Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
NETGEAR Bug Bounty
Search
Lays
May 20, 2017
Research
2
900
NETGEAR Bug Bounty
一個發生在日本的溫馨小故事
Lays
May 20, 2017
Tweet
Share
More Decks by Lays
See All by Lays
ROP 輕鬆談
l4ys
5
1.7k
Other Decks in Research
See All in Research
The Fellowship of Trust in AI
tomzimmermann
0
130
[CV勉強会@関東 CVPR2024] Visual Layout Composer: Image-Vector Dual Diffusion Model for Design Layout Generation / kantocv 61th CVPR 2024
shunk031
1
430
第 2 部 11 章「大規模言語モデルの研究開発から実運用に向けて」に向けて / MLOps Book Chapter 11
upura
0
360
[2024.08.30] Gemma-Ko, 오픈 언어모델에 한국어 입히기 @ 머신러닝부트캠프2024
beomi
0
690
Y.Morita_20240726_JBUG_Fukuoka#18
ymorita613
0
280
Embers of Autoregression: Understanding Large Language Models Through the Problem They are Trained to Solve
eumesy
PRO
7
1.2k
Weekly AI Agents News!
masatoto
25
23k
言語処理学会30周年記念事業留学支援交流会@YANS2024:「学生のための短期留学」
a1da4
1
240
FOSS4G 山陰 Meetup 2024@砂丘 はじめの挨拶
wata909
1
110
LLM時代にLabは何をすべきか聞いて回った1年間
hargon24
1
490
文献紹介:A Multidimensional Framework for Evaluating Lexical Semantic Change with Social Science Applications
a1da4
1
220
Weekly AI Agents News! 7月号 論文のアーカイブ
masatoto
1
210
Featured
See All Featured
For a Future-Friendly Web
brad_frost
175
9.4k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Documentation Writing (for coders)
carmenintech
65
4.4k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
Docker and Python
trallard
40
3.1k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
15
2k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Transcript
Lays @ HITCON CTF Team / 2017. May
故事是這樣 der
SECCON CTF in Japan 2017 年年初
CTF 就不說了了 ⼤大家都比我懂
⼤大老遠跑來來⽇日本 好像該做點有意義的事
於是我們買了了⽜牛排來來煎。
飽暖思淫慾 難得⼤大家都在⽇日本 有⼈人提議 ⼀一起來來挖洞洞洞洞(?)吧
組隊玩 Bug Bounty 或許可以有些新思路路
NETGEAR on bugcrowd
None
None
Target 1 Nighthawk X4S
First Try • Download Firmware • binwalk to extract squash
filesystem • Grab some cgi from /www to feed • Pwn it and profit !
First Try • Download Firmware • binwalk to extract squash
filesystem • Grab some cgi from /www to feed • Pwn it and profit !
Preauth CGIs? Only two are real cgi …
RMT_invite.cgi It calls another binary: proccgi … and It’s open
sourced !
proccgi from 1997 A bigger attack surface? we just got
nothing…
Second Try • the HTTP Server • Pwn it and
profit !
/usr/sbin/uhttpd • It’s open sourced too ! • Call net-cgi
to process cgi requests
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi • Found a command injection ! • device_uuid is
created from User-Agent and IP Address
/usr/sbin/net-cgi • Found a command injection ! • But it’s
also filtered out… • Only alphanumeric allowed
/usr/sbin/net-cgi • Found another buffer overflow ! • Keep reading
until space / tab / new line • But it’s just an overflow on global variable …
/usr/sbin/net-cgi • Exploit chain ! • Overwrite device_uuid in .bss
after filtered
/usr/sbin/net-cgi • So now command injection works • No space
/ tab available? use ${IFS} http://[ip]/FW_log.htm?/ %20timestamp=[A*504];sleep${IFS}10;
But how do we test our exploit…?
PChome 24h ! but we’re in Japan…
None
Exploit • Write to stdout didn’t work : ( •
Write output to a file and copy it to webroot • Access the output file curl http://[ip]/FW_log.htm?%20timestamp= [A * 504];[cmd]|tee${IFS}/www/out.js;
Report • NETGEAR told me it’s duplicated after 2 weeks
(╯‵□′)╯︵ ┴─┴
Target 2 Nighthawk X8 (比我們在⽇日本煎的⽜牛排還貴)
Nighthawk X8 • Nothing interesting in cgi files too •
Different HTTP Server from X4S • Most of cgi requests handled by httpd
/usr/sbin/httpd ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/httpd • It’s boring on plane … so I
found a stack overflow • A strcpy from QUERY_STRING • How do we get here?
Stack overflow • Triggered if url starts with /shares •
But we could only access /shares from LAN
Stack overflow • Triggered if url starts with /shares •
But we could only access /shares from LAN … really ?
Stack overflow • The check is only strncmp with
“GET /shares” • Bypass by sending “HEAD /shares” or something like “XXXX /shares”
Stack overflow • So now we can crash the HTTP
Server • Let’s try to control PC !
Control the PC • No url decode • curl /
requests doesn’t support unprintable url • But it’s https … • Send raw https requests
But how do I test my exploit…? Can I have
a debug environment ?
Debug • There’re no ssh / telnet features … •
We need other ways to debug !
So I found another command injection • device_name in lan.cgi
handler
So I found another command injection • device_name in lan.cgi
handler
Now let’s see if we’ve controlled the PC • dmesg
doesn’t work : ( • Found some useful gadgets system(“echo Kernel crash >> /tmp/info.txt”) • Read /tmp/info.txt to check if PC controlled
Now we controlled the PC But where to jump …
?
Exploit • Stack overflow caused by strcpy • We can
only use one gadget • It’s not CTF, system(“/bin/sh”) doesn’t work • We need some magic gadgets !
So I and found this : acosNvramConfig_set(“http_passwd”, “”); acosNvramConfig_save(); •
So we can set the login password to empty !
After server restarted, we can login without auth
Exploit • Combined above 2 bugs • We can bypass
auth and execute command with root privilege !
Report • Got $1500 bounty after 2 months ヽ(✿゚▽゚)ノ
Conclusion • 貴的產品不⼀一定安全 • Bug Bounty 對於提升產品安全還是挺有幫助的 • 簡單的洞洞⼈人⼈人能挖,越猥瑣的思路路越不容易易撞 •
有看有機會,⼤大家沒事就⼀一起來來挖挖吧