Last week I attended my first OWASP event, and the event was held in Gothenburg, Sweden. Before I read about this event I hadn't heard about SQRL (Secure Quick Reliable Login), but the enthusiastic presentation by the author himself, Steve Gibson, got me hooked. I really like the idea of SQRL as a replacement for usernames and passwords, and hopefully we will see and use this system everywhere in the future.
If you are not familiar with how SQRL works and why it is so good, you can now watch the presentation on OWASP GBG's YouTube channel. It’s better to watch the author talk about it than me trying to explain it. So bring some popcorn and watch it.
This year’s amazing Security Fest has now come to an end. I’ve had two really great days where I learned a lot and got new inspiration and ideas to work with.
Christoffer Jerkeby – Load Balancer with RCE, Hacking F5
My favorite talk from this conference that I want to write a bit about was the super interesting talk by Christoffer Jerkeby about Remote Code Execution in F5’s Load Balancer, called Big-IP. Big-IP has a feature in the Local Traffic Manager that is called iRule which can be used to manage the network traffic. The language that is used for defining these iRules is a fork of the language TCL-8.4.
Christoffer provided two demos to show how these flaws can be exploited. Exploitation can lead to MITM (Man-in-the-Middle), the ability to set and remove any HTTP header, interception and injection of user traffic for any session, and termination of HTTPS.
This language has a few flaws that are not well known, and they are related to how the language expands variables and options. If the iRules are not written correctly, which in many cases they aren’t because of the lack of knowledge of these flaws, the code will not work as expected, to say the least.
Since the flaws are in how the language was built it’s not something that F5 can fix and no patch will or can be released that will mitigate this. This means that the people who configure these load balancers need to analyze their code in depth. It’s not easy to do that but Christoffer shared some great tools that can be used to help with the clean-up process and help you find out if your code is vulnerable.
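To make the two flaw classes concrete, here is a small heuristic checker added for this write-up (it is not one of the tools from the talk and is far less thorough than a real parser). It flags unbraced expression arguments and option-taking commands without the `--` terminator; the sample iRule, the function name `scan_irule` and the rule names are constructed for illustration.

```python
import re

# Constructed sample iRule for illustration (not taken from the talk).
SAMPLE_IRULE = r'''when HTTP_REQUEST {
    set n [HTTP::query]
    set total [expr $n + 1]
    set safe [expr {$n + 1}]
    if [HTTP::header exists "X-Debug"] { log local0. "debug" }
    if { $safe > 10 } { pool big_pool }
    switch [HTTP::host] {
        "a.example" { pool a_pool }
    }
    switch -- [HTTP::host] {
        "b.example" { pool b_pool }
    }
}'''

# expr/if/elseif/while evaluate their argument as an expression. If the
# argument is not wrapped in {braces}, Tcl substitutes it first and the
# command then substitutes the result again (double substitution).
UNBRACED_EXPR = re.compile(r'\b(expr|if|elseif|while)\s+(?![\s{])')

# switch/regexp/regsub accept leading -options. Without the "--" terminator,
# a substituted value that starts with "-" can be parsed as an option.
NO_TERMINATOR = re.compile(
    r'\b(switch|regexp|regsub)\b(?:\s+-[A-Za-z]+)*\s+(?=[$\[])')

def scan_irule(source):
    """Return (line_number, rule, command) for each heuristic finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.strip()
        if not code or code.startswith('#'):  # skip blanks and comments
            continue
        for rule, pattern in (('double-substitution', UNBRACED_EXPR),
                              ('missing-option-terminator', NO_TERMINATOR)):
            m = pattern.search(code)
            if m:
                findings.append((lineno, rule, m.group(1)))
    return findings

if __name__ == '__main__':
    for lineno, rule, command in scan_irule(SAMPLE_IRULE):
        print(f'line {lineno}: {rule} in "{command}"')
```

The braced and `--` forms on lines 4, 6 and 10 of the sample are the corrected counterparts of the flagged lines 3, 5 and 7.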
You can find the tools and read more about them on GitHub: