Video Production

  • DNS Remote Code Execution: Writing the Exploit 💣 (Part 2)
    • 11/09/2023

    Previously, we showed you how we found a vulnerability in a DNS parser exposed through a router's Wide Area Network (WAN) connection.

    Today, we will dive deep into it, and work around its limitations to build a surprisingly complex exploit. So buckle up, and join us on an epic journey to get that sweet remote root shell!

    In this video, we will continue our journey into exploiting CVE-2020-10881, which we abused in the Pwn2Own Tokyo 2019 hacking competition to win $20,000 :-)

  • DNS Remote Code Execution: Finding the Vulnerability 👾 (Part 1)
    • 16/03/2023

    In 2019 and 2020, we DOMINATED the router Wide Area Network (WAN) category in the Pwn2Own hacker competition. In this category, hackers attack network devices with previously unknown vulnerabilities, from external networks such as the Internet.

    Unfortunately, by 2021 our competitors had reverse engineered our techniques, and the game was up.

    Today, we are starting a video series where we will show you our tips, tricks and techniques to find and exploit WAN vulnerabilities in network devices. And we're starting with a beautiful DNS exploit that got us $20,000 in prizes.

    Let's get ready to PWN!

    In this video, we will tell you the story of how we found CVE-2020-10881 in the Pwn2Own Tokyo 2019 hacking competition and won $20,000 by exploiting it :-)

  • OffensiveCon22 - Radek Domanski and Pedro Ribeiro - Pwn2Own’ing Your Router Over the Internet
  • Extracting Firmware from Embedded Devices (SPI NOR Flash) ⚡
    • 09/09/2022

    One of the first things you have to do when hacking and breaking embedded device security is to obtain the firmware. If you're lucky, you can download it from the manufacturer's website or, if you have a shell, you can just copy it over to your computer.

    But what if none of these options are available?

    In this video, we will show you how you can connect directly to a NOR flash chip with the SPI protocol to dump the firmware and find your vulns, even if off the shelf tools don't work!
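    The following is an added example, not code from the video or from Flashback Team, showing the SPI NOR command framing a dumper needs: JEDEC RDID (0x9F) to identify the chip and its size, then 0x03 READ with a 24-bit address (or 0x13 READ with a 32-bit address for parts above 16 MiB) to stream the array out in chunks. The opcodes are the standard ones shared by virtually all SPI NOR vendors; the chip object, its JEDEC ID bytes and its contents are constructed so the example runs offline. On real hardware you would replace SimulatedSpiNor with a transfer function from pyftdi, spidev or a CH341 wrapper, and either unsolder the chip or hold the SoC in reset so it does not fight you for the bus.

```python
# Added example (not Flashback Team's tooling): SPI NOR read-out protocol with a
# constructed in-memory chip standing in for the real SPI transport.
from dataclasses import dataclass

# Standard SPI NOR opcodes shared by virtually every vendor.
CMD_RDID = 0x9F    # read 3-byte JEDEC ID: manufacturer, memory type, capacity
CMD_READ = 0x03    # read with 24-bit address (parts up to 16 MiB)
CMD_READ4B = 0x13  # read with 32-bit address (larger parts)


@dataclass
class JedecId:
    manufacturer: int
    memory_type: int
    capacity_code: int

    @property
    def size_bytes(self) -> int:
        # Common vendor convention: capacity byte = log2(size), e.g. 0x18 -> 16 MiB.
        # Not universal; confirm against the datasheet before trusting the dump length.
        return 1 << self.capacity_code


class SimulatedSpiNor:
    """Constructed stand-in for a flash chip; answers RDID, READ and READ4B only."""

    def __init__(self, jedec: bytes, contents: bytes):
        self.jedec = jedec
        self.mem = contents

    def transfer(self, tx: bytes, rx_len: int) -> bytes:
        """One CS-asserted transaction: clock out tx, then clock in rx_len bytes."""
        op = tx[0]
        if op == CMD_RDID:
            return self.jedec[:rx_len]
        if op == CMD_READ and len(tx) == 4:
            addr = int.from_bytes(tx[1:4], "big")
        elif op == CMD_READ4B and len(tx) == 5:
            addr = int.from_bytes(tx[1:5], "big")
        else:
            raise ValueError(f"unsupported or malformed command {tx.hex()}")
        # Real parts keep clocking data out and wrap at the end of the array.
        start = addr % len(self.mem)
        end = start + rx_len
        if end <= len(self.mem):
            return self.mem[start:end]
        return self.mem[start:] + self.mem[: end - len(self.mem)]


def read_jedec_id(spi) -> JedecId:
    """Issue RDID and refuse the all-0x00 / all-0xFF answers a non-responding chip gives."""
    resp = spi.transfer(bytes([CMD_RDID]), 3)
    if resp in (b"\x00\x00\x00", b"\xff\xff\xff"):
        # Typical in-circuit causes: wrong voltage (1.8 V part driven at 3.3 V or
        # vice versa), a clip not seated, or the SoC still driving the bus.
        raise RuntimeError("no valid JEDEC ID: chip is not answering")
    return JedecId(resp[0], resp[1], resp[2])


def dump_flash(spi, size: int, chunk: int = 4096) -> bytes:
    """Read `size` bytes from address 0 in `chunk`-sized reads, switching to
    32-bit addressing when the array is larger than 24 bits can reach."""
    four_byte = size > (1 << 24)
    opcode, addr_len = (CMD_READ4B, 4) if four_byte else (CMD_READ, 3)
    image = bytearray()
    for addr in range(0, size, chunk):
        n = min(chunk, size - addr)
        image += spi.transfer(bytes([opcode]) + addr.to_bytes(addr_len, "big"), n)
    return bytes(image)


def dump_verified(spi, size: int) -> tuple:
    """Dump twice and compare: a marginal clip or long leads produce bit errors
    that a single read will not reveal. Returns (consistent, first_image)."""
    first = dump_flash(spi, size)
    second = dump_flash(spi, size)
    return first == second, first


if __name__ == "__main__":
    # Constructed chip: made-up 64 KiB part with a Winbond-style manufacturer
    # byte (0xEF) and a counting pattern as its contents.
    chip = SimulatedSpiNor(b"\xef\x40\x10", bytes(range(256)) * 256)
    jid = read_jedec_id(chip)
    print(f"JEDEC ID {jid.manufacturer:02x} {jid.memory_type:02x} "
          f"{jid.capacity_code:02x} -> {jid.size_bytes} bytes")
    ok, image = dump_verified(chip, jid.size_bytes)
    print("consistent dump" if ok else "MISMATCH between reads", len(image), "bytes")
```

    The double read in dump_verified is the check you want before spending hours in a firmware image: if the two copies differ, fix the wiring (shorter leads, lower clock, correct voltage) rather than trusting either dump.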

  • How We Hacked a TP-Link Router and Took Home $55,000 in Pwn2Own
    • 06/01/2021

    Learn tricks and techniques like these, with us, on our embedded device hacking training!

    http://training.flashback.sh/

    In this video we will show you how we found and exploited vulnerabilities in the TP-Link Archer AC1750 to win $5,000 in Pwn2Own Tokyo 2019.

    We made a total of $55,000 hacking routers in this competition!

    For in-depth details, refer to our advisories:

    https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md

    https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/minesweeper.md

    The two advisories complement each other. The first describes the process we used to pwn this router in 2019, and the second how we found in 2020 that TP-Link had improperly patched the command injection. We used that knowledge to improve the exploit so that it works on both the old and the newer "patched" firmware versions.

    The command injection described in this video is the improved one.

    The vulnerabilities exploited in this video are:

    - CVE-2020-10882

    - CVE-2020-10883

    - CVE-2020-10884

    - CVE-2020-28347

    All vulnerabilities have been fixed by TP-Link in current firmware versions.

  • Hacker's Guide to UART Root Shells
    • 21/01/2021

    The UART Protocol and Interface is crucial for hacking IoT devices. We explain how to quickly identify a UART interface and connect to it to get a root shell, as well as a trick on how to re-enable a UART connector that has been disabled by the manufacturer.

  • Exploiting (and Patching) a Zero Day RCE Vulnerability in a Western Digital NAS
    • 21/02/2021

    In this video we show you how we found, exploited and patched a chain of zero day vulnerabilities in a Western Digital (WD) Network Attached Storage (NAS) device. This chain allows an unauthenticated attacker to execute code as root and install a permanent backdoor on the NAS.

    The vulnerabilities affect most of the WD NAS line-up running OS3 firmware and are unpatched as of 2021/02/25. The newer OS5 firmware is not vulnerable. OS3 is in limbo: it is not clear whether WD still supports it, but WD's official response to a security advisory in November 2020 suggests that it is out of support.

    Please keep safe: do not expose your NAS to the Internet. If your device supports OS5, upgrade to it; otherwise you can use our patch to fix the issue, which does not persist and must be reapplied after every reboot.

    Our patch can be found at:

    https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer_patch.sh

    https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/weekend_destroyer_patch.sh

  • Pwning Cisco ISE: From Cross Site Scripting to Root Shell!
    • 30/06/2021

    In this short video we show you how dangerous a cross site scripting (XSS) vulnerability can be.

    Back in 2018, Pedro found 3 vulnerabilities that allow an unauthenticated attacker to achieve remote code execution as root in a Cisco Identity Services Engine device.

    1- Stored cross site scripting (exploitable by an unauthenticated attacker)

    2- Unsafe Java deserialization (exploitable by an authenticated user)

    3- Privilege escalation to root due to incorrect file permissions

    We start by sending an unauthenticated HTTP request that stores the XSS payload on the device. Then we send a phishing email to the device administrator. Once the administrator clicks the link, they are sent to the device page containing our XSS payload. That payload sends a malicious request to a REST endpoint on the device that performs the Java deserialization, giving us a shell as the web server user. Finally, we abuse the incorrect file permissions to get root!

    For an in depth look on each vulnerability and how the exploit works under the hood, please check the advisory at https://github.com/pedrib/PoC/blob/master/advisories/Cisco/cisco_ise_rce.md

  • Rooting an Arlo Q Plus Camera (SSH 🔙🚪?!)
    • 21/07/2021

    In this short video we show you how we discovered and used a backdoor in the Arlo Q Plus to gain root access to the device.

    1. We identified the UART console

    2. Dumped the NAND firmware

    3. Found and cracked the hardcoded SSH root account's password

    4. Discovered a special operation mode to enable SSH

    The vulnerability was disclosed to the vendor via ZDI (ZDI-21-683) and tracked under CVE-2021-31505.

    Advisory: https://www.zerodayinitiative.com/advisories/ZDI-21-683/

    Fixed version: VMC3040S: 1.9.0.8_199_3707910 (according to Arlo, we didn't test the fix)

  • Rice for Pretzels: Attacking a Cisco VPN Gateway 9000 km Away 🌍
    • 16/12/2021

    A short teaser showing the exploit we used in Pwn2Own Austin 2021, where we hacked the Cisco RV340 router by exploiting a vulnerability over the Wide Area Network (WAN) interface.

    But not all WAN vulnerabilities are equal... and this one is exploitable over the Internet, from Thailand to Munich, over 9000 km away!

    The vulnerabilities exploited in this video (CVE-2022-20699 / ZDI-22-414 and frens) were revealed in our talk at OffensiveCon 2022, "Pwn2Own'ing Your Router Over the Internet" (https://www.offensivecon.org/speakers/2022/radek-domanski-and-pedro-ribeiro.html).

    For more details (and the exploit!) check our advisory:

    https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Austin_2021/flashback_connects/flashback_connects.md

    https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Austin2021/flashback_connects/flashback_connects.md