>> Hi. Ya, it’s good to be back. Nowadays, Virtual Private Networks become more and more prevalent. For enterprises, SSL VPN is the most convenient way for their employees to connect to the corporate network. For hackers, it’s also the shortest path to compromise your intranet. So, today let’s take a look at how your SSL VPN could be wrong. Oh, before that, is there any NSA here? [Laughter] Okay, sorry for the title. Hi, I’m Orange, we are from the DEVCORE research team in Taiwan. I’m a 0-day researcher focusing on web application security. Apart from that, I’m also a speaker, CTF player and bug bounty hunter.

>> Hello everyone, I am Meh Chang. I’m a security researcher from DEVCORE and I play CTF in the HITCON and 217 CTF teams. I mainly focus on binary exploitation.

>> Here are the highlights for today. We will discuss pre-auth remote code execution on both Fortinet and Pulse Secure SSL VPN. In the Fortinet case, we will show you the hardcore but reliable binary exploitation, with a magic string to open the door. In the Pulse Secure case, we will present old-school web hacking, and how we bypassed the two-factor authentication on Twitter and hacked into their most important server. Last, but not least, we will introduce how we leverage a hidden feature to take over not only your SSL VPN but also all of your clients.

And this is the agenda. We first introduce the SSL VPN and why we focus on that. Most SSL VPNs don’t provide a shell, so we will elaborate how we jailbreak them and introduce the attack vectors to discover bugs. Of course, we will have case studies and demonstrations. And the last part is SSL VPN weaponization and recommendations.

So, what is SSL VPN? Compared to site-to-site VPNs such as IPsec or PPTP,
SSL VPN is easier to use and compatible with any network environment. All you need is just a browser. Because of the convenience, SSL VPN becomes the most popular remote access way for enterprises. SSL VPNs are everywhere and protect corporate access from internet exposure. They are trusted to be secure and considered the only way into your private network. But what if your trusted SSL VPN is insecure? It will become your virtual public network. [Audience laughter] Yes, public.

So, that’s why we focus on SSL VPN: they are important but a blind spot. They are widely used by corporations of all sizes, but only a few vendors dominate the market. According to our survey on the Fortune 500, the top three SSL VPN vendors hold about 75 percent market share. So, if you find a high-impact vulnerability in one of the leading SSL VPNs, you can hack the planet. The most important thing is that SSL VPN must be exposed to the outside, so it must have direct internet access. Due to its importance, even the NSA is hunting for SSL VPN bugs, as seen in the Equation Group leaks. SSL VPN is trusted by large corporations, industry leaders and tech giants, such as Facebook, Twitter and Marvel. Yeah, the logo is very cool. Even the NSA uses SSL VPN. They are everywhere but usually forgotten; sometimes hackers even know your SSL VPN better than you do.

For example, we disclosed a remote code execution on Palo Alto SSL VPN one month ago. We found the bug accidentally; however, while reproducing it on the latest version, we failed. So, we started to doubt if this was a known vulnerability. We searched all over the internet but could not find anything related. There’s no CVE, advisory or any official announcement. Therefore, we believe this is a silently fixed 1-day. We surveyed all over the world and found Uber suffered from this. So, we reported it to their bug bounty program. This is not a fault of Uber; they are also the victim. We also reported this to the Palo Alto PSIRT, but we got the following reply: they do not assign CVEs for items found internally. So, that’s the reason why there’s no official advisory. Okay, this is fine. [Audience laughter] There is no CVE, so there’s no vulnerability. [Laughter] Anyway, Palo Alto still assigned a CVE for that, right after we published our story.

Once we decided to research SSL VPN, the next question was how to choose the targets. We did a little survey on leading SSL VPNs. As you can see, even at the highest severity level of CVEs, Pulse Secure and Fortinet are still the most secure ones. We wanted to challenge the mission impossible. So we put our priority on Pulse Secure and Fortinet. Pulse Secure is the most famous VPN solution in the world, and has the least high-level CVEs. It’s trusted by large corporations, service providers and government departments. Fortinet is used more by end users and medium-sized enterprises. It’s common in Asia and Europe. Both vendors have few high-level CVEs, so our mission is to find pre-auth remote code execution on them.

