Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750

Source: Synacktiv, posted 5 years ago
  • The TP-Link is an RTOS router running on MIPS. To set up a proper debugging environment, they attached to the UART connection. However, the inputs were completely ignored, which forced them to connect directly to the PCB trace on their device.
  • With a working UART shell, they compiled gdbserver, strace and busybox to make testing much easier. Additionally, the device does not prevent firmware downgrades, so they could use known issues in older firmware to pop a root shell and do further recon.
  • Once on the device, they did a significant amount of reversing to eventually find a server called Sync Server. Its goal is to synchronize data from the TDPServer and output this content to /tmp for other services to consume.
  • This service parses every incoming mesh network device into an array of structs holding only an IP address and a MAC address. The array was never expected to hold more than 32 devices, but there is no bounds check! So, by adding more than 32 devices, the overflow overwrites the saved $fp and $ra registers, which take effect when execution resumes from the function.
  • These pointers point to the heap, where the data is controlled! Because the router has an RWX heap and the overwritten pointer lands in controllable heap data, we can write shellcode.
  • The data sent in the MAC address is limited to 17 bytes and subject to character restrictions. The character restrictions were bypassable by unicode-escaping the characters, though. With the shellcode, the author jumps to the system PLT and starts another service that is not on by default but is riddled with vulns.
  • The reason a backdoor shell is not initially used is because of the restriction on the amount of allowed characters. So, they had to turn on a different service in order to exploit that instead. With control over the other service, a root shell is gained!
  • The authors submitted this to Pwn2Own and included a nice PoC at the end of the article. They claim that the TP-Link has many other vulnerabilities still waiting to be found! Overall, this was an awesome exploit with interesting bugs throughout.
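The unchecked 32-entry device table described in the summary above, as an added example (not code from the Synacktiv write-up or from TP-Link firmware): a hypothetical vulnerable filler beside a bounds-checked one. The struct layout, field sizes and the extra slack slots are assumptions; the slack stands in for whatever followed the real table, so the overrun is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MESH_DEVICES 32
#define SLACK_ENTRIES 8          /* constructed: memory that follows the table */

/* Hypothetical record: the write-up describes structs holding only IP + MAC. */
struct mesh_device {
    char ip[16];                 /* dotted-quad IPv4 text */
    char mac[18];                /* 17-byte "aa:bb:cc:dd:ee:ff" plus NUL */
};

/* The 32-entry table plus legitimately allocated slack slots, so that writes
 * past entry 31 land in memory we own and can inspect. */
struct device_table {
    struct mesh_device entries[MAX_MESH_DEVICES + SLACK_ENTRIES];
};

/* Vulnerable pattern: trusts the peer-supplied count, no bounds check. */
static size_t fill_table_unchecked(struct device_table *t,
                                   const struct mesh_device *in, size_t n)
{
    for (size_t i = 0; i < n; i++)
        t->entries[i] = in[i];   /* i >= 32 clobbers whatever follows the table */
    return n;
}

/* Hardened: clamp to the table's real capacity (or reject the message). */
static size_t fill_table_checked(struct device_table *t,
                                 const struct mesh_device *in, size_t n)
{
    if (n > MAX_MESH_DEVICES)
        n = MAX_MESH_DEVICES;
    for (size_t i = 0; i < n; i++)
        t->entries[i] = in[i];
    return n;
}

/* Returns 1 if any slack slot past the 32-entry table was written. */
static int slack_clobbered(const struct device_table *t)
{
    for (size_t i = MAX_MESH_DEVICES; i < MAX_MESH_DEVICES + SLACK_ENTRIES; i++)
        if (t->entries[i].ip[0] != '\0' || t->entries[i].mac[0] != '\0')
            return 1;
    return 0;
}

/* Feeds n constructed device records to one filler; returns slack_clobbered(). */
static int run_fill(int checked, size_t n)
{
    struct mesh_device in[MAX_MESH_DEVICES + SLACK_ENTRIES];
    struct device_table t;
    if (n > sizeof in / sizeof in[0]) n = sizeof in / sizeof in[0]; /* input buffer limit only */
    memset(&t, 0, sizeof t);
    for (size_t i = 0; i < n; i++) {
        snprintf(in[i].ip, sizeof in[i].ip, "10.0.0.%zu", i + 1);
        snprintf(in[i].mac, sizeof in[i].mac, "02:00:00:00:00:%02zx", i);
    }
    if (checked) fill_table_checked(&t, in, n);
    else         fill_table_unchecked(&t, in, n);
    return slack_clobbered(&t);
}
```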