"The Defender's New Clothes" - Eldar Marcussen

BSides Canberra · 2021 · 42:00 · 647 views · Published 2021-04
About this talk
BSides Canberra 2021, 9-10th April National Convention Centre

eldar is a great speaker and we're very privileged to have him uh eldar marcussen his talk title is the defender's new clothes so please welcome eldar to the stage

g'day canberra can you hear me out the back um right here today to talk about the defender's new clothes so you might recognize that title it's based on a fairy tale that i remember from my childhood about a vain emperor who gets swindled by these two guys to convince him that they can make magic clothes and the magic property of these clothes is that only intelligent people can see them and they're not actually providing clothes they're just pretending uh but no one wants to call out the fact

that the emperor isn't wearing any clothes because they don't want to be seen as low intellect until he has a parade and one day a small child says oh look the emperor isn't wearing any clothes and then the illusion fades and everyone can see that he's naked and i chose this bit of street art to help illustrate this where you know it's more he's walking around with a big cash suitcase i want to draw sort of a bit of a parallel between this story and how we maybe view um the defensive solutions we use to protect data and networks computers etc so when i say the defenders new clothes the clothes is essentially the solutions that we

implement defender is anyone who has an obligation or a desire to protect data systems using these solutions and so here are some of the examples where we have firewalls web application firewalls access controls antivirus etc and so i want to talk a little bit about how maybe we put too much trust in these systems so yeah some of the things that people often don't consider when we talk about defensive solution is the level of privileged access they often have right um your antivirus might be running in kernel space um you know things like effectiveness can be hard to measure so we might have to just take it on blind trust that it works we've seen recently that a lot of

security software have had cves and remotely exploitable bugs in them so how do we know how secure the supply chain development practices of the software is we again we kind of fall back and trust so you might want to ask yourself um you know what's something on your network that basically has access to everything right you might have a a nessus box that has every vlan trunked to that box if that box were to be popped you have a flat network a great question that i like to bring up is you know how do you measure the effectiveness of your web application firewall i have not yet heard a good answer if you think you have a good methodology

for measuring how effective your waf is please have a chat to me after i'd really like to hear some different approaches and like i said we put in security solutions or software in privileged positions how do we then secure these solutions and i am going to get a little bit snarky today i might call out some specific vendors it doesn't mean that all their solutions are bad you know your mileage may vary a great example from pen testing and we're working in consulting uh we'd go in we do an internal pen test we find that the management interface of your network switches your email gateway etc that's all available on the internal network as opposed to

under its own management lan and very often we'd find them with default credentials so you know you got you buy an expensive piece of security software don't change the default credentials um those security controls don't work at that point right that's that's sort of why it's important to not just go up it's solution x we are secure um but rather think about this problem a bit differently so i want to start with a story um [Music] of um a pen test where we were going up against some defenses the story basically goes like this remote hacker wants to get into the juicy data that's sitting on the website and there's a waf in the mid

right so the hacker might not be able to get in because security at this point bypass it you know for those who don't know you can take like the favicon md5 hash it look it up in shodan and like access the server directly as opposed to going through the waf not a case here but before i get into the the story there's a couple of things that i want to cover that i don't really have a good segue for so i'm just going to drop them in here a little bit awkwardly um so first i want to talk about access control and i don't really have anything related to this but it's something i found very recently

um and the why the reason why it's interesting is because i'm going to show you a little trick and this little trick will basically get all of you everyone in this room who knows this trick will instantly achieve apt status nation level hacking capability from this one trick i kid you not and i found this when i'm looking at this aws load balancer that was trying to prevent access to the documentation for an api so behind the load balancer this it's a container or a web server whatever that has the documentation for the api on the web server and it's meant to be there to be accessed by internal systems but not through the internet so the load

balancer is the gateway between the internet and the container and so we want to block access to this specific url and so we see here it's doing a text pattern if the url is api docs return a 401 you're not allowed to access this okay so this is what happens you go to the domain.example.com forward slash api docs you get a 401 but then you're like well it's text matching what if we make it a little bit different but same same you get a 200 okay and that is the trick this is what i call the power of slash i might say this a couple of times through this presentation you know i might i might try to get you