So, let’s start hacking. Kickstarting new research is always not easy. SSL VPN is a black box, closed-source appliance. They usually build their own architecture stack from scratch, and don’t provide a shell to dive into. So, jailbreaking is the essential step for researchers to turn the black box into a grey box. As you can see, most SSL VPNs only provide a restricted shell. So, let’s talk about how to jailbreak, then. We are not hardware guys, so we started researching from the virtual appliance.
All the virtual appliances can be classified into the typical ones and the encrypted ones. It’s trivial for the typical ones, so we don’t spend a lot of time here. You can just enter single-user mode or mount the virtual disk on your box to modify the file system and get a shell. But what if the disk has been encrypted? We saw the booting process, but we cannot see anything. So, today we will show you a trick to bypass the encryption.

Here is the Linux booting process. The common way in the past to break the encryption is to analyze or reverse the vmlinuz kernel to get the encryption key. However, we focus on another stage. Here we give an example to show how memory forensics takes us to the win. As we know, the booting process starts from the BIOS, the bootloader, and the kernel, to drop the first process that initializes the operating system. In Pulse Secure, the initial process shows you a prompt: press enter to view or update your appliance settings. And once we press enter, the initial process spawns another process to allow you to modify and view the settings. So, we suspend the virtual machine at this time and scan the entire memory to do the memory forensics on the host OS. From the memory forensics, we observe that the spawned process is a Perl script. The name is dsconfig.pl. And this can be the weak point of the whole booting process. So, it’s time to show the magic. We will just patch a few bytes to pop out a shell. We patch the memory and replace dsconfig.pl with /bin/sh. Once the modification is done, the only thing we need is just to press enter. And we got a shell. [Applause] Thank you. So, now we have full control of the system and can do further debugging and analyzing.

>> Okay, so now we can start hacking SSL VPNs. But where’s the bug? There are many daemons running on the server. They’re usually complicated and hard to analyze. Digging at the correct place is important for us. So, we propose attack vectors specific to SSL VPNs. We’ll talk about a special feature called WebVPN. It’s powerful, but also vulnerable sometimes. We got lots of bounty from this feature. It’s like our slot machine. The next one is the native script language extensions on SSL VPNs, and how they can be dangerous. And we also introduce multi-layered architectural problems.

WebVPN is a convenient proxy feature. It’s portable and clientless; it proxies all kinds of traffic through the web browser. It supports various protocols like HTTP, FTP and RDP. It also handles many web resources, such as WebSocket, JavaScript and Flash. We don’t need to install any software, only click on the browser and we can connect to all the services. Sounds powerful, right? Apparently, it’s not easy to implement this feature. Some of them choose to implement it by themselves. However, protocol and web resource handling is prone to memory bugs. Think about an SSL VPN processing SMB or Flash. You know how hard it could be. Also, this requires high security awareness. For example, we found some debug functions and sensitive data; we found encryption and information exposed carelessly. Some vendors decided not to reinvent the wheel; they modified open source projects directly. But they copied the code, and also copied the bugs. This kind of software is hard to maintain, update or patch. Or, some vendors choose to call existing libraries. But the vendors often neglect to update these libraries.
We found libcurl and libxml from over ten years ago. Implementing WebVPN is really not easy. This is the most serious attack vector we’ve found on SSL VPNs.

During our research, we found out most SSL VPNs have their own native script language extensions, like PHP extensions written in C, or Perl extensions written in C++. Vendors like to use these extensions to do encoding, decoding or I/O operations to improve efficiency, which may be vulnerable. And it’s really prone to type confusion between different languages. As we know, string operation is always difficult in C, like buffer size calculation, dangerous functions such as string copy, or misunderstood functions. For example, do you really know what the return value of snprintf should be? Can it exceed the buffer size? Actually, it’s possible, so a calculation like this will cause an integer overflow. The types in these extensions are also confusing. Although they seem so simple, do you really know what type it is? Do you know if you’re using it safely? Who knows, and this may cause serious problems.

