TCP/32764 backdoor
Or how linksys saved Christmas!
Who?
• Eloi Vanderbeken
• @elvanderb
• https://github.com/elvanderb
• eloi . vanderbeken @ gmail . com

• Interested in reverse and crypto.
• Don’t like to write reports :D
  – Angrish is hard!
• Certified Ethical Dauber | Microsoft Paint MVP
When? Christmas!!!
(1Mb/s) / (10 users * 68dB) =
IDEA !
But… few years ago…
[Slide drawing: "/me now" and "/me then", with the WAG 200G in between; caption: "Very long and complex"]
For the record…
[Slide drawing of the surroundings: fields of wheat, corn and sugar beet, a cow, "NOTHING" in every direction ("REALLY NOTHING", "NOTHING (or a cow)", "A little bit of nothing"), the DSLAM "FAAAAR away", and the "Mothership" beyond it]
Challenge:
• No access to the http[s] administration tool.
• No admin password anyway…
• NEED DA INTERNET!
Nmap
• Few interesting ports:
  – ReAIM (http://reaim.sourceforge.net/)
    • Possibly vuln…
  – Unknown service listening on TCP/32764
    • Responds ScMM\xFF\xFF\xFF\xFF\x00\x00\x00\x00 to any request.
GO-GO-GADGET GOOGLE

Mister Guessing 2010!
Let’s get the firmware!
http://support.linksys.com/en-us/support/gateways/WAG200G/download
-> FU linksys!

http://community.linksys.com/t5/Cable-and-DSL/WAG200G-FR-firmwareupgrade/m-p/233170
-> Thks users!

http://download.modem-help.co.uk/mfcsL/LinkSys/WAG200G/Firmware/v1/
-> Thks modem-help & google!
WHER IZ U ROOT-FS?!
WHER IZ U ROOT-FS?! Cont’d

ftp://ftp.linksys.com/opensourcecode is now down
Chainsaw time!
• Get LZMA SDK 4.65
• Modify squashfs-tools’ Makefile:
• Use your chainsaw on source code:
Found you!
Where’s Waldo^wthe service?
FU, maybe it’s in little endian…
FU!!! Let’s get dirty!

Just use grep and IDA to find the good one 
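The "where is the root fs / maybe it's little endian" hunt above is, in practice, a search for a squashfs superblock whose byte order you do not know yet. The scanner below is an added example (not code from the slides or from Linksys) that locates squashfs superblocks in a raw image and reports offset, byte order and version; it goes slightly beyond the slides by also reading the squashfs 4.x compression id. Only documented superblock facts are relied on: the magic 0x73717368 is stored in the file system's own byte order (so it reads "hsqs" on disk for little-endian images and "sqsh" for big-endian ones), the u16 major/minor version sits at offsets 28/30 in squashfs 1.x–4.x, and 4.x adds a compression id at offset 20 (1 gzip, 2 lzma, 3 lzo, 4 xz). Pre-4 LZMA images have no compression field at all, which is why unpacking them needs the patched squashfs-tools build the slide describes. The sample image is constructed inline and is not a real firmware.

```c
/* Added example, not from the slides: locate squashfs superblocks inside a raw
 * firmware image and report offset, byte order and squashfs version. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SQSH_MAGIC  0x73717368u
#define SQSH_SB_MIN 32              /* bytes needed to reach the version fields */

enum sqsh_order { SQSH_LITTLE = 0, SQSH_BIG = 1 };

struct sqsh_hit {
    size_t offset;                  /* start of the superblock in the image */
    enum sqsh_order order;          /* byte order implied by the magic bytes */
    unsigned major, minor;          /* s_major / s_minor at offsets 28 / 30 */
    unsigned compression;           /* compression id at offset 20, 4.x only (0 otherwise) */
};

static uint16_t rd16(const uint8_t *p, enum sqsh_order o)
{
    return o == SQSH_LITTLE ? (uint16_t)(p[0] | p[1] << 8)
                            : (uint16_t)(p[0] << 8 | p[1]);
}

static uint32_t rd32(const uint8_t *p, enum sqsh_order o)
{
    return o == SQSH_LITTLE
        ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
        : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Scan img[start..len) for a superblock. Returns its offset, or -1 if none.
 * hit may be NULL when only the offset is wanted. */
long find_squashfs(const uint8_t *img, size_t len, size_t start, struct sqsh_hit *hit)
{
    for (size_t off = start; off + SQSH_SB_MIN <= len; off++) {
        enum sqsh_order order;
        if (rd32(img + off, SQSH_LITTLE) == SQSH_MAGIC)   order = SQSH_LITTLE;  /* "hsqs" on disk */
        else if (rd32(img + off, SQSH_BIG) == SQSH_MAGIC) order = SQSH_BIG;     /* "sqsh" on disk */
        else continue;
        if (hit) {
            hit->offset = off;
            hit->order = order;
            hit->major = rd16(img + off + 28, order);
            hit->minor = rd16(img + off + 30, order);
            hit->compression = hit->major == 4 ? rd16(img + off + 20, order) : 0;
        }
        return (long)off;
    }
    return -1;
}

/* Constructed sample image (not a real firmware): 0xFF filler with a
 * little-endian squashfs 3.1 superblock at 0x200 and a big-endian 4.0
 * superblock with compression id 2 (lzma) at 0x400. Returns bytes written. */
size_t make_sample_image(uint8_t *buf, size_t cap)
{
    const size_t total = 0x600;
    if (cap < total) return 0;
    memset(buf, 0xFF, total);
    memset(buf + 0x200, 0, SQSH_SB_MIN);
    memcpy(buf + 0x200, "hsqs", 4);
    buf[0x200 + 28] = 3; buf[0x200 + 30] = 1;       /* 3.1, little-endian fields */
    memset(buf + 0x400, 0, SQSH_SB_MIN);
    memcpy(buf + 0x400, "sqsh", 4);
    buf[0x400 + 21] = 2; buf[0x400 + 29] = 4;       /* 4.0, lzma, big-endian fields */
    return total;
}

int main(void)
{
    uint8_t img[0x600];
    size_t n = make_sample_image(img, sizeof img);
    struct sqsh_hit h;
    for (long off = find_squashfs(img, n, 0, &h); off >= 0;
         off = find_squashfs(img, n, (size_t)off + 1, &h))
        printf("squashfs at 0x%lx: %s-endian, version %u.%u, compression %u\n",
               off, h.order == SQSH_BIG ? "big" : "little", h.major, h.minor, h.compression);
    return 0;
}
```

Run it over a real image by reading the file into a buffer and calling find_squashfs in the same loop; the reported byte order tells you which unsquashfs build (and which IDA processor setting) to reach for before you start grepping for the service.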
First steps
• No symbols, MIPS:
  – We’ll have to reverse
  – I love reversing and MIPS is easy so it’s OK :D
• Very simple binary protocol:
  – Header (0xC bytes) followed by a payload
• Header structure:
Easy protocol, isn’t it?

Heap based buffer overflow
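The slides give the header size (0xC bytes) and the reply nmap saw, but the header screenshot did not survive, and the heap overflow is only named, not explained. The following is an added example, not the slides' or the firmware's code: a bounds-checked parser for the 12-byte header together with a matcher for the unsolicited reply, the kind of check an IDS signature or an audit script would apply to a captured response. Its layout is an assumption that fits the 12-byte "ScMM\xFF\xFF\xFF\xFF\x00\x00\x00\x00" reply: three u32 fields (magic, message code, payload length) in the firmware's byte order. It further assumes the magic constant is 0x53634D4D, so "ScMM" on the wire means big-endian fields and "MMcS" little-endian; if the firmware's constant is the byte-swapped value, flip that flag. MAX_PAYLOAD is this example's own limit, not a value from the device, and every sample message is constructed here rather than captured.

```c
/* Added example, not the slides' code: bounds-checked header parsing and
 * banner matching for the TCP/32764 protocol (layout assumed, see lead-in). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN     12
#define MAX_PAYLOAD 4096u   /* hypothetical limit chosen by this example */

struct msg_hdr { uint32_t code, length; int big_endian; };

enum parse_result { PARSE_OK, PARSE_SHORT, PARSE_BAD_MAGIC, PARSE_TOO_LONG, PARSE_INCOMPLETE };

static uint32_t get32(const uint8_t *p, int be)
{
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Validate the header of the message in buf[0..n). The length field is
 * checked against MAX_PAYLOAD and against the bytes actually received before
 * anything is allocated or copied from it; trusting that field unchecked is
 * the classic way a handler like this ends in a heap overflow. */
enum parse_result parse_header(const uint8_t *buf, size_t n, struct msg_hdr *h)
{
    if (n < HDR_LEN) return PARSE_SHORT;
    if (memcmp(buf, "ScMM", 4) == 0)      h->big_endian = 1;   /* assumed: 0x53634D4D big-endian */
    else if (memcmp(buf, "MMcS", 4) == 0) h->big_endian = 0;   /* assumed: same value little-endian */
    else return PARSE_BAD_MAGIC;
    h->code   = get32(buf + 4, h->big_endian);
    h->length = get32(buf + 8, h->big_endian);
    if (h->length > MAX_PAYLOAD) return PARSE_TOO_LONG;
    if (h->length > n - HDR_LEN) return PARSE_INCOMPLETE;
    return PARSE_OK;
}

/* Copy the payload into dst only when the header passed every check and the
 * payload fits the destination. Returns the payload length, or -1. */
long accept_message(const uint8_t *buf, size_t n, uint8_t *dst, size_t dst_len)
{
    struct msg_hdr h;
    if (parse_header(buf, n, &h) != PARSE_OK || h.length > dst_len) return -1;
    memcpy(dst, buf + HDR_LEN, h.length);
    return (long)h.length;
}

/* Detection helper: does a reply look like the service's "unknown request"
 * banner (valid magic, code 0xFFFFFFFF, empty payload) in either byte order? */
int is_backdoor_banner(const uint8_t *buf, size_t n)
{
    struct msg_hdr h;
    return parse_header(buf, n, &h) == PARSE_OK && h.code == 0xFFFFFFFFu && h.length == 0;
}

/* Constructed samples (not captured traffic). */
const uint8_t SAMPLE_BANNER_BE[12] = { 'S','c','M','M', 0xFF,0xFF,0xFF,0xFF, 0,0,0,0 };
const uint8_t SAMPLE_BANNER_LE[12] = { 'M','M','c','S', 0xFF,0xFF,0xFF,0xFF, 0,0,0,0 };
const uint8_t SAMPLE_MSG_BE[15]    = { 'S','c','M','M', 0,0,0,1, 0,0,0,3, 'a','b','c' };
const uint8_t SAMPLE_HUGE_LEN[12]  = { 'S','c','M','M', 0,0,0,1, 0xFF,0xFF,0xFF,0xFF };
const uint8_t SAMPLE_HTTP[12]      = { 'G','E','T',' ', '/',' ','H','T','T','P','/','1' };

int main(void)
{
    uint8_t payload[MAX_PAYLOAD];
    printf("banner (BE): %d\n", is_backdoor_banner(SAMPLE_BANNER_BE, 12));
    printf("banner (LE): %d\n", is_backdoor_banner(SAMPLE_BANNER_LE, 12));
    printf("message payload bytes: %ld\n", accept_message(SAMPLE_MSG_BE, 15, payload, sizeof payload));
    printf("huge length accepted? %ld\n", accept_message(SAMPLE_HUGE_LEN, 12, payload, sizeof payload));
    return 0;
}
```

The same is_backdoor_banner test, applied to the first 12 bytes a device returns on TCP/32764, is what a network inventory needs to flag affected units; the parser's separate PARSE_INCOMPLETE result lets a reader keep buffering instead of treating a slow sender as an attack.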
Messages…
Let’s bruteforce them!
WTF?!
WTFFFFFFUUUUU?!
• NO MOAR INTERNETZ?!
• When we restart the script: Configuration is reset?!?!!!
Quick messages’ reverse…
1. Dump configuration (nvram)
2. Get configuration var
   – possible stack based buffer overflow (if variable is controlled by the user)
3. Set configuration var
   – stack based buffer overflow, output buffer (size ≈ 0x10000) is on the stack.
4. Commit nvram
   – set nvram (/dev/mtdblock/3) from /tmp/nvram; check CRC
5. Set bridge mode ON (not sure, I didn’t have the time to test it)
   – nvram_set("wan_mode", bridgedonly)
   – nvram_set("wan_encap", 0)
   – nvram_set("wan_vpi", 8)
   – nvram_set("wan_vci", 81)
   – system("/usr/bin/killall br2684ctl")
   – system("/usr/bin/killall udhcpd")
   – system("/usr/bin/killall -9 atm_monitor")
   – system("/usr/sbin/rc wan stop >/dev/null 2>&1")
   – system("/usr/sbin/atm_monitor&")
6. Show measured internet speed (download/upload)
Quick messages’ reverse… cont’d
7. cmd (yep, it’s a shell…)
   – special commands:
     • exit, bye, quit -> quit... (alive = 0)
     • cd: change directory
   – other commands:
     • buffer overflow on cmd output (same buffer again)…
8. write file
   – file name in payload
   – root dir = /tmp
   – directory traversal might be possible (not tested but it’s an open(sprintf("/tmp/%s", payload))…)
9. return version
10. return modem router ip
   – nvram_get("lan_ipaddr")
11. restore default settings
   – nvram_set("restore_default", 1)
   – nvram_commit()
12. read /dev/mtdblock/0 [-4:-2]
   – dunno what it is, I didn’t have the time to test it
13. dump nvram on disk (/tmp/nvram) and commit
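Message 8 above builds its destination as open(sprintf("/tmp/%s", payload)), which is the shape of both problems the list keeps running into: the caller-supplied name is pasted into a path without being checked, and sprintf writes without a bound. The following is an added example, not the slides' or the firmware's code, showing that pattern beside a bounded replacement that only accepts a single plain file name under /tmp. MAX_NAME_LEN is this example's own limit; the vulnerable variant uses snprintf instead of the slide's sprintf only so that it cannot overrun the buffer here, which leaves the traversal behaviour intact for comparison.

```c
/* Added example, not the slides' code: the "write file" path construction
 * as described on the slide, beside a bounded, traversal-safe replacement. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TMP_ROOT     "/tmp/"
#define MAX_NAME_LEN 64     /* hypothetical limit chosen by this example */

/* The pattern the slide describes for message 8 (sprintf swapped for snprintf
 * so it cannot overrun out in this example). A name such as "../etc/passwd"
 * still goes straight through, so the result is not confined to /tmp. */
int naive_tmp_path(const char *name, char *out, size_t out_len)
{
    return snprintf(out, out_len, "/tmp/%s", name) > 0;
}

/* Returns 1 and writes "/tmp/<name>" into out, or 0 when the name is
 * rejected: empty, longer than MAX_NAME_LEN, "." or "..", containing a path
 * separator (so no subdirectories and no ".." components), containing a NUL
 * or any other non-printable byte, or too long for out. name_len is taken
 * explicitly because the payload arrives as a length-prefixed blob, not a
 * C string. */
int safe_tmp_path(const char *name, size_t name_len, char *out, size_t out_len)
{
    if (name_len == 0 || name_len > MAX_NAME_LEN) return 0;
    if (name_len <= 2 && name[0] == '.' && (name_len == 1 || name[1] == '.')) return 0;
    for (size_t i = 0; i < name_len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c > 0x7E) return 0;
    }
    int n = snprintf(out, out_len, "%s%.*s", TMP_ROOT, (int)name_len, name);
    return n > 0 && (size_t)n < out_len;     /* reject truncation, not just overflow */
}

int main(void)
{
    const char *names[] = { "config.bin", "../etc/passwd", "..", "sub/dir" };
    char out[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int ok = safe_tmp_path(names[i], strlen(names[i]), out, sizeof out);
        printf("%-16s -> %s\n", names[i], ok ? out : "rejected");
    }
    return 0;
}
```

Rejecting separators outright is stricter than canonicalising the path afterwards, but it needs no file system access and has no race between the check and the open, which matters for a daemon that handles these names on a device with no other safeguards.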
So if you need access to the admin panel….
Thank you Linksys!!!
You saved my Christmas
Some more lolz…
• I only had 1 day to test my code/assumptions, so the following slides are just some random thoughts/observations…
• It wasn’t tested but it’s probably interesting
In setup.cgi
A little bit further in setup.cgi…
get_rand_key ???
Generate the key used to encrypt Routercfg.cfg (if I’m right)
libtea.so
Again in setup.cgi
Not sure but I think we control this
mini_httpd
Hardcoded 1024bit RSA private key
May I show Doge… again?
To be continued…
Backdoor is only confirmed on WAG200G; if you know/find other affected hardware, let me know

DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset vulnerability

1. TCP/32764 backdoor
Or how linksys saved Christmas!

2. Who?
• Eloi Vanderbeken
• @elvanderb
• https://github.com/elvanderb
• eloi . vanderbeken @ gmail . com
• Interested in reverse and crypto.
• Don't like to write reports :D
  – Angrish is hard!
• Certified Ethical Dauber | Microsoft Paint MVP

4. (1Mb/s) / (10 users * 68dB) =

6. But… a few years ago…
[diagram labels: /me now, WAG 200G, /me then; "Very long and complex"]

7. For the record…
[map: between the WAG 200G and the DSLAM, which is FAAAAR away, there is NOTHING, REALLY NOTHING: wheat, corn, sugar beet, a cow, the Mothership, and a little bit of nothing]

8. Challenge:
• No access to the http[s] administration tool.
• No admin password anyway…
• NEED DA INTERNET!

9. Nmap
• Few interesting ports:
  – ReAIM (http://reaim.sourceforge.net/)
    • Possibly vuln…
  – Unknown service listening on TCP/32764
    • Responds ScMM\xFF\xFF\xFF\xFF\x00\x00\x00\x00 to any request.

11. Let's get the firmware!
http://support.linksys.com/en-us/support/gateways/WAG200G/download -> FU linksys!
http://community.linksys.com/t5/Cable-and-DSL/WAG200G-FR-firmwareupgrade/m-p/233170 -> Thanks users!
http://download.modem-help.co.uk/mfcsL/LinkSys/WAG200G/Firmware/v1/ -> Thanks modem-help & google!

12. WHER IZ U Ʀᴓ ФŦ-Ƒ$?!

13. WHER IZ U Ʀᴓ ФŦ-Ƒ$?! Cont'd
ftp://ftp.linksys.com/opensourcecode is now down

14. Chainsaw time!
• Get LZMA SDK 4.65
• Modify squashfs-tools' Makefile:
• Use your chainsaw on source code:

16. Where's Waldo^wthe service?
FU, maybe it's in little endian…
FU!!! Let's get dirty!
Just use grep and IDA to find the good one

17. First steps
• No symbols, MIPS:
  – We'll have to reverse
  – I love reversing and MIPS is easy so it's OK :D
• Very simple binary protocol:
  – Header (0xC bytes) followed by a payload
• Header structure:

18. Easy protocol, isn't it?
[annotated code: heap based buffer overflow]

21. WTF?!

22. WTFFFFFFUUUUU?!
• NO MOAR INTERNETZ?!
• When we restart the script: Configuration is reset?!?!!!

24. Quick messages' reverse…
1. Dump configuration (nvram)
2. Get configuration var
  – possible stack based buffer overflow (if variable is controlled by the user)
3. Set configuration var
  – stack based buffer overflow, output buffer (size ≈ 0x10000) is on the stack.
4. Commit nvram
  – set nvram (/dev/mtdblock/3) from /tmp/nvram; check CRC
5. Set bridge mode ON (not sure, I didn't have the time to test it)
  – nvram_set("wan_mode", bridgedonly)
  – nvram_set("wan_encap", 0)
  – nvram_set("wan_vpi", 8)
  – nvram_set("wan_vci", 81)
  – system("/usr/bin/killall br2684ctl")
  – system("/usr/bin/killall udhcpd")
  – system("/usr/bin/killall -9 atm_monitor")
  – system("/usr/sbin/rc wan stop >/dev/null 2>&1")
  – system("/usr/sbin/atm_monitor&")
6. Show measured internet speed (download/upload)

25. Quick messages' reverse… cont'd
7. cmd (yep, it's a shell…)
  – special commands:
    • exit, bye, quit -> quit... (alive = 0)
    • cd: change directory
  – other commands:
    • buffer overflow on cmd output (same buffer again)…
8. write file
  – file name in payload
  – root dir = /tmp
  – directory traversal might be possible (not tested, but it's an open(sprintf("/tmp/%s", payload))…)
9. return version
10. return modem router ip
  – nvram_get("lan_ipaddr")
11. restore default settings
  – nvram_set("restore_default", 1)
  – nvram_commit()
12. read /dev/mtdblock/0 [-4:-2]
  – dunno what it is, I didn't have the time to test it
13. dump nvram on disk (/tmp/nvram) and commit
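Added example, not the deck's own code and not the author's PoC: a small Python codec for the ScMM framing described on slides 9 and 17, an offline check for the banner quoted on slide 9, and the file-name confinement that the write-file handler on slide 25 (an open(sprintf("/tmp/%s", payload))) is described as lacking. Assumptions, marked in the code as well: the 12-byte header is the 'ScMM' magic followed by a 32-bit little-endian message type and a 32-bit little-endian payload length, and the numbers in the slide-24/25 list are the wire message types. The sample reply bytes are constructed from slide 9. probe() does real network I/O and is only there for pointing at a device you own; everything else runs offline.

```python
import posixpath
import socket
import struct

# --- framing (slides 9 and 17) ------------------------------------------------
MAGIC = b"ScMM"
# ASSUMPTION: magic, 32-bit message type, 32-bit payload length, little-endian.
HEADER_FMT = "<4sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 == 0xC, as on slide 17

# ASSUMPTION: the positions in the slide-24/25 list are the wire message types.
MSG_DUMP_NVRAM, MSG_GET_VAR, MSG_SET_VAR, MSG_COMMIT_NVRAM = 1, 2, 3, 4
MSG_BRIDGE_MODE, MSG_SHOW_SPEED, MSG_CMD, MSG_WRITE_FILE = 5, 6, 7, 8
MSG_VERSION, MSG_MODEM_IP, MSG_RESTORE_DEFAULT = 9, 10, 11
MSG_READ_MTD0, MSG_DUMP_NVRAM_TO_DISK = 12, 13

# Constructed sample: the reply quoted on slide 9 (magic, type 0xFFFFFFFF,
# payload length 0), i.e. what the service answers to an unrecognised request.
SAMPLE_BANNER = b"ScMM\xff\xff\xff\xff\x00\x00\x00\x00"


def build_message(msg_type, payload=b""):
    """Frame one request: 12-byte header followed by the payload."""
    return struct.pack(HEADER_FMT, MAGIC, msg_type, len(payload)) + payload


def parse_header(data):
    """Return (msg_type, payload_len, payload) or raise ValueError."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header: %d bytes" % len(data))
    magic, msg_type, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    return msg_type, length, data[HEADER_LEN:HEADER_LEN + length]


def is_scmm_banner(data):
    """True for the slide-9 banner: ScMM magic, type 0xFFFFFFFF, no payload."""
    try:
        msg_type, length, _ = parse_header(data)
    except ValueError:
        return False
    return msg_type == 0xFFFFFFFF and length == 0


def probe(host, port=32764, timeout=3.0):
    """Send a version request (message 9, empty payload) and report whether
    the reply carries the ScMM magic. Network call; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_message(MSG_VERSION))
        reply = s.recv(HEADER_LEN)
    try:
        parse_header(reply)
        return True
    except ValueError:
        return False


# --- file-name check for the write-file message (slide 25, message 8) ---------
TMP_ROOT = "/tmp"


def naive_target(name):
    """Mirror of open(sprintf("/tmp/%s", payload)): the name is appended
    with no check, so '..' components are resolved by the kernel."""
    return "/tmp/%s" % name


def safe_target(name, root=TMP_ROOT):
    """Confine the name to root. Pure path arithmetic so it runs offline;
    a real handler would also realpath() the result before open() so that
    a symlink planted under /tmp cannot redirect the write."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    joined = posixpath.normpath(posixpath.join(root, name))
    if not joined.startswith(root + "/"):
        raise ValueError("%r would escape %s" % (name, root))
    return joined


def rejects(name):
    """Convenience for checking that safe_target refuses a name."""
    try:
        safe_target(name)
    except ValueError:
        return True
    return False
```

build_message() and parse_header() show the framing end to end; safe_target() shows why "../etc/passwd", an absolute path and a bare "." are refused while "a/../b" is still accepted as /tmp/b.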
26. So if you need access to the admin panel….

27. Thank you Linksys!!! You saved my Christmas

28. Some more lolz…
• I only had 1 day to test my codes/assumptions so the following slides are just some random thoughts/observations…
• It wasn't tested but it's probably interesting

30. A little bit further in setup.cgi…
[annotated disassembly: get_rand_key ??? generates the key used to encrypt Routercfg.cfg (if I'm right); libtea.so]

32. Again in setup.cgi
Not sure but I think we control this

33. mini_httpd
Hardcoded 1024-bit RSA private key
May I show Doge… again?

34. To be continued…
Backdoor is only confirmed on WAG200G; if you know of or find other affected hardware, let me know