guys involved so when i yell power of slash you can get power of slash back how about that so so that's that's like this one trick and uh we'll we'll come back to this trick the next thing that i kind of wanted to cover um is sort of wafs and some of the more advanced techniques or in ways in which wafs are not necessarily effective because it's relevant to the story so a great waf bypass is base64 encoding and whether that's an intentional feature because sometimes people have functionality that clashes with waf rules and the solution is just ah just base64 encoded straight through um and we've seen that a few times that you know just

people basically base64 encode something you don't have a payload add the sql injection and it just it just works one of the negative things with this is you'd like your waf to block you know owasp top 10. and one of the things that one owasp top 10 is object injection or insecure deserialization and serialized data is almost always base64 encoded so that's like a whole category of owasp top 10 that the waf just goes dude too hard it's a feature we can't get rid of i'm not entirely sure and even if it did base64 netspooky recently released this base64 encoding mutation that manipulates the sequence of bits that you're encoding to invoke padding

in the base64 so all the bits are base64 you see down in the corner there they all decode to netspooky but they're different so that's also not something i've seen in use but it's a nifty thing and it might get you past some controls in the future so besides base64 there's another owasp top 10 that you'd like your waf to block cross-site scripting right everyone's favorite web bug pops up some alert boxes or steals a session because javascript is turing complete if you're injecting into a javascript session there is literally nothing the waf can do to block you writing some incomprehensible code that actually executes javascript so the one i've been using and i

guess i should say this my probably my biggest regret with giving this talk is that most of the things i'm going to show will probably be ineffective within a month right so i'm going to have to come up with some new techniques so i use fragmentation where i assign an object into a variable and then use that variable and the usual sort of keyword matching doesn't happen i break up the string into multiple write operations right cross-site scripting also robin recently published this idea of split xss that uses multi-line comments to manipulate multiple injection points into sort of a running running comment from within an injected point into another injected point that's pretty good you should check that

out i'll also come back to this technique a bit later and like i said turing complete unicode friendly you can you can encode javascript in all manner of things so here we have a cuneiform unicode encoded javascript and yeah you can't exactly text filter for this stuff now there there are some that are saying things like langsec and they'll have automatically detection of which language you're injecting uh etc and and that's going to be the next generation i haven't had a chance to play with it but i'm pretty sure you can write a a ruby javascript slash html slash gif polyglot string and and get around that sort of stuff anyway um so yeah that's sort of the pretext

um not directly relatable but gives you sort of an understanding of um how i think about wafs in particular like i do a lot of web stuff so back to the story testing this website find a directory traversal and now you might say but although it's a waf it blocks directory traversal and sometimes there's a couple of things that generally can't block very well the first one is relative traversal the reason why they can't block relative traversal very well is because having a dot dot slash index php or dot slash robots txt as a parameter can be valid like if you have a logout url that does a redirect that could be a valid argument so it's

kind of hard to block that the one i didn't expect to work was the non-traditional traversal that just sailed right past i'm like okay well i would have expected that someone had written slightly better rules um multipart traversal where you have multiple parameters being concatenated into one string i don't think we'll ever be able to [Music] detect from like a waf perspective because the context is so specific to the individual page but i just wanted to show you that i'm not lying right so here we have cloudflare with like there's no vulnerability here right you just put random parameters in the query string and it goes well i'm a waf and i'm seeing something that i consider

malicious i'm going to block it regardless of what the backend functionality is so we do the slightly password and goes no that's a traversal you're not allowed i said okay well what if i add the power of slash the power is that yeah they say yeah sure go ahead read my files um and again picking on cloudflare cloudflare is a half a billion dollar a year revenue company i would think that they could hire maybe someone to try to bypass the run rules for a small amount of money compared whether they actually do that and it just wasn't effective in this case i'm not sure but i would like to think that when you're paying a lot of money

for security you actually get some security so of course this was interesting and fun and you know wrote a tool to do this um travis i'm gonna i forgot to hit push on github i'll do that after my talk so this afternoon that'll be up um so now we can leak to false you know primarily we're doing the relative traversal reading the source code we identify lfi but we don't have a file to include okay well we can't just upload like a php shell because the waf says no so we look around find some some other exploit primitives if you if you want to call it that um i find that one of the one of the