The last one is the multi-layered architectural problems. When there are different standards for processing the same thing, the inconsistency between them will give you problems, such as the attack surface on a reverse proxy and a Java web backend, the talk from Orange at DEF CON last year. And here we give another case. This is also an access control bypass. It’s on a C web server and a RESTful backend. In the regular expression, the plus matches too much, so we can leverage this to match the ../ and access the privileged pages.

Okay, so these are the special attack vectors we found on SSL VPNs. Following, we’re going to talk about two case studies. We will show how we got pre-auth remote code execution on Fortigate and Pulse Secure. Here is a disclaimer: all the CVEs mentioned below have been reported and patched by Fortinet, Pulse Secure and Twitter. So, please go update your SSL VPNs as soon as possible.

Okay, case one is Fortigate. We first jailbreak the Fortigate and look into the binaries. We tried to list the binaries in /bin, and we found they are all symbolic links, pointing to /bin/init, just like this screenshot. Fortigate compiles all the programs and the configurations into one single binary. This makes the init program really huge and annoying. Like, the init binary is up to 500 megabytes with 85,000 functions, and they are all stripped, no symbols. It contains plenty of function tables to manage its programs, including the web daemon. Through our investigation, we found the web service is modified from Apache. But it’s the Apache from 2002. So, the web server running on your SSL VPN is actually as old as your grandmother. [Laughter] Compared to the admin page, the user login interface is the only one that is definitely exposed to the internet. It looks like this, a simple-looking page, no other buttons or functions. So, we’re gonna exploit through this interface without authentication.

We will talk about three bugs today. First is the pre-auth remote code execution chain, where we combine two bugs: a pre-auth arbitrary file reading to login and a post-auth heap overflow to get a shell. We also introduce an interesting bug, the magic backdoor, which can modify any user’s password with a magic key. Let’s start with the file reading part. It was a function used to show the corresponding language for users. It concatenates strings directly, with a ../ filter, but a .json extension is appended automatically. So, it seems like we can only read JSON files.
Think about it: can we remove the .json and read any file we want? The answer is yes. We can utilize a feature of snprintf. According to the man page, it writes at most size minus one. The buffer size is fixed here, so we only need to make it fit the buffer size, like this. We fill it up with slashes. So, the path after snprintf becomes like this. The appended .json exceeds the buffer size and is stripped by snprintf. Then we can read whatever we want.

After getting arbitrary file reading, we found something interesting. We call it an SSL VPN mystery. It appears in many products, not only Fortigate but Pulse Secure and other vendors. The mystery is they hold an excessively detailed session file on the SSL VPN. The file is called the SSL VPN web session. What’s the content? Session token, of course. IP address, sure. Username, indeed. Plaintext password. [Laughter] Are you kidding? [Laughter] Yeah, you should never store any plaintext passwords. We don’t really know how this became popular; let me guess. Maybe they learned it from Google, or Facebook or Twitter. Who knows, just kidding. Anyway, these plaintext passwords are really convenient. We don’t need to crack passwords anymore and we can login easily.

Today, we’re going to utilize the WebVPN feature. As you can see, it supports numerous protocols. Let’s try HTTP. We only need to type the URL and we can connect to the website through WebVPN. And if we look at the URL, we can see that we’re still connecting to the SSL VPN. So, it proxies the whole website for us. And if we look into the elements, we can find the URLs of resources are also from the SSL VPN. It rewrites all the URLs for us. As you can imagine, this involves heavy string operation. So, here is a heap overflow. It occurs in JavaScript parsing. And it’s simply because of a lack of length check while copying memory. The buffer is only 0x2000, but the input string is unlimited.

