We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Infiltrating Corporate Intranet Like NSA Preauth RCE

00:00
subtitles
off
playback rate
1
off
Englisch (auto-generated)
0.25
0.5
0.75
1
1.25
1.5
1.75
2
576p
 Cite
 Share
 Download Purchase
DEF CON
 Tsai, Cheng-Da (Orange Tsai) Chang, Tingyi (Meh Chang)

Formal Metadata

Title
Infiltrating Corporate Intranet Like NSA Preauth RCE
Title of Series
Number of Parts
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Computer security is now a public policy issue. Election security, blockchain, "going dark," the vulnerabilities equities debate, IoT safety , data privacy, algorithmic security and fairness, critical infrastructure: these are all important public policy issues with a strong Internet security component. But while an understanding of the technology involved is fundamental to crafting good policy, there is little involvement of technologists in policy discussions. This is not sustainable. We need public-interest technologists: people from our fields helping craft policy, and working to provide security to agencies and groups working in the broader public interest. We need these people in government, at NGOs, teaching at universities, as part of the press, and inside private companies. This is increasingly critical to both public safety and overall social welfare. This talk both describes the current state of public-interest technology, and offers a way forward for us individually and collectively for our field. The defining policy question of the Internet age is this: How much of our lives should be governed by technology, and under what terms? We need to be involved in that debate.SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to intranet. However, we found pre-auth RCEs on multiple leading SSL VPNs, used by nearly half of the Fortune 500 companies and many government organizations. To make things worse, a “magic” backdoor was found to allow changing any user’s password with no credentials required! To show how bad things can go, we will demonstrate gaining root shell from the only exposed HTTPS port, covertly weaponizing the server against their owner, and abusing a hidden feature to take over all VPN clients! In such complicated closed-source systems, gaining root shell from outside the box certainly ain’t easy. It takes advanced web and binary exploitation techniques to struggle for a way to root shell, which involves abusing defects in web architectures, hard-core Apache jemalloc exploitation and more. We will cover every detail of all the dirty tricks, crazy bug chains, and the built-in backdoor. After gaining root shell into the box, we then elaborate on post exploitation and how we hack back the clients. In addition, we will share the attack vectors against SSL VPNs to kick start researches on similar targets. On the other hand, from our previous experience, we derive general hardening actions that mitigate not only all the above attacks, but any other potential 0days. In summary, we disclose practical attacks capable of compromising millions of targets, including tech giants and many industry leaders. These techniques and methodologies are published in the hope that it can inspire more security researchers to think out-of-the-box; enterprises can apply immediate mitigation, and realize that SSL VPN is not merely Virtual Private Network, but also a “Vulnerable Point of your Network”.
00:00
SoftwareVirtuelles privates NetzwerkWeb 2.0
00:42
UsabilitySoftwareString (computer science)Hacker (term)Vector spaceIntegrated development environmentSystem callDivisorServer (computing)InternetworkingCASE <Informatik>Software bugRemote procedure callInformation securityCuboidAuthenticationCartesian coordinate systemObservational studyIPSecExploit (computer security)Web 2.0TwitterEnterprise architectureSoftwarePerturbation theoryVector spaceIntegrated development environmentBinary codeChainCore dumpCASE <Informatik>RootInformation securityPulse (signal processing)Cartesian coordinate systemFirewall (computing)Observational studyFocus (optics)Web browserIntranetSurfaceVirtuelles privates NetzwerkClient (computing)AuthorizationPrincipal idealBackdoor (computing)Transport Layer SecurityExploit (computer security)Demo (music)TwitterComputer animation
