SlideShare une entreprise Scribd logo

The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset vulnerability

Télécharger en tant que PPTX, PDF
The Hacker News
The Hacker News

Hacking Wireless DSL routers via Admin Panel Password Reset vulnerability : The Hacker News

Technologie
1  sur  34
TCP/32764 backdoor Or how linksys saved Christmas!
Who? • • • • Eloi Vanderbeken @elvanderb https://github.com/elvanderb eloi . vanderbeken @ gmail . com • Interested in reverse and crypto. • Don’t like to write reports :D – Angrish is hard! • Certified Ethical Dauber |Microsoft Paint MVP
When? Christmas!!!
(1Mb/s) / (10 users * 68dB) =
IDEA !
But… few years ago… /me now WAG 200G /me then Very long and complex
For the record… NOTHING NOTHING NOTHING wheat FAAAAR away, the DSLAM REALLY NOTHING cow Mothership corn NOTHING NOTHING NOTHING (or a cow) sugar beet NOTHING A little bit of nothing
Challenge: • No access to the http[s] administration tool. • No admin password anyway… • NEED DA INTERNET!
Nmap • Few interesting ports: – ReAIM (http://reaim.sourceforge.net/) • Possibly vuln… – Unkown service listening on TCP/32764 • Responds ScMMxFFxFFxFFxFFx00x00x00x00 to any requests.
GO-GO-GADGET GOOGLE Mister Guessing 2010!
Let’s get the firmware! http://support.linksys.com/en-us/support/gateways/WAG200G/download -> FU linksys! http://community.linksys.com/t5/Cable-and-DSL/WAG200G-FR-firmwareupgrade/m-p/233170 -> Thks users! http://download.modem-help.co.uk/mfcsL/LinkSys/WAG200G/Firmware/v1/ -> Thks modem-help & google!
WHER IZ U Ʀᴓ ФŦ-Ƒ$?!
WHER IZ U Ʀᴓ ФŦ-Ƒ$?! Cont’d ftp://ftp.linksys.com/opensourcecode is now down 
Chainsaw time! • Get LZMA SDK 4.65 • Modify squashfs-tools’ Makefile: • Use your chainsaw on source code:
Found you!
Where’s Waldo^wthe service? FU, maybe it’s in little endian… FU!!! Let’s get dirty! Just use grep and IDA to find the good one 
First steps • No symbols, MIPS: – We’ll have to reverse  – I love reversing and MIPS is easy so it’s OK :D • Very simple binary protocol: – Header (0xC bytes) followed by a payload • Header structure:
Easy protocol, isn’t it? Heap based buffer overflow
Messages…
Let’s bruteforce them!
WTF?!
WTFFFFFFUUUUU?! • NO MOAR INTERNETZ?! • When we restart the script : Configuration is reset?!?!!!
Quick messages’ reverse… 1. Dump configuration (nvram) 2. Get configuration var – possible stack based buffer overflow (if variable is controlled by the user) 3. Set configuration var – stack based buffer overflow, output buffer (size ≈ 0x10000) is on the stack. 4. Commit nvram – set nvram (/dev/mtdblock/3) from /tmp/nvram ; check CRC 5. Set bridge mode ON (not sure, I didn’t have the time to test it) – – – – – – – – – nvram_set(“wan_mode”, bridgedonly) nvram_set(“wan_encap”, 0) nvram_set(“wan_vpi”, 8) nvram_set(“wan_vci”, 81) system(“/usr/bin/killall br2684ctl”) system(“/usr/bin/killall udhcpd”) system(“/usr/bin/killall -9 atm_monitor”) system(“/usr/sbin/rc wan stop >/dev/null 2>&1”) system(“/usr/sbin/atm_monitor&”) 6. Show measured internet speed (download/upload)
Quick messages’ reverse… cont’d 7. cmd (yep, it’s a shell…) – special commands : • • – exit, bye, quit -> quit... (alive = 0) cd : change directory other commands : • buffer overflow on cmd output (same buffer again)… 8. write file – – – file name in payload root dir = /tmp directory traversal might be possible (not tested but it’s an open(sprintf(“/tmp/%s”, payload))… ) 9. return version 10. return modem router ip – nvram_get(“lan_ipaddr”) 11. restore default settings – – nvram_set(“restore_default”, 1) nvram_commit) 12. read /dev/mtdblock/0 [-4:-2] – dunno what it is, I didn’t have the time to test it 13. dump nvram on disk (/tmp/nvram) and commit
So if you need an access to the admin panel….
Thank you Linksys!!! You saved my Christmas 
Some more lolz… • I only had 1 day to test my codes/assumptions so the following slides are just some random thoughts/observations… • It wasn’t tested but it’s probably interesting 
In setup.cgi 
A little bit further in setup.cgi… get_rand_key ??? Generate the key used to encrypt Routercfg.cfg (if I’m right) libtea.so
Again in setup.cgi Not sure but I think we control this 
mini_httpd Hardcoded 1024bit RSA private key  May I show Doge… again?
To be continued… Backdoor is only confirmed on WAG200G, if you know/find other concerned hardware, let me know 