Generally, we do some heap feng shui to overflow a nice target, control the program counter and do code execution. But the situation is difficult in Fortigate; we found something destabilizing. First of all, the web daemon handles connections with epoll. So, it’s a single-threaded process. And the main process and libraries use the same heap. It means all the memory allocations of all the operations in all the connections are on the same heap. So, the heap is really unstable. Moreover, there are some operations regularly triggered. They interfere with the heap arrangement and are uncontrollable. Therefore, we cannot arrange the heap location carefully. That would just make a mess. And there is something even more ironic. Apache implements an additional memory management. So, there is no free until the connection ends. We cannot arrange the heap in a single connection. The allocator also limits our exploit; it’s called jemalloc. It centralizes small objects. It allocates memory regions and maintains the regions in a run with a bitmap. This effectively reduces interference between small and large objects. It also limits our target options. It’s hard to put small objects nearby our buffer. So, we were stuck at that time, and therefore we started to fuzz the server, and it crashed. And we almost controlled the program counter. And yeah, this is why we love fuzzing. We crashed on a function table pointer in an SSL structure.
This structure stores information about each connection. It’s used for connection handling and is an ideal target for our heap exploit. First, every new connection allocates an SSL structure, so we can trigger it easily. And its size is close to our JavaScript buffer, and therefore it can be placed nearby our buffer with a regular offset. The most important thing is it has some useful structure members. It contains a function table pointer, called method, and this is how we triggered the crash. But we found one even better: it’s a function pointer called handshake function. With this, the exploit can be much easier. We don’t need a whole function table anymore; we only need a function address.

All the connections are on the same heap. So, we can mess up connections and overflow the SSL structure. So, we send lots of normal requests and attack the server with an overflow request in the meantime. If we look into the heap, there may be several SSL structures on the heap. For example, here are three SSL structures for three connections. The SSL structure is like this: some basic information and the function table. And the function pointer is now pointing to an SSL function, SSL_accept. Now, if we trigger the JavaScript parsing, and the JavaScript buffer is located ahead of these SSL structures, then we can trigger an overflow and overwrite the SSL structure members, like this. So, now we fill up the SSL structure with capital A’s, and make the program crash. What we need to do next is clear. We only need to forge the SSL structure with a fake function pointer, like the address of system. So, when the connection is trying to do the handshake, the program executes whatever we want. Anyway, the heap is unstable, so we need to send fuzzing connections to meet the condition. The server may crash sometimes, but it’s fine, Fortigate has a reliable watchdog. We just need several attempts, taking about one to two minutes to get a shell. So, this is the whole detail of how we achieve remote code execution.

Maybe some of you are not binary guys, so you may wonder, is there any other way to get into your server? So, why not find another door to make your life easier? We found a magic backdoor in the login page. This function was originally used to update outdated passwords. However, they failed to authenticate. So, we can simply use this secret key, which is called magic, to reset any user’s password.

Now we’re going to demonstrate how we pop a root shell from the only exposed HTTPS port. We put our PHP exploit on an external HTTP server; this is our exploit. In order to control the parameters of this one, we first do a stack pivot and make our buffer become the stack. After that, we do a ROP chain to call system. And here is the reverse shell command. We use Python to build a reverse shell. And we concatenate these strings to overflow the SSL structure. Now we can start hacking. In the first panel, we open a port to receive the reverse shell. And we start a fuzzing thread to build multiple normal connections. Then we attack the server. We first try to get the username and plaintext password from the web session. As you can see, we found a username, Meh, and the password, this is the password for Meh. We can use this account to login and make the SSL VPN proxy our PHP exploit. We only need to wait a few seconds. Okay, here we got the root shell.
Thank you very much. [applause]

>> Okay, the next case we talk about is Pulse Secure. Pulse Secure is the market leader of SSL VPN and was from a divestiture of Juniper Networks. They are Perl lovers and build all the architecture stack from scratch. The architecture is old but stable and secure. And it’s worth mentioning, Pulse Secure hooks all the processes by LD_PRELOAD, due to monitoring and security considerations. We will discuss this later. Here are the vulnerabilities we found. Among them, we will introduce a pre-auth arbitrary file reading and a post-auth command injection. We chain these two bugs into the pre-auth remote code execution.

