Several mistakes were committed: - running everything as root - mounting the root file system as read-write - hardcoding the encryption key - enabling a network service when it's not necessary (we hadn't configured this feature, it is enabled by default) But most importantly, input wasn't sanitised. Notice that it expects a MAC address, which has a very strict and well known format: aa:bb:cc:dd:ee:ff After copying to an intermediate buffer with a limited size (as they did correctly), they should have validated the MAC address before proceeding. This could have easily been done with a regex, such as: ^[a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5}$ In addition, they could have introduced additional security controls, such as a properly configured firewall, sandboxing, etc.
@Ralph Reilly there's a reason for this, it saves manufacturing costs as they can just flash the same exact image over and over and let the device bootstrap when it's booted up for the first time.
@@TonyLee_windsurf You can't "hide" the private key, as the software will need it to decrypt the packet. Hard coding the key is terrible because every single router using the same firmware uses the same key. If the key was saved on a file, and checked and generated if the file was missing, it would not be possible to hack every router without physical access to it first.
Great work guys! Pedro’s explanation of the team’s process of auditing system calls is exceptional. This kind of breakdown is something I rarely see covered in detail.
We absolutely love these kinds of detailed breakdown of your thought process while looking at a target. Definitely continue doing these types of videos
I like what you have done there. Very straight forward explenation, and I have to slightly disagree with you saying it was rushed. It was perfect. Longer videos are harder to follow and the amount you put in and the little backstories like being in Laos spiced it up a little. I am looking forward to more of your exploits.
idk what I should comment now.. Everything I wanted to say like 'this is awesome' and stuff has been said by everyone.. But I'm still commenting to let you guys know that we really need more of this great content from you guys!! Really appreciate it!!
non-programmer here i love this breakdown. i get to witness the mindset of successfully exploiting a vulnerability (within a 13 character limitation). i actually got it. most of it made sense even to an 'illiterate' bystander like myself. pwn bounty well deserved!
You guys did an amazing job in explaining the exploitation process. For a next video I would love to see more on how you reverse engineer/decrypt the code and the process of analyzing it. Thanks for giving back to the community! You rock!
Thanks for the feedback! We will show that in detail in future videos. Bear in mind there was a serious reverse engineering effort behind all of this. Most functions in the binary were not even defined, and all symbols are our names (the binary had few symbols).
@@FlashbackTeam I understand. But what for me personally would be super interesting to see, is how to start turning that binary code into code. I think that there are not that many videos on hardware > code > recognising exploitable functions. Again, thanks for giving back to the community!
@@FlashbackTeam I was thinking "how on earth you got all those symbols if the code wasn't compiled for debugging", thanks for the clarification, a lot of effort indeed.
Thank for sharing this. I like the no-nonsense style. For your first video this is a great piece of work. Like your graphics - a picture says more than thousand words. Must have been a lot of work but it pays back.
Wow, impressive work guys, learnt so much in a single video. As feedback I would say that it would be cool to have a quick look on the exploiting writing process ;)
Hi , Great work guys!!!!!! I just found your channel yesterday and I'm really enjoying your videos !!!!!!!! Everything I wanted to say like 'this is awesome' !!!!!!! Please make longer video about setup your environment and witch program use for exploit for router !
From a developer sight of view, it makes me now think twice about validation of strings from not trust able sources, as the exploit would break if any function in the call chain would check the input values fully also for injection. Very interesting how "easy" it is to gain access when you reach a specific level of knowledge, very nice video and remote Injection method of the remote shell!
Loved the experience watching the video. As a n00b, I'm thankful for the details presented and would request that even more videos with even more details would be much appreciated. And wish both of you the very best.Cheers,
Money well deserved! This was just beautiful. Thanks for sharing guys. I'd have to re-watch the reverse engineering part of the system calls a few times to understand what's happening though 😅
That was pretty cool. I will like to see more videos like this one. Also a video of how someone can get started in hardware hacking, tools required will be appreciated
Great job guys! Does that mean that us, the users, are vulnerable through the network just by having one of these at home?. Or would I be in trouble just if I invite you for a cup of coffee?🤣🤣🤣 Keep it up!