pages it writes user data to a log file it has file rotation so that's very handy because if you if you mess up like you say that you're trying to inject piece by piece and then it blocks like one of them and then now your code isn't your code anymore because you're missing a chunk being able to have that file rotated out so you get a clean injection slide super handy very very happy that they had that feature um it's browser accessible so we could also access the log file directly and verify what we injected to see whether or not something gets encoded etc um but you can't just go and slap a php string in there because

the waf says no so we come back to one of the things that i talked about earlier code fragmentation if the waf can't see the entirety of your code but rather just little parts that once in the log file becomes the whole it probably won't block the individual parts and again it seems to be sort of keyword operated so you want to make sure that you avoid the keywords if you can in this case we couldn't just do like line by line because there was a bunch of stuff in between but independently of robin we also came up with this idea of multi-line comments and uh turns out upon closer research that there's more than a handful of people

that have independently discovered this technique in the past but i'm the first one that i'm aware of that used it for php so we basically injected something like this you see at the start we start a php in between like all the user agent data and stuff and then we start a multi-line because php doesn't care about anything that's outside of the php tags and then the multi-line says that anything in between multi-lines within this php tag spanning multiple lines is to be ignored so then we end the multi-line comment insert a keyword start another multi-line comment and then that way sort of work our way down and we get a web shell injected into the log

again kind of tedious so we wrote a tool this one is live on github and basically just it takes a bit of php code apply some generic rules to split it out into little chunks that shouldn't ideally trigger wafs although i'm kind of surprised it didn't block the base64 decode but it didn't um and then fed this in piece by piece so now i have a traversal i have a local file include i've got a file that i control the content of the web server i can eval code because that's that's what i upload i didn't upload like a web shell i just gave a generic eval so now i can basically base64 blob and

have that running but there's a problem i can run php code but i can't like access system resources that well and i can't run commands because the sys admin had applied hardening so these are the actual functions that were blocked on on the box and this is actually more comprehensive if you go out new google php hardening they'll give you a different list that is equally ineffective but it's different so this they've gone really hard on like no commands right like they've even disabled escape shell arg and escape shell command which are safety features not command execution um okay so at this point i sort of imagine that this is what the sysadmins thought would happen right

there's a waf there's hardening the hacker comes along and then oh no but that's not what actually happened right we're going to hack the planet because what happens is at each step of this journey i'm getting closer and closer to code execution running commands like if i were going to walk away i'd probably walk away at the first hurdle not like the fifth because i'm this close right you can taste it so there's a bunch of useful php functions that they haven't disabled right like they disabled rename and chmod but if i can file open and unlink and umask i have all that functionality i just have to do more than one operation so we can sidestep hardening because the

php hardening only applies to php and this is a linux system with many other options so i chose to go with one that's very near and dear to my heart i wrote out a htaccess based web shell that executes commands through server side includes because php hardening doesn't apply to server side includes but the waf is being difficult yet again i can't access htaccess files directly from the browser because the waf says no no that's not allowed but that's okay we can curl exec to localhost from a base64 encoded lfi which has a base64 encoded payload through you get you get 30. so we win we have code execution but we still want more right running

commands is not like we want root so run ps notice that there's this php script that keeps running as root pretty regularly so i'm guessing cron job funnily enough there's a directory called crontab which has the same file name in it yeah it seems legit uh unfortunately chm1777 so i can just append a bit of code to it dump etc shadow to temple that was here crack the passwords and then find the person responsible for the box so that they can fix this stuff and that's sort of the end of the security in this story not the end of the security and you you might say is is this effective security we've invested a lot of money

in the waf in the hardening uh monitoring actually crowdstrike was running on the box at the time it wasn't included in the report they provided to us turns out that someone had marked this as pen testing i guess because it said tmplw no one asked me are you doing this so um it's probably a human failure process at this point um but yeah it's it's hard to say whether or not it's effective sure i triggered some alerts in that process right um but then the question is what happens do you do the ip ban me do they actually resolve the vulnerabilities quicker than i can get a new ip and get back up to the stage

that i was at because i wrote tools so this is like automated at this point getting back to where i was takes five minutes um but that's sort of the end of i guess waf and web security and hardening um your mileage may vary so for the next part i wanted to look at some other areas of security um like detection and antivirus and whatnot um and before i get into that i i wanted to share two statements from twitter the infinite pool of wisdom and knowledge dave aitel tweeted this at the start of this year and for me this statement really resonates i i feel like this is true based on my own experience that a lot of people

