Skip to navigation Skip to main content Skip to footer

HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own

24 April 2023

By Alex Plaskett

Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS on the 20th April 2023. The talk showcased NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective.  The talk also described how we compromised a small business device (Ubiquiti) via the WAN and used that to pivot to attack a device on the LAN (a printer). In total we created 7 different exploit chains and found many more vulnerabilities within the process. The full abstract can be read below. 

Slides

The slides for the talk can be downloaded here:

Demos

TP-Link LAN – meshyjson

Netgear WAN – pukungfu

Netgear LAN – smellycap

Synology WAN – dominate

Synology LAN – forgetme

Soho Smash-Up – Ubiquiti EdgeRouter + Lexmark Printer

 

Abstract

There has been a huge shift towards home working within the last couple of years. With this comes the security challenges of enterprises finding that their security perimeter has moved to the home office.  In the last 6 months NCC Exploit Development Group (EDG) participated in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective.  We also compromised a small business device (Ubiquiti) via WAN and used that to pivot to attack a device on the LAN (a printer). In total we created 7 different exploit chains and found many more vulnerabilities within the process!

In the first section of the talk, we will describe how we approached rapidly finding vulnerabilities within multiple devices and what methodology was used. It will show how we investigated the devices both statically and dynamically in order to find vulnerabilities and vulnerability patterns which could affect other devices in scope.  We will discuss in this section how the approach varied between looking at devices via the WAN and LAN and the differences between their attack surfaces. We will also showcase custom tooling we developed for this process in order to identify low hanging fruit and speed up this analysis.

The next section of the talk we will cover the vulnerabilities we found. Specifically, we will describe multiple vulnerabilities within Netgear, TP-Link and Synology, from both LAN and WAN perspectives.

We will then discuss exploiting a number of these issues and highlight some of the unique challenges which Pwn2Own competition introduced which would not necessarily affect a real-world attacker (such as time constraints and worrying about collisions).

Finally, we will describe how we built multiple multi-stage exploit chains which were used to first compromise a router via the WAN and then pivot to compromise a device on a LAN. There were several unique challenges and design choices to be made with this due to the different architectures used and the need to engineer a reliable exploit.

We show how we developed these multiple WAN chains with different devices and then how they were combined with a second stage to compromise a printer on the LAN and the challenges which we encountered chaining together multiple targets.   

Finally, we will highlight where the security protections in all the consumer devices we targeted were lacking and what this means to end users and enterprises.

We will demo several vulnerabilities and highlight where real threat actors could use these types of attacks for lateral movement through a network or maintain persistence on devices to allow access to enterprise resources. 

Blog Posts

Two blog posts were previously published on these issues:

https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-injection/

https://research.nccgroup.com/2022/12/19/meshyjson-a-tp-link-tdpserver-json-stack-overflow/