Rust Won't Save Us: Finding and Exploiting 0-days in Security Appliances

  Friday, 23 February

  45 mins

ABSTRACT

Increasingly threat actors are moving off of Windows endpoints and into places less visible like appliances. An analysis of CISA’s Known Exploited Vulnerabilities from 2023, and recent years, reveals that threat actors are targeting and exploiting appliances with both known vulnerabilities and 0-days of their own.

This talk covers the vulnerability research process used to discover 16 vulnerabilities across three different security appliances in the Fortinet product line. From command injection, SQLi, file reads, and more, this journey started what I dubbed the 'Forti Forty', a goal (cut short) to find 40 CVE’s in Fortinet appliances.

Attendees can expect to walk away with a general overview of how to approach reverse engineering security appliances, methodology used in reviewing large systems and code bases, and the common pitfalls that developers make in these complex systems.