Recommandé

Block the System - building blocks in Gutenberg
Block the System - building blocks in GutenbergBlock the System - building blocks in Gutenberg
Block the System - building blocks in GutenbergLuc Princen
 
Vagrant - Version control your dev environment
Vagrant - Version control your dev environmentVagrant - Version control your dev environment
Vagrant - Version control your dev environmentbocribbz
 
Backing up thousands of containers
Backing up thousands of containersBacking up thousands of containers
Backing up thousands of containersMarian Marinov
 
Node.js Cloud deployment
Node.js Cloud deploymentNode.js Cloud deployment
Node.js Cloud deploymentNicholas McClay
 
nginx + uwsgi emperor + bottle
nginx + uwsgi emperor + bottlenginx + uwsgi emperor + bottle
nginx + uwsgi emperor + bottleJordi Soucheiron
 
Node and SocketIO
Node and SocketIONode and SocketIO
Node and SocketIOKentucky JavaScript Users Group
 
Simple webapps with nginx, uwsgi emperor and bottle
Simple webapps with nginx, uwsgi emperor and bottleSimple webapps with nginx, uwsgi emperor and bottle
Simple webapps with nginx, uwsgi emperor and bottleJordi Soucheiron
 
Performance and stability testing \w Gatling
Performance and stability testing \w GatlingPerformance and stability testing \w Gatling
Performance and stability testing \w GatlingDmitry Vrublevsky
 

Recommandé

Block the System - building blocks in Gutenberg
Block the System - building blocks in GutenbergBlock the System - building blocks in Gutenberg
Block the System - building blocks in GutenbergLuc Princen
 
Vagrant - Version control your dev environment
Vagrant - Version control your dev environmentVagrant - Version control your dev environment
Vagrant - Version control your dev environmentbocribbz
 
Backing up thousands of containers
Backing up thousands of containersBacking up thousands of containers
Backing up thousands of containersMarian Marinov
 
Node.js Cloud deployment
Node.js Cloud deploymentNode.js Cloud deployment
Node.js Cloud deploymentNicholas McClay
 
nginx + uwsgi emperor + bottle
nginx + uwsgi emperor + bottlenginx + uwsgi emperor + bottle
nginx + uwsgi emperor + bottleJordi Soucheiron
 
Node and SocketIO
Node and SocketIONode and SocketIO
Node and SocketIOKentucky JavaScript Users Group
 
Simple webapps with nginx, uwsgi emperor and bottle
Simple webapps with nginx, uwsgi emperor and bottleSimple webapps with nginx, uwsgi emperor and bottle
Simple webapps with nginx, uwsgi emperor and bottleJordi Soucheiron
 
Performance and stability testing \w Gatling
Performance and stability testing \w GatlingPerformance and stability testing \w Gatling
Performance and stability testing \w GatlingDmitry Vrublevsky
 
マイナーツールを使ってみる
マイナーツールを使ってみるマイナーツールを使ってみる
マイナーツールを使ってみるN Masahiro
 
CRaSH the shell for the Java Virtual Machine
CRaSH the shell for the Java Virtual MachineCRaSH the shell for the Java Virtual Machine
CRaSH the shell for the Java Virtual MachineGR8Conf
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
Quick & Easy Dev Environments with Vagrant
Quick & Easy Dev Environments with VagrantQuick & Easy Dev Environments with Vagrant
Quick & Easy Dev Environments with VagrantJoe Ferguson
 
