21/07/2021

Rooting an Arlo Q Plus Camera (SSH 🔙🚪?!)

In this short video we show how we discovered and used a backdoor in the Arlo Q Plus to gain root access to the device.

1. We identified the UART console

2. Dumped the NAND firmware

3. Found and cracked a hardcoded SSH root account

4. Discovered a special operation mode to enable SSH

The vulnerability was disclosed to the vendor via ZDI (ZDI-21-683) and is tracked as CVE-2021-31505.

Advisory: https://www.zerodayinitiative.com/advisories/ZDI-21-683/

Fixed version: VMC3040S: 1.9.0.8_199_3707910 (according to Arlo, we didn't test the fix)
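For firmware builders, a release-time check that would catch the kind of finding in step 3 (an account shipped with a usable password) can look like the following. This is an added example, not code from the video or from Arlo; it assumes the unpacked image keeps accounts in standard `passwd`/`shadow` files, which the post does not state, and the names `classify` and `audit` and all sample data are constructed for illustration.

```python
# Constructed sample data standing in for /etc/passwd and /etc/shadow from an
# unpacked firmware image (assumed layout; the hash strings are placeholders).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    f"factory:{'A' * 13}:0:0:factory:/root:/bin/sh\n"
    "admin:x:1000:1000:admin:/home/admin:/bin/sh\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/bin/false\n"
)
SAMPLE_SHADOW = (
    "root:$1$CONSTRUC$PLACEHOLDERPLACEHOLDER:18000:0:99999:7:::\n"
    "admin:!:18000:0:99999:7:::\n"
    "nobody:*:18000:0:99999:7:::\n"
)

SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$y$": "yescrypt"}
LEGACY = {"descrypt", "md5crypt", "empty"}  # cheap to brute-force, or no password

def classify(field):
    """Name the credential stored in a passwd/shadow password field."""
    if field == "":
        return "empty"        # no password required
    if field[0] in "!*":
        return "locked"       # password login disabled
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if len(field) == 13 else "unknown"

def audit(passwd_text, shadow_text):
    """List (user, uid, scheme, severity) for accounts shipped with a usable password."""
    shadow = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    findings = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) < 7 or f[6].endswith(("nologin", "false")):
            continue          # malformed line or no interactive shell
        # "x" means the hash lives in shadow; otherwise it is inline in passwd.
        # An account missing from shadow is treated as locked.
        stored = shadow.get(f[0], "!") if f[1] == "x" else f[1]
        scheme = classify(stored)
        if scheme == "locked":
            continue
        severity = "critical" if int(f[2]) == 0 and scheme in LEGACY else "high"
        findings.append((f[0], int(f[2]), scheme, severity))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Any finding for a UID 0 account in a production image should fail the build, since every device flashed with that image shares the same credential.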
