DNS Remote Code Execution: Finding the Vulnerability 👾 (Part 1)
ฝัง
- เผยแพร่เมื่อ 7 พ.ค. 2024
- Learn tricks and techniques like these, with us, in our amazing training courses!
flashback.sh/training
In 2019 and 2020, we DOMINATED the router Wide Area Network or WAN category in the Pwn2Own hacker competition. In this category, hackers attack network devices with previously unknown vulnerabilities, from external networks such as the Internet.
Unfortunately, by 2021 our competitors reversed engineered our techniques, and the game was up.
Today, we are starting a video series where we will show you our tips, tricks and techniques to find and exploit WAN vulnerabilities in network devices. And we're starting with a beautiful DNS exploit that got us $20,000 in prizes.
Let's get ready to PWN!
In this video, we will tell you the story of how we found CVE-2020-10881 in the Pwn2Own Tokyo 2019 hacking competition and present our Game Plan for exploiting it :-)
00:00 - Intro
00:50 - WAN vs LAN
03:12 - Target Introduction and Recon
05:23 - Finding an Open Port and Fuzzing It
07:48 - Quick Look in Ghidra for Crash Investigation
10:38 - What is conn-indicator Doing?
12:30 - DNS Protocol
17:50 - A Deeper Look in Ghidra
20:33 - DNS Packet Parsing and the Vulnerability
24:51 - Radek's Evil Game Plan
28:03 - Our Training
Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.
~ Flashback Team
flashback.sh
/ flashbackpwn
Background track: "Hackers" by Karl Casey @WhiteBatAudio - วิทยาศาสตร์และเทคโนโลยี
I love how this video starts by explaining what LAN is, and 2 minutes later it's binary reverse eng
Yeah it goes from basic concepts to insanity and no time at all
0-100 really fast
Great format. This is so clearly described and spoken that I listened to it a SECOND time, as a “podcast”. Thanks for going that extra “kilometer” and describing what’s on-screen.
Excellent documentation and walk through. I love your stuff.
When you showed your "Fuzzer" i totally lost it. Haven't had such a good laugh in years in this topic.
But if i think about it some more, it is just about perfect. Easily accessible (but not perfect) entropy to cause spasms in badly written code.
Being more or less available on any machine with and OS (no, Windows is not an OS, it's malware) means you can do preliminary tests even in absence of your "fav tools".
I didn't get the joke :( was the netstar + grep somehow the fuzzer? Bc it looks it's only returning a specific line of Info from the previous, full, netstat cmd. Not seeing the usefulness unless 'conn' is supposed to be significant and understood as the grep string prior to beginning
@@antiquark6253 piping /dev/urandom into a program was the fuzzer iirc.
Urandom generates a never ending stream of random bytes. And like a thousand monkeys with a thousand typewriters, it will eventually come up with a sequence that breaks the program under test.
@@DasIllu oh I see now, the multi tiled terminals had me confused to what he was referring to, but I never thought to use nc that way. Very cool trick thx for illuminating that
Can't wait to see the detailed analysis of Part2.
keep up the great work. sometimes people feel like so many things are common sense and dont explain the things that help people understand stuff. thank you for such a detailed video
Waiting for part 2! Amazing work!
Glad to see you back :)
Awesome stuff! waiting for the 2nd video.
Best hackers from pwn2own 😊
Incredible work. I'm blown away to see this entire research from start to finish, including the thought process. Well done. I hope to one day be able to do what you do!
Can't wait for part 2! :)
It should be out very soon. We are on the last stretch in recording.
Nice video, added this to my watch list, will comeback and share my thoughts, for the time being its time to work.
So awesome that you guys share this knowledge, really, keep up the great work!
This is what I have been waiting for a long time
w8 for second part. Thanks!
Excellent documentation we want 2part😊
lmao i love these videos you two are relatable yet much smarter...ive learned quite abit watching you guys thanks💯
This is what we are looking for, nice job . Keep it up. Happy hacking
Love your voice, is so soothing for teaching/learning. Thanks!
Hyped for the second part, hope it comes soon!
hell I really appreciate what this guys are doing, because I don't understand 70% of what they are talking about. There is soooo much to learn and it seems scary 🤯
I appreciate every video in this channel, This is very useful. Thank you, guys.
