Pwn2Own is a competition focused on finding vulnerabilities in high-value targets. In this edition of Pwn2Own for IoT devices, they chose the Netgear RAX30 router. Pwn2Own has several tough constraints:
- Bugs must be in the most recent version of the firmware. Although this seems obvious, it means a patch released the day before the event may change the exploit pattern.
- You can only enter once per device, and duplicates don't get payouts. This means an awesome bug may already have been found by somebody else.
While looking at the binaries, puhttpsniff caught their eye. Running strings on it shows some HTTP parsing, which is always interesting. The binary inserts NFLOG iptables rules to run callbacks.
While reviewing the binary, there is a super trivial command injection vulnerability where the iptables rule is built from the User-Agent header. The exploit payload is curl --user-agent "a\";/sbin/reboot;\"" http://192.168.1.1. This was on the LAN side.
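To make the injection above concrete from the defender's side, here is an added example (not code from the write-up or from the RAX30 firmware) that places the vulnerable pattern, a header pasted into a shell command line, next to the hardened pattern, an argv list handed to the kernel with no shell in between. The rule shape (iptables -m string ... -j NFLOG) and the helper names are assumptions; the page only says that puhttpsniff builds an NFLOG rule from the User-Agent header. The payload string is the one quoted in the write-up.

```python
import shlex
import subprocess

# ASSUMED rule shape: the write-up does not show the real rule puhttpsniff builds,
# only that an NFLOG iptables rule is constructed from the User-Agent header.
RULE_TEMPLATE = 'iptables -I FORWARD -m string --string "{ua}" --algo bm -j NFLOG'

# Injection string quoted in the write-up (curl --user-agent ...).
PAYLOAD = 'a";/sbin/reboot;"'


def build_rule_shell(user_agent: str) -> str:
    """Vulnerable pattern: the header is interpolated into a shell command line.
    A double quote inside the header closes the argument and ';' starts a new command."""
    return RULE_TEMPLATE.format(ua=user_agent)


def shell_commands(cmdline: str) -> list[list[str]]:
    """Tokenise like a POSIX shell and split on ';' so we can see how many
    commands the shell would actually run for a given command line."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return commands


def build_rule_argv(user_agent: str) -> list[str]:
    """Hardened pattern: the header is one argv element and no shell is involved,
    so quotes and semicolons are just bytes inside that element. The length and
    printable-ASCII checks are defensive limits, not what makes this safe."""
    if not user_agent or len(user_agent) > 256:
        raise ValueError("user-agent length out of range")
    if any(not 0x20 <= ord(c) <= 0x7E for c in user_agent):
        raise ValueError("user-agent contains non-printable bytes")
    return ["iptables", "-I", "FORWARD", "-m", "string",
            "--string", user_agent, "--algo", "bm", "-j", "NFLOG"]


def insert_rule(user_agent: str, runner=None) -> int:
    """Install the rule via the argv form. `runner` is injectable so the logic
    can be exercised without root or iptables; the default execs with shell=False."""
    if runner is None:
        def runner(argv):
            return subprocess.run(argv, check=False).returncode
    return runner(build_rule_argv(user_agent))


if __name__ == "__main__":
    print("shell form runs", len(shell_commands(build_rule_shell(PAYLOAD))), "commands")
    print("argv form keeps the header as one argument:",
          build_rule_argv(PAYLOAD)[6] == PAYLOAD)
```

The shell_commands() helper shows the damage directly: with the benign header the string is one iptables invocation, with the payload it is three, the middle one being /sbin/reboot. The argv form never reaches a shell, so the same bytes stay inside a single --string argument; character filtering on its own is a weaker fix than removing the shell.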
With access to the device via the previous bug, they started hunting for more. By listing socket information, they learned that SSH and telnet are open on IPv4 and IPv6 on the LAN. When running nmap against the device from the WAN on IPv4 (the default), nothing comes up though.
However, from what we learned earlier, the device is listening on IPv6 as well. This is because the iptables rules for IPv6 are only applied to the LAN interface, and to the WAN interface only once a public IPv6 address has been assigned. If a link-local address is used on the WAN interface (same network segment), all of the services are accessible. Pretty neat bug!
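The filtering gap is easier to reason about as a small policy model. The following is an added example, not code from the write-up or the router's firmware: it models the behaviour the text describes (WAN IPv6 filtering installed only once a public address exists) beside a corrected policy that filters the WAN interface unconditionally while still allowing the ICMPv6 that IPv6 needs on a link. Interface names (br0 for LAN, eth0 for WAN), the ACCEPT default policy and the rule rendering are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ASSUMED interface names; the write-up does not name them.
LAN_IF, WAN_IF = "br0", "eth0"
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class Rule:
    iface: str                 # input interface the rule matches
    proto: Optional[str]       # "tcp", "icmpv6" or None for any protocol
    dport: Optional[int]       # destination port, None for any
    action: str                # "ACCEPT" or "DROP"


def weak_ruleset(wan_has_public_v6: bool) -> list[Rule]:
    """Behaviour as described in the write-up: the WAN drop rules are only
    installed once a public IPv6 address is present, so a WAN neighbour using
    link-local addressing hits the chain's default policy instead."""
    rules = [Rule(LAN_IF, "tcp", 22, "ACCEPT"), Rule(LAN_IF, "tcp", 23, "ACCEPT")]
    if wan_has_public_v6:
        rules.append(Rule(WAN_IF, None, None, "DROP"))
    return rules


def fixed_ruleset(wan_has_public_v6: bool) -> list[Rule]:
    """Corrected policy: inbound on the WAN interface is dropped regardless of
    address assignment. ICMPv6 stays open because neighbour discovery and router
    advertisements run over it; everything else on the WAN is dropped."""
    return [
        Rule(LAN_IF, "tcp", 22, "ACCEPT"),
        Rule(LAN_IF, "tcp", 23, "ACCEPT"),
        Rule(WAN_IF, "icmpv6", None, "ACCEPT"),
        Rule(WAN_IF, None, None, "DROP"),
    ]


def evaluate(rules: list[Rule], iface: str, proto: str, src: str,
             dport: Optional[int] = None, policy: str = "ACCEPT") -> str:
    """First-match evaluation, like an INPUT chain. `policy` is the chain default
    (ASSUMED to be ACCEPT, which is what makes the missing WAN rules matter)."""
    ipaddress.IPv6Address(src)  # raises on a malformed source address
    for r in rules:
        if r.iface != iface:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return policy


def is_link_local(src: str) -> bool:
    return ipaddress.IPv6Address(src) in LINK_LOCAL


def render(rules: list[Rule]) -> list[str]:
    """Render the model as ip6tables command lines (assumed INPUT chain)."""
    out = []
    for r in rules:
        cmd = ["ip6tables", "-A", "INPUT", "-i", r.iface]
        if r.proto:
            cmd += ["-p", r.proto]
        if r.dport is not None:
            cmd += ["--dport", str(r.dport)]
        cmd += ["-j", r.action]
        out.append(" ".join(cmd))
    return out


if __name__ == "__main__":
    probe = ("eth0", "tcp", "fe80::1", 23)   # constructed: link-local neighbour on the WAN
    print("weak, no public v6:", evaluate(weak_ruleset(False), *probe))
    print("fixed, no public v6:", evaluate(fixed_ruleset(False), *probe))
    print("\n".join(render(fixed_ruleset(False))))
```

The probe in __main__ is the situation the write-up describes: a host on the same segment as the WAN port, using only a link-local source, connecting to telnet. Under the weak policy with no public address assigned the packet is accepted by the chain default; under the corrected policy it is dropped while ICMPv6 still passes, so IPv6 on the WAN link keeps working. A practical audit check is to assert that the WAN interface has an unconditional DROP in every configuration, not just the one with a public prefix.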
With a bypass for accessing restricted services, what else can we do? /etc/shadow has a hardcoded password that was easily cracked with John the Ripper. Now the telnet port can be used to connect. Additionally, the telnet prompt only offered a fixed set of commands, but had a special backdoor command, sh, to escape this.
The full steps for the second chain are as follows:
- Ping the address of the WAN interface. This can be used to find the link-local address of the device. I don't fully understand IPv6 networking so I'm pretty much copying and pasting here.
- Launch telnet with the cracked credentials.
- Run the sh command to escape the restricted shell.
- Since the user with the cracked password has uid 0, we are now root.
This was a very novel vulnerability in the routing tables; I will definitely keep this in mind for future assessments. Sadly, both the networking bug and the command injection were fixed a few days before the event. So so so sad. Regardless, amazing findings!