on the defensive side he specifically says incident response seems to think that attackers aren't very clever or good the flip side which i guess kind of confirms this was the discussion with malwaretech and i got to be fair to marcus this is out of context we were talking about whether or not people should believe release proof of concepts proof concept exploits rather than specifically whether or not the skill gap is that high but the essence of this is what he's saying is that there's so many state actors or non-state actors that can't do like even simple hacking right it's all just copy paste or using somebody else's tool they have no skills of their own

and that's something that i hear a lot so that's why it's in here and i'd like you to sort of think about this and see you know maybe which statement you agree with so that out of the way let's talk about detection rules um specifically um i looked at some systems but we'll start with one that i actually i actually don't know which piece of software this is what the detection rules are but we'll start up with a the infamous argle bargle glop glyf attack you all you all know this one right no no one knows this one it is a problem and it's a real attack because there's this github issues that have been created about how their

enterprise a corporate security firewall goes crazy when the unit test contains this string and i didn't find somebody somebody sent this to me because they had done a little bit of digging around and they attributed to me having put this into one of my htaccess shells specifically this one tries to cause a denial of service in apache by making the apache htaccess parser fail on something that is not valid apache syntax it could literally be anything i picked argle bargle glop glyf because when i was young and i played text adventures this is what you would get back if you entered an invalid command and i'm putting in invalid syntax to me

it made sense um and then someone on some defensive rule writing team has gone right there's a denial of service condition we're going to block this string maybe not googling what it meant first i don't know but i have now changed this file because i don't want to i want people to be able to use these strings in the unit tests without getting flagged by security so yeah the famous argle bargle right rule analysis how many here look at yara rules before running exploits on the red teams can't see any hands no didn't think so it's actually really good you should do it so this is a sigma rule for detecting exploitation against fortinet ssl vpns

like i said a lot recently a lot of security software has been flagged with having vulnerabilities and we can see the highlighted section it's looking for basically two uri components um and they have to be in here like it has to match both because you can see it contains all and then there are two specific strings now if we make one of these strings not match there is no detection so again by the power of all right um yeah just just put some slashes in there you now you're apt there's no detection just cruise right through because they didn't patch that because they had virtual patching and everything is fine right you got something protecting your

end point please patch it immediately um not just sort of this one um but is this a one-off case totally this is another rule uh in this case it's vsphere which isn't strictly a security product although some people use it to contain legacy systems in a vm whatever again very simple string add some slashes bypass the detection okay yeah all right that's sigma we have a couple of examples obviously things like malware are in a very different category like web-based attacks are largely string based and so that makes the detection kind of dependent on string matching and difficult but i would like to think that you could write better rules here's a great example this is nsa cyber detection for web

shells and they've got my handle there on on the line and again it comes back to this htaccess shell uh project where someone nsa just incorporated this rule from someone else um but they went i don't like this htaccess thing wireghoul is in one of the comments so let's block that unfortunately if you actually go on google and you you search htaccess based web shell you will find a lot of like russian sites and stuff don't have my name in it so i think at this point we're like pandering to the lowest percentage of actors that would use this attack it also doesn't stop the more traditional htaccess based attacks where you you make a gif file

execute as if it's php um just overall i think this detection is pretty poor so i actually asked i said hey you know i'm just a security researcher like i'm not it's a malware author you know you reckon you could maybe write a better rule and take my name off it and they're like no no it's in there because you know most non-state actors are so bad and they just use the tools the way they are and so you know by leaving your name in the detection rule anyone who uses your tool are going to get detected and it just brings me this sort of full circle to this okay what if that's a target right like

if if you're writing rules for detection and your target is the bottom 50 60 whatever many percent you're basically just giving a free pass to anyone above that line if you wrote a proper detection tool it would get the top percentage as well as all the other junk board because the other people don't modify the files anyway so they're easy to detect but uh yeah so far no luck i'm still on the on the reaper all right um here's another yara rule um and this is for detecting backdoor and catalina and i included this because it highlights one of the the real problems with sort of string matching is it's looking for a file that starts

with xml less than 300 kilobytes in size it has the service name catalina it has a connector port defined right those are like the three things it's looking for as indicators and then it'll skip if there's a false positive entry and the first false positive entry is the connector string but with a xml html comment in front and of course because the matching will always match as close as possible so when you're looking for connector it doesn't have context it doesn't realize the connector is inside a comment so you kind of have to avoid this but it leaves us in a nice position where we can define our xml file say service catalina have our connector and then on the line

