12. Step #0 – Tools
Notepad / VIM / Whatever
Mind Mapper (FreeMind etc.)
Diagram Drawer (Visio etc.)
OS specific tooling (enumeration / debug)
13. Step #1 – Get shell
• Possible approaches
• Mount virtual disk image
• Live CD – add a user
• Single user mode
• Allowed functionality
• Allowed functionality
• Default username and password
14. Step #2 – Get root
• Possible approaches
• Mount virtual disk image
• Live CD – add a user
• Single user mode
• Product configuration issue
• Product configuration issue
• They allow a shell
• They made a mistake / overlooked
16. Step #3 – Enumerate
• Product functionality
• Technologies in use
• Processes
• Listening ports
• Process to port mappings
• Users processes are running as
• Mooch around the interfaces (*scientific)
• Dig into the database (if there is one)
18. Step #3 – Enumerate – Technology
• Linux
• Postfix
• Java
• Apache Tomcat 6
• Spring (web framework)
• Apache James (mail)
• Tanuk Software Wrapper (allow Java to run as a
daemon)
• Jetty web server (SOAP interface)
• Postgres
22. Step #3 – Enumerate – Listening Ports
Port Process Description Verified who
22 SSHD SSH daemon No need
25 Master Postfix mail transfer agent No need / experience
8080 Java Tomcat /etc/tomcat6/server.xml
8443 Java Tomcat /etc/tomcat6/server.xml
23. Step #3 – Enumerate – Listening Ports
Port Process Description / Function Verified how
5400 Java RMI for JMX /etc/djihzo/spring/services.xml
5432 Postgres Database server Obvious from the process
name
8005 Java Tomcat shutdown port Internet knowledge
9000 Java SOAP interface /etc/djigzo/djigzo.properties
10025 Java Mail content filter port /etc/djigzo/james/config.xml
/etc/james/smtp_server.xml
/etc/postfix/main.cf
10026 Master Postfix mail transfer
agent – mail reinjection
/etc/djigzo/james/config.xml
/etc/postfix/main.cf
15012 Java Wrapper /etc/djigzo/djigzo.wrapper.conf
58490 Java Unknown
38. Step #3 – Enumerate – Other Tools
Tool Purpose
checksec.sh Operating system and binary defense in depth
find File system permissions, SUID binaries etc.
tcpdump Sniff loopback adapter for database, SOAP and other IPC traffic
lsof List open files for a particular process or path
strace System call trace – see which system calls are being made by a
process
ltrace Library call tract – see which library calls are being made by a process
unzip For extracting JAR and WAR files containing the Java classes
JD-GUI Java decompiler for the Java classes
39. Summary so far
We have a shell and file system access
We have root on the appliance
We know the technologies
We know product functionality
We know roughly how it is built
We know what speaks to what
We have mooched around the interfaces
We have had a quick look at the database
44. What still missing
High-level: Logging, Platform defences
etc.
Low-level: Detailed functional flows
e.g. authentication, actions, commands,
mail transiting
52. So what’s next?
We now ‘test’, ‘assess’ and or ask the
architects / developers what has been
considered and any present mitigations
53. How do we summarize?
Threat Impact / Risk Mitigation Residual Risk
Malformed
PDF
document
Memory corruption
leading to arbitrary code
execution in the main
daemon or wrapper
process
Written in Java Denial of Service
55. Going deeper
• Rip into database
• Application passwords stored in clear-text
• File system contents
• Soap interface credentials in clear-text
• Certificates are dynamically generated
== a more complete real world threat model
56. Going deeper
• Grab the Tomcat configurations
• Work out the filter chains
• See which URLs don’t’ need authentication
• Chain URLs back to Java classes
• Grab the JAR and WAR files contain the classes
• Disassemble
• Review code
== a more complete real world threat model
59. Challenges
• Development may not have the deep threat /
mitigation knowledge
• Brainstorming with a security person helps here
• Organisations under estimate the effort, size and
complexity required to do threat modelling right
60. Conclusions
• Threat modelling requires good understanding of
security risks
• Developing a good threat model takes a lot of time /
effort and resource
• Enumeration of technologies and interfaces is key
• Think about possible attacks and how they are
mitigated
• Verify threats either statically or dynamically
… this presentation was only the beginning
61. UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
North American Offices
San Francisco
Atlanta
New York
Seattle
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich - Germany
Zurich - Switzerland
Thanks! Questions?
Ollie Whitehouse
ollie.whitehouse@nccgroup.com