Full Disclosure Vulnerabilities (0-days) By Alex Hernández aka alt3kx Date: 14.08.009 Copyright (c) SybSecurity.com Research Labs 2009

Post on 10-Jun-2015


Page 1: Full disclosure-vulnerabilities


Page 2: Full disclosure-vulnerabilities

About Alex Hernández aka alt3kx

Currently a researcher and contributor in Spain, Germany, USA, Amsterdam, Argentina, Australia, Belgium, Canada and Mexico.

He has also coded some exploits, mainly for pentesting tasks. His latest public exploits were published on security sites such as milw0rm, SecurityFocus and Packetstorm.

Devision Security Labs / Neurowork Spain / www.SybSecurity.com MX-AR-ES

Page 3: Full disclosure-vulnerabilities

Content

• Aruba Networks (WiFi Router) 0-day
– CSRF & Session Hijacking (cookies)
– Exploit & PoC video

• TriB0x (VoIP Asterisk) 0-day
– SQLi and LFI
– Exploit & PoC video

• Cisco VPN client 0-day
– Denial of Service (DoS)
– Exploit & PoC video

Page 4: Full disclosure-vulnerabilities

Aruba's networks were designed from the ground up to meet these requirements – and more. Our wireless solutions make add, move, and change costs evaporate. In fact, wireless networks built on our adaptive 802.11n technology cost just 10% of a comparable wired build-out, allowing you to rightsize your network while upgrading efficiency and productivity.

www.arubanetworks.com

Page 5: Full disclosure-vulnerabilities

Aruba 200 (WiFi Router)

Page 6: Full disclosure-vulnerabilities

Cross Site Request Forgery

Yes everything is vulnerable to CSRF…

Page 7: Full disclosure-vulnerabilities

Vulnerable POST Form (upload shell)

• Videos PoC (Proof Of Concept)

Page 8: Full disclosure-vulnerabilities

Vulnerable Firmware

• Software Version ArubaOS 3.1.1.4
• Build Number 16439
• Label 16439
• Built On 2007-10-09 15:47:42 PDT

• Software Version ArubaOS 3.3.1.23 (Digitally Signed - Production Build)
• Build Number 20304
• Label 20304
• Built On 2008-12-22 16:37:36 PST

Page 9: Full disclosure-vulnerabilities

Response Aruba Networks?

• Not Yet
• [email protected]

Page 10: Full disclosure-vulnerabilities

Trixbox is a GNU/Linux distribution based on CentOS whose particularity is that it is a software telephone exchange (PBX) built on the open-source Asterisk PBX. Like any PBX, it allows a company's internal telephones to be interconnected and connected to the conventional telephone network (RTB - Red telefónica básica, i.e. the PSTN).

Page 11: Full disclosure-vulnerabilities

SQLi Trixb0x

Web-MeetMe

What is it:

• Web-MeetMe is a suite of PHP pages to allow for scheduling and managing conferences on an Asterisk PBX. Add rooms and specify)

Page 12: Full disclosure-vulnerabilities

Some Screens Config 1

Page 13: Full disclosure-vulnerabilities

Some Screens Config 2

Page 14: Full disclosure-vulnerabilities

SQLi Web-MeetMe Video…

The power of the single quote: auth bypass with ' or 'a'='a
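To show why the ' or 'a'='a payload named on this slide bypasses a login check, here is an added illustration (not Web-MeetMe's own PHP code; the users table and credentials are constructed for the demo): a string-concatenated query beside its parameterized replacement, run against an in-memory SQLite database.

```python
import sqlite3

# Constructed stand-in for the application's user table (assumption:
# the real Web-MeetMe schema is not shown on the slides).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    db.commit()
    return db

def login_vulnerable(db, username, password):
    # Query assembled by string concatenation. The quote in the input
    # closes the password literal and the trailing OR clause is always
    # true, so the WHERE condition matches regardless of the password:
    #   ... AND password = '' or 'a'='a'
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password):
    # Parameterized query: the input is bound as data and never parsed
    # as SQL, so the same payload is just a password that does not match.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

BYPASS = "' or 'a'='a"   # the payload named on the slide

def demo():
    db = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(db, "admin", BYPASS),
        "vulnerable_legit": login_vulnerable(db, "admin", "correct-horse"),
        "safe_bypass": login_parameterized(db, "admin", BYPASS),
        "safe_legit": login_parameterized(db, "admin", "correct-horse"),
    }

if __name__ == "__main__":
    print(demo())
```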

Page 15: Full disclosure-vulnerabilities

LFI (Local File Inclusion)

• Directory Traversal… video.

Page 16: Full disclosure-vulnerabilities

Response Trixbox & Dan Austin?

Vulnerable Versions

• Web-MeetMe_v3.1.0.tgz
• Web-MeetMe_v3.0.tgz

Patches… Not Yet…

Page 17: Full disclosure-vulnerabilities
Page 18: Full disclosure-vulnerabilities

Cisco VPN Client Local Denial of Service (DoS)

“cvpnd.exe”

Page 19: Full disclosure-vulnerabilities

Overview

• The Cisco Virtual Private Network (VPN) Client establishes an encrypted tunnel between a local system and a Cisco VPN concentrator. The tunnel provides data integrity and confidentiality, allowing users to connect securely to a corporate network from a public, untrusted network.

Page 20: Full disclosure-vulnerabilities

Description

• A local Denial of Service (DoS) in the Win32 VPN client: it can be triggered locally and crashes the VPN client through the "cvpnd.exe" service, which runs with "SYSTEM" privileges.

Page 21: Full disclosure-vulnerabilities

Technical details

The Cisco VPN Client for Win32 is installed as a Windows service called "Cisco Systems, Inc. VPN Service" or "CVPND", and its binary is located at:

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe

By default, the CVPND service runs with "SYSTEM" privileges.

Page 22: Full disclosure-vulnerabilities

Cisco VPN Client

Page 23: Full disclosure-vulnerabilities

Default PATH Win2k

Page 24: Full disclosure-vulnerabilities
Page 25: Full disclosure-vulnerabilities

Default PATH Windows Vista

Page 26: Full disclosure-vulnerabilities
Page 27: Full disclosure-vulnerabilities

Exploit Code 0day

• Video…

Page 28: Full disclosure-vulnerabilities

Response CISCO?

Yep, CISCO r0x

Omar Santos osantos [at] cisco [dot] com

PSIRT High Risk!

Bug ID: CSCsz49276
PSIRT ID: PSIRT-0676131279
Release: 27 August 2009 (Credits: Alex Hernández)

Page 29: Full disclosure-vulnerabilities

Thank u!

ahernandez [at] sybsecurity [dot] com

Research & Papers: http://www.sybsecurity.com/en/laboratory/