Full Disclosure Vulnerabilities (0-days)
By Alex Hernández aka alt3kx
Date: 14.08.009
Copyright (c) SybSecurity.com Research Labs 2009
About
Alex Hernandez aka alt3kx
Currently a researcher and contributor in Spain, Germany, the USA, Amsterdam, Argentina, Australia, Belgium, Canada and Mexico.
He has also coded some exploits, mainly for pen-testing work. His most recent public exploits were published on security sites such as milw0rm, SecurityFocus and Packetstorm.
Division Security Labs, Neurowork Spain
www.SybSecurity.com MX-AR-ES
Content
• Aruba Networks (WiFi Router) 0-day
  – CSRF & Hijacking Session (cookies)
  – Exploit & PoC video
• TriB0x (VoIP Asterisk) 0-day
  – SQLi and LFI
  – Exploit & PoC video
• Cisco VPN client 0-day
  – Denial Of Service (DoS)
  – Exploit & PoC video
Aruba's networks were designed from the ground up to meet these requirements – and more. Our wireless solutions make add, move, and change costs evaporate. In fact, wireless networks built on our adaptive 802.11n technology cost just 10% of a comparable wired build-out, allowing you to rightsize your network while upgrading efficiency and productivity.
www.arubanetworks.com
Aruba 200 (WiFi Router)
Cross Site Request Forgery
Yes, everything is vulnerable to CSRF…
Vulnerable POST Form (upload shell)
• Videos PoC (Proof Of Concept)
Vulnerable Firmware
• Software Version ArubaOS 3.1.1.4
  – Build Number 16439
  – Label 16439
  – Built On 2007-10-09 15:47:42 PDT
• Software Version ArubaOS 3.3.1.23 (Digitally Signed - Production Build)
  – Build Number 20304
  – Label 20304
  – Built On 2008-12-22 16:37:36 PST
Trixbox is a GNU/Linux distribution based on CentOS whose distinguishing feature is that it is a software telephone exchange (PBX) built on the open-source Asterisk PBX. Like any PBX, it lets a company's internal telephones be interconnected and connected to the conventional telephone network (RTB - Red telefónica básica, i.e. the PSTN).
SQLi Trixb0x
Web-meetme
What is it:
• Web-MeetMe is a suite of PHP pages to allow for scheduling and managing conferences on an Asterisk PBX. Add rooms and specify
Some Screens Config 1
Some Screens Config 2
SQLi Web-MeetMe Video…
The power of 'Bypass Auth': ' or 'a'='a
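To show the 'Bypass Auth' payload above from the defender's side, here is an added Python example (not Web-MeetMe's code; it uses an in-memory SQLite table with constructed data, and the table and column names are assumptions) that runs the slide's ' or 'a'='a string against a string-concatenated login query and against its parameterized replacement.

```python
import sqlite3

# Constructed stand-in for a PHP login page's user table (table/column names assumed).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    db.commit()
    return db

def login_vulnerable(db, name, password):
    # String concatenation: user input becomes part of the SQL grammar, so a
    # quote in the password closes the literal and "or 'a'='a" is always true.
    sql = ("SELECT COUNT(*) FROM users WHERE name='" + name +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, name, password):
    # Bound parameters: the input is data only; the quote cannot end the literal.
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND password=?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0

BYPASS = "' or 'a'='a"   # the string shown on the slide

def demo():
    """Run both login variants with valid credentials and with the slide's payload."""
    db = make_db()
    return {
        "vuln_good_creds": login_vulnerable(db, "admin", "correct-horse"),
        "vuln_bypass": login_vulnerable(db, "admin", BYPASS),        # True: auth bypassed
        "param_good_creds": login_parameterized(db, "admin", "correct-horse"),
        "param_bypass": login_parameterized(db, "admin", BYPASS),    # False: payload is just a wrong password
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'logged in' if outcome else 'rejected'}")
```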
LFI (Local File Inclusion)
• Directory Traversal… video.
Response Trixbox & Dan Austin?
Vulnerable Versions
• Web-MeetMe_v3.1.0.tgz
• Web-MeetMe_v3.0.tgz
Patches… Not Yet…
Cisco VPN Client Local Denial of Service (DoS)
“cvpnd.exe”
Overview
• The Cisco Virtual Private Network (VPN) Client establishes an encrypted tunnel between a local system and a Cisco VPN concentrator. The tunnel provides data integrity and confidentiality, giving users a secure connection to a corporate network from a public, untrusted network.
Description
• A Denial of Service (DoS) condition in the Win32 VPN client can be triggered locally, crashing the VPN client through the "cvpnd.exe" service, which runs with "SYSTEM" privileges.
Technical details
The Cisco VPN Client for Win32 is installed as a Windows service called "Cisco Systems, Inc. VPN Service" or "CVPND", and its binary is located at:
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe (on Spanish-language Windows)
By default, the CVPND service runs with "SYSTEM" privileges.
Cisco VPN Client
Default PATH Win2k
Default PATH Windows Vista
Exploit Code 0day
• Video…
Response CISCO?
Yep, CISCO r0x
Omar Santos osantos [at] cisco [dot] com
PSIRT High Risk!
Bug ID: CSCsz49276
PSIRT ID: PSIRT-0676131279
Release: 27 August 2009 (Credits: Alex Hernandez)
Thank u!
ahernandez [at] sybsecurity [dot] com
Research & Papers: http://www.sybsecurity.com/en/laboratory/