Unsafe firewall includes allowing for remote code execution on Inteno's IOPSYS devices

In Inteno's IOPSYS devices, and very possibly other devices running firewall3 (which is included by default on most OpenWRT-based firmwares), it is possible for an authenticated attacker to abuse firewall includes to remotely execute any binary or script as root. A proof-of-concept exploit can be found at the end of the post. This vulnerability has been assigned the CVE ID: CVE-2018-20487.

Creating a key generator to reset a Hikvision IP camera's admin password

Unfortunately, generic IP cameras are notorious for their poor security practices. Most of the time, the manufacturers don't force secure passwords, and more often than not you can sign in with default passwords. Some do, though - one of these manufacturers is Hikvision. Upon logging in for the first time with the password 12345, it forces you to change it. Is this enough to stop attackers from accessing the device? Turns out it isn't.

pwn910nd - abusing OpenWRT's printer server to become root

I have discovered yet another vulnerability in Inteno's IOPSYS firmware - but I believe this to affect all OpenWRT or LEDE based routers that ship with the printer server p910nd. Any authenticated user can modify the configuration for the printer server in a way which allows them to read and append to any file as root. This leads to information disclosure and remote code execution. This vulnerability has been assigned the CVE ID: CVE-2018-10123.

Inteno misconfigured ACLs leading to information disclosure and logging in as root

Recently, while testing the security of Inteno routers, I found a misconfiguration in the Access Control Lists, which allows any authenticated user to see the contents of any file, write their own files and add an SSH key to the router, allowing for easy log in as root. By default, the consumer is only provided with the user account and the built-in support and admin accounts are not accessible. This vulnerability is dangerous as by default, the password for user is the same as the pre-set Wi-Fi key, or in some cases user, allowing for easy authentication. This vulnerability has been assigned CVE ID: CVE-2017-11361 and a CVSSv3 score of 8.8.

Installing custom OpenWRT on an Inteno (DG301) router

Soon after getting an Inteno DG301 router from my ISP Telia, I poked around the firmware trying to find out more about its internals. It became apparent that the iopsys firmware running on the machine was a customised version of OpenWRT. The modifications by Inteno include making it more fool-proof for consumers, removing any easy access to its internal settings in the process. It's not possible to access SSH without proper keys, and Telnet is disabled, even in OpenWRT's failsafe mode. In addition to the provided user account, there are also the support and admin accounts, but the passwords for these are not known. I did manage to dump most of the filesystem by abusing an insecure default option in the router's bundled Samba and found a couple of other exploitable bugs; however, I still didn't have proper shell access or a way to invoke opkg to install my own packages.

ksoft's Easy Auto Refresh extension is selling your data

I was doing some work with Burp Suite through Chrome (which I don't often do) and very soon I realised that all of my requests were being relayed to a domain After probing around a bit, I narrowed it down to the Easy Auto Refresh plugin for Chrome, which currently has over half a million downloads. Disabling this plugin also stopped all requests to

Restoring stock BIOS on a Braswell Chromebook with a broken rom

Since Braswell is still widely unsupported in the world of Chromebooks (no public Tianocore/Windows rom released yet), one can expect to run into many issues when developing for these Chromebooks.

One of these issues I encountered was being unable to flash anything internally after flashing a Tianocore rom. This seems to be an issue with coreboot, and until it is fixed upstream, you will get this message trying to probe the chip:

Programmer does not support specified bus
Error: Programmer initialization failed.