BSides Austin 2018 has ended
Thursday, March 8 • 3:30pm - 4:30pm
How (Not) to Patch Command Injection Bugs


In 2014 ZDI received a report of a command injection vulnerability in Dell's Sonicwall GMS Virtual Appliance. Normally this type of analysis is relatively simple. However, this analysis took a windy path from the JSP web interface through two XMLRPC sockets, to a binary, which delegated to shell scripts, which sourced yet another shell script that actually parsed attacker-supplied input. All this, just to make simple host modifications. Presumably, the code complexity drove the developers to patch this bug at the webapp level, instead of closer to the root cause. The resultant patch was immediately bypassed and the subsequent patch was also flawed.

A few months later, other researchers reported an additional attack vector involving direct communication with one of the XMLRPC sockets to trigger the same underlying vulnerability outlined in the very first ZDI report.

Ultimately, it appears the soft chewy center remains, but the crunchy outer shell has been significantly hardened, and thus, the hunt continues. This talk will detail the various patch attempts, how they failed or succeeded, and how they were analyzed, bypassed, and exploited with a Metasploit module we are releasing. We'll also discuss the much more comprehensive defense measures currently implemented by the developers.


Michael Flanders

Michael Flanders is a Vulnerability Intelligence Intern at Trend Micro's Zero Day Initiative. His focus includes analyzing and performing root-cause analysis on zero-day vulnerabilities submitted to the world's largest vendor-agnostic bug bounty program by researchers from around...

Joshua Smith

Kernelsmith is a senior security researcher and the "FuzzOps" Manager at Trend Micro's Zero Day Initiative. When he's not herding cats or managing infrastructure, they let him think he's still analyzing vulnerabilities submitted to the program. He was a pentester in the United States...

Thursday March 8, 2018 3:30pm - 4:30pm CST
Lil Tex Auditorium