SaltConf 2014: Safety with powertools
SaltConf 2014: Safety with powertoolsSaltConf 2014: Safety with powertools
SaltConf 2014: Safety with powertoolsThomas Jackson
 
Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?Christian Joudrey
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPressMark Jaquith
 
Custom Non-RDS Multi-AZ Mysql Replication
Custom Non-RDS Multi-AZ Mysql ReplicationCustom Non-RDS Multi-AZ Mysql Replication
Custom Non-RDS Multi-AZ Mysql ReplicationMichael H. Oshita
 
NodeJS Concurrency
NodeJS ConcurrencyNodeJS Concurrency
NodeJS Concurrencypgriess
 
Os Whitaker
Os WhitakerOs Whitaker
Os Whitakeroscon2007
 
Node.js concurrency
Node.js concurrencyNode.js concurrency
Node.js concurrencyGiacomo Fornari
 
JavaScript Event Loop
JavaScript Event LoopJavaScript Event Loop
JavaScript Event LoopThomas Hunter II
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsjacekbecela
 
Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)
Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)
Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)Ontico
 
JavaScript Engines and Event Loop
JavaScript Engines and Event Loop JavaScript Engines and Event Loop
JavaScript Engines and Event Loop Tapan B.K.
 
Challenges when building high profile editorial sites
Challenges when building high profile editorial sitesChallenges when building high profile editorial sites
Challenges when building high profile editorial sitesYann Malet
 
Vagrant for real
Vagrant for realVagrant for real
Vagrant for realMichele Orselli
 
Vagrant
VagrantVagrant
VagrantEvans Ye
 
OS-autoinst: Testing with Perl and openCV
OS-autoinst: Testing with Perl and openCVOS-autoinst: Testing with Perl and openCV
OS-autoinst: Testing with Perl and openCVAlex-P. Natsios
 
Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...
Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...
Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...Tũi Wichets
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networksSahil Rai
 
Ex-NSA Contractor Stole at Least 500 Million Pages of Records and Secrets
Ex-NSA Contractor Stole at Least 500 Million Pages of Records and SecretsEx-NSA Contractor Stole at Least 500 Million Pages of Records and Secrets
Ex-NSA Contractor Stole at Least 500 Million Pages of Records and SecretsThe Hacker News
 

Contenu connexe

Tendances

マイナーツールを使ってみる
マイナーツールを使ってみるマイナーツールを使ってみる
マイナーツールを使ってみるN Masahiro
 
CRaSH the shell for the Java Virtual Machine
CRaSH the shell for the Java Virtual MachineCRaSH the shell for the Java Virtual Machine
CRaSH the shell for the Java Virtual MachineGR8Conf
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
Quick & Easy Dev Environments with Vagrant
Quick & Easy Dev Environments with VagrantQuick & Easy Dev Environments with Vagrant
Quick & Easy Dev Environments with VagrantJoe Ferguson
 
SaltConf 2014: Safety with powertools
SaltConf 2014: Safety with powertoolsSaltConf 2014: Safety with powertools
SaltConf 2014: Safety with powertoolsThomas Jackson
 
Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?Christian Joudrey
 
Custom Non-RDS Multi-AZ Mysql Replication
Custom Non-RDS Multi-AZ Mysql ReplicationCustom Non-RDS Multi-AZ Mysql Replication
Custom Non-RDS Multi-AZ Mysql ReplicationMichael H. Oshita
 
NodeJS Concurrency
NodeJS ConcurrencyNodeJS Concurrency
NodeJS Concurrencypgriess
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.jsjacekbecela
 
Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)
Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)
Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)Ontico
 
JavaScript Engines and Event Loop
JavaScript Engines and Event Loop JavaScript Engines and Event Loop
JavaScript Engines and Event Loop Tapan B.K.
 
