For Pwn2Own 2021 (IoT edition), this team decided to tackle the Western Digital PR4100 NAS. They targeted the device's web APIs, which are served through a command gateway interface.
The authors found a fairly straightforward stack buffer overflow in the password handling. The overflow occurs because of a strcpy that never checks the length of the destination buffer. Since the binary is built with no PIE and no stack canaries, this should be trivial to exploit.
At the point of the overflow, many of the registers are controlled: one of them points to free in libc and two of them point to the stack. Because the copy is a strcpy, the overflowing data can contain only a single NUL byte, at the very end. This is where exploitation becomes hard and fun: with no direct way to control the first argument to system(), some magic had to be done.
Since the password was base64-encoded, the decoded string could contain NUL bytes. The new goal was to use a stack pivot to point the stack at the location of the base64-decoded password, in order to load RDI with a chosen string and call system().
After finding ROP gadgets to do exactly this, they could run a 47-character command via system(). To do something impactful, the authors dropped a static netcat binary into the /Public SAMBA share and invoked it from there. Game over :)
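The bug class above, shown as an added illustration that is not code from the Pwn2Own entry or from the WD firmware: an unbounded strcpy into a fixed stack buffer beside a hardened replacement that takes the decoder's output length (base64 output may contain NUL bytes, so strlen is the wrong measure) and checks it before copying. PASSWORD_MAX, the function names and the inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* PASSWORD_MAX is a constructed buffer size for this illustration; the real
 * NAS binary's buffer size is not given on the page. */
#define PASSWORD_MAX 32

/* Vulnerable pattern described above: strcpy copies until the first NUL of
 * the source and never consults the destination size. A decoded password of
 * PASSWORD_MAX bytes or more runs off the end of buf into saved registers and
 * the return address (no canary to detect it, no PIE to randomise addresses). */
int handle_password_unsafe(const char *decoded)
{
    char buf[PASSWORD_MAX];
    strcpy(buf, decoded);            /* unbounded copy: the bug */
    return (int)strlen(buf);
}

/* Hardened replacement: the caller passes the decoder's output length rather
 * than relying on strlen (base64 output may legitimately contain NUL bytes),
 * the length is checked against the buffer before any copy, and the buffer is
 * always NUL-terminated. Returns the accepted length or -1 on rejection. */
int handle_password_safe(const char *decoded, size_t decoded_len)
{
    char buf[PASSWORD_MAX];
    if (decoded_len >= sizeof buf)   /* reserve one byte for the terminator */
        return -1;
    memcpy(buf, decoded, decoded_len);
    buf[decoded_len] = '\0';
    return (int)decoded_len;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would overflow PASSWORD_MAX. */
    const char *ok = "correct-horse";
    char too_long[64];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    printf("safe(ok)       = %d\n", handle_password_safe(ok, strlen(ok)));             /* 13 */
    printf("safe(too_long) = %d\n", handle_password_safe(too_long, strlen(too_long))); /* -1 */
    /* handle_password_unsafe(too_long) is deliberately not called: it would
     * corrupt the stack, which is exactly the defect the hardened version prevents. */
    return 0;
}
```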
A few ending remarks:
- Western Digital patched this bug right before Pwn2Own, which the team was not happy about.
- WD NAS equipment is similar to D-Link NAS devices, since D-Link wound down that product division and sold it to WD. As a result, if a bug is found in a D-Link NAS, check the WD equivalents as well.
- eb fe is an infinite loop (jmp to itself) in x86_64 machine code. Placing it at a target address is a handy debugging trick for exploit developers, since a hanging process confirms control flow reached that point.