Date posted: 10-Jun-2015
Full Disclosure Vulnerabilities (0-days)
By Alex Hernández aka alt3kx
Date: 14.08.2009
Copyright (c) SybSecurity.com Research Labs 2009
About Alex Hernandez aka alt3kx
Currently a research contributor in Spain, Germany, USA, Amsterdam, Argentina, Australia, Belgium, Canada, and Mexico.
He has also coded some exploits, mainly for pen-testing tasks. His latest public exploits were published on security sites such as milw0rm, SecurityFocus and Packetstorm.
Division: Security Labs, Neurowork Spain
www.SybSecurity.com MX-AR-ES
Content
• Aruba Networks (WiFi Router) 0-day
– CSRF & Hijacking Session (cookies)
– Exploit & PoC video
• TriB0x (VoIP asterisk) 0-day
– SQLi and LFI
– Exploit & PoC video
• Cisco VPN client 0-day
– Denial Of Service (DoS)
– Exploit & PoC video
Aruba's networks were designed from the ground up to meet these requirements – and more. Our wireless solutions make add, move, and change costs evaporate. In fact, wireless networks built on our adaptive 802.11n technology cost just 10% of a comparable wired build-out, allowing you to rightsize your network while upgrading efficiency and productivity.
www.arubanetworks.com
Aruba 200 (WiFi Router)
Cross Site Request Forgery
Yes everything is vulnerable to CSRF…
Vulnerable POST Form (upload shell)
• Videos PoC (Proof Of Concept)
Vulnerable Firmware
• Software Version ArubaOS 3.1.1.4
• Build Number 16439
• Label 16439
• Built On 2007-10-09 15:47:42 PDT
• Software Version ArubaOS 3.3.1.23 (Digitally Signed - Production Build)
• Build Number 20304
• Label 20304
• Built On 2008-12-22 16:37:36 PST
Trixbox is a GNU/Linux operating system distribution, based on CentOS, whose particular feature is that it is a software-based telephone exchange (PBX) built on the open source Asterisk PBX. Like any PBX, it allows a company's internal telephones to be interconnected and connected to the conventional telephone network (RTB - Red telefónica básica, the basic telephone network).
SQLi Trixb0x
Web-meetme
What is it:
• Web-MeetMe is a suite of PHP pages to allow for scheduling and managing conferences on an Asterisk PBX. Add rooms and specify)
Some Screens Config 1
Some Screens Config 2
SQLi Web-MeetMe Video…
The power of "Bypass Auth": ' or 'a'='a
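As an added illustration (not code from the slides or from Web-MeetMe), the following Python runs the quoted string against a constructed in-memory SQLite login table, showing why it bypasses a query built by string concatenation and why the same check with bound parameters is not affected:

```python
import sqlite3

# Constructed in-memory user table standing in for a PHP login backend;
# this is not Web-MeetMe's own schema or code.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # Query assembled by concatenation: quotes inside the input become
    # part of the SQL, so the WHERE clause turns into
    #   name = 'admin' AND password = '' OR 'a'='a'
    # which is true for every row.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, name, password):
    # Same check, but the values travel as bound parameters and can
    # never alter the query structure; the input is compared literally.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

# The exact string shown on the slide.
BYPASS = "' or 'a'='a"

def demo():
    conn = build_db()
    return {
        "vuln_bypassed": login_vulnerable(conn, "admin", BYPASS),
        "vuln_correct_creds": login_vulnerable(conn, "admin", "s3cret"),
        "safe_bypassed": login_parameterized(conn, "admin", BYPASS),
        "safe_correct_creds": login_parameterized(conn, "admin", "s3cret"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```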
LFI (Local File Inclusion)
• Directory Traversal… video.
Response Trixbox & Dan Austin?
Vulnerable Versions
• Web-MeetMe_v3.1.0.tgz
• Web-MeetMe_v3.0.tgz
Patches… Not Yet…
Cisco VPN Client Local Denial of Service (DoS)
“cvpnd.exe”
Overview
• The Cisco Virtual Private Network (VPN) Client establishes an encrypted tunnel between a local system and a Cisco VPN concentrator. The tunnel provides data integrity and confidentiality, giving users a secure connection to a corporate network from an otherwise public, untrusted network.
Description
• A Denial of Service (DoS) vulnerability in the win32 VPN client can be exploited locally to crash the VPN client through the "cvpnd.exe" service, which runs with "SYSTEM" privileges.
Technical details
The Cisco VPN Client for win32 is installed as a Windows service called "Cisco Systems, Inc. VPN Service" or "CVPND", and its binary is located at:
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe
By default, the CVPND service runs with "SYSTEM" privileges.
Cisco VPN Client
Default PATH Win2k
Default PATH Windows Vista
Exploit Code 0day
• Video…
Response CISCO?
Yep, CISCO r0x
Omar Santos osantos [at] cisco [dot] com
PSIRT High Risk!
Bug ID is CSCsz49276
PSIRT ID is PSIRT-0676131279
Release: 27 August 2009 (Credits Alex Hernandez)
Thank u!
ahernandez [at] sybsecurity [dot] com
Research & Papers: http://www.sybsecurity.com/en/laboratory/