside FireEye is that FireEye is actually looking at the headers of the client.

Audience: Yeah, so back to the question: the same URL including the

parameters, or is it the URL itself, or including parameters? You know, any of that, if you change one character, it is not...

Speaker: Oh, you included the parameter, right? Yeah.

Yeah. So it's possible to get the pcaps out of the FireEye system: there is a possibility to download the internal pcap, and there's also a possibility to download the pcap of what's actually happening in the network. So here are two different pcaps. This is the original pcap, and we see that they are using this one, and then, yeah, this one again. This user agent is actually from the virtual machine inside FireEye, right? So they are a little different, and the virtual machine that is selected by FireEye depends on the user agent. So if somebody would be using a browser that is not

installed in FireEye, what happens? Nothing. It wouldn't look at that connection at all, so it can only detect attacks against those browsers that it has installed. So FireEye is not really inline and doesn't analyze threats in real time, contrary to what is claimed: all the files pass through the device, and the device only takes a copy of the file and then analyzes it. If FireEye wasn't the exploit target, you get compromised before FireEye knows it was exploited. So it cannot prevent the attack, but it can give you some visibility of what's happening in your network. Basically it's more like a sandbox IDS, not a prevention device. So we've been looking for several

methods of how to bypass FireEye analysis. Going quickly: the simplest method is really simple. If you just run an HTTP/0.9 server, so your server isn't giving any headers at all, FireEye has no clue and everything passes; it will not detect any of the exploits. So this is maybe the simplest way to evade it. Here you can see the request and then the response, everything; you can do that with netcat. Then of course it cannot do anything with SSL/TLS, since it really is not inline and you cannot do SSL decryption there. So HTTPS is a really good way of hiding malware, and even if it were implemented there, maybe it could only open RSA by really

opening a connection itself, or with a proxy, but it is not. Then there is the HTTP port variation. Of course it doesn't actually identify HTTP traffic, so just change the port to something else. By default it is using ports 80 and 8080, and a good way to bypass the device is to run the web server on port 443, because that port is open in most places.

Audience: Yes, have you verified that with chunked encoding? Can they handle HTTP chunked encoding?

Speaker: On that I don't know; we haven't tested chunked encoding yet. I don't know, probably... I don't know. But you don't need that kind of trick because there are so many more

simple methods, like using the old HTTP/0.9 server or changing the port. Then we tried something else: we tried to do some TCP segmentation stuff. Basically we have a web server that is able to send in small segments and then send them in the wrong order and that kind of stuff, and by using small TCP segment sizes we were able to evade it. The device does do some TCP reassembly, but it's still bypassed. So this is the pcap; we should be able to see that the segments are small and we are out of order. Next we would like to do a live demo, if the demo gods are with us; we have a connection to Helsinki and a couple

Okay, let's see. Yeah, we have a...

Audience: Turn your mic on. Is your mic turned on?

Audience: Better. Still, speak up.

Speaker: Okay, so here's the GUI from our test network; some of this is from yesterday.

So let's see it before the...

Okay.

Okay, so we are running the exploit server, no evasions yet.

So we should...

We should give it a few minutes. Let's see.

While we wait: how many people use FireEye in the

crowd?

So it takes a couple of minutes and then we will be able to see that it detected the attack; but if we apply the segmentation then it won't be seen. And then there's the other feature, that it learns that there is a malicious URL; there are some methods that we use to bypass the URL filter.

It seems the connection is slow. It's a little difficult to demo because everything happens a little laggy.

Sorry, it's breaking up.

Okay, so there is your presentation. Then the other method: controlling the TCP client. The TCP server can actually control the size of the segments sent by the client, so the server may limit the window size used to accept communication from the client. We noticed that by using a smaller window size than the size of the URL, the FireEye URL filter is bypassed completely, and I think that we also used the MSS option to do the same. And actually we noticed that if the malicious URL is just long enough, so it's actually longer than a TCP segment, that is enough for FireEye. So this is also a pcap, and in this pcap you are able to see

that the windows are really small; the window is two, so this is actually forcing the client to send TCP segments of size two. Then we have another method: redirecting into the exploit. The actual starting request is a different URL: the attacker is just sending this starting URL via email, and that URL is static. Then the victim, by clicking that URL, goes to that static site, which then redirects to another site, and the redirection URL is unique every time. Because FireEye is only looking at the final URL, the cloud-based stories about URLs become basically useless, because every URL is different every time, and you don't know how to store the original

starting URL. And this is actually a strategy that is used by current malware. So here you see the redirect; the web server is using this Location header.

Then there are other limitations: FireEye is only able to detect attacks against software it is virtualizing, which means that it doesn't virtualize OS X or anything else and doesn't detect any attacks against these operating systems. By default the box is running three versions of Windows XP and two versions of Windows 7; ours is capable of running four virtual machines at the same time, so we have selected one Windows XP and one Windows 7. And we found there would be images available for Windows 2000, 2003 or ME, and if it's not running these then it isn't analyzing these.

Also, since our link to Helsinki failed, I have a lot of pcaps that we can actually use and look into, so you can see the same techniques.


are pick have got

Audience: Would you speak more into the microphone?

Audience: Yeah, actually I'll turn it back up a little bit before I turn it down.

Speaker: So this is the pcap of the plain HTTP/0.9 server. This works every time; it basically passes the traffic through and doesn't do any

analysis.

Audience: Keep speaking please, because I have no idea what the volume is.

Speaker: Hello, hello, hello.

Audience: Turn it all the way down. So, um, I have no idea what I did. What about now? Hello, hello, hello. All right, just talk loud, that's all I can say right now. I don't know how the audio system works in the biggest track; help me out.

Speaker: A basic Metasploit payload, nothing special.

Audience: That one's off; too much feedback with the body mic.

Speaker: Capture of the receive window evasion. Stay close to my... So every other packet is a zero-window packet, because we force a two-byte window for the client.

Audience: It might be turned down, or it might be off.

Speaker: So by doing this, FireEye will not see the exploit. So by controlling the receive window we can bypass the device, and then

so this is the redirection case. First we see the initial connection to the starting URL, so that gets registered, and, yeah, this will then of course make the browser connect to the exploit URL, and if the exploit URL is different every time then you are defeating it every

time. And then this is the case of the TCP segmentation. Here the server is actually using a small TCP segment size and sending all the segments out of order, basically, so it's quite crippling for the browser as well, but I think the browser can still open this. Yeah, same exploit. So there are quite many different network-level evasion techniques that can also be used to bypass the analysis of the

device. So it seems to us that FireEye is actually unable to detect attacks against any software that it is not running. For example, in our test with our exploit for Internet Explorer 6 and 7: first it was running Internet Explorer 6 and was able to detect this; then we changed the virtual machine version so that it was not running Internet Explorer 6 anymore but Internet Explorer 7, and then our attack against IE6 was successful of course, but FireEye didn't see it anymore, and it didn't even try to see it. And because we are using this heap spray method in the attack, if it had tried to run the IE6 attack with IE7 it would still have been able to see

the heap spray part, and probably the attack. So we looked more into it, and it uses the user agent of the browser to select what is going on inside there, and if it doesn't have the same

browser, it doesn't see it. So it's not tuning-free; instead you need to tune your network so that you are running all the same software as FireEye, or, I don't know, maybe there's some way to install new software inside FireEye. But anyway, if the FireEye virtual machines are different from your own machines, it isn't detecting the attacks, and there's not much protection. So we have these conclusions here. The device is actually not an inline device: all the files pass through the box, the device takes a copy and then injects the copy into the virtual machines it has. And if we apply network-level evasions, for example if it doesn't understand that the connection is HTTP, then it of course

doesn't do anything for that connection. So often it seems it's not that much of a value in preventing attacks, but sometimes it might mitigate the impact, because there are still some chances it is actually detecting attacks. But the problem is that if bad guys create exploits and deliver them, and they want to bypass FireEye, it's really simple. And then the URL filter is trivially bypassed, because they are saying that all the URLs are reported to the cloud and then all the devices learn this quickly; that's true, but the URL filter is pretty much useless. So I don't think that it really is preventing zero days or stuff, but it can give you some visibility,

especially if you're running Windows. So thank you.

Audience: Did you attempt to put the device inline at any point?

Speaker: It was inline all the time, yeah, it was inline.

Audience: Yeah, that's why...

Speaker: So we had all updates in the system and were running the latest version and everything, and we did this test the first time I think last January and the last time like yesterday, so nothing changed in that time.

Audience: Did you do any testing with something like an inline SSL decryption facility, or something of that nature?

Speaker: Well, we would like to do that, but we don't have the device. I mean, we like to

look into security devices and see how we can break them, but we don't have that device; that would be interesting.

Too bad the live demo connection failed. So I think we finish a little early, but thank you everybody, thanks for coming. [Applause]
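The network-level evasions the speakers walk through (headerless HTTP/0.9 responses, plaintext HTTP on a port the box does not inspect, a tiny server-advertised receive window, small out-of-order segments, and a redirect to a one-time URL) each leave a visible trace in a reassembled flow. The following is an added defensive example written for this page, not the speakers' code or anything from FireEye; the flow-summary layout, the thresholds, and the sample flows are assumptions constructed here.

```python
import re

# Added example: heuristics for the evasions discussed in the talk. The flow
# summary layout, the thresholds and the sample flows are assumptions.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")
INSPECTED_PORTS = {80, 8080}   # ports the talk says the box watches by default
MIN_SANE_WINDOW = 64           # server-advertised receive window below this is odd
MIN_SANE_SEGMENT = 16          # a page sent only in segments this small is odd
OK_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

def response_style(head: bytes) -> str:
    """'http1x' when a status line is present, 'http09' when a body starts at once."""
    if STATUS_LINE.match(head):
        return "http1x"
    if head.lstrip().startswith((b"<", b"MZ")):   # HTML or PE bytes with no headers
        return "http09"
    return "unknown"

def evasion_indicators(flow: dict) -> list:
    """Name the evasion patterns present in one reassembled-flow summary."""
    hits = []
    style = response_style(flow["response_head"])
    if style != "unknown" and flow["server_port"] not in INSPECTED_PORTS:
        hits.append("http_outside_inspected_ports")   # e.g. plaintext HTTP on 443
    if style == "http09":
        hits.append("headerless_http09_response")
    if any(w < MIN_SANE_WINDOW for w in flow["server_windows"]):
        hits.append("tiny_server_receive_window")      # forces tiny client segments
    sizes = flow["segment_sizes"]
    if len(sizes) > 4 and max(sizes) <= MIN_SANE_SEGMENT:
        hits.append("small_segments")
    if flow["out_of_order"]:
        hits.append("out_of_order_segments")
    if len(flow["redirect_chain"]) > 1:
        hits.append("redirect_chain")   # reputation keyed on the final URL misses this
    return hits

def flow(port=80, head=OK_HEAD, windows=(65535,), sizes=(1460, 1200), ooo=False, chain=1):
    # Constructed flow summary; the defaults describe an ordinary page load.
    return dict(server_port=port, response_head=head, server_windows=list(windows),
                segment_sizes=list(sizes), out_of_order=ooo,
                redirect_chain=["http://site.example/u%d" % i for i in range(chain)])

SAMPLE_FLOWS = {  # constructed samples, not captures from the talk
    "normal": flow(),
    "http09_on_443": flow(port=443, head=b"<html><script>"),
    "tiny_window": flow(windows=(2, 0, 2, 0)),
    "small_ooo": flow(sizes=(8,) * 20, ooo=True, chain=2),
}
```

Running `evasion_indicators` over each entry of `SAMPLE_FLOWS` yields no hits for the ordinary load and one named indicator per evasion the talk describes; the thresholds are starting points to tune against your own baseline traffic.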