Netgear's Nighthawk is a popular line of consumer routers. While doing attack surface analysis on the WAN interface of a Nighthawk Smart Router, the authors of the write-up noticed an already reverse engineered binary called /bin/circled. The daemon is started by default, even when the feature it belongs to is turned off on the router.
They decided to target the update mechanism of this service. The update check runs at boot and every two hours; if the process crashes, it is restarted, so a failed attempt does not cost the attacker anything.
The function update_database, located at 0xCE38, parses a downloaded file to determine whether any updates apply. For each line of the update file it calls sscanf to write two strings into two stack buffers of 256 bytes each, using string conversions that carry no field width.
The vulnerability is that such a conversion copies until it hits whitespace (or the terminating NUL) and never checks the size of the destination, so an overlong token runs off the end of the 256-byte buffer. This is a classic stack-based buffer overflow, and it reaches far enough to overwrite the saved return address ($PC) on the stack.
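The shape of the bug and its fix, as an added example that is not circled's code and not taken from the write-up: a line parser with two unbounded `%s` conversions into 256-byte buffers next to a hardened version. The struct, function names and sample lines are constructed for illustration; the real binary's field layout is not known from the post. The example also shows the caveat that `%255s` alone is not a complete fix, because a truncated token silently spills into the next field.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SZ 256   /* size of each stack buffer, as described in the write-up */

/* Hypothetical record layout; two whitespace-separated fields per line. */
struct update_entry {
    char name[FIELD_SZ];
    char url[FIELD_SZ];
};

/* Reconstruction of the bug (not circled's code): two %s conversions with no
 * field width. sscanf copies each token until whitespace or NUL regardless of
 * destination size, so a token of 256+ bytes overflows the stack buffer.
 * Only ever called on safe input in this example. */
static int parse_line_vulnerable(const char *line, struct update_entry *e)
{
    return sscanf(line, "%s %s", e->name, e->url) == 2;
}

/* Length of the longest whitespace-delimited token on the line. */
static size_t longest_token(const char *line)
{
    size_t best = 0, cur = 0;
    for (const unsigned char *p = (const unsigned char *)line; ; p++) {
        if (*p == '\0' || isspace(*p)) {
            if (cur > best) best = cur;
            cur = 0;
            if (*p == '\0') break;
        } else {
            cur++;
        }
    }
    return best;
}

/* Would the unbounded parser overflow on this line? 255 chars + NUL is the
 * longest token that fits in FIELD_SZ bytes. */
static int line_overflows(const char *line)
{
    return longest_token(line) >= FIELD_SZ;
}

/* Hardened parser: reject overlong tokens up front, then use width-limited
 * conversions (%255s leaves room for the terminating NUL). The up-front check
 * matters because "%255s %255s" alone would split a 300-byte token into a
 * 255-byte first field and a 45-byte second field and still return 2. */
static int parse_line_hardened(const char *line, struct update_entry *e)
{
    if (line_overflows(line))
        return 0;
    return sscanf(line, "%255s %255s", e->name, e->url) == 2;
}

int main(void)
{
    struct update_entry e;
    char evil[FIELD_SZ + 64];

    /* constructed sample lines */
    const char *ok = "blocklist-v2 https://updates.example.invalid/db.txt";
    memset(evil, 'A', sizeof evil - 1);
    evil[sizeof evil - 1] = '\0';

    parse_line_vulnerable(ok, &e);
    printf("benign line: name=%s url=%s\n", e.name, e.url);
    printf("overlong token would overflow the unbounded parser: %d\n", line_overflows(evil));
    printf("hardened parser accepts the overlong line: %d\n", parse_line_hardened(evil, &e));
    return 0;
}
```

A width-limited format is the minimal patch; rejecting lines whose tokens do not fit is what keeps a truncated field from being misparsed as the next one.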
To fetch the update file, the daemon shells out to curl. Although the request goes over HTTPS, the curl command is run with the -k flag, which disables certificate verification. So the overflow can be triggered by anyone who can control the response to this request, i.e. anyone able to impersonate the update server on the network path.
To exploit this, the authors set up a DHCP server facing the Netgear router's WAN port. Once they hand out the lease, they also hand the router their own DNS server, which resolves the update hostname to their own HTTPS server serving the malicious update file. Because of -k, the router accepts whatever certificate that server presents, which is what makes the attack possible.
A few things to consider for the exploitation of this bug:
- ASLR is only partially enabled (randomize_va_space is 1 rather than 2, so the stack and mmap regions are randomized but the brk heap is not) and the binary is not PIE, so its code and data sit at fixed addresses.
- Null bytes cannot be placed in the overflowing data, since it is copied by sscanf's string conversion, which stops at the first NUL (and at whitespace).
- $R4, $R11 and $PC are the registers controllable from the overflow.
The authors found a magic gadget that lets them control a parameter while calling system(). Because the overflow can be triggered twice, and sscanf terminates each string it copies with a NUL, they are able to place a SINGLE null byte exactly where they need it.
Although the heap is not randomized, the exact address of the command string is not known, only that it sits somewhere in the heap. So they use the equivalent of a NOP sled for shell commands: a HUGE run of A's, then a semicolon, then the actual command. Wherever inside the run of A's the pointer passed to system() lands, the shell treats the remaining A's as a nonexistent first command, fails on it, and then runs the real command after the semicolon. A NOP sled for a shell command!
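The sled trick above, as an added example that is not part of the write-up: build the `AAAA...;cmd` payload, then check what the shell would end up executing for every possible landing offset. The function names, the filler length and the `echo` command are assumptions for illustration; the real exploit's payload size and command are not given in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build "AAAA...A;<cmd>": pad bytes of filler, a separator, then the real
 * command. Caller frees the result. */
static char *build_sled(size_t pad, const char *cmd)
{
    size_t n = pad + 1 + strlen(cmd);
    char *buf = malloc(n + 1);
    if (!buf) return NULL;
    memset(buf, 'A', pad);
    buf[pad] = ';';
    memcpy(buf + pad + 1, cmd, strlen(cmd) + 1);
    return buf;
}

/* What sh -c would run if system() received a pointer `off` bytes into the
 * payload. Landing anywhere in the A's gives "AAA...;cmd": the first word is
 * looked up as a command and fails, then cmd runs. Landing exactly on the ';'
 * is a shell syntax error, and landing inside cmd runs a garbage suffix; both
 * are reported as NULL (the sled missed). Assumes cmd contains no ';'. */
static const char *effective_command(const char *payload, size_t off)
{
    const char *start = payload + off;
    if (*start == ';') return NULL;
    const char *sep = strchr(start, ';');
    if (!sep) return NULL;
    return sep + 1;
}

/* Number of landing offsets in the whole payload that still run cmd. */
static size_t sled_hits(const char *payload, const char *cmd)
{
    size_t hits = 0, len = strlen(payload);
    for (size_t off = 0; off < len; off++) {
        const char *eff = effective_command(payload, off);
        if (eff && strcmp(eff, cmd) == 0) hits++;
    }
    return hits;
}

int main(void)
{
    const char *cmd = "echo target command ran";
    size_t pad = 64;   /* the real exploit used a far larger run of A's */
    char *payload = build_sled(pad, cmd);
    if (!payload) return 1;

    size_t off = 17;   /* pretend system() got a pointer 17 bytes into the A's */
    printf("landing offsets that still run the command: %zu of %zu\n",
           sled_hits(payload, cmd), strlen(payload));
    printf("effective command at offset %zu: %s\n", off, effective_command(payload, off));

    /* The shell complains that "AAAA..." is not found on stderr, then runs cmd. */
    int rc = system(payload + off);
    printf("system() returned %d\n", rc);
    free(payload);
    return 0;
}
```

The hit count equals the filler length: every byte of the A run is a valid landing spot, the separator and the command itself are not, which is why making the run as large as the heap allocation permits matters.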
To patch this vulnerability, Netgear removed the -k switch and modified the parser so that it no longer overflows the buffers. To me, this felt weird for a Pwn2Own entry, because it had limitations on WHEN it could be executed and required a complicated networking setup. But, overall, a great and fun write-up!