Challenges when building high profile editorial sites
Challenges when building high profile editorial sitesChallenges when building high profile editorial sites
Challenges when building high profile editorial sitesYann Malet
 
OS-autoinst: Testing with Perl and openCV
OS-autoinst: Testing with Perl and openCVOS-autoinst: Testing with Perl and openCV
OS-autoinst: Testing with Perl and openCVAlex-P. Natsios
 

Tendances (19)

マイナーツールを使ってみる
マイナーツールを使ってみるマイナーツールを使ってみる
マイナーツールを使ってみる
 
CRaSH the shell for the Java Virtual Machine
CRaSH the shell for the Java Virtual MachineCRaSH the shell for the Java Virtual Machine
CRaSH the shell for the Java Virtual Machine
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in style
 
Quick & Easy Dev Environments with Vagrant
Quick & Easy Dev Environments with VagrantQuick & Easy Dev Environments with Vagrant
Quick & Easy Dev Environments with Vagrant
 
SaltConf 2014: Safety with powertools
SaltConf 2014: Safety with powertoolsSaltConf 2014: Safety with powertools
SaltConf 2014: Safety with powertools
 
Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?Introduction to Node.js: What, why and how?
Introduction to Node.js: What, why and how?
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPress
 
Custom Non-RDS Multi-AZ Mysql Replication
Custom Non-RDS Multi-AZ Mysql ReplicationCustom Non-RDS Multi-AZ Mysql Replication
Custom Non-RDS Multi-AZ Mysql Replication
 
NodeJS Concurrency
NodeJS ConcurrencyNodeJS Concurrency
NodeJS Concurrency
 
Os Whitaker
Os WhitakerOs Whitaker
Os Whitaker
 
Node.js concurrency
Node.js concurrencyNode.js concurrency
Node.js concurrency
 
JavaScript Event Loop
JavaScript Event LoopJavaScript Event Loop
JavaScript Event Loop
 
Introduction to node.js
Introduction to node.jsIntroduction to node.js
Introduction to node.js
 
Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)
Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)
Как построить видеоплатформу на 200 Гбитс / Ольховченков Вячеслав (Integros)
 
JavaScript Engines and Event Loop
JavaScript Engines and Event Loop JavaScript Engines and Event Loop
JavaScript Engines and Event Loop
 
Challenges when building high profile editorial sites
Challenges when building high profile editorial sitesChallenges when building high profile editorial sites
Challenges when building high profile editorial sites
 
Vagrant for real
Vagrant for realVagrant for real
Vagrant for real
 
Vagrant
VagrantVagrant
Vagrant
 
OS-autoinst: Testing with Perl and openCV
OS-autoinst: Testing with Perl and openCVOS-autoinst: Testing with Perl and openCV
OS-autoinst: Testing with Perl and openCV
 

En vedette

Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...
Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...
Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...Tũi Wichets
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networksSahil Rai
 
Ex-NSA Contractor Stole at Least 500 Million Pages of Records and Secrets
Ex-NSA Contractor Stole at Least 500 Million Pages of Records and SecretsEx-NSA Contractor Stole at Least 500 Million Pages of Records and Secrets
Ex-NSA Contractor Stole at Least 500 Million Pages of Records and SecretsThe Hacker News
 
Corrupt Federal Agent charged in Silk Road theft accused of stealing another ...
Corrupt Federal Agent charged in Silk Road theft accused of stealing another ...Corrupt Federal Agent charged in Silk Road theft accused of stealing another ...
Corrupt Federal Agent charged in Silk Road theft accused of stealing another ...The Hacker News
 
FBI vs Silk Road: Criminal Complaint against Feds
FBI vs Silk Road: Criminal Complaint against FedsFBI vs Silk Road: Criminal Complaint against Feds
FBI vs Silk Road: Criminal Complaint against FedsThe Hacker News
 
โครงงาน Airlink เพื่อการศึกษา
โครงงาน Airlink เพื่อการศึกษาโครงงาน Airlink เพื่อการศึกษา
โครงงาน Airlink เพื่อการศึกษาพัน พัน
 
Malware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingMalware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingAleksandr Yampolskiy
 
How to crack a router for username and password
How to crack a router for username and passwordHow to crack a router for username and password
How to crack a router for username and passwordComp-Info Tech
 
Introduction To Code Igniter
Introduction To Code IgniterIntroduction To Code Igniter
Introduction To Code IgniterAmzad Hossain
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingThe Hacker News
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 
Candy crush cheat codes: 10 Cheat Codes of candy crush saga
Candy crush cheat codes: 10 Cheat Codes of candy crush sagaCandy crush cheat codes: 10 Cheat Codes of candy crush saga
Candy crush cheat codes: 10 Cheat Codes of candy crush sagaMeddy Lee
 
