Tal zeltzer

Talk : Virtually Secure, Analysis to Remote Root 0day on an Industry Leading SSL-VPN Appliance

Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses
we’ve experienced – EVER!

Bio :

Tal Zeltzer is an Israeli security researcher, reversing by day and hacking by night. Tal has a history of 0days behind him, ranging from his latest PCAnywhere findings to embedded systems and web applications. He spends most of his free time conducting research and developing research tools. He tweets under @talzeltzer and blogs at http://exploit-code.com