How We Hacked a TP-Link Router and Took Home $55,000 in Pwn2Own

  Рет қаралды 369,073

Flashback Team

Flashback Team

Күн бұрын

Learn tricks and techniques like these, with us, in our amazing training courses!
flashback.sh/training
In this video we will show you how we found and exploited a chain of vulnerabilities in the TP-Link Archer AC1750 to win $5,000 in Pwn2Own Tokyo 2019.
We bagged a total of $55,000 hacking routers in this competition!
00:00 Intro
01:48 Finding debug interface
04:35 Finding the vulnerability
06:23 Vulnerability details
15:20 Exploit demo
16:33 Outro
For in-depth details, refer to our advisories:
www.flashback.sh/blog/lao-bom...
www.flashback.sh/blog/mineswe...
The two advisories complement each other. The first one describes the process we used to pwn this router in 2019, and the second one how we found in 2020 that TP-Link improperly patched the command injection. We used that knowledge to improve the exploit so that it works on old and newer "patched" firmware.
The command injection described in this video is the improved one.
The vulnerabilities exploited in this video are:
- CVE-2020-10882
- CVE-2020-10883
- CVE-2020-10884
- CVE-2020-28347
All vulnerabilities have been fixed by TP-Link in current firmware versions.
Intro material comes from the ZDI KZfaq channel under CC-BY.
Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.
~ Flashback Team
flashback.sh
/ flashbackpwn

Пікірлер: 361
@coreyfournier3345
@coreyfournier3345 Жыл бұрын
As a software developer I would have liked to hear what could have been done to prevent this. Obviously not running everything as root to start with.
@FlashbackTeam
@FlashbackTeam Жыл бұрын
Several mistakes were committed: - running everything as root - mounting the root file system as read-write - hardcoding the encryption key - enabling a network service when it's not necessary (we hadn't configured this feature, it is enabled by default) But most importantly, input wasn't sanitised. Notice that it expects a MAC address, which has a very strict and well known format: aa:bb:cc:dd:ee:ff After copying to an intermediate buffer with a limited size (as they did correctly), they should have validated the MAC address before proceeding. This could have easily been done with a regex, such as: ^[a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5}$ In addition, they could have introduced additional security controls, such as a properly configured firewall, sandboxing, etc.
@supermaster2012
@supermaster2012 Жыл бұрын
@Ralph Reilly there's a reason for this, it saves manufacturing costs as they can just flash the same exact image over and over and let the device bootstrap when it's booted up for the first time.
@itzurabhi
@itzurabhi Жыл бұрын
for the C, C++ devs : -Wall -Wextra -Wconversion -Werror
@TonyLee_windsurf
@TonyLee_windsurf Жыл бұрын
@@supermaster2012 One can use public key encryption, at lease hide the private key. Harder for hacker to create diff encrypted pkt.
@thoriumbr
@thoriumbr Жыл бұрын
@@TonyLee_windsurf You can't "hide" the private key, as the software will need it to decrypt the packet. Hard coding the key is terrible because every single router using the same firmware uses the same key. If the key was saved on a file, and checked and generated if the file was missing, it would not be possible to hack every router without physical access to it first.
@HritikV
@HritikV 3 жыл бұрын
It wasn't rushed at all. A perfect explanation at a perfect pace.
@jaimedpcaus1
@jaimedpcaus1 Жыл бұрын
What was "connected pin to line" what was that? What did he say?
@johntoterhi6293
@johntoterhi6293 3 жыл бұрын
Great work guys! Pedro’s explanation of the team’s process of auditing system calls is exceptional. This kind of breakdown is something I rarely see covered in detail.
@TheGrimSniper14
@TheGrimSniper14 3 жыл бұрын
We absolutely love these kinds of detailed breakdown of your thought process while looking at a target. Definitely continue doing these types of videos
@Raintiger88
@Raintiger88 Жыл бұрын
I just found your channel yesterday and I'm really enjoying your videos. The information and quality is unmatched!
@prox5784
@prox5784 3 жыл бұрын
That was fantastic and very well put together. Very educational. So excited to see more of this!
