Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS on the 20th April 2023. The talk showcased NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective. The talk also described how we compromised a small business device (Ubiquiti) via the WAN and used that to pivot to attack a device on the LAN (a printer). In total we created 7 different exploit chains and found many more vulnerabilities within the process. The full abstract can be read below.
The slides for the talk can be downloaded here:
There has been a huge shift towards home working within the last couple of years. With this comes the security challenge of enterprises finding that their security perimeter has moved to the home office. In the last 6 months NCC Exploit Development Group (EDG) participated in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective. We also compromised a small business device (Ubiquiti) via the WAN and used that to pivot to attack a device on the LAN (a printer). In total we created 7 different exploit chains and found many more vulnerabilities within the process!
In the first section of the talk, we will describe how we approached rapidly finding vulnerabilities within multiple devices and what methodology was used. It will show how we investigated the devices both statically and dynamically in order to find vulnerabilities and vulnerability patterns which could affect other devices in scope. We will discuss in this section how the approach varied between looking at devices via the WAN and LAN and the differences between their attack surfaces. We will also showcase custom tooling we developed for this process in order to identify low hanging fruit and speed up this analysis.
In the next section of the talk we will cover the vulnerabilities we found. Specifically, we will describe multiple vulnerabilities within Netgear, TP-Link and Synology, from both LAN and WAN perspectives.
We will then discuss exploiting a number of these issues and highlight some of the unique challenges which the Pwn2Own competition introduced and which would not necessarily affect a real-world attacker (such as time constraints and worrying about collisions).
We will then describe how we built multiple multi-stage exploit chains which were used to first compromise a router via the WAN and then pivot to compromise a device on the LAN. There were several unique challenges and design choices to be made here due to the different architectures used and the need to engineer a reliable exploit.
We show how we developed these multiple WAN chains with different devices and then how they were combined with a second stage to compromise a printer on the LAN and the challenges which we encountered chaining together multiple targets.
Finally, we will highlight where the security protections in all the consumer devices we targeted were lacking and what this means to end users and enterprises.
We will demo several vulnerabilities and highlight where real threat actors could use these types of attacks for lateral movement through a network or maintain persistence on devices to allow access to enterprise resources.
Two blog posts were previously published on these issues:
https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-injection/
https://research.nccgroup.com/2022/12/19/meshyjson-a-tp-link-tdpserver-json-stack-overflow/