Python et son intégration avec Odoo
Python et son intégration avec OdooPython et son intégration avec Odoo
Python et son intégration avec OdooHassan WAHSISS
 
Configuring D-link DSL-2730U Wireless N ADSL2+Router to connect BSNL broaddband
Configuring D-link DSL-2730U Wireless N ADSL2+Router to connect BSNL broaddbandConfiguring D-link DSL-2730U Wireless N ADSL2+Router to connect BSNL broaddband
Configuring D-link DSL-2730U Wireless N ADSL2+Router to connect BSNL broaddbandJithin Parakka
 

En vedette (15)

Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...
Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...
Solution Wireless Link 10 – 20 KM Speed 200 Mbps MikroTik RB SXT 5nDr2 Lite 5...
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networks
 
Ex-NSA Contractor Stole at Least 500 Million Pages of Records and Secrets
Ex-NSA Contractor Stole at Least 500 Million Pages of Records and SecretsEx-NSA Contractor Stole at Least 500 Million Pages of Records and Secrets
Ex-NSA Contractor Stole at Least 500 Million Pages of Records and Secrets
 
Corrupt Federal Agent charged in Silk Road theft accused of stealing another ...
Corrupt Federal Agent charged in Silk Road theft accused of stealing another ...Corrupt Federal Agent charged in Silk Road theft accused of stealing another ...
Corrupt Federal Agent charged in Silk Road theft accused of stealing another ...
 
Tor honions
Tor honionsTor honions
Tor honions
 
FBI vs Silk Road: Criminal Complaint against Feds
FBI vs Silk Road: Criminal Complaint against FedsFBI vs Silk Road: Criminal Complaint against Feds
FBI vs Silk Road: Criminal Complaint against Feds
 
โครงงาน Airlink เพื่อการศึกษา
โครงงาน Airlink เพื่อการศึกษาโครงงาน Airlink เพื่อการศึกษา
โครงงาน Airlink เพื่อการศึกษา
 
Malware Goes to the Movies - Briefing
Malware Goes to the Movies - BriefingMalware Goes to the Movies - Briefing
Malware Goes to the Movies - Briefing
 
How to crack a router for username and password
How to crack a router for username and passwordHow to crack a router for username and password
How to crack a router for username and password
 
Introduction To Code Igniter
Introduction To Code IgniterIntroduction To Code Igniter
Introduction To Code Igniter
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration Testing
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
Candy crush cheat codes: 10 Cheat Codes of candy crush saga
Candy crush cheat codes: 10 Cheat Codes of candy crush sagaCandy crush cheat codes: 10 Cheat Codes of candy crush saga
Candy crush cheat codes: 10 Cheat Codes of candy crush saga
 
Python et son intégration avec Odoo
Python et son intégration avec OdooPython et son intégration avec Odoo
Python et son intégration avec Odoo
 
Configuring D-link DSL-2730U Wireless N ADSL2+Router to connect BSNL broaddband
Configuring D-link DSL-2730U Wireless N ADSL2+Router to connect BSNL broaddbandConfiguring D-link DSL-2730U Wireless N ADSL2+Router to connect BSNL broaddband
Configuring D-link DSL-2730U Wireless N ADSL2+Router to connect BSNL broaddband
 

Similaire à The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset vulnerability

JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...srisatish ambati
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Funarbitrarycode
 
Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Brendan Gregg
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014Brendan Gregg
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
QCon 2015 Broken Performance Tools
QCon 2015 Broken Performance ToolsQCon 2015 Broken Performance Tools
QCon 2015 Broken Performance ToolsBrendan Gregg
 
A Post-Apocalyptic sun.misc.Unsafe World by Christoph engelbert
A Post-Apocalyptic sun.misc.Unsafe World by Christoph engelbertA Post-Apocalyptic sun.misc.Unsafe World by Christoph engelbert
A Post-Apocalyptic sun.misc.Unsafe World by Christoph engelbertJ On The Beach
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 
Why internal pen tests are still fun
Why internal pen tests are still funWhy internal pen tests are still fun
Why internal pen tests are still funpyschedelicsupernova
 
Broken Performance Tools
Broken Performance ToolsBroken Performance Tools
Broken Performance ToolsC4Media
 