If you use it at home, you would only be vulnerable if you invited us for a cup of coffee... but it's not that simple, let us explain! Routers like these are used in small businesses to provide Internet service to the business' customers, which would be connected to the LAN interfaces (Wi-Fi or Ethernet). As a small business customer (let's say in a cafe, hotel or hospital), you could abuse this vulnerability, take control of the router, and attack the other customers. LAN style attacks are also relevant in large businesses, where for example you connect to a segregated Wi-Fi network, but are still connected to the LAN-side of a router, and could then execute similar attacks. In the same competition we actually hacked the same router over the WAN interface (where the router connects to the Internet), we will put a video up describing the attack in the future. This last phrase means that if you use this router, you are still vulnerable from the outside of your local network (outside of the coffee cup zone), NOT due to this specific vulnerability, but due to others we found in the same competition :D
Not checking the format of the payload basically. If you are expecting a Mac address then at least check that the payload is a valid Mac address before you append it to a string and execute it (as root too duh!)... Great work guys, this is genius, the tracing of where the data came in, the print 'x'>>a to built up the file was clever and the script to send that over as TPDP packets was great. Then you have the paperclip! A great masterclass... Lots of examples of hacking embedded devices that are online involve getting a firmware update, using binwalk to break it down and look for vulnerabilities in software or hardcoded passwords and that's about it. Actual "hardware" hacking though is a very different beast.
We only use the Ghidra Hues plugin to have a dark theme. The original author deleted it, but here is a copy in Pedro's github repo: github.com/pedrib/ghidra.hues
even this video is more than 10 minutes, I'm take a break from my workload to watch this video nice education video bro, from me who interest on vulnerability hardware
Someone help me with a little "slap" on how to get the online interface login once I'm in it. 🤔 (I know the basics and the location of the hash required for encryption. But it has nothing to do with the online superficial passw) I had a lot of fun with the video anyway! Anyway, I had a great time with the video, let there be more of these tplink stuff..! ✔ 😎
Hii! Nice video. Could you please explain in more detail about the logistics of sending the packet carrying the payloads? I want to know exactly what steps are taken to create the desired packet, what does it look like, how is it crafted, how it is sent, and how the target is made to receive it - is there no preceding functions the target must execute to prepare for handling this onemesh request? What would it look like if it were TCP? Sorry if the answers are obvious, I am out of my depth at this level of exploitation and would love to learn.
Thanks for the comments! You'll find full details in our advisories: github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/minesweeper.md
I already didn't buy TP-Link for other reasons. This is just the final nail in the coffin. Sadly, alot of even reputable brands do similar things. Would love to see if Asus, Netgear, Eero and others have the same flaws. Makes you understand why Cyclops Blink was so effective in spreading.
Really enjoyed the video.. especially the 13 character limit part.. Out of curiosity, is there any reason tp link left the uart open or was it something they just overlooked? P.S extra kudos to the subtle humor you injected into this video.
We will definitely do more videos on embedded device hacking. We will use routers as an example, but actually many devices are similar to routers, such as firewalls, network devices and embedded devices in general. The Ghidra theme is Ghidra.Hues: github.com/pedrib/ghidra.hues
Great video,it's the first exploit that I actually understood,but i hope you cover more about the initial reversing process and how you managed to find the exploitable function upon the thousands of other stuff or just like some general tips for simplying the undreadable code into a simpler one(I would understand if you want to keep like the scripts you used for your own)
@@FlashbackTeam Yes, of course, as it is on GitHub with an O/S license. I'm just surprised that the NSA open-sourced it. That's like something Snowden would do, but without it being official!
Hi. Thanks! I didn't print the arms myself but bought it directly from Giuseppe. But I think he links the files under CC license. Take a look here: www.thingiverse.com/thing:2427726 I saw similar product from sensepeek.com/ but didn't use them myself yet.
The vulnerabilities demonstrated in this video are only exploitable over the LAN. It is impossible to exploit them over the WAN in the default router configuration. We used it to win the Pwn2Own Tokyo 2019 TP-Link LAN category.
As a software developer I would have liked to hear what could have been done to prevent this. Obviously not running everything as root to start with.
Several mistakes were committed:
- running everything as root
- mounting the root file system as read-write
- hardcoding the encryption key
- enabling a network service when it's not necessary (we hadn't configured this feature, it is enabled by default)
But most importantly, input wasn't sanitised. Notice that it expects a MAC address, which has a very strict and well known format: aa:bb:cc:dd:ee:ff
After copying to an intermediate buffer with a limited size (as they did correctly), they should have validated the MAC address before proceeding. This could have easily been done with a regex, such as: ^[a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5}$
In addition, they could have introduced additional security controls, such as a properly configured firewall, sandboxing, etc.
@Ralph Reilly there's a reason for this, it saves manufacturing costs as they can just flash the same exact image over and over and let the device bootstrap when it's booted up for the first time.
for the C, C++ devs : -Wall -Wextra -Wconversion -Werror
@@supermaster2012 One can use public key encryption, at lease hide the private key. Harder for hacker to create diff encrypted pkt.
