Puckungfu: A NETGEAR WAN Command Injection

Summary Vulnerability Details Overview Execution Flow /bin/pucfu /usr/lib/libfwcheck.so get_check_fw fw_check_api curl_post /lib/libpu_util.so SetFileValue pegaPopen Check Firmware HTTPS Normal Request & Response Exploitation Command Injection Response Root Shell Final Notes Patch Pwn2Own Note Summary This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s … Continue reading Puckungfu: A NETGEAR WAN Command Injection

MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

Summary Target Binary tdpServer Architecture & Mitigations Forks Understanding The Vulnerability Reaching The Vulnerable Function Broadcast Fork Flow Server Fork Flow JSON Array Stack Overflow Triggering The Bug Broadcast Fork Response Server Fork Request Vulnerability Constraints Storing Arbitrary Content In Memory cJSON Summarized cJSON Struct cJSON Data cJSON Heap Memory Single cJSON cJSON structure and … Continue reading MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

Detecting Mimikatz with Busylight

In 2015 Raphael Mudge released an article [1] that detailed that versions of mimikatz released after 8th of October, 2015 had a new module that was utilising certain types of external USB devices to flash lights in different colours if mimikatz was executed. The technique presented in the article required certain kind of busylights that … Continue reading Detecting Mimikatz with Busylight

SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

Introduction netlink and nf_tables Overview Sets Expressions Set Expressions Stateful Expressions Expressions of Interest nft_lookup nft_dynset nft_connlimit Vulnerability Discovery CVE-2022-32250 Analysis Set Creation Set Deactivation Initial Limited UAF Write Exploitation Building an Initial Plan Offsets We Can Write at Into the UAF Chunk Hunting for Replacement Objects What Pointer Do We Want to Arbitrary Free? … Continue reading SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

Rise of the Sensors: Securing LoRaWAN Networks

One of the current research priorities for NCC Group is smart cities. We perceive that in the future substantial investment will be made into deploying intelligent sensor systems into our cities: initially the focus being on passive applications, gathering and collecting data, but potentially in future leading to more active applications, integrating systems to automatically … Continue reading Rise of the Sensors: Securing LoRaWAN Networks

Crave the Data: Statistics from 1,300 Phishing Campaigns

tl;dr 1,300 phishing campaigns were analysed involving over 360,000 usersTargets in Charities to be over 3 times more likely to click than the Health SectorHowever once clicked half of all targets were likely to supply credentials regardlessBest case 1/10 of targets will click a linkBest case 1/20 of targets will supply credentials Background Our hypothesis … Continue reading Crave the Data: Statistics from 1,300 Phishing Campaigns

Properly Signed Certificates on CPE Devices

During late January 2020, a hot topic surfaced between security professionals on an issue that has historically had different proposed solutions. This blog post seeks to explore these solutions and identify pragmatic approaches to risk reduction on this specific issue concerning Customer Premises Equipment (CPE) security. Two security researchers (Tom Pohl and Nick Starke) analysed … Continue reading Properly Signed Certificates on CPE Devices

Tool Release – Collaborator++

When testing for out-of-band vulnerabilities, Collaborator has been an invaluable tool since its initial release in 2015. By acting as a HTTP, DNS and SMTP server, Collaborator allows researchers to identify complex out-of-band interactions between target applications and external services aiding in the discovery of vulnerabilities such as server-side request forgery (SSRF), XML external entity … Continue reading Tool Release – Collaborator++