Rooting an Arlo Q Plus Camera (SSH?!)
In this short video we show how we discovered and used a backdoor in the Arlo Q Plus to gain root access to the device.
1. We identified the UART console
2. Dumped the NAND firmware
3. Found and cracked a hardcoded SSH root account
4. Discovered a special operation mode to enable SSH
The vulnerability was disclosed to the vendor via ZDI (ZDI-21-683) and tracked under CVE-2021-31505.
Advisory: https://www.zerodayinitiative.com/advisories/ZDI-21-683/
Fixed version: VMC3040S: 1.9.0.8_199_3707910 (according to Arlo; we didn't test the fix)