Hunting Bugs in The Tropics

Presented at DEF CON 30 (2022), Aug. 12, 2022, 5 p.m. (45 minutes)

Aruba Networks makes networking products for the enterprise. I make enterprise products run arbitrary code.

Over the past couple of years, I've been hunting for vulnerabilities in some of Aruba's on-premise networking products and have had a bountiful harvest. A curated (read: patched) selection of these will be presented for your enjoyment. Pre-auth vulnerabilities and interesting bug chains abound, as well as a few unexpected attack surfaces and a frequently overlooked bug class.

This talk will explore some of the vulnerabilities I've found in various products in the Aruba range, and include details of their exploitation. I'll elaborate on how I found these bugs, detailing my workflow for breaking open virtual appliances and searching for vulnerabilities in them.

Presenters:

• Daniel Jensen
  Daniel (aka dozer) works as a security consultant at a large cybersecurity company. He has been a professional penetration tester for several years, and has discovered numerous vulnerabilities in a wide range of software. He currently lives in New Zealand, and his favourite animal is the goose.

Links:

• https://forum.defcon.org/node/242208
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Daniel Jensen - Hunting Bugs in The Tropics.mp4
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Daniel Jensen - Hunting Bugs in The Tropics.srt (subtitles)
• https://www.youtube.com/watch?v=kMgXtuJdP3c

Similar Presentations:

• Black Hat USA 2021 / Exploiting Windows COM/WinRT Services
• BSidesSF 2016 / Sedating the Watchdog: Abusing Security Products to Bypass Windows Protections