The first bug is a pre-auth file reading. Pulse Secure introduced a new feature called HTML5 Access since version 8.2. It can access Telnet, SSH and remote desktop by browsers. In order to adapt to the new feature, Pulse Secure created a new if-condition to handle all static resources. Thanks to the new feature, the original strict validation has been bypassed. So, am I affected by this? All unpatched versions, except the end-of-life versions, are affected. Here is the payload for you to check your SSL VPN. When there is a special path at the end of the URL, the path validation becomes loose. And what can we get from this? We can get numerous useful pieces of information, such as the server private key to decrypt the SSL connection. We can also get important configurations such as the RADIUS and LDAP password, and all user password hashes and sensitive cookies which are cached in the WebVPN, like Google, Dropbox and iCloud. The last and most important is the cached plaintext password. Yes, plaintext again. For now, we get the credentials, so we are able to access the corporate network easily. However, our goal is to get code execution for persistence and further actions.

So, here we show a command injection in the management interface. From this code fragment, it’s very obvious and straightforward. If we can control the options, we can inject arbitrary commands into this Perl function. And, of course, we can. We can control the options from the troubleshooting page. So, is it that simple? No, I don’t think so. In order to avoid potential vulnerabilities, Pulse Secure applied a lot of hardening on their products, such as the system integrity check and the read-only file system to protect from backdoors in crontab or the webroot. The most effective hardening is the DSSafe module; it’s like a safeguard to protect Perl from dangerous operations. DSSafe is a Perl module which is written in C++. The module implements its own command parser, and hooks several dangerous functions, such as system, open and backtick. It also disallows numerous bad characters and re-implements the Linux I/O redirection in Perl. So, due to the hardening, we cannot perform any command injection. We tried several ways to bypass the hardening.
Of course, the first that came to my mind is argument injection. However, the tcpdump in Pulse Secure is too old. So, we failed because it didn’t support several juicy features, such as the postrotate command. While examining the system, we found Pulse Secure stores the temporary cache in a directory. We tried to write into this directory. But we can’t use stdout because it’s already redirected to the null device. What we can do is only abusing the save file argument. But there’s no way to generate a polyglot file in both Perl and PCAP format. So, it’s time to dig deeper. We dug into the DSSafe implementation to see if there is anything we can leverage. We found a flaw in the command parser. When there’s an incomplete I/O redirection, the rest of the I/O part will be truncated. However, although we can now control stdout, we still can’t find any way to generate valid Perl.

So, let’s think out of the box. Stdout is uncontrollable, but can we write a script by stderr? When you force tcpdump to open a non-existent file, it will show the error "no such file or directory". From the error, it seems we can partially control the message. We tried to pipe the stderr to Perl, though we still got nothing. However, when we tried to use another file name, such as "print 123" with a hashtag, we tried to pipe the stderr to Perl again and the magic happens. Perl prints out the 123 without errors. So, okay, in Perl that is supposed to be a goto label, so the "tcpdump" with a colon becomes a label in Perl. And we use the hashtag to comment out the rest of the part. So, the stderr becomes valid Perl now.

This is our final exploit; we will explain the payload one by one. The first is to make tcpdump open the non-existent file. The file will be part of the error message in stderr. And then we redirect the stderr into the cache directory, here in the file setcookie.thtml.tcc. The rest is the incomplete I/O symbol. This symbol causes the command parser to ignore the rest of the I/O redirection. Once our stderr has been written into the cache directory, we can just fetch the corresponding page to execute our command. By chaining these two vulnerabilities, we can get a reliable pre-auth remote code execution.

