Puckungfu: A NETGEAR WAN Command Injection

Summary Vulnerability Details Overview Execution Flow /bin/pucfu /usr/lib/libfwcheck.so get_check_fw fw_check_api curl_post /lib/libpu_util.so SetFileValue pegaPopen Check Firmware HTTPS Normal Request & Response Exploitation Command Injection Response Root Shell Final Notes Patch Pwn2Own Note Summary This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s … Continue reading Puckungfu: A NETGEAR WAN Command Injection

MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

Summary Target Binary tdpServer Architecture & Mitigations Forks Understanding The Vulnerability Reaching The Vulnerable Function Broadcast Fork Flow Server Fork Flow JSON Array Stack Overflow Triggering The Bug Broadcast Fork Response Server Fork Request Vulnerability Constraints Storing Arbitrary Content In Memory cJSON Summarized cJSON Struct cJSON Data cJSON Heap Memory Single cJSON cJSON structure and … Continue reading MeshyJSON: A TP-Link tdpServer JSON Stack Overflow

Replicating CVEs with KLEE

This blog post details the steps taken to replicate a udhcpc process crash on BusyBox 1.24.2 using NVD - CVE-2016-2147 (nist.gov), and to produce a working denial of service exploit. We will be using the symbolic execution engine called KLEE to help identify parameters that can cause the specific crash we are interested in. This … Continue reading Replicating CVEs with KLEE

earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts

(The version of Ghidra used in this article is 10.1.2. For the Go string recovery tool release, skip ahead to Ghostrings Release.) Introduction A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many … Continue reading earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts

Tool Release – Ghostrings

Introduction Ghostrings is a collection of Ghidra scripts for recovering string definitions in Go binaries with P-Code analysis. A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many of the constant string values … Continue reading Tool Release – Ghostrings

Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)

This blog post describes an unchecked return value vulnerability found and exploited in September 2021 by Alex Plaskett, Cedric Halbronn and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successfully exploited it at Pwn2Own 2021 competition in November 2021 when targeting the Western Digital PR4100.

Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)

Lexmark encrypts the firmware update packages provided to consumers, making the binary analysis more difficult. With little over a month of research time assigned and few targets to look at, NCC Group decided to remove the flash memory and extract the firmware using a programmer, firmware which we (correctly) assumed would be stored unencrypted. This allowed us to bypass the firmware update package encryption. With the firmware extracted, the binaries could be reverse-engineered to find vulnerabilities that would allow remote code execution.

A Look At Some Real-World Obfuscation Techniques

Among the variety of penetration testing engagements NCC Group delivers, some - often within the gaming industry - require performing the assignment in a blackbox fashion against an obfuscated binary, and the client's priorities revolve more around evaluating the strength of their obfuscation against content protection violations, rather than exercising the application's security boundaries. The … Continue reading A Look At Some Real-World Obfuscation Techniques

Domestic IoT Nightmares: Smart Doorbells

Preface Half way through 2020, UK independent consumer champion Which? magazine reached out to us and asked if we could assist investigating the security of a series of domestic IoT devices and to perform a vulnerability assessment of each device. The assessments included smart plugs and smart/connected doorbells. We also worked on a number of … Continue reading Domestic IoT Nightmares: Smart Doorbells