One thing we like to highlight at Bugcrowd is the creation of lasting, positive relationships between clients and talented researchers. Today one of our crowd, Duarte Silva, released some of his work on reverse engineering the Aruba Networks ArubaOS firmware package.
Some time ago, I had the chance to get my hands on an ArubaOS firmware; what follows is the full process to extract all the files, recreating the appliance's running file system. This had the objective of fuzzing the extracted binaries in QEMU (the ArubaOS management console is CGI based).
Duarte initially worked on the Aruba Networks Bugcrowd private bounty. He then reached out to Bugcrowd and Aruba to publish subsections of his research. Duarte’s blog outlines his investigations into unpacking the OS firmware into a readable file structure. Once this is done, Duarte plans on fuzzing the files within to exploit vulnerabilities in the firmware binaries. By sharing his research publicly, he has also opened up and sped up the testing of the firmware by other Crowd members.
The conversation between Duarte and Aruba was a breath of fresh air in responsible disclosure discussions, which many have described as unapproachable. We applaud both Duarte and Aruba for creating an environment where researchers can communicate security vulnerabilities in tandem with organizations.
Aruba has stepped up even further, asking Duarte and other researchers to look into more attacks on the firmware, including trying to modify the firmware, upload it to a controller, and get it to run on a device.
If you have the skills and the motivation to do this work, Bugcrowd and Aruba are looking for you! Aruba’s program is private; to be eligible for an invitation, you need to join the Bugcrowd platform and submit high-quality vulnerabilities to our public programs. New and rising researchers who have shown that they have the skills are often invited to our private programs, giving those researchers access to complex, interesting, and often lucrative programs like Aruba Networks.
Come join our worldwide community of researchers and take advantage of our Bugcrowd forum where we share knowledge about our methods and provide many guides and resources.
Reputation, fame, and fortune await you! #jointhehunt