Date: Sun, 10 May 2015 00:22:02 -0700
From: Zach C <uid000@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Broken, Abandoned, and Forgotten Code

Hello,

I'm posting a multipart reversing and exploitation series entitled "Broken,
Abandoned, and Forgotten Code." It explores the discovery, reverse
engineering, and exploitation of an unauthenticated firmware update
capability in the UPnP stack of Netgear SOHO routers.

This isn't your typical "OMG command injection SOHO Routers are so
insecure!!!1!" project. We all know they are; that's been covered ad
nauseam.

This project was a challenge to exploit partially implemented, forgotten
code that appeared too broken to actually work. I set out to craft an
exploit and a special firmware image that would avoid crashing the UPnP
server and would leave the router with persistent backdoor access.

This was a really fun project, and I want to share it with anyone who might be
interested in embedded Linux reversing and exploitation. I walk the reader
from start to finish through the process of vulnerability discovery,
reverse engineering, exploitation, and post-exploitation. I tried to make
it so the reader can follow along with their own router, some basic
reversing experience, and the right tools.

There should be something for everyone. We'll cover figuring out how to
form the SOAP request. There will be lots of MIPS Linux disassembly.
There's debugging, binary patching, and emulation. There is a section
toward the end where we take apart the router to look for a debugging port.

The intro and Parts 1, 2 and 3 are up already. Part 4 comes Thursday,
followed by a new installment each week. I have twelve parts written, and
expect there to be around fourteen total.

Here are links to what's up so far:
Prologue (includes PoC exploit video):
http://shadow-file.blogspot.com/2015/04/broken-abandoned-and-forgotten-code_22.html
Part 1: http://shadow-file.blogspot.com/2015/04/abandoned-part-01.html
Part 2: http://shadow-file.blogspot.com/2015/04/abandoned-part-02.html
Part 3: http://shadow-file.blogspot.com/2015/05/abandoned-part-03.html

If you enjoy it, and you're on Twitter, please give me a mention or
retweet; I'm @zcutlip.

I've had a blast writing this and I hope you all have as much fun reading
it and following along.

Cheers!
Zach

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/