@jacoblpeterson
@jacoblpeterson 2 жыл бұрын
Excellent video. I couldn't stop laughing at the `echo urmom>d` hahaha
@ryanduke6784
@ryanduke6784 11 күн бұрын
My god. I think this is the best channel ive seen so far. These dudes are legit
@surferbum618
@surferbum618 3 жыл бұрын
This was awesome, and thanks for showing your thought process when discovering this vuln. Hope to learn more from you guys in the future
@gauravhksharma5760
@gauravhksharma5760 3 жыл бұрын
Congratulations guys. Looking forward to learning more. Thank you for starting this channel 👍🏼👌🏽
@kltr007
@kltr007 Жыл бұрын
Thank for sharing this. I like the no-nonsense style. For your first video this is a great piece of work. Like your graphics - a picture says more than thousand words. Must have been a lot of work but it pays back.
@sombramurk793
@sombramurk793 Жыл бұрын
Awesome guys! What a video... very clear and objective. The exploit sending one char at a time was really dope
@thefastjojo
@thefastjojo 3 жыл бұрын
explanation in the state of art! Brilliant, and waiting for more, congratulations!
@paramatus3531
@paramatus3531 Жыл бұрын
I like what you have done there. Very straight forward explenation, and I have to slightly disagree with you saying it was rushed. It was perfect. Longer videos are harder to follow and the amount you put in and the little backstories like being in Laos spiced it up a little. I am looking forward to more of your exploits.
@jvidsonyt
@jvidsonyt Жыл бұрын
Awesome video! Great pace and explanation. The file buildup within the 13 char limit is genius haha. Well done!
@13DarkWolf
@13DarkWolf 3 жыл бұрын
Really nice and clear breakdown guys and congrats on the bounty!
@HK-sw3vi
@HK-sw3vi 3 жыл бұрын
mad respect for you guys, what's better than learning from the bests.
@Harshitshukla88
@Harshitshukla88 Жыл бұрын
You guys rocked🔥 lot of learning in a single video from hardware to binary, reverse engineering to maintaining access .....😃
@jahwni
@jahwni 2 жыл бұрын
Loved it, great explanation with the reversing, thanks guys!
@myname-mz3lo
@myname-mz3lo 10 ай бұрын
the way you created a file one character at a time is so smart . i would have felt so stuck with the 13 characters .
@wowimoldaf
@wowimoldaf Жыл бұрын
This is very, very well graphiced exploit explanation. Huge thanks, there are million exploit explanations but i never seen like this one.
@sven5666
@sven5666 Жыл бұрын
Thank you guys. Absolutely awesome video! Really well structured and presented.
@iikon69
@iikon69 Жыл бұрын
Great work, love the thought behind constructing the final final in chunks due to the character limitation.
@kevinnyawakira4600
@kevinnyawakira4600 3 жыл бұрын
That was pretty cool. I will like to see more videos like this one. Also a video of how someone can get started in hardware hacking, tools required will be appreciated
@kshitijnalawade8554
@kshitijnalawade8554 3 жыл бұрын
idk what I should comment now.. Everything I wanted to say like 'this is awesome' and stuff has been said by everyone.. But I'm still commenting to let you guys know that we really need more of this great content from you guys!! Really appreciate it!!
@somsiri9319
@somsiri9319 3 жыл бұрын
Great work! Looking forward to the next video.
@JoshDavidLevy
@JoshDavidLevy 3 жыл бұрын
Really enjoyed this explanation. Great job guys
@JK-pb3vj
@JK-pb3vj 2 жыл бұрын
Blyat, this is the best router exploit video on KZfaq by a long way! More of this guys ✌️
@brotatobrosaurus5411
@brotatobrosaurus5411 Жыл бұрын
Nice exploit, even better explanation! Great work.
@cq_YT
@cq_YT 3 жыл бұрын
Awesome work! Wait for more and learn from you.
@orenishay4175
@orenishay4175 3 жыл бұрын
This video was amazing! Right to the point and I understood everything! thank you!
@anitsh
@anitsh 3 жыл бұрын
Loved the experience watching the video. As a n00b, I'm thankful for the details presented and would request that even more videos with even more details would be much appreciated. And wish both of you the very best.Cheers,
@localman9341
@localman9341 3 жыл бұрын
Amazing content guys. Waiting for more🙃
@davidbristoll195
@davidbristoll195 Жыл бұрын
Very cleverly done. I really enjoyed watching 👍
@pincombe
@pincombe Жыл бұрын
Great video, first time I've been aware of a reverse shell before really interesting stuff!
@geraldamasi1559
@geraldamasi1559 2 жыл бұрын
The explanation is quite good and making it seem easy. Good guys
@thebrotherhood1675
@thebrotherhood1675 3 жыл бұрын
brilliant waiting for more!