03:13
Group actionSoftware bugShared memoryFocus (optics)Vulnerability (computing)Blind spot (vehicle)Non-standard analysisGroup actionLeakNichtlineares GleichungssystemSoftware bugDirection (geometry)IntranetVirtuelles privates NetzwerkComputer animation
04:21
Theory of relativityHacker (term)System callInternetworkingSoftware bugRemote procedure callVulnerability (computing)DivisorInformation securityVirtuelles privates NetzwerkSign (mathematics)PasswordTwitterComputer animationLecture/Conference
05:19
Computer programmingSoftware bugVulnerability (computing)Hacker (term)Dependent and independent variablesJSONUMLXMLComputer animationPanel painting
06:11
CodeComputer architectureHacker (term)Remote procedure callGastropod shellSource codeArchaeological field surveyService (economics)Enterprise architectureComputer architectureStatisticsBuildingFlow separationServer (computing)InternetworkingInformation securityPulse (signal processing)Gastropod shellInternet service providerFocus (optics)Source codeVirtuelles privates NetzwerkStack (abstract data type)Enterprise architectureJSON
07:27
Computer hardwareFile systemSemiconductor memoryLevel (video gaming)MehrplatzsystemGastropod shellCuboidKernel (computing)EncryptionBlack boxKey (cryptography)MiniDiscMultiplication signComputer forensicsMedical imagingComputer hardwareComputer architectureSemiconductor memoryBuildingLevel (video gaming)LeakAsynchronous Transfer ModeGastropod shelloutputKernel (computing)EncryptionReverse engineeringDirection (geometry)Source codeVirtuelles privates NetzwerkComputer fileView (database)PasswordNP-hardMiniDiscComputer forensicsVirtualizationComputer animation
08:53
Virtual machineProcess (computing)Set (mathematics)Kernel (computing)BootingOperating systemProcess (computing)outputKernel (computing)Direction (geometry)View (database)Program flowchart
09:29
Semiconductor memoryProcess (computing)Gastropod shellPoint (geometry)Scripting languageBootingPatch (Unix)Multiplication signComputer forensicsSemiconductor memoryKernel (computing)Computer forensicsProgram flowchart
10:12
Physical systemServer (computing)DemonVirtuelles privates NetzwerkGame controllerKernel (computing)View (database)Computer animationProgram flowchart
10:46
Computer architectureVector spaceExtension (kinesiology)Virtual machineCommunications protocolLatent heatWeb browserScripting languageVirtuelles privates NetzwerkFlash memoryProxy serverService (economics)Web 2.0Formal languageComputer architectureVector spaceExtension (kinesiology)MultiplicationCommunications protocolWeb browserJava appletScripting languageFlash memoryProxy serverPortable communications deviceComputer animation
11:59
CodeFormal languageInformationSoftwareString (computer science)Semiconductor memoryLibrary (computing)Type theorySensitivity analysisVector spaceFunctional (mathematics)Extension (kinesiology)Projective planeOperator (mathematics)Software bugInformation securityEncryptionDirection (geometry)Scripting languageVirtuelles privates NetzwerkFlash memoryOpen sourceDifferent (Kate Ryan album)Context awarenessCodeFormal languageImplementationInformationSoftwareSemiconductor memoryLibrary (computing)Type theoryFunctional (mathematics)Extension (kinesiology)Projective planeTape driveServer (computing)Software bugInformation securityPulse (signal processing)Communications protocolScripting languageSource codeVirtuelles privates NetzwerkPatch (Unix)Context awarenessStack (abstract data type)Computer animation
13:37
String (computer science)Type theoryIntegerFunctional (mathematics)Extension (kinesiology)Buffer solutionCalculationBuffer overflowFormal languageString (computer science)Type theoryFunctional (mathematics)Extension (kinesiology)Tape driveOperator (mathematics)Codierung <Programmierung>File formatBuffer solutionCalculationJSONComputer animation