I’m thinking about making a similar video but mine are done in documentary format‼️
Found Your channel from @liveoverflow
Great Content 🙌🙌
I don't think I've ever said "Oh my God you can do that?!" so many times while watching a video haha. Amazing stuff
Thanks so much, we are learning! 😍
Regardless of the exploit, it's pretty disturbing that stock router firmware is spamming DNS requests to arbitrary commercial domains, just to blink an LED light...
Amazing work... !
Crazy ammount of research, good job
Awaiting part 2!
Waiting for part 2!
Amazing video. Subscribed
After the first 30 seconds, I subed and liked the vid.
Smart fridge 😂 01:32
Best series ✨
This is the most realistic and valuable hacker video I have ever seen
thank you for your hard work!!!!
The jump scare at 1:21
Hi.
I’m Japanese, and I could understand your video because of your very smart and cool presentation.
Thank you for uploading this video!
(I’m sorry about being not good at English.)
Wooowww amazing!!!! But how did you run MIPS executable on PC? Or you we're was on target via ssh?
LETS GOOOOOOOOOOOOOOO i love yall
You are a legend people. Proud of taking your courses.
We're not affiliated with TryHackMe and have not developed any courses or tutorials for them :-)
Our courses are developed and taught by us privately, check flashback.sh/training
Very appreciate your sharing
i have been trying to get into this for the long time. i feel like i don't understand programming which makes hacking so difficult. i love your moto at the end. i love the training at the end you talked about. i need to spend a lot more time getting a better understanding of programming so i can understand how to do what your trying and make money ethical hacking.
The chances are slim to none unless you get a degree lol although they hire people who don’t have one, they are talented ones who just moves to action when others thinking how to get into this 😂
@@M4D4F4K4. i am hopeless. i will figure something out.
Thank you for this
Thanks for sharing
Amazing !!
Vamos 🔥🔥🎉
Can't wait until the second part pops out. I really want to hit the ground running with this kind of exploitation
The best Pedro.
16:59 does offset to name point to start of length+string or can if point to another compression mode?
what a nice research
this is cool. what O.S are you using though
Your thumbnail is shokingly un clickbaity for sucha good video...
This is 💎
Can you link the video you recommended that we watch on the beginning of the video?
Thats another lvl...
The best
just wondering, what firmware and version did the router have installed?
Isso sim é qualidade parabéns
verdade
It's shocking how it's making unsolicited DNS queries for random domains for completely unrelated companies. Concerning. If I was watching the WAN and saw these random requests coming from a router, I'd be concerned it was compromised in some way, not operating normally with stock firmware...
Ghidra makes it easy to reverse engineer. You would think there would be standard practices on operational flow that prevents the behaviour. Standard Libraries for dns handling.
conn-indicator needs to know when it has network connectivity, and the programmers chose this way to verify it. This is normal, and in this specific case quite benign in our opinion, as the DNS domains it is trying to query are well known.
The mistake here was to make their own DNS parser (why TP-Link? WHY???). They could have used a shell script and standard utilities for checking connectivity, and a separate binary for controlling the LED lights!
If this makes you worried, then have a look at what your phone, Windows or MacOS computer is doing for the same connectivity checks, without any user program running or any kind of user interaction, you will be VERY surprised 🙈
@@FlashbackTeam As a Linux user, no idea how it does the check, likely it will not be google.
If the CPU used by a server had as its lowest-level language a managed language, say for instance a Lips CPU, where there is no memcpy and other such potentially bug-infested C code behind the Lisp code, then how would you find a vulnerability?
Nice presentation. You touched on a couple points that are just outside my full understanding. Specifically, at the segmentation fault, what makes a memory address "unmapped". Is it unmapped because it is outside the allocated stack frame? Anyway, really nice work! Thank you.
Hi Matthew, glad you liked the video!
You are correct. When a program starts, it allocates ("maps") memory ranges for the stack, the heap, libraries, the executable code, etc.
These regions are not contiguous in memory. For example let's say a stack of 0x1000 in size, mapped in memory starting from 0x10000, which means its range is 0x10000 to 0x11000. Then we have a heap of size 0x1000, which is mapped at 0x12000 to 0x13000.
In this example, if we try to access memory at 0x11001, it will cause a segmentation fault, as that memory is not mapped to either the heap or the stack.