Scylla Summit 2018: Make Scylla Fast Again! Find out how using Tools, Talent,...
Scylla Summit 2018: Make Scylla Fast Again! Find out how using Tools, Talent,...Scylla Summit 2018: Make Scylla Fast Again! Find out how using Tools, Talent,...
Scylla Summit 2018: Make Scylla Fast Again! Find out how using Tools, Talent,...ScyllaDB
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNoSuchCon
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Digital Bond
 
Puppet Camp NYC 2014: Build a Modern Infrastructure in 45 min!
Puppet Camp NYC 2014: Build a Modern Infrastructure in 45 min!Puppet Camp NYC 2014: Build a Modern Infrastructure in 45 min!
Puppet Camp NYC 2014: Build a Modern Infrastructure in 45 min!Puppet
 
My Opera meets Varnish, Dec 2009
My Opera meets Varnish, Dec 2009My Opera meets Varnish, Dec 2009
My Opera meets Varnish, Dec 2009Cosimo Streppone
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiTakuya ASADA
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
 

Similaire à The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset vulnerability (20)

JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
 
Adventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable FunAdventures in Femtoland: 350 Yuan for Invaluable Fun
Adventures in Femtoland: 350 Yuan for Invaluable Fun
 
Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016Broken Linux Performance Tools 2016
Broken Linux Performance Tools 2016
 
Linux Performance Tools 2014
Linux Performance Tools 2014Linux Performance Tools 2014
Linux Performance Tools 2014
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
QCon 2015 Broken Performance Tools
QCon 2015 Broken Performance ToolsQCon 2015 Broken Performance Tools
QCon 2015 Broken Performance Tools
 
A Post-Apocalyptic sun.misc.Unsafe World by Christoph engelbert
A Post-Apocalyptic sun.misc.Unsafe World by Christoph engelbertA Post-Apocalyptic sun.misc.Unsafe World by Christoph engelbert
A Post-Apocalyptic sun.misc.Unsafe World by Christoph engelbert
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance Tools
 
Why internal pen tests are still fun
Why internal pen tests are still funWhy internal pen tests are still fun
Why internal pen tests are still fun
 
Broken Performance Tools
Broken Performance ToolsBroken Performance Tools
Broken Performance Tools
 
Scylla Summit 2018: Make Scylla Fast Again! Find out how using Tools, Talent,...
Scylla Summit 2018: Make Scylla Fast Again! Find out how using Tools, Talent,...Scylla Summit 2018: Make Scylla Fast Again! Find out how using Tools, Talent,...
Scylla Summit 2018: Make Scylla Fast Again! Find out how using Tools, Talent,...
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
Puppet Camp NYC 2014: Build a Modern Infrastructure in 45 min!
Puppet Camp NYC 2014: Build a Modern Infrastructure in 45 min!Puppet Camp NYC 2014: Build a Modern Infrastructure in 45 min!
Puppet Camp NYC 2014: Build a Modern Infrastructure in 45 min!
 
My Opera meets Varnish, Dec 2009
My Opera meets Varnish, Dec 2009My Opera meets Varnish, Dec 2009
My Opera meets Varnish, Dec 2009
 
SMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgiSMP implementation for OpenBSD/sgi
SMP implementation for OpenBSD/sgi
 
Kvm optimizations
Kvm optimizationsKvm optimizations
Kvm optimizations
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 

Plus de The Hacker News

Patent Troll - Big Websites Sued For Using HTTPS Encryption
Patent Troll - Big Websites Sued For Using HTTPS EncryptionPatent Troll - Big Websites Sued For Using HTTPS Encryption
Patent Troll - Big Websites Sued For Using HTTPS EncryptionThe Hacker News
 
Geo-Inference Attacks via the Browser Cache
Geo-Inference Attacks via the Browser CacheGeo-Inference Attacks via the Browser Cache
Geo-Inference Attacks via the Browser CacheThe Hacker News
 
FCC Net Neutrality Rules (Complete 400 Pages)
FCC Net Neutrality Rules (Complete 400 Pages)FCC Net Neutrality Rules (Complete 400 Pages)
FCC Net Neutrality Rules (Complete 400 Pages)The Hacker News
 
Google's Effort to Fight Content Piracy
Google's Effort to Fight Content PiracyGoogle's Effort to Fight Content Piracy
Google's Effort to Fight Content PiracyThe Hacker News
 
