I LOVE vulnerabilities like this! You win remote code execution over port 443, where you then win a free trip to the configuration of end-user policies, and as a bonus you will get an exclusive excursion to "perform other administrative tasks." Consider that this is software that touches every end-user workstation, and it’s a vacation I can't wait to go on. The best part is that most people are giving this vacation away because, well, it’s on the inside of the network so I don't have to patch it. That’s when BeEF comes in handy to hook your browser, read your bookmarks and URL history, find the internal IP/hostname of your CSA console, then hopefully get your browser to send the payload I need. At least that’s how I see it going down, and I will have a fancy drink with lots of umbrellas and fruit in it, just because that’s how I roll on vacation.
Further, many of the CSA Consoles we have encountered over the past few years have not been patched well at all. While we love the idea of white-listing, this shows some of the limitations of security monocultures. The idea is great, yet the execution can be flawed.
Further, I feel that many of these products tend to make us lazy, much in the same way AV, firewalls and IDS have made us lazy. Even though something like CSA or another application white-and-nerdy listing comes out, we always need to assume there are going to be vulnerabilities in the product.
Now... We need to find a way to pull Paul off the ceiling and reduce his coffee vs. cold medicine intake.
Originally on episode 231.