Appliances powered by FireEye’s Malware Protection System (MPS) are now deployed in almost half of the Fortune 500. Until now, public research about these appliances has been limited to discussions of potential bypass methods.
In this talk we will present the architecture of MPS from an attacker’s point of view and demonstrate a complete remote compromise using vulnerabilities we discovered during this research.
We will analyze the different components of MPS, show how FireEye’s famous virtualization execution engine works and discuss the attack surface available to an outside attacker.
The presented vulnerabilities range from command injections in the management web interface, through local privilege escalation vulnerabilities, to exploits that allow a full compromise of the system by simply sending a malicious file over the network and exploiting bugs in the analysis process.
All discussed vulnerabilities have been disclosed responsibly to the vendor, and all have since been patched.