Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

UDP Technology IP Camera Vulnerabilities - 553

RandoriSec, posted 4 years ago
  • UDP Technology provides firmware for a large number of IP camera vendors, such as Sophus. Going after a product used by many other companies makes the findings significantly more impactful! In the past, there have been many other discoveries in this same software.
  • The beginning of the article discusses the reversing process for the device. The first step to reversing the firmware is to open it. The initial usage of binwalk failed. By running an entropy analysis on the files, it was easy to see that the firmware was encrypted.
  • Instead of trying to find the key to decrypt the firmware, they used a previous vulnerability to dump the firmware of a different device. Work smarter not harder!
  • They were hunting for command injection. So, in the webroot, they searched for all files that had popen, system or exec*. This limited the search to 28 files. By going from sink to source, they were able to identify a command injection bug in one of the CGI calls.
  • To find buffer overflow vulnerabilities, they analyzed the decompiled code manually. Unlike the previous vulnerability hunting, there is no shortcut for this. Just checking sources and seeing what can be controlled. From doing this, they found 4 unique buffer overflows.
  • To exploit the buffer overflows, the only mitigation to deal with was ASLR (it is the only one turned on). However, the addresses of the libraries, such as libc, were not randomized! By creating a ROP chain and jumping to system, code execution is a fairly standard CTF exercise. Even if the library addresses were randomized, using the PLT code would also work.
  • The authentication was done with HTTP Basic authentication and lighttpd. The lighttpd configuration was designed to require authentication for access to various folders, such as the CGI files. For instance, there is a list of rules within /uapi-cgi/admin.
  • The different folders under /uapi-cgi/ are all symlinks. Hence, there is a rewrite rule within the lighttpd configuration that rewrites a requested directory to the actual directory it needs to go to. Depending on the location being accessed, authentication may or may not be applied.
  • Because the rewrite rule only checks the path as requested (not the resolved path), the authentication check can be bypassed with /non-existent/../uapi-cgi/certmngr.cgi. Damn, regexes are hard to do just right!
  • This writeup covered a fairly standard IoT device with vulnerabilities everywhere. To me, the most interesting part was the authentication bypass because of the poor logic. The article does not have the best English, and it took some time to parse what was actually going on.
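The entropy analysis mentioned in the notes above is a simple heuristic worth seeing in code. The following is an added example written for this page, not code from the RandoriSec article or from binwalk: it computes Shannon entropy per block of an image and flags an image whose blocks are all near 8 bits/byte as encrypted (or compressed end to end), which is why a signature scan finds nothing to carve. The block size, threshold and fraction are assumptions, and the two sample images are constructed here, not real firmware.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def entropy_profile(blob: bytes, block_size: int = 4096) -> list:
    """Entropy of each fixed-size block: the same picture an entropy scan draws over an image."""
    return [shannon_entropy(blob[i:i + block_size]) for i in range(0, len(blob), block_size)]


def looks_encrypted(blob: bytes, block_size: int = 4096,
                    threshold: float = 7.5, fraction: float = 0.9) -> bool:
    """Heuristic (thresholds are assumptions, not binwalk's): when nearly every block sits close
    to 8 bits/byte there are no headers or strings left for a signature scan to match, so the
    image is encrypted or compressed as a whole and must be obtained another way."""
    profile = entropy_profile(blob, block_size)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) >= fraction


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed, not firmware)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample images: repeated ASCII for the plaintext case, hash output for the
# encrypted case. Neither is taken from any real device.
PLAINTEXT_IMAGE = b"CONSTRUCTED FIRMWARE HEADER v1.0\n" * 2000
ENCRYPTED_IMAGE = pseudo_random(64 * 1024)

if __name__ == "__main__":
    for name, image in (("plaintext", PLAINTEXT_IMAGE), ("encrypted", ENCRYPTED_IMAGE)):
        profile = entropy_profile(image)
        print(f"{name}: min {min(profile):.2f} max {max(profile):.2f} bits/byte,"
              f" looks_encrypted={looks_encrypted(image)}")
```

A profile that is flat near 8 bits/byte everywhere is the encrypted case; a compressed filesystem inside an otherwise readable image shows up as a high plateau between low-entropy regions, which is the pattern a signature scan can still work with.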
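The authentication bypass in the last notes comes down to one ordering mistake: the access rule was applied to the path as requested while the file served was the resolved path. The following is an added example written for this page (not the device's configuration or lighttpd code) that shows the weak check letting the page's /non-existent/../uapi-cgi/certmngr.cgi request through and the corrected check, which canonicalizes first, catching it. The rule set, the role names and the helper functions are assumptions; the canonicalizer also percent-decodes and collapses doubled slashes, which goes beyond what the write-up discusses but is the same principle of deciding on the path that will actually be served.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed rule set in the spirit of per-directory HTTP Basic auth rules (assumption: the
# device's real configuration is not reproduced here). First matching rule wins.
AUTH_RULES = [
    (re.compile(r"^/uapi-cgi/admin(/|$)"), "admin"),
    (re.compile(r"^/uapi-cgi(/|$)"), "user"),
]


def required_role_weak(path: str) -> Optional[str]:
    """The flawed pattern: rules are matched against the request path exactly as sent, while
    the server later resolves '..' segments when it maps that path to a file."""
    for pattern, role in AUTH_RULES:
        if pattern.search(path):
            return role
    return None


def canonicalize(path: str) -> str:
    """Turn the request path into the path the filesystem will actually resolve: percent-decode
    until stable, collapse leading slashes, then fold '.' and '..' segments."""
    decoded = path
    while True:
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    # posixpath.normpath deliberately keeps a leading '//', so collapse it ourselves.
    decoded = "/" + decoded.lstrip("/")
    # normpath discards '..' that would climb above '/', so the result never escapes the root.
    return posixpath.normpath(decoded)


def required_role_fixed(path: str) -> Optional[str]:
    """The corrected check: decide on the canonical path, which is the one that gets served."""
    return required_role_weak(canonicalize(path))


def authorize(path: str, role: Optional[str]) -> bool:
    """True if a request by a principal holding `role` (None = unauthenticated) may proceed.
    Uses the fixed check; substituting required_role_weak reproduces the bypass."""
    needed = required_role_fixed(path)
    if needed is None:
        return True
    rank = {"user": 1, "admin": 2}
    return role is not None and rank.get(role, 0) >= rank[needed]


if __name__ == "__main__":
    request = "/non-existent/../uapi-cgi/certmngr.cgi"
    print("weak check requires :", required_role_weak(request))   # None: unauthenticated access
    print("canonical path      :", canonicalize(request))
    print("fixed check requires:", required_role_fixed(request))  # user
```

The defender's rule this encodes is to normalize before authorizing and to make sure the string the rule engine sees is the same string the handler uses to open the file; any rewrite or symlink step that happens after the auth decision reopens the gap.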