Full disclosure-vulnerabilities
Slides BugCon Security Conferences '09 Mexico City (Alex Hernandez aka alt3kx)


  1. Full Disclosure Vulnerabilities (0-days)
     By Alex Hernández aka alt3kx
     Date: 14.08.009
     Copyright (c) SybSecurity.com Research Labs 2009

  2. About
     Alex Hernandez aka alt3kx
     Currently a researcher and contributor in Spain, Germany, USA, Amsterdam, Argentina, Australia, Belgium, Canada and Mexico.
     He has also written some exploits, mainly for pen-testing work. His most recent public exploits were published on security sites such as milw0rm, SecurityFocus and Packetstorm.
     Division Security Labs, Neurowork Spain
     www.SybSecurity.com MX-AR-ES

  3. Content
     Aruba Networks (WiFi router) 0-day
       CSRF & session hijacking (cookies)
       Exploit & PoC video
     Trixb0x (VoIP Asterisk) 0-day
       SQLi and LFI
       Exploit & PoC video
     Cisco VPN client 0-day
       Denial of Service (DoS)
       Exploit & PoC video

  4. Aruba's networks were designed from the ground up to meet these requirements – and more. Our wireless solutions make add, move, and change costs evaporate. In fact, wireless networks built on our adaptive 802.11n technology cost just 10% of a comparable wired build-out, allowing you to rightsize your network while upgrading efficiency and productivity.
     www.arubanetworks.com

  5. Aruba 200 (WiFi router)

  6. Cross Site Request Forgery
     Yes, everything is vulnerable to CSRF…

  7. Vulnerable POST form (upload shell)
     Videos PoC (Proof of Concept)

  8. Vulnerable firmware
     Software Version: ArubaOS
     Build Number: 16439
     Label: 16439
     Built On: 2007-10-09 15:47:42 PDT
     Software Version: ArubaOS (Digitally Signed - Production Build)
     Build Number: 20304
     Label: 20304
     Built On: 2008-12-22 16:37:36 PST

  9. Response from Aruba Networks?
     Not yet
     support@arubanetworks.com

  10. Trixbox is a GNU/Linux operating system distribution, based on CentOS, whose particular feature is that it is a software telephone exchange (PBX) built on the open-source Asterisk PBX. Like any PBX, it lets a company's internal telephones be interconnected and connected to the conventional telephone network (RTB, Red Telefónica Básica).

  11. SQLi Trixb0x
      Web-MeetMe
      What is it:
      Web-MeetMe is a suite of PHP pages to allow for scheduling and managing conferences on an Asterisk PBX. Add rooms and specify)

  12. Some screens: Config 1

  13. Some screens: Config 2

  14. SQLi Web-MeetMe video…
      The power of '
      Bypass Auth: ' or 'a'='a

  15. LFI (Local File Inclusion)
      Directory traversal… video.

  16. Response from Trixbox & Dan Austin?
      Vulnerable versions
      Web-MeetMe_v3.1.0.tgz
      Web-MeetMe_v3.0.tgz
      Patches… not yet…

  17. [slide image]

  18. Cisco VPN Client
      Local Denial of Service (DoS)
      "cvpnd.exe"

  19. Overview
      The Cisco Virtual Private Network (VPN) Client establishes an encrypted tunnel between a local system and a Cisco VPN concentrator. The tunnel provides data integrity and confidentiality, giving users a secure connection to a corporate network from a public, untrusted network.

  20. Description
      A Denial of Service (DoS) attack on the win32 VPN client platform can be exploited locally, crashing the VPN client through the "cvpnd.exe" service, which runs with "SYSTEM" privileges.

  21. Technical details
      The Cisco VPN Client for win32 is installed as a Windows service called "Cisco Systems, Inc. VPN Service" or "CVPND", and its binary is associated with: C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe (C:\Archivos de programa\Cisco Systems\VPN Client\cvpnd.exe on Spanish-language Windows).
      By default, the CVPND service is executed with "SYSTEM" privileges.

  22. Cisco VPN Client

  23. Default PATH, Windows 2000

  24. [slide image]

  25. Default PATH, Windows Vista

  26. [slide image]

  27. Exploit code 0-day
      Video…

  28. Response from CISCO?
      Yep, CISCO r0x
      Omar Santos
      osantos [at] cisco [dot] com
      PSIRT: High Risk!
      Bug ID is CSCsz49276
      PSIRT ID is PSIRT-0676131279
      Release 27 August 2009 (Credits: Alex Hernandez)

  29. Thank u!
      ahernandez [at] sybsecurity [dot] com
      Research & Papers:
      http://www.sybsecurity.com/en/laboratory/
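Slide 14 shows the classic tautology bypass (' or 'a'='a) against the Web-MeetMe login. The following is an added example, not code from the slides or from Web-MeetMe, that reproduces why a string-concatenated login query falls to that input while a parameterized query does not, and adds a crude log-side indicator for the pattern. The users table, the admin credentials and the column names are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a PHP app's login table (assumption:
# a users table with name/password columns; Web-MeetMe's real schema is
# not on the slides).
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn

def login_vulnerable(conn, name, password):
    # String concatenation: the attacker's leading quote closes the
    # password literal and the trailing OR makes the WHERE clause true
    # for every row, so any username "authenticates".
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, name, password):
    # Bound parameters: the SQL text never changes and the bypass string
    # is compared as a plain password value, which simply does not match.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

# Crude detector for the "' or 'x'='x" tautology family in submitted
# form values or access logs. It is an indicator for review, not a
# substitute for parameterized queries (it misses many other payloads).
TAUTOLOGY = re.compile(r"'\s*or\s*'([^']*)'\s*=\s*'\1", re.IGNORECASE)

def flag_input(value):
    return bool(TAUTOLOGY.search(value))

BYPASS = "' or 'a'='a"   # the exact string from slide 14

def demo():
    conn = setup_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, "admin", BYPASS),
        "hardened_bypass": login_parameterized(conn, "admin", BYPASS),
        "hardened_valid": login_parameterized(conn, "admin", "S3cret!"),
        "flagged": flag_input(BYPASS),
    }

if __name__ == "__main__":
    print(demo())
```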