14:22
CodeComputer architectureComputer programmingVector spaceBinary codeFunctional (mathematics)Table (information)ConsistencyLink (knot theory)Configuration spaceServer (computing)CASE <Informatik>Binary fileRemote procedure callDemonWeb pageObservational studyReverse engineeringJava appletSurfaceRegulärer Ausdruck <Textverarbeitung>Virtuelles privates NetzwerkComputer filePatch (Unix)Web serviceFront and back endsSymbol tableProxy serverStandard deviationWeb 2.0Game controllerTwitterMedical imagingCodeLogicComputer architectureComputer programmingParsingFunctional (mathematics)Table (information)ConsistencyConfiguration spaceServer (computing)CASE <Informatik>Remote procedure callAsynchronous Transfer ModeInformation securityPulse (signal processing)DemonGreedy algorithmWeb pageObservational studyReverse engineeringModule (mathematics)Java appletVirtuelles privates NetzwerkRegular expressionFront and back endsProxy serverPattern languageTwitterComputer animation
16:47
Functional (mathematics)ChainMemory managementSystem callInternetworkingSoftware bugRemote procedure callSystem administratorAuthenticationComputer fileBackdoor (computing)LoginBuffer overflowInterface (computing)ChainDew pointSoftware bugPasswordAuthorizationBackdoor (computing)JSONComputer animation
17:25
String (computer science)Functional (mathematics)Extension (kinesiology)MereologyInformation securityReading (process)Buffer solutionComputer fileTrailPasswordKey (cryptography)Web 2.0TwitterFacebookFormal languageInformationString (computer science)Product (business)Functional (mathematics)ChainExtension (kinesiology)Token ringUtility softwareSoftware bugVirtuelles privates NetzwerkComputer filePasswordBackdoor (computing)JSONComputer animation
19:31
Type theoryPasswordWebsiteProxy serverWeb 2.0Connected spaceCore dumpData storage devicePasswordProxy serverUniform resource locatorTwitterFacebookTelnetComputer animation
20:16
CodeParsingString (computer science)Computer programmingRewritingSemiconductor memoryConnected spaceFunctional (mathematics)Memory managementOperator (mathematics)DemonoutputBuffer solutionLengthBuffer overflowUniform resource locatorWeb 2.0ParsingCore dumpMemory managementBuffer solutionVulnerability (computing)Uniform resource locatorComputer animation
21:01
Data managementSemiconductor memoryLibrary (computing)Connected spaceMemory managementOperator (mathematics)Process (computing)Resource allocationData managementLibrary (computing)Connected spaceMemory managementOperator (mathematics)Process (computing)AdditionExploit (computer security)Computer animation
21:59
Computer programmingSemiconductor memoryDialectComputer configurationMemory managementCentralizer and normalizerServer (computing)Raster graphicsBuffer solutionBlock (periodic table)Object (grammar)Multiplication signComputer programmingDialectComputer configurationLimit (category theory)Centralizer and normalizerEmailData storage deviceRaster graphicsLattice (order)Object (grammar)Computer animation
22:43
Data structureInformationConnected spaceFunctional (mathematics)Memory managementTable (information)Pointer (computer programming)Data storage deviceBuffer solutionData structureInformationConnected spaceIdeal (ethics)Data storage deviceWeb pageResource allocationBuffer solutionComputer animationMeeting/Interview
23:28
Data structureConnected spaceFunctional (mathematics)Memory managementTable (information)Server (computing)Normal (geometry)Pointer (computer programming)Crash (computing)Address spaceMultiplication signBuffer overflowData structureConnected spaceRevision controlMassNormal (geometry)StrutVirtuelles privates NetzwerkBuffer overflowComputer animation
24:07
Data structureInformationFunction (mathematics)Computer programmingFlow separationConnected spaceFunctional (mathematics)Physical systemMemory managementTable (information)SubsetPointer (computer programming)Crash (computing)Address spaceBuffer solutionHoaxBuffer overflowData structureSemiconductor memoryConnected spaceMemory managementResource allocationBuffer overflowComputer animationDiagramProgram flowchart
