Think about managing your servers with an automated tool. Eliminate complexity and perform administrative tasks on remote machines in couple of clicks - this requires considerable trust in all the components of such solution. What could go wrong?
When working on my master thesis related to security assessment of black-box client-server applications, I needed a real system to test. We gained access to a software solution allowing remote administration of a broad range of server environments with one tool.
In this talk we will disclose some of the vulnerabilities we have found. This includes a way to compromise the systems in a managed environment by bypassing authentication and performing such unauthorized actions as remote password change.