Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
NETGEAR Bug Bounty
Search
Lays
May 20, 2017
Research
2
880
NETGEAR Bug Bounty
一個發生在日本的溫馨小故事
Lays
May 20, 2017
Tweet
Share
More Decks by Lays
See All by Lays
ROP 輕鬆談
l4ys
5
1.6k
Other Decks in Research
See All in Research
[KDD2023論文読み会] BERT4CTR: An Efficient Framework to Combine Pre-trained Language Model with Non-textual Features for CTR Prediction / KDD2023 LY Tech Reading
shunk031
0
430
精神疾患患者のアクティビティデータを利用したリハビリテーションのためのシステムに関する研究
comfortdesignlab
0
140
ニフティのインナーソース導入事例 - InnerSource Commons #11
niftycorp
PRO
0
260
Combating Misinformation in the age of LLMs
teacherpeterpan
0
130
First Authorに俺はなるっ!! IROS’23 CCC2023 FY
shota_nishiyama
0
170
第59回名古屋CV・PRMU勉強会:ICCV2023論文紹介(自己教師あり学習)
naok615
0
310
Alternative Photographic Processes Reimagined: The Role of Digital Technology in Revitalizing Classic Printing Techniques【SIGGRAPH Asia 2023】
toremolo72
0
430
フルリモートワークでのスクラムのスケール
kmorita1111
2
1k
Active Retrieval Augmented Generation
kiyohiro8
3
440
20240209 データを肴に熊本の交通を考える会「車1割削減、渋滞半減、公共交通2倍」をめざし世界に学ぼう
trafficbrain
0
770
床面圧力センサ開発における感圧導電シート分離方式の検討 / WISS2023
yumulab
0
270
The Theory behind Vector DB
matsui_528
0
1.3k
Featured
See All Featured
Raft: Consensus for Rubyists
vanstee
132
6.2k
Rebuilding a faster, lazier Slack
samanthasiow
72
8.2k
What the flash - Photography Introduction
edds
64
11k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
321
20k
Done Done
chrislema
178
15k
Six Lessons from altMBA
skipperchong
20
3k
Designing with Data
zakiwarfel
95
4.8k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
20
1.6k
Web Components: a chance to create the future
zenorocha
305
41k
A better future with KSS
kneath
231
16k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
13
1.5k
Transcript
Lays @ HITCON CTF Team / 2017. May
故事是這樣 der
SECCON CTF in Japan 2017 年年初
CTF 就不說了了 ⼤大家都比我懂
⼤大老遠跑來來⽇日本 好像該做點有意義的事
於是我們買了了⽜牛排來來煎。
飽暖思淫慾 難得⼤大家都在⽇日本 有⼈人提議 ⼀一起來來挖洞洞洞洞(?)吧
組隊玩 Bug Bounty 或許可以有些新思路路
NETGEAR on bugcrowd
None
None
Target 1 Nighthawk X4S
First Try • Download Firmware • binwalk to extract squash
filesystem • Grab some cgi from /www to feed • Pwn it and profit !
First Try • Download Firmware • binwalk to extract squash
filesystem • Grab some cgi from /www to feed • Pwn it and profit !
Preauth CGIs? Only two are real cgi …
RMT_invite.cgi It calls another binary: proccgi … and It’s open
sourced !
proccgi from 1997 A bigger attack surface? we just got
nothing…
Second Try • the HTTP Server • Pwn it and
profit !
/usr/sbin/uhttpd • It’s open sourced too ! • Call net-cgi
to process cgi requests
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/net-cgi • Found a command injection ! • device_uuid is
created from User-Agent and IP Address
/usr/sbin/net-cgi • Found a command injection ! • But it’s
also filtered out… • Only alphanumeric allowed
/usr/sbin/net-cgi • Found another buffer overflow ! • Keep reading
until space / tab / new line • But it’s just an overflow on global variable …
/usr/sbin/net-cgi • Exploit chain ! • Overwrite device_uuid in .bss
after filtered
/usr/sbin/net-cgi • So now command injection works • No space
/ tab available? use ${IFS} http://[ip]/FW_log.htm?/ %20timestamp=[A*504];sleep${IFS}10;
But how do we test our exploit…?
PChome 24h ! but we’re in Japan…
None
Exploit • Write to stdout didn’t work : ( •
Write output to a file and copy it to webroot • Access the output file curl http://[ip]/FW_log.htm?%20timestamp= [A * 504];[cmd]|tee${IFS}/www/out.js;
Report • NETGEAR told me it’s duplicated after 2 weeks
(╯‵□′)╯︵ ┴─┴
Target 2 Nighthawk X8 (比我們在⽇日本煎的⽜牛排還貴)
Nighthawk X8 • Nothing interesting in cgi files too •
Different HTTP Server from X4S • Most of cgi requests handled by httpd
/usr/sbin/httpd ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled
/usr/sbin/httpd • It’s boring on plane … so I
found a stack overflow • A strcpy from QUERY_STRING • How do we get here?
Stack overflow • Triggered if url starts with /shares •
But we could only access /shares from LAN
Stack overflow • Triggered if url starts with /shares •
But we could only access /shares from LAN … really ?
Stack overflow • The check is only strncmp with
“GET /shares” • Bypass by sending “HEAD /shares” or something like “XXXX /shares”
Stack overflow • So now we can crash the HTTP
Server • Let’s try to control PC !
Control the PC • No url decode • curl /
requests doesn’t support unprintable url • But it’s https … • Send raw https requests
But how do I test my exploit…? Can I have
a debug environment ?
Debug • There’re no ssh / telnet features … •
We need other ways to debug !
So I found another command injection • device_name in lan.cgi
handler
So I found another command injection • device_name in lan.cgi
handler
Now let’s see if we’ve controlled the PC • dmesg
doesn’t work : ( • Found some useful gadgets system(“echo Kernel crash >> /tmp/info.txt”) • Read /tmp/info.txt to check if PC controlled
Now we controlled the PC But where to jump …
?
Exploit • Stack overflow caused by strcpy • We can
only use one gadget • It’s not CTF, system(“/bin/sh”) doesn’t work • We need some magic gadgets !
So I and found this : acosNvramConfig_set(“http_passwd”, “”); acosNvramConfig_save(); •
So we can set the login password to empty !
After server restarted, we can login without auth
Exploit • Combined above 2 bugs • We can bypass
auth and execute command with root privilege !
Report • Got $1500 bounty after 2 months ヽ(✿゚▽゚)ノ
Conclusion • 貴的產品不⼀一定安全 • Bug Bounty 對於提升產品安全還是挺有幫助的 • 簡單的洞洞⼈人⼈人能挖,越猥瑣的思路路越不容易易撞 •
有看有機會,⼤大家沒事就⼀一起來來挖挖吧