Daniel (dozer) Jensen - Hunting Bugs in The Tropics

    Daniel (dozer) Jensen, Hacker

    Presentation Title: Hunting Bugs in The Tropics
    Length of presentation: 45 Minutes

    Aruba Networks makes networking products for the enterprise. I make enterprise products run arbitrary code.

    Over the past couple of years, I've been hunting for vulnerabilities in some of Aruba's on-premise networking products and have had a bountiful harvest. A curated (read: patched) selection of these will be presented for your enjoyment. Pre-auth vulnerabilities and interesting bug chains abound, as well as a few unexpected attack surfaces and a frequently overlooked bug class.

    This talk will explore some of the vulnerabilities I've found in various products in the Aruba range, and include details of their exploitation. I'll elaborate on how I found these bugs, detailing my workflow for breaking open virtual appliances and searching for vulnerabilities in them.

    SPEAKER BIO:
    Daniel (aka dozer) works as a security consultant at a large cybersecurity company. He has been a professional penetration tester for several years, and has discovered numerous vulnerabilities in a wide range of software. He currently lives in New Zealand, and his favourite animal is the goose.

    twitter.com/dozernz
    https://dozer.nz

    REFERENCES:
    Aruba Vulns / Prior Research
    https://x-c3ll.github.io/posts/CVE-2...1-RCE-ArubaOS/
    https://alephsecurity.com/2021/07/15/aruba-instant/
    https://seclists.org/fulldisclosure/2016/May/19
    https://dozer.nz/posts/aruba-clearpass-rce (My own post)

    Misc
    https://gtfobins.github.io/
    https://github.com/vulhub/vulhub/tre...eo-cas/4.1-rce
