Lost in Translation presented at HITBSecConf Malaysia 2013

by Luiz 'effffn' Eduardo, Joaquim Espinhara

Summary: We all know that English has been the universal language for several years now. Companies have been offering their security products and assessment tools in different countries. Most of these products may have a GUI, configuration wizards and reporting capabilities in different languages to support their global customer base. But at the end of the day, what is under the hood ends up being the same, no matter what language a given product has been configured for.
With this in mind, we started performing some tests with both attack and defense tools used and sold globally, and problems were found. The great majority of these tools, internally, only “speak” English. When a target system that is protected or analyzed by these products is not configured to work in English, and answers queries or provides error messages in a foreign language, these security products end up falling short in their basic functionality, from detecting attacks to detecting failures in applications, for example.
As a proof of concept, we created two testing environments, one in English and another in our native language, Portuguese, and ran known open source and commercial scanning tools against both. The end results were somewhat scary: the detection rate for the environment in Portuguese was up to 75% lower than for the one in English. The same happened with some defense/protection tools in the same environments.
This issue could lead to many problems. From an offensive side, it allows attackers not only to infiltrate a system but also to use a possible language change in a target system to improve post-exploitation capabilities; from a defensive side, it can “avoid” the detection of certain vulnerabilities, amongst other implications.
Lastly, this talk will not demonstrate any new bypass techniques, but will show attack examples in real environments that are protected by products that have the problem previously described.
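The detection gap described in the summary, as an added example that is not code from the talk or from any product: signatures keyed on English error text are compared with signatures keyed on error codes, over the same database errors in English and Portuguese. The response strings, including the Portuguese wording, are constructed for illustration, and the example assumes the application exposes the error code alongside the message.

```python
import re

# Signatures keyed on English error text, as an English-only tool would carry.
ENGLISH_TEXT = [re.compile(p, re.I) for p in (
    r"SQL command not properly ended",
    r"error in your SQL syntax",
    r"syntax error at or near",
)]

# Signatures keyed on vendor error numbers and SQLSTATE codes, which stay
# the same when the message text is translated.
ERROR_CODES = [re.compile(p) for p in (
    r"\bORA-\d{5}\b",
    r"\b1064 \(42000\)",
    r"\bSQLSTATE:? ?42601\b",
)]

# Constructed sample responses: the same three errors in each language.
ERRORS_EN = [
    "ORA-00933: SQL command not properly ended",
    "ERROR 1064 (42000): You have an error in your SQL syntax near ''' at line 1",
    "ERROR: syntax error at or near \"'\" SQLSTATE: 42601",
]
ERRORS_PT = [
    "ORA-00933: comando SQL não encerrado adequadamente",
    "ERROR 1064 (42000): Você tem um erro de sintaxe no seu SQL próximo a ''' na linha 1",
    "ERRO: erro de sintaxe em ou próximo a \"'\" SQLSTATE: 42601",
]
BENIGN = ["Welcome to the home page", "Página inicial - bem-vindo"]


def detect(body, signatures):
    """True if any signature matches the response body."""
    return any(sig.search(body) for sig in signatures)


def detection_rate(bodies, signatures):
    """Fraction of error responses flagged by the signature set."""
    return sum(detect(b, signatures) for b in bodies) / len(bodies)


if __name__ == "__main__":
    for name, sigs in (("english-text", ENGLISH_TEXT), ("error-codes", ERROR_CODES)):
        print(f"{name:13} EN={detection_rate(ERRORS_EN, sigs):.0%} "
              f"PT={detection_rate(ERRORS_PT, sigs):.0%}")
```

Running the same comparison against a tool's real signature set and a localized test target shows which rules depend on message language.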