@@TonyLee_windsurf You can't "hide" the private key, as the software will need it to decrypt the packet. Hard coding the key is terrible because every single router using the same firmware uses the same key. If the key was saved on a file, and checked and generated if the file was missing, it would not be possible to hack every router without physical access to it first.
It wasn't rushed at all. A perfect explanation at a perfect pace.
What was "connected pin to line" what was that? What did he say?
Great work guys! Pedro’s explanation of the team’s process of auditing system calls is exceptional. This kind of breakdown is something I rarely see covered in detail.
the way you created a file one character at a time is so smart . i would have felt so stuck with the 13 characters .
My god. I think this is the best channel ive seen so far. These dudes are legit
We absolutely love these kinds of detailed breakdown of your thought process while looking at a target. Definitely continue doing these types of videos
I went from trying to find a work around to remove ISP limitation to Getting full control of the device. Your videos were a big help.
This is my new favorite UA-cam channel full stop. Excellent work guys!
I just found your channel yesterday and I'm really enjoying your videos. The information and quality is unmatched!
I like what you have done there. Very straight forward explenation, and I have to slightly disagree with you saying it was rushed. It was perfect. Longer videos are harder to follow and the amount you put in and the little backstories like being in Laos spiced it up a little. I am looking forward to more of your exploits.
idk what I should comment now.. Everything I wanted to say like 'this is awesome' and stuff has been said by everyone.. But I'm still commenting to let you guys know that we really need more of this great content from you guys!! Really appreciate it!!
non-programmer here
i love this breakdown. i get to witness the mindset of successfully exploiting a vulnerability (within a 13 character limitation).
i actually got it. most of it made sense even to an 'illiterate' bystander like myself.
pwn bounty well deserved!
You guys did an amazing job in explaining the exploitation process. For a next video I would love to see more on how you reverse engineer/decrypt the code and the process of analyzing it. Thanks for giving back to the community! You rock!
Thanks for the feedback!
We will show that in detail in future videos. Bear in mind there was a serious reverse engineering effort behind all of this. Most functions in the binary were not even defined, and all symbols are our names (the binary had few symbols).
@@FlashbackTeam I understand. But what for me personally would be super interesting to see, is how to start turning that binary code into code. I think that there are not that many videos on hardware > code > recognising exploitable functions.
Again, thanks for giving back to the community!
@@FlashbackTeam I was thinking "how on earth you got all those symbols if the code wasn't compiled for debugging", thanks for the clarification, a lot of effort indeed.
Thank for sharing this. I like the no-nonsense style. For your first video this is a great piece of work. Like your graphics - a picture says more than thousand words. Must have been a lot of work but it pays back.
... fiiiiinally an actually GOOD channel on such topics...
Wow, impressive work guys, learnt so much in a single video. As feedback I would say that it would be cool to have a quick look on the exploiting writing process ;)
Thank you for your feedback! We will go into depth on that in the next videos!
@@FlashbackTeam u are welcome, can't wait to watch them :P
@@FlashbackTeam yes, I guess, the length of the video doesn't matter for people who will wanna learn. So go for it.
Hi ,
Great work guys!!!!!! I just found your channel yesterday and I'm really enjoying your videos !!!!!!!! Everything I wanted to say like 'this is awesome' !!!!!!! Please make longer video about setup your environment and witch program use for exploit for router !
You guys rocked🔥 lot of learning in a single video from hardware to binary, reverse engineering to maintaining access .....😃
Pure genius the writing to a shell script and then executing lol
Blyat, this is the best router exploit video on UA-cam by a long way! More of this guys ✌️
Excellent video. I couldn't stop laughing at the `echo urmom>d` hahaha
From a developer sight of view, it makes me now think twice about validation of strings from not trust able sources, as the exploit would break if any function in the call chain would check the input values fully also for injection. Very interesting how "easy" it is to gain access when you reach a specific level of knowledge, very nice video and remote Injection method of the remote shell!
This is very, very well graphiced exploit explanation. Huge thanks, there are million exploit explanations but i never seen like this one.
Loved the experience watching the video. As a n00b, I'm thankful for the details presented and would request that even more videos with even more details would be much appreciated. And wish both of you the very best.Cheers,
Printing one char at a time to a file due to the charlimit then executing the file was genius!
This was awesome, and thanks for showing your thought process when discovering this vuln. Hope to learn more from you guys in the future
That was fantastic and very well put together. Very educational. So excited to see more of this!
