Uploaded by ChRiStIaAn008 on Jan 29, 2011
Speaker: Martyn Ruks, Senior Security Consultant, MWR InfoSecurity
Every day billions of dollars pass through middleware, the unglamorous component of most enterprise applications. Middleware may be unglamorous, but even if billions of dollars doesn't interest you, it's bound to attract someone's interest sooner or later. Security is often addressed in the front-end web server and back-end database, but the other components are frequently ignored. The reason for this can be a lack of understanding of the risks or a lack of knowledge of the middleware products and how they can be attacked. One important property of a multi-tier environment is the ability to reliably pass data between authorised system components, and therefore messaging software is often required. A popular and widely deployed example of such a component is IBM's WebSphere MQ (formerly MQ Series).
This software can be run across a number of platforms including Microsoft Windows, commercial and Open Source UNIX platforms and IBM's z/OS and i5 Operating Systems. Companies use the technology to pass messages between application components and it is deployed across a wide range of industry sectors including Finance, Retail, Healthcare and many others. During penetration tests conducted by MWR InfoSecurity against its clients it has been discovered that the security features provided by the product are either not utilised correctly or are not suitable for their intended use.
This presentation will uncover the truth behind WebSphere MQ security as it is deployed in the real world and will look at how the software can be abused by an attacker, resulting in remote code execution. The talk will focus on methods for analysing the security controls that can be used to protect an installation of MQ and the limitations of each of them. Following on from this section of the talk, a number of methods will be presented for compromising both the message data and the Operating System through the MQ service. This will culminate in a demonstration of some of the attacks presented in the talk, followed by a discussion about the methods that exist for protecting an installation and ensuring that security breaches do not occur.
For more information visit: http://bit.ly/defcon15_information
To download the video visit: http://bit.ly/defcon15_videos
License: Standard YouTube License