This Warrant Authorized FBI to Track and Infect Computers with Malware
This Warrant Authorized FBI to Track and Infect Computers with MalwareThis Warrant Authorized FBI to Track and Infect Computers with Malware
This Warrant Authorized FBI to Track and Infect Computers with MalwareThe Hacker News
 
National Security Authorities Transparency Report 2013
National Security Authorities Transparency Report 2013National Security Authorities Transparency Report 2013
National Security Authorities Transparency Report 2013The Hacker News
 
Blackshades Indictment by FBI
Blackshades Indictment by FBIBlackshades Indictment by FBI
Blackshades Indictment by FBIThe Hacker News
 
Blackshades, yucel indictment s1 13 cr 834 redacted
Blackshades, yucel indictment s1 13 cr 834 redactedBlackshades, yucel indictment s1 13 cr 834 redacted
Blackshades, yucel indictment s1 13 cr 834 redactedThe Hacker News
 
Multiple Vulnerabilities in Mozilla Firefox for Android
Multiple Vulnerabilities in Mozilla Firefox for AndroidMultiple Vulnerabilities in Mozilla Firefox for Android
Multiple Vulnerabilities in Mozilla Firefox for AndroidThe Hacker News
 

Plus de The Hacker News (10)

Facebook lawsuit
Facebook lawsuitFacebook lawsuit
Facebook lawsuit
 
Patent Troll - Big Websites Sued For Using HTTPS Encryption
Patent Troll - Big Websites Sued For Using HTTPS EncryptionPatent Troll - Big Websites Sued For Using HTTPS Encryption
Patent Troll - Big Websites Sued For Using HTTPS Encryption
 
Geo-Inference Attacks via the Browser Cache
Geo-Inference Attacks via the Browser CacheGeo-Inference Attacks via the Browser Cache
Geo-Inference Attacks via the Browser Cache
 
FCC Net Neutrality Rules (Complete 400 Pages)
FCC Net Neutrality Rules (Complete 400 Pages)FCC Net Neutrality Rules (Complete 400 Pages)
FCC Net Neutrality Rules (Complete 400 Pages)
 
Google's Effort to Fight Content Piracy
Google's Effort to Fight Content PiracyGoogle's Effort to Fight Content Piracy
Google's Effort to Fight Content Piracy
 
This Warrant Authorized FBI to Track and Infect Computers with Malware
This Warrant Authorized FBI to Track and Infect Computers with MalwareThis Warrant Authorized FBI to Track and Infect Computers with Malware
This Warrant Authorized FBI to Track and Infect Computers with Malware
 
National Security Authorities Transparency Report 2013
National Security Authorities Transparency Report 2013National Security Authorities Transparency Report 2013
National Security Authorities Transparency Report 2013
 
Blackshades Indictment by FBI
Blackshades Indictment by FBIBlackshades Indictment by FBI
Blackshades Indictment by FBI
 
Blackshades, yucel indictment s1 13 cr 834 redacted
Blackshades, yucel indictment s1 13 cr 834 redactedBlackshades, yucel indictment s1 13 cr 834 redacted
Blackshades, yucel indictment s1 13 cr 834 redacted
 
Multiple Vulnerabilities in Mozilla Firefox for Android
Multiple Vulnerabilities in Mozilla Firefox for AndroidMultiple Vulnerabilities in Mozilla Firefox for Android
Multiple Vulnerabilities in Mozilla Firefox for Android
 

