Bug Hunting for the Man on the Street

This is a guest post from Vladimir Wolstencroft, to provide some details of his upcoming #TR15 talk.

What do you get when you combine a security appliance vendor, a bug bounty program, readily available virtualised machines, a lack of understanding of best security practices and broken crypto?
Ownage, a good story and maybe even that bounty…

Focusing on Barracuda’s numerous security appliances, this talk will detail bug hunting methods and the principles used to examine these machines:
It starts with a black box test and the challenges that this approach poses, then moves on to decrypting the firmware, getting system root, bricking the box, fighting the (de)activation methods, getting system root again, DoS’ing the VM host and finally using Barracuda’s own source code to find those vulnerabilities that otherwise would be invisible or impossible to find! There were also some unexpected outcomes that followed…

Selecting the mark for your bug hunting and vulnerability research analysis tends to pose an interesting challenge in itself. The testing performed needs to skirt the right side of the law and provide a target-rich environment. Hopefully the vendors also make some sort of security claims or deal with some sort of sensitive data or information!

Fortunately the Barracuda set of products ticks all the right boxes — their appliances are designed to protect networks and systems and tend to be the perimeter defense points. They run a bug bounty program and have trial virtual machines available for researchers and customers. They even run an underlying framework across their whole range of appliances, as the developers alluded to in the source code:
“Someone who knows the secret on one Cuda knows them all”

How can a security researcher resist such a call to action?! Challenge accepted!

Furthermore, as these security appliances are meant to defend and protect their targets, should we not hold them to a higher technical standard than normal applications or, say, messaging apps? We shouldn’t expect to find things like hardcoded encryption keys or static salts, should we?!

Taking this into consideration, as well as the fact that there have been no Barracuda product vulnerabilities reported in the CVE database since 2008 and previous Barracuda research has been heavily redacted when it comes to POCs, Barracuda makes a pretty viable and worthwhile target for a bug hunting spree!

If you are interested in performing your own white box tests on their security appliances, finding some interesting bugs and perhaps even submitting a bounty of your own (and making their appliances that little bit safer), join me for my talk on hunting for bugs!

For everyone else, I quote one of the many source code comments that will be analysed in this presentation:
“As a final security measure we ask that you please stop reading now. ☺”.


