Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
NETGEAR Bug Bounty
Search
Lays
May 20, 2017
Research
2
910
NETGEAR Bug Bounty
一個發生在日本的溫馨小故事
Lays
May 20, 2017
Tweet
Share
More Decks by Lays
See All by Lays
ROP 輕鬆談
l4ys
5
1.7k
Other Decks in Research
See All in Research
熊本から日本の都市交通政策を立て直す~「車1割削減、渋滞半減、公共交通2倍」の実現へ~@公共交通マーケティング研究会リスタートセミナー
trafficbrain
0
140
さんかくのテスト.pdf
sankaku0724
0
340
MIRU2024チュートリアル「様々なセンサやモダリティを用いたシーン状態推定」
miso2024
4
2.2k
文化が形作る音楽推薦の消費と、その逆
kuri8ive
0
160
論文読み会 SNLP2024 Instruction-tuned Language Models are Better Knowledge Learners. In: ACL 2024
s_mizuki_nlp
1
350
テキストマイニングことはじめー基本的な考え方からメディアディスコース研究への応用まで
langstat
1
120
Weekly AI Agents News! 8月号 プロダクト/ニュースのアーカイブ
masatoto
1
190
ニュースメディアにおける事前学習済みモデルの可能性と課題 / IBIS2024
upura
3
510
医療支援AI開発における臨床と情報学の連携を円滑に進めるために
moda0
0
110
VisFocus: Prompt-Guided Vision Encoders for OCR-Free Dense Document Understanding
sansan_randd
1
240
クラウドソーシングによる学習データ作成と品質管理(セキュリティキャンプ2024全国大会D2講義資料)
takumi1001
0
280
渋谷Well-beingアンケート調査結果
shibuyasmartcityassociation
0
260
Featured
See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Documentation Writing (for coders)
carmenintech
65
4.4k
Automating Front-end Workflow
addyosmani
1366
200k
Agile that works and the tools we love
rasmusluckow
327
21k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Side Projects
sachag
452
42k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Transcript
Lays @ HITCON CTF Team / 2017. May
故事是這樣 der
SECCON CTF in Japan 2017 年年初
CTF 就不說了了 ⼤大家都比我懂
⼤大老遠跑來來⽇日本 好像該做點有意義的事
於是我們買了了⽜牛排來來煎。
飽暖思淫慾 難得⼤大家都在⽇日本 有⼈人提議 ⼀一起來來挖洞洞洞洞(?)吧
組隊玩 Bug Bounty 或許可以有些新思路路
NETGEAR on bugcrowd
None
None
Target 1 Nighthawk X4S
First Try • Download Firmware • binwalk to extract squash
filesystem • Grab some cgi from /www to feed • Pwn it and profit !
First Try • Download Firmware • binwalk to extract squash
filesystem • Grab some cgi from /www to feed • Pwn it and profit !
Preauth CGIs? Only two are real cgi …
RMT_invite.cgi It calls another binary: proccgi … and It’s open
sourced !
proccgi from 1997 A bigger attack surface? we just got
nothing…
Second Try • the HTTP Server • Pwn it and
profit !
/usr/sbin/uhttpd • It’s open sourced too ! • Call net-cgi
to process cgi requests
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi • Found a command injection ! • device_uuid is
created from User-Agent and IP Address
/usr/sbin/net-cgi • Found a command injection ! • But it’s
also filtered out… • Only alphanumeric allowed
/usr/sbin/net-cgi • Found another buffer overflow ! • Keep reading
until space / tab / new line • But it’s just an overflow on global variable …
/usr/sbin/net-cgi • Exploit chain ! • Overwrite device_uuid in .bss
after filtered
/usr/sbin/net-cgi • So now command injection works • No space
/ tab available? use ${IFS} http://[ip]/FW_log.htm?/ %20timestamp=[A*504];sleep${IFS}10;
But how do we test our exploit…?
PChome 24h ! but we’re in Japan…
None
Exploit • Write to stdout didn’t work : ( •
Write output to a file and copy it to webroot • Access the output file curl http://[ip]/FW_log.htm?%20timestamp= [A * 504];[cmd]|tee${IFS}/www/out.js;
Report • NETGEAR told me it’s duplicated after 2 weeks
(╯‵□′)╯︵ ┴─┴
Target 2 Nighthawk X8 (比我們在⽇日本煎的⽜牛排還貴)
Nighthawk X8 • Nothing interesting in cgi files too •
Different HTTP Server from X4S • Most of cgi requests handled by httpd
/usr/sbin/httpd ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/httpd • It’s boring on plane … so I
found a stack overflow • A strcpy from QUERY_STRING • How do we get here?
Stack overflow • Triggered if url starts with /shares •
But we could only access /shares from LAN
Stack overflow • Triggered if url starts with /shares •
But we could only access /shares from LAN … really ?
Stack overflow • The check is only strncmp with
“GET /shares” • Bypass by sending “HEAD /shares” or something like “XXXX /shares”
Stack overflow • So now we can crash the HTTP
Server • Let’s try to control PC !
Control the PC • No url decode • curl /
requests doesn’t support unprintable url • But it’s https … • Send raw https requests
But how do I test my exploit…? Can I have
a debug environment ?
Debug • There’re no ssh / telnet features … •
We need other ways to debug !
So I found another command injection • device_name in lan.cgi
handler
So I found another command injection • device_name in lan.cgi
handler
Now let’s see if we’ve controlled the PC • dmesg
doesn’t work : ( • Found some useful gadgets system(“echo Kernel crash >> /tmp/info.txt”) • Read /tmp/info.txt to check if PC controlled
Now we controlled the PC But where to jump …
?
Exploit • Stack overflow caused by strcpy • We can
only use one gadget • It’s not CTF, system(“/bin/sh”) doesn’t work • We need some magic gadgets !
So I and found this : acosNvramConfig_set(“http_passwd”, “”); acosNvramConfig_save(); •
So we can set the login password to empty !
After server restarted, we can login without auth
Exploit • Combined above 2 bugs • We can bypass
auth and execute command with root privilege !
Report • Got $1500 bounty after 2 months ヽ(✿゚▽゚)ノ
Conclusion • 貴的產品不⼀一定安全 • Bug Bounty 對於提升產品安全還是挺有幫助的 • 簡單的洞洞⼈人⼈人能挖,越猥瑣的思路路越不容易易撞 •
有看有機會,⼤大家沒事就⼀一起來來挖挖吧