25:18
CodeVideo gameConnected spaceFunctional (mathematics)Memory managementServer (computing)Remote procedure callGastropod shellWeb pagePasswordCondition numberBackdoor (computing)Connected spaceMultiplicationParameter (computer programming)Gastropod shellDemonAuthenticationFuzzy logicPasswordBackdoor (computing)Computer animation
26:19
Order (biology)Wave packetPhysical systemParameter (computer programming)RootGastropod shellReverse engineeringBuffer solutionStack (abstract data type)ChainPhysical systemRootGastropod shellHash functionPivot elementReverse engineeringAddress spaceHyperlinkNetwork socketStack (abstract data type)Demo (music)Computer animationSource code
26:54
Data structureString (computer science)Hacker (term)Connected spaceLeakServer (computing)RootGastropod shellSocial classThread (computing)PasswordProxy serverBuffer overflow2 (number)Web 2.0SimulationString (computer science)Connected spaceHill differential equationPhysical systemMenu (computing)RootGastropod shellInterior (topology)Address spaceGUI widgetPasswordStreaming mediaNetwork socketBuffer overflowOperating systemChord (peer-to-peer)JSONSource code
28:24
CodeComputer architectureMultilaterationInjektivitätProcess (computing)Software bugInformation securityReading (process)Computer fileVulnerability (computing)Stack (abstract data type)Computer architectureSoftwareInjektivitätNumeral (linguistics)Extension (kinesiology)Physical systemServer (computing)Information securityPulse (signal processing)Scripting languageBuffer solutionVirtuelles privates NetzwerkAuthorizationSpywareVulnerability (computing)Stack (abstract data type)Computer animation
29:27
Video gameOrder (biology)Validity (statistics)Revision controlException handlingSoftware bugRemote procedure callPoint (geometry)Reading (process)Web browserComputer fileCondition numberSinc functionComputer wormValidity (statistics)Fluid staticsRevision controlServer (computing)Information securityPulse (signal processing)Recursive descent parserWeb browserVirtuelles privates NetzwerkVulnerability (computing)TelnetComputer animation
30:14
InformationValidity (statistics)Sensitivity analysisConnected spacePublic-key cryptographyServer (computing)Hash functionPasswordHTTP cookieMessage passingCache (computing)Web 2.0CodeSensitivity analysisPhysical systemConfiguration spaceRevision controlChi-squared distributionRadiusGoogolHTTP cookieVulnerability (computing)Computer animation
31:06
CodeData managementSoftwareComputer configurationFunctional (mathematics)Group actionInjektivitätInterface (computing)Shift operatorSensitivity analysisComputer configurationSheaf (mathematics)InjektivitätAuthorizationCache (computing)JSONUMLXMLComputer animation
31:44
Order (biology)File systemParsingProduct (business)Flow separationInjektivitätPhysical systemCore dumpOperator (mathematics)Parameter (computer programming)Template (C++)Graphical user interfaceReading (process)Module (mathematics)Patch (Unix)Web 2.0ImplementationOrder (biology)Electric generatorFlow separationFunctional (mathematics)InjektivitätNumeral (linguistics)Extension (kinesiology)Physical systemResultantOperator (mathematics)Parameter (computer programming)Template (C++)State observerInformation securityPulse (signal processing)Kerr-LösungFile formatVirtuelles privates NetzwerkInterface (computing)JSONUMLXML
33:25
ImplementationValidity (statistics)ParsingLetterpress printingMereologyCore dumpStandard errorParameter (computer programming)Directory serviceError messageCuboidScripting languageComputer fileMultiplication signStandard deviationMessage passingCache (computing)CodeParsingValidity (statistics)Electric generatorComputer configurationInjektivitätPhysical systemResultantParameter (computer programming)Directory serviceError messageTemplate (C++)State observerInformation securityPulse (signal processing)Compilation albumControl flowFile formatState diagramMultiplication signInterface (computing)Computer animation
