21/07/2021

Rooting an Arlo Q Plus Camera (SSH πŸ”™πŸšͺ?!)

In this short video we show you how we discovered and used a backdoor in Arlo Q Plus to gain a root access to a device.

1. We identified the UART console

2. Dumped the NAND firmware

3. Found and cracked hardcoded SSH root account

4. Discovered a special operation mode to enable SSH

The vulnerability was disclosed to the vendor via ZDI (ZDI-21-683) and tracked under CVE-2021-31505.

Advisory: https://www.zerodayinitiative.com/advisories/ZDI-21-683/

Fixed version: VMC3040S: 1.9.0.8_199_3707910 (according to Arlo, we didn't test the fix)

Pwning Cisco ISE: From Cross Site Scripting to Root Shell!

Rice for Pretzels: Attacking a Cisco VPN Gateway 9000 km Away 🌍

You Might Also Like

Related Embedded Video Item Thumbnail OffensiveCon22 - Radek Domanski and Pedro Ribeiro - Pwn2Own’ing Your Router Over the Internet
Related Embedded Video Item Thumbnail Pwning Cisco ISE: From Cross Site Scripting to Root Shell!
Related Embedded Video Item Thumbnail Rice for Pretzels: Attacking a Cisco VPN Gateway 9000 km Away 🌍
Related Embedded Video Item Thumbnail DNS Remote Code Execution: Finding the Vulnerability πŸ‘Ύ (Part 1)
Related Embedded Video Item Thumbnail Exploiting (and Patching) a Zero Day RCE Vulnerability in a Western Digital NAS