@Barqi
@Barqi 3 жыл бұрын
You guys did an amazing job in explaining the exploitation process. For a next video I would love to see more on how you reverse engineer/decrypt the code and the process of analyzing it. Thanks for giving back to the community! You rock!
@FlashbackTeam
@FlashbackTeam 3 жыл бұрын
Thanks for the feedback! We will show that in detail in future videos. Bear in mind there was a serious reverse engineering effort behind all of this. Most functions in the binary were not even defined, and all symbols are our names (the binary had few symbols).
@Barqi
@Barqi 3 жыл бұрын
@@FlashbackTeam I understand. But what for me personally would be super interesting to see, is how to start turning that binary code into code. I think that there are not that many videos on hardware > code > recognising exploitable functions. Again, thanks for giving back to the community!
@RafaelKarosuo
@RafaelKarosuo Жыл бұрын
@@FlashbackTeam I was thinking "how on earth you got all those symbols if the code wasn't compiled for debugging", thanks for the clarification, a lot of effort indeed.
@murrij
@murrij Жыл бұрын
Wow! Thank you so much for your work on this video. Explanations are great for someone starting out like me.
@rdarkmind
@rdarkmind Жыл бұрын
Money well deserved! This was just beautiful. Thanks for sharing guys. I'd have to re-watch the reverse engineering part of the system calls a few times to understand what's happening though 😅
@ninoivanov
@ninoivanov Жыл бұрын
... fiiiiinally an actually GOOD channel on such topics...
@neuronwave
@neuronwave Жыл бұрын
Absolutely fantastic explanation. Really enjoyed it and understood it!
@th3p1tbulll
@th3p1tbulll Жыл бұрын
Very nice job! Congratulations boys!!!
@NetworkITguy
@NetworkITguy Жыл бұрын
I never get tired of your voice ;)
@EJohnson688
@EJohnson688 3 жыл бұрын
Nice work, thanks for the great deep dive! Keep up the great work on developing that specialty education platform :)
@FlashbackTeam
@FlashbackTeam 3 жыл бұрын
Thanks, will do!
@aracystic28
@aracystic28 3 жыл бұрын
This is amazing. Good job guys!
@DefconUnicorn
@DefconUnicorn Жыл бұрын
Really nice work dudes, love the idea of building it one char at a time.
@MarKac9090
@MarKac9090 3 жыл бұрын
awesome video! very interesting to watch because you explain it VERY well
@1337BR3AK
@1337BR3AK 2 жыл бұрын
Great video and explanation!
@marcos251
@marcos251 3 жыл бұрын
This is amazing! Great work
@bobbydedman5899
@bobbydedman5899 Жыл бұрын
Great job guys. And great video.
@aaryanbhagat4852
@aaryanbhagat4852 2 жыл бұрын
Excellent explanation, super cool method of exploit!
@JBarszczu
@JBarszczu 2 жыл бұрын
This is the best hardware hacking video I have seen in my life. Thank you!
@markooo4429
@markooo4429 3 жыл бұрын
Amazing, cant wait for next video
@nsknyc
@nsknyc 3 жыл бұрын
ah so late for this, but absolutely worth the watch. Congrats guys on this fantastic job. "Looks juicy" my new favorite phrase :p
@karolinajoachimczyk3168
@karolinajoachimczyk3168 Жыл бұрын
Panowie, super robota, jako początkujący embeddeddev bardzo dziękuję za content!
@hanshansli2238
@hanshansli2238 10 ай бұрын
thank you guys, great video!
@electrowizard2658
@electrowizard2658 20 күн бұрын
great video loved it !!
@zillzone
@zillzone 3 жыл бұрын
Excellent walkthrough thank you!!
@teslastellar
@teslastellar Жыл бұрын
Thank you so much for explaining the process.
@jamesrussell-ui6gd
@jamesrussell-ui6gd Жыл бұрын
great breakdown!
@danielmonzon7396
@danielmonzon7396 3 жыл бұрын
Wow, impressive work guys, learnt so much in a single video. As feedback I would say that it would be cool to have a quick look on the exploiting writing process ;)
@FlashbackTeam
@FlashbackTeam 3 жыл бұрын
Thank you for your feedback! We will go into depth on that in the next videos!
@danielmonzon7396
@danielmonzon7396 3 жыл бұрын
@@FlashbackTeam u are welcome, can't wait to watch them :P
@KaleshwarVhKaleshwarVh
@KaleshwarVhKaleshwarVh 3 жыл бұрын
@@FlashbackTeam yes, I guess, the length of the video doesn't matter for people who will wanna learn. So go for it.
