Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Multiple Vulnerabilities in Netgear ProSAFE Switches- 411

Manuel Gines - NCC Group, posted 5 years ago
  • There are a BUNCH of vulnerabilities in this. I will only touch on the unique/interesting ones.
  • Netgear has a protocol called Netgear Switch Management Protocol (NSDP), used to discover switches on the network and push configuration to them. Its authentication has two steps: the client asks the switch for a random token, then uses that token to generate a hash that accompanies every authenticated request.
  • If the first step is skipped right after a reboot, the random value is 0x0! Because the value is known, anyone can produce the hash and send authenticated requests. The author shows a few ways of crashing the switch, making this a viable attack.
  • The firmware update process was done quite poorly. First, firmware updates were not authenticated, so any signed version of the firmware could be put onto the device. Although this does not sound bad, downgrade attacks are common when a product has a previously known vulnerability.
  • Even the validation check that did exist was not done properly. When validating new firmware, the real file length could be spoofed and the maximum firmware size was not validated. Because of these oversights, the signature validation could be bypassed to add custom code to the device.
  • The device had other authentication issues as well: the DHCP configuration functionality was completely unauthenticated, and the NSDP protocol had an information disclosure.
  • Besides the items listed above, there was a plethora of general web app issues (XSS and CSRF), as well as several buffer overflows.
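The token handshake above is worth seeing as code, because the bug is in the server's state machine rather than in any cryptography. The following is an added example written for this page, not code from the NCC Group post or from Netgear firmware: it models a switch that keeps a "current token" slot, compares the vulnerable design (slot defaults to 0 after reboot, so a response computed for token 0 is accepted without any token ever being issued) against a hardened one (no outstanding challenge means no authentication, and each token is single-use). The HMAC-SHA256 construction, the class and function names, and the shared secret are all assumptions made for the example; the real NSDP hash format is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for the switch admin password (assumption).
PASSWORD = b"admin-secret"


def auth_hash(password: bytes, token: int) -> bytes:
    """Client-side response bound to the issued token.

    HMAC-SHA256 over the 32-bit token is an assumption for this example; the
    hash construction used by the real protocol is not reproduced here.
    """
    return hmac.new(password, token.to_bytes(4, "big"), hashlib.sha256).digest()


class VulnerableSwitch:
    """Token slot is a plain integer that starts at 0 after reboot."""

    def __init__(self, password: bytes = PASSWORD) -> None:
        self.password = password
        self.token = 0  # never issued, yet a perfectly valid-looking value

    def request_token(self) -> int:
        self.token = secrets.randbits(32)
        return self.token

    def authenticated_request(self, response: bytes) -> bool:
        # Accepts whatever matches the current slot, including the reboot default.
        return hmac.compare_digest(response, auth_hash(self.password, self.token))


class HardenedSwitch:
    """Refuses authentication unless a challenge is outstanding; tokens are single-use."""

    def __init__(self, password: bytes = PASSWORD) -> None:
        self.password = password
        self.token = None  # None means "no challenge issued", distinct from any integer

    def request_token(self) -> int:
        self.token = secrets.randbits(32)
        return self.token

    def authenticated_request(self, response: bytes) -> bool:
        if self.token is None:
            return False  # nothing to compare against: reject outright
        expected = auth_hash(self.password, self.token)
        self.token = None  # consume the token so a replayed response needs a fresh one
        return hmac.compare_digest(response, expected)


def accepts_unsolicited_response(switch) -> bool:
    """Regression check: does a freshly booted switch accept a response computed
    for token 0 from a client that never requested a token?"""
    return switch.authenticated_request(auth_hash(switch.password, 0))


def legitimate_flow_works(switch) -> bool:
    """Normal two-step flow: request a token, answer with its hash."""
    token = switch.request_token()
    return switch.authenticated_request(auth_hash(switch.password, token))


def replay_rejected(switch) -> bool:
    """A correct response presented twice should only be accepted once."""
    token = switch.request_token()
    response = auth_hash(switch.password, token)
    first = switch.authenticated_request(response)
    second = switch.authenticated_request(response)
    return first and not second


if __name__ == "__main__":
    for cls in (VulnerableSwitch, HardenedSwitch):
        print(cls.__name__, "unsolicited:", accepts_unsolicited_response(cls()),
              "replay rejected:", replay_rejected(cls()))
```

The `accepts_unsolicited_response` check is the kind of test a firmware team can keep in CI: it instantiates the device in its post-reboot state and asserts that no authenticated request succeeds before a token has been handed out.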
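The firmware-validation bullets describe two separate length checks that were missing: the declared length was trusted over the real file length, and no maximum size was enforced. The example below is added for this page (not the post's or vendor's code) to show why both matter: a validator that verifies the signature only over the first `declared_len` bytes lets unsigned data ride along after the signed region, and without a size ceiling an oversized but correctly signed image is also accepted. The image layout, the HMAC-SHA256 stand-in for the vendor signature, the 64 KiB partition limit, and all names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed vendor signing key; HMAC-SHA256 stands in for the real signature scheme (assumption).
SIGNING_KEY = b"vendor-signing-key"
MAGIC = b"FWIM"                         # assumed image magic
MAX_IMAGE = 64 * 1024                    # assumed flash partition size in bytes
HEADER = struct.Struct(">4sI32s")        # magic, declared body length, signature


def sign(body: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def build_image(body: bytes) -> bytes:
    """Produce a correctly signed image for the given body."""
    return HEADER.pack(MAGIC, len(body), sign(body)) + body


def validate_image_vulnerable(image: bytes) -> bool:
    """Trusts the header: checks the signature over only the declared length,
    never compares it with the real file length, and has no size ceiling."""
    magic, declared_len, sig = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False
    body = image[HEADER.size:HEADER.size + declared_len]
    return hmac.compare_digest(sig, sign(body))


def validate_image_hardened(image: bytes) -> bool:
    """Declared length must equal the real body length and fit the partition;
    only then is the signature checked, and it covers the whole body."""
    if len(image) < HEADER.size:
        return False
    magic, declared_len, sig = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False
    body = image[HEADER.size:]
    if declared_len > MAX_IMAGE or len(body) != declared_len:
        return False
    return hmac.compare_digest(sig, sign(body))


def trailing_data_accepted(validator) -> bool:
    """Constructed case: a genuine signed image with unsigned bytes appended.
    The header still declares the original length, so the appended bytes are
    outside the signed region but would still be written to flash."""
    tampered = build_image(b"\x00" * 1024) + b"\xff" * 256
    return validator(tampered)


def oversized_accepted(validator) -> bool:
    """Constructed case: a correctly signed image larger than the partition."""
    return validator(build_image(b"\x00" * (MAX_IMAGE + 1)))


def genuine_accepted(validator) -> bool:
    return validator(build_image(b"\x01" * 100))


if __name__ == "__main__":
    for v in (validate_image_vulnerable, validate_image_hardened):
        print(v.__name__, "trailing:", trailing_data_accepted(v),
              "oversized:", oversized_accepted(v), "genuine:", genuine_accepted(v))
```

The ordering in the hardened validator is deliberate: the cheap structural checks (magic, length consistency, size ceiling) run before any signature work, so a malformed header is rejected without the parser ever indexing past the buffer it was given.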