Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Aruba in Chains: Chaining Vulnerabilities for Fun and Profit

Aleph Security, posted 4 years ago
  • Aruba Instant is firmware for routers manufactured by Aruba Networks. The routers running this firmware are mainly bought by the enterprise industry (such as airports, hospitals, universities, conferences).
  • On the WiFi access point page (captive portal), there was functionality for adding a new logo. This functionality was exposed through a jailed console over SSH/Telnet. The binary takes in a URL, passes it to wget and downloads the file. Wisely, they sanitized the input for malicious shell metacharacters to prevent command injection.
  • Does a space ( ) seem scary to you? With powerful binaries come amazing primitives! Because the space had not been added to the filter for the URL, it was possible to escape the URL and pass in arbitrary arguments. Using --post-file=FILE, arbitrary files can be read; using --output-document=FILE lets us write arbitrary files to the server. But at this point this is only LPE.
  • While trying to exploit the bug above, a patch appeared that fixed the space character. However, we can still use a TAB (\t) to do the same attack in a surprisingly effective way.
  • The next bug allowed for an arbitrary file write to any location via the HTTP server, with one restriction: the file name had to end in .log. While using snprintf with the proper size will prevent buffer overflows, the truncation can be abused to write a file with an arbitrary extension! Damn, that is so clever.
  • All of the previous bugs required some form of authentication. How about we change that? The authors found a race condition in one of the binaries responsible for sending PAPI data. PAPI sends a message and then waits for a response. By sending a fake PAPI message before the real response arrives, it will instruct the service to read from a file that it shouldn't, such as /etc/passwd.
  • At this point, it is game over: there is an unauthenticated way to trigger the original set of LPEs. Besides these, the authors found another argument injection into wget. Additionally, they found an XSS bug on the captive portal as well.
  • The steps to exploitation were long and complicated simply because the service is built that way! They chained semi-intended features into an amazing set of bugs to own the device. Good work!
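The snprintf truncation bug summarized above, shown as an added illustration that is not code from the Aleph Security write-up or from Aruba's firmware: a path builder that ignores snprintf's return value next to one that rejects truncated output. The log directory, the deliberately tiny buffer size and the file names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LOG_DIR  "/tmp/logs"   /* assumed directory */
#define PATH_BUF 32            /* tiny on purpose so the truncation is easy to see */

/* Vulnerable: snprintf never overflows buf, but when "<dir>/<name>.log" does
 * not fit, the characters cut off are at the end, i.e. the ".log" suffix.
 * The caller then writes to a path whose extension the input controls. */
const char *log_path_vulnerable(const char *name)
{
    static char buf[PATH_BUF];
    snprintf(buf, sizeof buf, "%s/%s.log", LOG_DIR, name);
    return buf;
}

/* Hardened: snprintf returns the length the full string would have had.
 * A value >= sizeof buf means the output was truncated and must not be
 * used as a file name. Names containing '/' or ".." are rejected too, so
 * the suffix rule cannot be combined with directory traversal. */
const char *log_path_checked(const char *name)
{
    static char buf[PATH_BUF];
    if (name[0] == '\0' || strchr(name, '/') != NULL || strstr(name, "..") != NULL)
        return NULL;
    int n = snprintf(buf, sizeof buf, "%s/%s.log", LOG_DIR, name);
    if (n < 0 || (size_t)n >= sizeof buf)
        return NULL;            /* truncated: refuse instead of writing */
    return buf;
}

/* Returns 1 if path really ends in ".log", 0 otherwise. */
int ends_with_log(const char *path)
{
    size_t len = strlen(path);
    return len >= 4 && strcmp(path + len - 4, ".log") == 0;
}

int main(void)
{
    /* Constructed input: long enough that ".log" no longer fits in the buffer. */
    const char *evil = "aaaaaaaaaaaaaaaaaa.sh";
    printf("vulnerable: %s (ends in .log: %d)\n",
           log_path_vulnerable(evil), ends_with_log(log_path_vulnerable(evil)));
    printf("checked:    %s\n", log_path_checked(evil) ? log_path_checked(evil) : "(rejected)");
    return 0;
}
```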