35:43
ParsingMereologyCore dumpStandard errorDirectory serviceError messageComputer fileSymbol tableHTTP cookieComputer wormCache (computing)Physical systemState diagramHTTP cookieExploit (computer security)JSONComputer animation
36:28
System callSoftware bugRemote procedure callTraffic reportingPatch (Unix)Multiplication signSoftwareRevision controlDependent and independent variablesInformation securityPulse (signal processing)Module (mathematics)Virtuelles privates NetzwerkBootingAuthorizationPatch (Unix)Vulnerability (computing)JSON
37:05
Computer programmingInternetworkingResponse time (technology)Software bugPatch (Unix)LoginTwitterHacker (term)Revision controlDivisorInformation securityPulse (signal processing)Virtuelles privates NetzwerkSign (mathematics)Coefficient of determinationPatch (Unix)TwitterJSONComputer animation
37:40
MultiplicationPhysical systemSoftware bugGastropod shellIP addressAuthenticationPasswordMultiplication signVulnerability (computing)Mobile WebTwitterCore dumpRevision controlDivisorAuthenticationPasswordAuditory maskingProxy serverVulnerability (computing)Cache (computing)Default (computer science)TwitterComputer animationLecture/Conference
38:49
Data managementInjektivitätInformation securitySingle sign-onWeb 2.0Interface (computing)Game controllerConnected spacePiSystem administratorInformation securityPulse (signal processing)Codierung <Programmierung>Interior (topology)EncryptionJava appletVirtuelles privates NetzwerkSign (mathematics)LoginInterface (computing)XMLComputer animation
39:34
Data managementPhysical systemCore dumpHash functionComputer filePasswordMultiplication signCache (computing)System administratorInformation securityHash functionVirtuelles privates NetzwerkPasswordJSONUMLComputer animation
40:14
Data managementComputer programmingLevel (video gaming)InjektivitätQueue (abstract data type)System callSoftware bugRemote procedure callHash functionPasswordLengthInterface (computing)TwitterDrop (liquid)Computer configurationProgrammable read-only memoryConnected spaceLine (geometry)Content (media)Annulus (mathematics)Structural loadExtension (kinesiology)Metric systemMultiplicationPairwise comparisonProjective planeEmailLink (knot theory)Broadcasting (networking)Dependent and independent variablesMatching (graph theory)Error messagePulse (signal processing)AuthenticationInterior (topology)Casting (performing arts)Frame problemChinese remainder theoremDisk read-and-write headVulnerability (computing)Uniform resource locatorCharge carrierImage warpingVolumenvisualisierungValue-added networkComputer animationSource code
41:05
Order (biology)SoftwareFile systemPersonal computerTable (information)Parameter (computer programming)Installation artScripting languageBit rateExploit (computer security)Service (economics)Demo (music)Game controllerTwitterInstallation artScripting languageVirtuelles privates NetzwerkClient (computing)Demo (music)Computer animation
42:37
Data managementSystem administratorHash functionPasswordHTTP cookieInterface (computing)SoftwareLevel (video gaming)Category of beingIntegrated development environmentConnected spaceMenu (computing)Revision controlSystem administratorRepeating decimalInformation securityPulse (signal processing)Drum memoryHash functionInclusion mapSource codeVideo game consoleEvent horizonPasswordCanonical ensembleBlock (periodic table)Element (mathematics)HTTP cookieVulnerability (computing)Cache (computing)Demo (music)International Date LineDefault (computer science)Computer animation
43:31
Sheaf (mathematics)Wind tunnelLaptopScripting languageCalculationScripting languageXMLProgram flowchart
44:18
InformationConnected spaceNumeral (linguistics)Physical systemSlide rulePresentation of a groupAuthenticationSurfaceClient (computing)PasswordCalculationPublic key certificateMultiplicationPhysical systemCore dumpDivisorServer (computing)AuthenticationClient (computing)Public key certificateComputer animation
Transcript: Englisch(auto-generated)