Dernier

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset vulnerability

  • 1. TCP/32764 backdoor Or how linksys saved Christmas!
  • 2. Who? • • • • Eloi Vanderbeken @elvanderb https://github.com/elvanderb eloi . vanderbeken @ gmail . com • Interested in reverse and crypto. • Don’t like to write reports :D – Angrish is hard! • Certified Ethical Dauber |Microsoft Paint MVP
  • 4. (1Mb/s) / (10 users * 68dB) =
  • 6. But… few years ago… /me now WAG 200G /me then Very long and complex
  • 7. For the record… NOTHING NOTHING NOTHING wheat FAAAAR away, the DSLAM REALLY NOTHING cow Mothership corn NOTHING NOTHING NOTHING (or a cow) sugar beet NOTHING A little bit of nothing
  • 8. Challenge: • No access to the http[s] administration tool. • No admin password anyway… • NEED DA INTERNET!
  • 9. Nmap • Few interesting ports: – ReAIM (http://reaim.sourceforge.net/) • Possibly vuln… – Unkown service listening on TCP/32764 • Responds ScMMxFFxFFxFFxFFx00x00x00x00 to any requests.
  • 11. Let’s get the firmware! http://support.linksys.com/en-us/support/gateways/WAG200G/download -> FU linksys! http://community.linksys.com/t5/Cable-and-DSL/WAG200G-FR-firmwareupgrade/m-p/233170 -> Thks users! http://download.modem-help.co.uk/mfcsL/LinkSys/WAG200G/Firmware/v1/ -> Thks modem-help & google!
  • 12. WHER IZ U Ʀᴓ ФŦ-Ƒ$?!
  • 13. WHER IZ U Ʀᴓ ФŦ-Ƒ$?! Cont’d ftp://ftp.linksys.com/opensourcecode is now down 
  • 14. Chainsaw time! • Get LZMA SDK 4.65 • Modify squashfs-tools’ Makefile: • Use your chainsaw on source code:
  • 16. Where’s Waldo^wthe service? FU, maybe it’s in little endian… FU!!! Let’s get dirty! Just use grep and IDA to find the good one 
  • 17. First steps • No symbols, MIPS: – We’ll have to reverse  – I love reversing and MIPS is easy so it’s OK :D • Very simple binary protocol: – Header (0xC bytes) followed by a payload • Header structure:
  • 18. Easy protocol, isn’t it? Heap based buffer overflow
  • 21. WTF?!
  • 22. WTFFFFFFUUUUU?! • NO MOAR INTERNETZ?! • When we restart the script : Configuration is reset?!?!!!
  • 23.
  • 24. Quick messages’ reverse… 1. Dump configuration (nvram) 2. Get configuration var – possible stack based buffer overflow (if variable is controlled by the user) 3. Set configuration var – stack based buffer overflow, output buffer (size ≈ 0x10000) is on the stack. 4. Commit nvram – set nvram (/dev/mtdblock/3) from /tmp/nvram ; check CRC 5. Set bridge mode ON (not sure, I didn’t have the time to test it) – – – – – – – – – nvram_set(“wan_mode”, bridgedonly) nvram_set(“wan_encap”, 0) nvram_set(“wan_vpi”, 8) nvram_set(“wan_vci”, 81) system(“/usr/bin/killall br2684ctl”) system(“/usr/bin/killall udhcpd”) system(“/usr/bin/killall -9 atm_monitor”) system(“/usr/sbin/rc wan stop >/dev/null 2>&1”) system(“/usr/sbin/atm_monitor&”) 6. Show measured internet speed (download/upload)
  • 25. Quick messages’ reverse… cont’d 7. cmd (yep, it’s a shell…) – special commands : • • – exit, bye, quit -> quit... (alive = 0) cd : change directory other commands : • buffer overflow on cmd output (same buffer again)… 8. write file – – – file name in payload root dir = /tmp directory traversal might be possible (not tested but it’s an open(sprintf(“/tmp/%s”, payload))… ) 9. return version 10. return modem router ip – nvram_get(“lan_ipaddr”) 11. restore default settings – – nvram_set(“restore_default”, 1) nvram_commit) 12. read /dev/mtdblock/0 [-4:-2] – dunno what it is, I didn’t have the time to test it 13. dump nvram on disk (/tmp/nvram) and commit
  • 26. So if you need an access to the admin panel….
  • 27. Thank you Linksys!!! You saved my Christmas 
  • 28. Some more lolz… • I only had 1 day to test my codes/assumptions so the following slides are just some random thoughts/observations… • It wasn’t tested but it’s probably interesting 
  • 30. A little bit further in setup.cgi… get_rand_key ??? Generate the key used to encrypt Routercfg.cfg (if I’m right) libtea.so
  • 31.
  • 32. Again in setup.cgi Not sure but I think we control this 
  • 33. mini_httpd Hardcoded 1024bit RSA private key  May I show Doge… again?
  • 34. To be continued… Backdoor is only confirmed on WAG200G, if you know/find other concerned hardware, let me know 