HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own
2023-04-24 16:31 Author: research.nccgroup.com

Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS on 20 April 2023. The talk showcased the work of NCC Group's Exploit Development Group (EDG) at Pwn2Own 2022 Toronto, where we targeted all three consumer routers in the competition (Netgear, TP-Link and Synology) from both a LAN and a WAN perspective. The talk also described how we compromised a small business device (Ubiquiti) via the WAN and used that foothold to pivot to a device on the LAN (a printer). In total we created seven different exploit chains and found many more vulnerabilities along the way. The full abstract can be read below.

The slides for the talk can be downloaded here:

TP-Link LAN – meshyjson

Netgear WAN – puckungfu

Netgear LAN – smellycap

Synology WAN – dominate

Synology LAN – forgetme

Soho Smash-Up – Ubiquiti EdgeRouter + Lexmark Printer

There has been a huge shift towards home working in the last couple of years, and with it comes the security challenge for enterprises of finding that their security perimeter has moved into the home office. In the last six months NCC Group's Exploit Development Group (EDG) participated in Pwn2Own 2022 Toronto, targeting all of the consumer routers (Netgear, TP-Link and Synology) from both a LAN and a WAN perspective. We also compromised a small business device (Ubiquiti) via the WAN and used that to pivot to attack a device on the LAN (a printer). In total we created seven different exploit chains and found many more vulnerabilities in the process!

In the first section of the talk, we will describe how we approached rapidly finding vulnerabilities across multiple devices and the methodology we used. We will show how we investigated the devices both statically and dynamically to find vulnerabilities, and vulnerability patterns that could affect other devices in scope. We will discuss how the approach differed between looking at devices from the WAN and from the LAN, and how their attack surfaces differ. We will also showcase the custom tooling we developed to identify low-hanging fruit and speed up the analysis.
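As an added illustration of the kind of static "low-hanging fruit" triage described above (example code written for this page, not NCC Group's tooling), the script below ranks ELF binaries from an extracted root filesystem by two cheap signals: which dangerous libc functions they import, and whether they carry format strings that look like shell command templates with a %s hole (the classic shape of a router command injection, where user input is sprintf'd into "ping -c 4 %s" and handed to system()). The function names, scoring weights and the two embedded sample blobs are constructed for illustration and are not taken from any real firmware.

```python
"""Heuristic static triage for extracted SOHO firmware (illustrative example)."""
import re
import sys
from pathlib import Path

# libc functions that usually sit at the sink end of the bug classes common in
# router firmware: OS command injection and overflows via unbounded copies.
DANGEROUS_IMPORTS = {
    "system", "popen", "execl", "execlp", "execv", "execvp", "execve",
    "strcpy", "strcat", "sprintf", "vsprintf", "gets",
}

# Commands that router daemons (web UI, UPnP, TR-069, ...) commonly shell out to.
SHELL_COMMANDS = {
    "ping", "ping6", "traceroute", "ifconfig", "ip", "route", "iptables",
    "wget", "tftp", "nvram", "echo", "cat", "rm", "sh", "killall", "reboot",
}

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # same idea as `strings -n 4`
META = re.compile(r"[;|`>]|&&")                # shell metacharacters worth flagging


def printable_strings(data: bytes) -> list[str]:
    """Return every ASCII run of at least four bytes in the blob."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def looks_like_command_template(s: str) -> bool:
    """A format string that will probably reach system()/popen() after sprintf():
    it has a %s hole and either starts with a known command or absolute path,
    or contains shell metacharacters (pipes, redirects, separators)."""
    if "%s" not in s:
        return False
    parts = s.split()
    head = parts[0] if parts else ""
    head_is_cmd = head.startswith("/") or head in SHELL_COMMANDS
    return head_is_cmd or bool(META.search(s))


def triage_blob(data: bytes) -> dict:
    """Score one binary's bytes and return the evidence behind the score."""
    strings = set(printable_strings(data))
    imports = sorted(s for s in strings if s in DANGEROUS_IMPORTS)
    templates = sorted(s for s in strings if looks_like_command_template(s))
    # Templates weigh more than imports: system() on its own is unremarkable,
    # system() next to "ping -c 4 %s" is the shape an analyst wants to look at first.
    score = 2 * len(imports) + 3 * len(templates)
    if templates and ("system" in imports or "popen" in imports):
        score += 5
    return {"imports": imports, "command_templates": templates, "score": score}


def triage_tree(root: Path, max_size: int = 8 * 1024 * 1024) -> list[tuple[str, dict]]:
    """Walk an extracted rootfs (e.g. the output of binwalk -e) and rank ELF files."""
    results = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file() or path.stat().st_size > max_size:
            continue
        data = path.read_bytes()
        if not data.startswith(b"\x7fELF"):
            continue
        result = triage_blob(data)
        if result["score"]:
            results.append((str(path.relative_to(root)), result))
    results.sort(key=lambda item: item[1]["score"], reverse=True)
    return results


# Constructed stand-ins for two binaries from an extracted rootfs; not real firmware.
SAMPLE_HTTPD = (
    b"\x7fELF" + b"\x00" * 12
    + b"libc.so.0\x00system\x00popen\x00strcpy\x00memcpy\x00"
    + b"ping -c 4 %s > /tmp/ping.out\x00"   # attacker-controlled host pasted into a shell line
    + b"%s logged in\x00/bin/sh\x00"
)
SAMPLE_BENIGN = (
    b"\x7fELF" + b"\x00" * 12
    + b"libc.so.0\x00memcpy\x00snprintf\x00Hello %s\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for rel, result in triage_tree(Path(sys.argv[1]))[:20]:
            print(f"{result['score']:3d} {rel} imports={result['imports']} "
                  f"templates={result['command_templates']}")
    else:
        for name, blob in (("httpd", SAMPLE_HTTPD), ("benign", SAMPLE_BENIGN)):
            print(name, triage_blob(blob))
```

Run it with the path of an extracted root filesystem to get a ranked list; with no argument it triages the two embedded samples. The output is only a starting point: a high score says "open this binary first", and the analyst still has to confirm in a disassembler that the flagged template actually flows from network input to system().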

In the next section of the talk we will cover the vulnerabilities we found: specifically, multiple vulnerabilities within Netgear, TP-Link and Synology devices, from both LAN and WAN perspectives.

We will then discuss exploiting a number of these issues and highlight some of the challenges unique to the Pwn2Own competition which would not necessarily affect a real-world attacker, such as time constraints and the risk of colliding with another team on the same bug.

Next, we will describe how we built multiple multi-stage exploit chains, used first to compromise a router via the WAN and then to pivot to a device on the LAN. There were several unique challenges and design choices here, due to the different architectures involved and the need to engineer a reliable exploit.

We will show how we developed these WAN chains against different devices, how each was combined with a second stage to compromise a printer on the LAN, and the challenges we encountered in chaining together multiple targets.

Finally, we will highlight where the security protections in all of the consumer devices we targeted were lacking, and what this means for end users and enterprises.

We will demo several vulnerabilities and highlight where real threat actors could use these types of attacks for lateral movement through a network, or to maintain persistence on devices in order to reach enterprise resources.

Two blog posts were previously published on these issues:

https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-injection/

https://research.nccgroup.com/2022/12/19/meshyjson-a-tp-link-tdpserver-json-stack-overflow/


Source: https://research.nccgroup.com/2023/04/24/hitbams-your-not-so-home-office-soho-hacking-at-pwn2own/