Money well deserved! This was just beautiful. Thanks for sharing guys. I'd have to re-watch the reverse engineering part of the system calls a few times to understand what's happening though 😅
explanation in the state of art! Brilliant, and waiting for more, congratulations!
Nice exploit, even better explanation! Great work.
Awesome guys! What a video... very clear and objective. The exploit sending one char at a time was really dope
Great work, love the thought behind constructing the final final in chunks due to the character limitation.
I never get tired of your voice ;)
That was pretty cool. I will like to see more videos like this one. Also a video of how someone can get started in hardware hacking, tools required will be appreciated
Verry nice job. I don’t understand what you exactly does but it is so a nice idea. I want to learn this. Sooo nice
Great video, first time I've been aware of a reverse shell before really interesting stuff!
Nice work, thanks for the great deep dive! Keep up the great work on developing that specialty education platform :)
Thanks, will do!
Panowie, super robota, jako początkujący embeddeddev bardzo dziękuję za content!
mad respect for you guys, what's better than learning from the bests.
Congratulations guys. Looking forward to learning more. Thank you for starting this channel 👍🏼👌🏽
Amazing content guys. Waiting for more🙃
The explanation is quite good and making it seem easy. Good guys
Didn't expect to see Dashie in this video. But I'll take it!
You guy's are insane, please release nore videos. Highly appreciated
Great job guys! Does that mean that us, the users, are vulnerable through the network just by having one of these at home?. Or would I be in trouble just if I invite you for a cup of coffee?🤣🤣🤣 Keep it up!
If you use it at home, you would only be vulnerable if you invited us for a cup of coffee... but it's not that simple, let us explain!
Routers like these are used in small businesses to provide Internet service to the business' customers, which would be connected to the LAN interfaces (Wi-Fi or Ethernet).
As a small business customer (let's say in a cafe, hotel or hospital), you could abuse this vulnerability, take control of the router, and attack the other customers.
LAN style attacks are also relevant in large businesses, where for example you connect to a segregated Wi-Fi network, but are still connected to the LAN-side of a router, and could then execute similar attacks.
In the same competition we actually hacked the same router over the WAN interface (where the router connects to the Internet), we will put a video up describing the attack in the future.
This last phrase means that if you use this router, you are still vulnerable from the outside of your local network (outside of the coffee cup zone), NOT due to this specific vulnerability, but due to others we found in the same competition :D
brilliant waiting for more!
This is the best hardware hacking video I have seen in my life. Thank you!
GND pins are usually easy to find by eye since they're most often connected to a GND plane instead of a line.
Not checking the format of the payload basically. If you are expecting a Mac address then at least check that the payload is a valid Mac address before you append it to a string and execute it (as root too duh!)... Great work guys, this is genius, the tracing of where the data came in, the print 'x'>>a to built up the file was clever and the script to send that over as TPDP packets was great. Then you have the paperclip! A great masterclass...
Lots of examples of hacking embedded devices that are online involve getting a firmware update, using binwalk to break it down and look for vulnerabilities in software or hardcoded passwords and that's about it. Actual "hardware" hacking though is a very different beast.
ah so late for this, but absolutely worth the watch. Congrats guys on this fantastic job. "Looks juicy" my new favorite phrase :p
Very cleverly done. I really enjoyed watching 👍
Great vid can't wait to see more! Which plugins are you using on Ghidra?
We only use the Ghidra Hues plugin to have a dark theme. The original author deleted it, but here is a copy in Pedro's github repo:
github.com/pedrib/ghidra.hues
Very nice job! Congratulations boys!!!
Great work! Looking forward to the next video.
even this video is more than 10 minutes, I'm take a break from my workload to watch this video
nice education video bro, from me who interest on vulnerability hardware
You, Sir, are a scholar and a certified badass.
Awesome video! Great pace and explanation. The file buildup within the 13 char limit is genius haha. Well done!
Really nice work dudes, love the idea of building it one char at a time.
Well done Flashback Team!
Really nice and clear breakdown guys and congrats on the bounty!
Loved it, great explanation with the reversing, thanks guys!
Great video and explanation!
Perfect explanation, I'm going to copy the part where you go in motorcycles 😄
Your getting a sub from me I love how you go into full detail although I wish you told us what disassembler you used
kurrrrrwa Pedro, we have to do it
Wow! Thank you so much for your work on this video. Explanations are great for someone starting out like me.
Awesome work! Wait for more and learn from you.
Absolutely fantastic explanation. Really enjoyed it and understood it!
Beautiful! Are there vulnerabilities in later TP-Link routers?
Absolutely, many of them, just google it!
Great video guay! Where do you get the arm articulated for connect the pins?