We have reported all of our findings to Pulse Secure PSIRT. And this is the response from them. They fixed all the bugs we sent them. Their reaction was very quick and professional. It’s a great time to work with Pulse Secure and they are such a really responsible vendor. After Pulse Secure released all the patches, we kept monitoring the internet to see the large corporations’ response time. Twitter is one of them. They are known for their bug bounty program and being nice to hackers. However, it’s not good to exploit a 1-day right after the patch is released. So, we waited thirty days for Twitter to upgrade their SSL VPN. This is the Twitter SSL VPN. It’s just a simple-looking page. From the reconnaissance, we know the last time Twitter upgraded was last December. So, Twitter is likely vulnerable. We have verified the bug and got a bunch of user credentials in plaintext. However, we encountered some problems while trying to pop our shell from Twitter. Yes, the first problem is the two-factor authentication.
Due to the two-factor authentication, even though we can get the plaintext password, we still can’t do anything. So, the first thing we need is to find a way to bypass that. We observed Twitter enabled the roaming session. Roaming session is a feature to enhance mobility. It allows a session from multiple IP locations. So, once we knew that, we downloaded the database and forged the session to bypass the two-factor authentication. And finally we logged into their system.

The next problem is the access control on the management interface. As we mentioned before, we have a command injection here. However, for security considerations, most corporations disable this interface on the public side. So, we need to find another way to access the interface. We leverage the WebVPN feature again to connect to itself. It’s just like SSRF. We use the zero to bypass the SSRF protection and access the management interface. And finally we got there. However, the last problem is that we didn’t find any manager’s plaintext password in the cache. Practically, most managers only log into their system the first time. The only thing we have is the password hash, stored in salted crypt SHA-256 format. So, we launched a 72-core AWS instance to crack the hash. And three hours later, we cracked the hash and successfully logged into their management interface. We are lucky because the length of the password is only ten, and the first character is capital B. It’s in the very early stage of our cracking queue. We exploited our command injection and tried to run the command ifconfig, and we got a shell. [applause] Thank you.

We reported all of our findings to their bug bounty program and got the highest bounty from Twitter. [applause] Although we cannot prove that, it seems this is the first remote code execution on Twitter.

Okay, the last is the bonus for you. Our company DEVCORE provides the most professional Red Team service in Asia. So, let’s talk about how to make the Red Team more red. In a Red Team operation, the personal computer is more valuable. So, in order to take control of all the clients, we need to weaponize the SSL VPN. There are several old-school methods, such as the watering hole attack and replacing the VPN installer. But here, we propose a new method. It’s the logon script. Logon script is a feature in almost every SSL VPN. It can execute the corresponding script to mount a network file system or change the routing table. So, here we will show you a demo of how we compromise all the VPN clients.

Okay, this is our demonstration. As you can see, the exploit takes one argument, so we append our target right after the exploit. Here we got the username and hash of admin. Although we could not find a plaintext password, we can still change our cookie to the session ID of admin. Okay, once our modification is done we can access the management interface, and we have become the admin. [applause] Thank you. Here we leverage the feature on the user roles and the VPN tunneling. We find a logon script section. Here you can see the logon script supports not only Windows but also Linux and macOS. So, we use the calculator as our backdoor.
And, once our modification is done, we change to the laptop of our victim. [Laughter] Ya, it’s cute. The victim launches the Pulse Secure agent and tries to connect to the SSL VPN with his username and password. And once the connection has been established, the calculator will be popped automatically. [applause]

Okay, here we finish all of our slides. But how do we mitigate such attacks? Here we give several recommendations. The first is the client-side certificate: without the certificate, the malicious connection will be dropped during SSL negotiation. The next is to enable multi-factor authentication; it can decrease numerous attack surfaces. And the last, remember to enable full log audit and subscribe to the vendors’ advisories to keep your system updated. This is the end of our presentation, and here is our contact information. [applause] Okay. We will post all the details right after our talk. So, please check that and let us know if you have any further questions. Thank you for being here again, thanks. [applause]