Previously, we showed you how we found a vulnerability in a DNS parser exposed through a router's Wide Area Network (WAN) connection.
Today, we will dive deep into it, and work around its limitations to build a surprisingly complex exploit. So buckle up, and join us on an epic journey to get that sweet remote root shell!
In this video, we will continue our journey into exploiting CVE-2020-10881, which we abused in the Pwn2Own Tokyo 2019 hacking competition to win $20,000 :-)
In 2019 and 2020, we DOMINATED the router Wide Area Network or WAN category in the Pwn2Own hacker competition. In this category, hackers attack network devices with previously unknown vulnerabilities, from external networks such as the Internet.
Unfortunately, by 2021 our competitors had reverse engineered our techniques, and the game was up.
Today, we are starting a video series where we will show you our tips, tricks and techniques to find and exploit WAN vulnerabilities in network devices. And we're starting with a beautiful DNS exploit that got us $20,000 in prizes.
Let's get ready to PWN!
In this video, we will tell you the story of how we found CVE-2020-10881 in the Pwn2Own Tokyo 2019 hacking competition and won $20,000 by exploiting it :-)
In this short video we show you how we discovered and used a backdoor in the Arlo Q Plus to gain root access to the device.
1. We identified the UART console
2. Dumped the NAND firmware
3. Found and cracked hardcoded SSH root account
4. Discovered a special operation mode to enable SSH
The vulnerability was disclosed to the vendor via ZDI (ZDI-21-683) and tracked under CVE-2021-31505.
Advisory: https://www.zerodayinitiative.com/advisories/ZDI-21-683/
Fixed version: VMC3040S: 1.9.0.8_199_3707910 (according to Arlo; we did not test the fix)
One of the first things you have to do when hacking and breaking embedded device security is to obtain the firmware. If you're lucky, you can download it from the manufacturer's website or, if you have a shell, you can just copy it over to your computer.
But what if none of these options are available?
In this video, we will show you how you can connect directly to a NOR flash chip with the SPI protocol to dump the firmware and find your vulns, even if off the shelf tools don't work!
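When an off-the-shelf tool such as flashrom does not recognise the chip, the dump itself is only two JEDEC commands: RDID (0x9F) to learn who made the chip and how big it is, then sequential READ (0x03, or 0x13 with a 32-bit address on parts larger than 16 MiB) until the whole array has been clocked out. The script below is an added example, not the Flashback Team's code. It assumes a transfer callback that sends some bytes and then reads a given number back with chip select held low (pyftdi's SpiPort.exchange has that shape; adapt for spidev or a Bus Pirate); the chip ID, the flash contents and the SimulatedSpiNor class are constructed so it runs offline.

```python
"""Dump a SPI NOR flash with the JEDEC command set: RDID to size the chip,
then sequential READ (3- or 4-byte address) until the whole array is read."""
import random
from typing import Callable

CMD_RDID = 0x9F      # read JEDEC ID: manufacturer, memory type, capacity
CMD_READ = 0x03      # read data, 24-bit address
CMD_READ4B = 0x13    # read data, 32-bit address (needed above 16 MiB)

# Transfer callback (assumption): send `out`, then clock in `readlen` bytes
# while CS stays low. Adapt to your adapter, e.g. pyftdi SpiPort.exchange.
Transfer = Callable[[bytes, int], bytes]


def constructed_image(size: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random flash contents for the offline demo."""
    return random.Random(seed).randbytes(size)


class SimulatedSpiNor:
    """Constructed stand-in for a real chip so the dumper runs offline.
    It answers RDID with a fixed ID and READ/READ4B from an in-memory image,
    wrapping at the end of the array like a real part does."""

    def __init__(self, jedec_id: bytes, image: bytes):
        self.jedec_id = jedec_id
        self.image = image

    def exchange(self, out: bytes, readlen: int) -> bytes:
        cmd = out[0]
        if cmd == CMD_RDID:
            return (self.jedec_id + b"\xff" * readlen)[:readlen]
        if cmd == CMD_READ and len(out) == 4:
            addr = int.from_bytes(out[1:], "big")      # 24-bit address
        elif cmd == CMD_READ4B and len(out) == 5:
            addr = int.from_bytes(out[1:], "big")      # 32-bit address
        else:
            raise ValueError(f"unsupported or malformed command {out.hex()}")
        addr %= len(self.image)
        data = self.image[addr:addr + readlen]
        if len(data) < readlen:                        # wrap to address 0
            data += self.image[:readlen - len(data)]
        return data


def read_jedec_id(xfer: Transfer) -> tuple[int, int, int]:
    mfr, mtype, cap = xfer(bytes([CMD_RDID]), 3)
    if (mfr, mtype, cap) in ((0x00, 0x00, 0x00), (0xFF, 0xFF, 0xFF)):
        # all-zero or all-one means MISO is floating: check VCC, CS, clock, wiring
        raise RuntimeError("no response from flash (check wiring, VCC and CS)")
    return mfr, mtype, cap


def capacity_from_id(cap: int) -> int:
    """Most vendors encode capacity as 2**cap (0x17 -> 8 MiB). Confirm with
    the datasheet; a few parts use a different encoding."""
    if not 0x10 <= cap <= 0x21:        # 64 KiB .. 2 GiB, loose sanity bounds
        raise ValueError(f"unexpected capacity code {cap:#04x}")
    return 1 << cap


def dump_flash(xfer: Transfer, chunk: int = 4096) -> bytes:
    """Read the whole array. Above 16 MiB a 24-bit address cannot reach the
    upper half, so switch to the 4-byte-address read command."""
    _, _, cap = read_jedec_id(xfer)
    size = capacity_from_id(cap)
    four_byte = size > (1 << 24)
    image = bytearray()
    for addr in range(0, size, chunk):
        if four_byte:
            hdr = bytes([CMD_READ4B]) + addr.to_bytes(4, "big")
        else:
            hdr = bytes([CMD_READ]) + addr.to_bytes(3, "big")
        image += xfer(hdr, min(chunk, size - addr))
    return bytes(image)


def verify_dump(xfer: Transfer, image: bytes, chunk: int = 4096) -> bool:
    """Dump a second time and compare: a loose clip or too high an SPI clock
    shows up as bytes that differ between two reads."""
    return dump_flash(xfer, chunk) == image


if __name__ == "__main__":
    # Constructed 64 KiB part; the ID bytes are illustrative only.
    chip = SimulatedSpiNor(bytes([0xEF, 0x40, 0x10]), constructed_image(1 << 16))
    dump = dump_flash(chip.exchange)
    print(len(dump), "bytes;", "stable" if verify_dump(chip.exchange, dump) else "UNSTABLE")
```

Two practical checks worth keeping: an RDID answer of all 0x00 or all 0xFF means you are not talking to the chip at all (the board is powering the flash from a rail you have not supplied, CS is not asserted, or the clip is on the wrong pins), and a dump that differs between two consecutive reads means the clip or the clock, not the chip, is the problem. On a board that is still powered, hold the SoC in reset first, or it will contend with you for the bus.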
In this video we show you how we found, exploited and patched a chain of zero day vulnerabilities in a Western Digital (WD) Network Attached Storage (NAS) device. This chain allows an unauthenticated attacker to execute code as root and install a permanent backdoor on the NAS.
The vulnerabilities affect most of the WD NAS line-up running OS3 firmware and are unpatched as of 2021/02/25. The new OS5 firmware is not vulnerable. OS3 is in limbo: it is not clear whether WD still supports it, but WD's official response to a security advisory in November 2020 seems to indicate that it is out of support.
Please keep safe - do not expose your NAS to the Internet. If your device supports OS5, upgrade to that; otherwise you can use our patch to fix it, which is not persistent and must be reapplied after every reboot.
Our patch can be found at:
https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer_patch.sh
https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/weekend_destroyer_patch.sh
The UART protocol and interface are crucial for hacking IoT devices. We explain how to quickly identify a UART interface and connect to it to get a root shell, as well as a trick for re-enabling a UART connector that the manufacturer has disabled.
Learn tricks and techniques like these, with us, on our embedded device hacking training!
http://training.flashback.sh/
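Once you have found the candidate TX pin, the remaining unknown is usually the baud rate, and the quickest answer comes from a logic-analyzer capture rather than cycling through serial-terminal settings: the shortest gap between two edges is one bit period, and a stop bit that reads low tells you your guess was wrong. The script below is an added example, not the Flashback Team's code; the capture it works on is constructed in encode_8n1 (a 2 MS/s sampling rate is assumed), and the standard baud list is the usual set found on consumer devices.

```python
"""Recover the baud rate of an unknown UART and decode 8N1 frames from a
logic-analyzer capture, represented as a list of 0/1 samples at a known
sample rate fs."""

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def encode_8n1(data: bytes, baud: int, fs: int, idle: int = 100) -> list[int]:
    """Constructed test signal: what the analyzer would see on the TX pin.
    Each frame is one start bit (0), 8 data bits LSB first, one stop bit (1).
    Bit edges are placed at round(k * fs / baud), so non-integer samples-per-bit
    are handled the way a real capture would show them."""
    levels = []
    for byte in data:
        levels.append(0)
        levels.extend((byte >> k) & 1 for k in range(8))
        levels.append(1)
    spb = fs / baud                      # samples per bit, usually not an integer
    samples = [1] * idle                 # line idles high
    for k, level in enumerate(levels):
        start, end = round(k * spb), round((k + 1) * spb)
        samples.extend([level] * (end - start))
    samples.extend([1] * idle)
    return samples


def infer_baud(samples: list[int], fs: int) -> int:
    """The shortest gap between two edges is one bit period, provided the
    capture contains at least one isolated bit (true for almost any boot-log
    text). Snap the raw estimate to the nearest standard rate."""
    edges = [i for i in range(1, len(samples)) if samples[i] != samples[i - 1]]
    if len(edges) < 2:
        raise ValueError("no activity on the line: wrong pin, or the device is idle")
    bit_period = min(b - a for a, b in zip(edges, edges[1:])) / fs
    raw = 1 / bit_period
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))


def decode_8n1(samples: list[int], fs: int, baud: int) -> bytes:
    """Sample each bit at its centre. A stop bit that reads 0 is a framing
    error, which is what a wrong baud guess looks like. (An exact factor-of-two
    error can slip past this check and produce garbage instead.)"""
    spb = fs / baud
    out = bytearray()
    i = 0
    while i < len(samples):
        if samples[i] == 1:              # idle or stop bit: look for a start bit
            i += 1
            continue
        s = i                            # falling edge = start of frame
        stop_centre = round(s + spb * 9.5)
        if stop_centre >= len(samples):
            break                        # truncated last frame
        value = 0
        for k in range(8):
            value |= samples[round(s + spb * (k + 1.5))] << k
        if samples[stop_centre] != 1:
            raise ValueError(f"framing error at sample {s}: baud rate probably wrong")
        out.append(value)
        i = stop_centre + 1              # resync on the next falling edge
    return bytes(out)


if __name__ == "__main__":
    FS = 2_000_000                       # 2 MS/s capture (assumed)
    capture = encode_8n1(b"U-Boot 2013.10\r\nroot@router:~# ", 115200, FS)
    baud = infer_baud(capture, FS)
    print("guessed baud:", baud)
    print("decoded:", decode_8n1(capture, FS, baud))
```

The edge-gap trick needs a sampling rate comfortably above the baud rate (ten times is plenty) and a capture long enough to contain an isolated bit; if the board is silent, pull the reset line or power-cycle it with the analyzer already armed, since most of the interesting output is the bootloader's first few hundred milliseconds.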
In this video we will show you how we found and exploited vulnerabilities in the TP-Link Archer AC1750 to win $5,000 in Pwn2Own Tokyo 2019.
We made a total of $55,000 hacking routers in this competition!
For in-depth details, refer to our advisories:
https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md
https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/minesweeper.md
The two advisories complement each other. The first describes the process we used to pwn this router in 2019, and the second how we found in 2020 that TP-Link had improperly patched the command injection. We used that knowledge to improve the exploit so that it works on both old and newer "patched" firmware versions.
The command injection described in this video is the improved one.
The vulnerabilities exploited in this video are:
- CVE-2020-10882
- CVE-2020-10883
- CVE-2020-10884
- CVE-2020-28347
All vulnerabilities have been fixed by TP-Link in current firmware versions.