Someone help me with a little "slap" on how to get the online interface login once I'm in it. 🤔 (I know the basics and the location of the hash required for encryption. But it has nothing to do with the online superficial passw)
I had a lot of fun with the video anyway! Anyway, I had a great time with the video, let there be more of these tplink stuff..! ✔ 😎
Thank you guys. Absolutely awesome video! Really well structured and presented.
Excellent explanation, super cool method of exploit!
Got damn it congrats flashback team !!!!
Hii! Nice video.
Could you please explain in more detail about the logistics of sending the packet carrying the payloads?
I want to know exactly what steps are taken to create the desired packet, what does it look like, how is it crafted, how it is sent, and how the target is made to receive it - is there no preceding functions the target must execute to prepare for handling this onemesh request? What would it look like if it were TCP?
Sorry if the answers are obvious, I am out of my depth at this level of exploitation and would love to learn.
Thanks for the comments! You'll find full details in our advisories:
github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md
github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2020/minesweeper.md
Nice work guys. Congratulations on the win. Have you always come across routers with root? What about routers with embedded microcontrollers.
I already didn't buy TP-Link for other reasons. This is just the final nail in the coffin. Sadly, alot of even reputable brands do similar things. Would love to see if Asus, Netgear, Eero and others have the same flaws. Makes you understand why Cyclops Blink was so effective in spreading.
Now i am going to try this on my own router.Amazing Amazing Amazing !
Great job guys. And great video.
Really enjoyed this explanation. Great job guys
Really enjoyed the video.. especially the 13 character limit part..
Out of curiosity, is there any reason tp link left the uart open or was it something they just overlooked?
P.S extra kudos to the subtle humor you injected into this video.
I think they assumed physically removing a Rx line would be enough. We see a lot of devices with enabled UART.
@@FlashbackTeam I see.. Yeah it was odd to see the uart still being there because it seemed like such an obvious security hole. Good job still!
@@FlashbackTeam is that why you bridged it with a paperclip?
UART can usually be used to recover softbricked systems.
Amazing, cant wait for next video
Great Job! Super good video! keep on
Thanks for the awesome video, Can you make more video on router hacking and what is the ghidra theme you guys are using :)
We will definitely do more videos on embedded device hacking. We will use routers as an example, but actually many devices are similar to routers, such as firewalls, network devices and embedded devices in general.
The Ghidra theme is Ghidra.Hues: github.com/pedrib/ghidra.hues
Great video,it's the first exploit that I actually understood,but i hope you cover more about the initial reversing process and how you managed to find the exploitable function upon the thousands of other stuff or just like some general tips for simplying the undreadable code into a simpler one(I would understand if you want to keep like the scripts you used for your own)
Not rushed at all, excellent!
What was the disassembler/IDE Radek was using?
Thank you! I think you are asking about Ghidra? It's a tool for reverse engineering of binaries.
@@FlashbackTeam Yes, that's what I was asking for, thanks.
But holy crap, developed by the US NSA?!? 😲
And too bad they chose Java. Ugh.
@@gearboxworks it's open source tho. There are commercial alternatives like IDA Pro or binary ninja.
@@FlashbackTeam Yes, of course, as it is on GitHub with an O/S license.
I'm just surprised that the NSA open-sourced it. That's like something Snowden would do, but without it being official!
Great video! Is there an STL for the articulated arms?
Hi. Thanks!
I didn't print the arms myself but bought it directly from Giuseppe. But I think he links the files under CC license. Take a look here: www.thingiverse.com/thing:2427726
I saw similar product from sensepeek.com/ but didn't use them myself yet.
This video was amazing! Right to the point and I understood everything! thank you!
The best type of learning ... by peeking over the shoulder of a master
"urmom" LOL, love how they the used the word in every part of the exploit
Great video, enjoyed a lot! Clever exploit:)
does this still work if the router was flashed with something like openwrt? or is this specific to the stock os? Anyways great job explaining!
wow pretty straight forward explaination
Really good video guys. But this only worked because you were on the same network as the router. How to exploit it if you are not on the LAN?
The vulnerabilities demonstrated in this video are only exploitable over the LAN. It is impossible to exploit them over the WAN in the default router configuration.
We used it to win the Pwn2Own Tokyo 2019 TP-Link LAN category.
only after this vid i understood purpose for all those exercises with "draw piramid with numbers using C lang")))))))))
thanks a lot!
It’s awesome guys. It’s very interesting. Thank you for explanation
great presentation, very clearly communicated
thank you guys, great video!
Very cool, nice job, guys.
you guys are awesome. Love from India 😍🙏🏻
Thank you so much for explaining the process.