below have a connector in comment because the execution the the tomcat parsing the xml file will accept the connector and then ignore the commented one so now we bypass the rules and we still have an effective backdoor and it just i don't know if it's if it's a case of we believe that attackers aren't good and they're not going to evolve their game we didn't have time to write proper rules we just needed something that worked most of the time i'm not entirely sure here's one from a local group a bit of guidance on um what was that f5 f5 traffic management interface um and again hard coded string add some slashes no detection and also across the pond uh the uk

variant uh have ioc detection for um this uh i can't remember it there's another security software um then you grab your access log add some slashes regex don't match there's no indicators of compromise anymore by the power of better better all right that's kind of it um yeah uh conclusion i'll i'm using somebody else's words for the conclusion so i'll get to that um in a minute but first so there's basically two new tools an update to an existing tool um and i will push it on the github this afternoon so um you can find that on my github wireghoul and a smarter man than me halvar flake he said this many years ago that

specifically huge revenues are generated in our industry with appliances that only work as long as the attacker has not looked at them and that very much is what i find to be to be true i don't i'm not saying you shouldn't buy a security software you shouldn't implement it it's not in my slide deck but john strand said something on twitter yesterday and he said don't laugh at defenses just because they can be bypassed the idea is to have overlapping defenses so that where one sort of fails another one picks up the problem and then of course your ability to detect combined with the speed of which you can respond is actually where your core capability is it's not

the blinky box that says i'm going to stop 100 of security with ai on the blockchain or whatever whatever the sales guy tells you right um yeah so that's that's the conclusion hackers don't care they don't care about your whatever right here we go three representing um yeah that's really it um you know maybe i should should add in conclusion that the one thing i've found is if instead of relying on security solutions from course of preventing any incidents from occurring is if you expect that at some point the security solutions will fail and the thing they're trying to protect gets compromised if you expect that quite often i find that people start engineering the networks different

we don't necessarily need you know an antivirus solution or a content designing solution here maybe we'll just spin spin up an immutable vm that converts what's on the screen to a gif and then puts it in an s3 bucket kills the vm um and you know through things like isolation um and access control firewalls are actually not in here because when they're managed well they actually do a decent job so there are other ways of dealing with with this rather than just sort of throwing the money at a solution because i remember seeing some screenshots of an antivirus vendor which will remain nameless where the sales guy promised black and white in writing that if you buy this solution it will keep

you safe from 100 safe from all hacking and social engineering attempts for all of the future sure so that's it thank you for having me [Applause] thank you very much for that talk eldar we have some questions on the slack and just so uh everyone knows go on the slack and ask some questions if you would like to ask eldar something and our other speakers as well uh the first question uh by theos is why is url normalization not more common url what normalization good question i don't know it should be i mean the first load balancer problem would not have exactly uh happened if you know normalization or canonicalization had happened so yeah it should be i don't know why uh that's

uh that's good uh next question by pacifist is uh it's a question uh doesn't trying to make um actually secure waf policy um end up taking more work in terms of re-implementing app input sanitization surely that takes more work than just fixing the actual app itself is that true uh possibly but it can be done by someone who's not a on the development team potentially so you know the financial incentives might be different and we have another uh question by uh zephyr junction uh do you know of any waf systems that use regexes for their file paths rather than hard-coded strings it seems like it would raise the bar significantly regexes are hard you might end up

introducing a denial of service all of the wafs that i'm aware of supports it and you could end up doing it i think a large reason and i'm not a waf person but my guess would be that processing regex is costly and can lead to denial of service conditions it's better to write a specific rule and we've got one more question by urban adventurer it's quite a long question but he asks and he starts off by saying to fix this last trick it will require matching one or more slashes and passing file paths with dots and slashes that means moving from string matching to regular expressions and this will increase cpu usage so my question

is the urban adventurer's question is it worth accepting the risk of a waf denial of service through increased cpu utilization i think i just answered that before but i should add that if you do path normalization you don't have to go to the regex solution you can just normalize the path down to what it actually should be and then match it which would be the better solution well that's all the questions we have for let's thank eldar one more time for his tour by the power slash

you