This was exactly what happened in the example in the video, albeit with different (more realistic) addresses.
What toolsets(s) are you using ie caller??
🖤
Wow 😮👍👍👍❤️🔥
Seeing my exact router in this vid is funny and terrifying
Thanks this was very helpful! I wonder why they used DNS instead of ICMP? Surely DNS was never intended for such things?
More and more places blocking ICMP these days. Moreover, even if they wanted to ping a well known CNAME, it would still require a DNS query, so just doing the query is more efficient, since it's only checking for connectivity.
It seems almost impossible for a regular person to be able to protect themselves over someone accessing their computer or phone. After having all of my data stolen from a big tech company it has been so difficult to feel safe.
At 6:50 you mention that you're using gdb while having a laugh for your buddy who uses a 'lame java's one, were you referring to ghidra? Lol
I won the last 3 years WASP competition, but my method for doing this cannot be disclosed because of the damage it will cause, here is a sample of what i know: bluetooth follows the standard made by cisco on their routers where you make one the master the rest just follow. the same applies in Bluetooth yet here the clients that connect allow you root access to them as the technology defined.
TP-Link be like:
- Unit testing? Nah bro, we in China trust each other
Mantap :D
I feel like $20k is a paltry sum to pay hackers for a hardware (firmware?) Bug on a device sold to hundreds of thousands of people
I have a Question for Experts what I can not extract from that what is. My Provider had a Damage in a Knot where a Car crashed in.... first the internetconnection was lost, a few Minutes....after That it was ok for a few Minutes.... then it crashed again and was a longer Time out of Order. Since that I can not connect my Handy and my TV but every other Device works as usual. One Thing is that my Handy and the TV dont find the Port anymore... How is that possible?
Why TH-cam am recommended video this me not know but watch interesting brain capacity limited open to expansion thank you I will sub
It didn't occur to me until watching this video, but AI would be amazing at reverse-engineering like this. Renaming functions and variables and creating comments based on context is already so close to how AI models interpret code.
Catch up, Ppl been doing this ever sense chatgpt hit the streets
AI has not catched up to thinking like this.
@@maktiki Lol , Yes it did, There plenty of Plugins that do just That Already
I feel like half of the hacking attempts at this point are *most likely* made by AI botnets that are programmed to execute these types of attacks using rogue / zombie ip's that operate on virtual machines that can't be traced.
@@azurescenss 💀🧢
Part 2 when? :D
Please release a course in hacking please i want to learn or atleast link a good course that is useful to learn deep hacking please!!
Vendor-supplied router firmwares that use ancient kernel and code is commonly recognized to be insecure. This is why I always use OpenWRT
i watched the video, but i feel sad i am understanding very little. i didn't know you had a real world hacker course.
Anybody knows which code editor he is using there?
$4000 for the online course. I don't even have $40.
looks like dns reading memory overflow
I have no clue wtf your saying half the time but, I still watch hoping something will stick. something better than nothing, right? I love hearing the actual thought process of the hack as if you're going threw it for the first time. I like this very much.
why does conn-indicator need to parse dns response?
can't it just receive response, ignore contents, turn on LED?
How would it know it received a valid response to its request if it doesn't parse it?
we're waiting for the part 2 for 2 week 😭😭
Just came here to find it but I will have to join the queue waiting for part 2 😅
@@huskytail 3month of waiting
im not interested anymore
i well unsubscribe they don't respect us ....
@@amyn86 I must confess I had even forgotten about it.
Where is part 2?
Which OS you are using?
Pedro prefers Debian, and Radek likes Ubuntu more.
This is so cool and amazing !
DNS
DAS
닫힌문닫혀있는문
DZS
OPDZM
모래시계가작용하여연문
Excellent on how to also think it up. Not just run some tools.
What knowledge should i have to understand this video ??!!
DAYRIIN FIHA KHOBARAAAAA2
WLA
WAYLI
LA RAHOM MACHI KHOBARA2
🤓🤓🤓🤓
Samsung Qualcomm mobile dead boot unbrick, can you 'hack' it ?
👍👩💻
Crack a wpa handshake file for me🤣
where is part2? ❤
We are still working on Part2. Will be released as soon as we have finished it.