@ruslanshuster9124
@ruslanshuster9124 Жыл бұрын
Great video, enjoyed a lot! Clever exploit:)
@florianmaetschke9054
@florianmaetschke9054 Жыл бұрын
Great Job! Super good video! keep on
@simyaci12
@simyaci12 3 жыл бұрын
Very inspiring, you both are epic. Thank you for sharing.
@randomguy3784
@randomguy3784 3 жыл бұрын
Excellent work!
@DursunX
@DursunX Жыл бұрын
non-programmer here i love this breakdown. i get to witness the mindset of successfully exploiting a vulnerability (within a 13 character limitation). i actually got it. most of it made sense even to an 'illiterate' bystander like myself. pwn bounty well deserved!
@neroux712
@neroux712 Жыл бұрын
From a developer sight of view, it makes me now think twice about validation of strings from not trust able sources, as the exploit would break if any function in the call chain would check the input values fully also for injection. Very interesting how "easy" it is to gain access when you reach a specific level of knowledge, very nice video and remote Injection method of the remote shell!
@depth5322
@depth5322 Жыл бұрын
It’s awesome guys. It’s very interesting. Thank you for explanation
@der-andy2407
@der-andy2407 Жыл бұрын
Great work guys
@saketsrv9068
@saketsrv9068 2 жыл бұрын
You guy's are insane, please release nore videos. Highly appreciated
@thatguyinelnorte
@thatguyinelnorte 3 жыл бұрын
Well done Flashback Team!
@helmutzollner5496
@helmutzollner5496 Жыл бұрын
Great stuff! Thank you for sharing.
@machazard009
@machazard009 Жыл бұрын
Nice work guys. Congratulations on the win. Have you always come across routers with root? What about routers with embedded microcontrollers.
@alreadyputitup
@alreadyputitup Жыл бұрын
great presentation, very clearly communicated
@DrewMarold
@DrewMarold Жыл бұрын
Very cool, nice job, guys.
@recepyoldas9894
@recepyoldas9894 3 жыл бұрын
was perfect exploit and explaning
@flinkiklug6666
@flinkiklug6666 Жыл бұрын
Verry nice job. I don’t understand what you exactly does but it is so a nice idea. I want to learn this. Sooo nice
@gcberto
@gcberto 3 жыл бұрын
Great work!
@ivanprincipato
@ivanprincipato 2 жыл бұрын
Thank you so much for sharing , I learned a lot from this video 🙏
3 жыл бұрын
Awesome, thanks for sharing it!
@ogiogi2714
@ogiogi2714 3 жыл бұрын
Got damn it congrats flashback team !!!!
@ui4lh
@ui4lh Жыл бұрын
Pure genius the writing to a shell script and then executing lol
@lucasamorim1300
@lucasamorim1300 3 жыл бұрын
Great explanation! Thank you!
@tyaprak
@tyaprak Жыл бұрын
A perfect explanation. Great.
@trevorsmith5991
@trevorsmith5991 Жыл бұрын
Worked , thanks a lot!
@renify_
@renify_ Жыл бұрын
wow pretty straight forward explaination
@niczoom
@niczoom Жыл бұрын
Great video, thanks for the tips.
@theblankuser
@theblankuser Жыл бұрын
Dope and well explained
@Bianchi77
@Bianchi77 11 ай бұрын
Nice video, thanks for sharing :)
@matthew423
@matthew423 3 жыл бұрын
Great stuff!
@Ragekillen
@Ragekillen Жыл бұрын
Your getting a sub from me I love how you go into full detail although I wish you told us what disassembler you used
@MagicPlants
@MagicPlants Жыл бұрын
Printing one char at a time to a file due to the charlimit then executing the file was genius!
@greob
@greob 3 жыл бұрын
Well done, no problem with the video. Thanks for sharing.
@andrecinelli
@andrecinelli Жыл бұрын
Very nice video!
@ruimineiro746
@ruimineiro746 Жыл бұрын
Muito fixe !! Grande Pedro !!
@davidraber-radakovits1572
@davidraber-radakovits1572 Жыл бұрын
GND pins are usually easy to find by eye since they're most often connected to a GND plane instead of a line.
@gaborungvari784
@gaborungvari784 Жыл бұрын
this was very good!
@loocatme6779
@loocatme6779 Жыл бұрын
You, Sir, are a scholar and a certified badass.
@josephseed3393
@josephseed3393 9 ай бұрын
Amazing video! You guys are convincing me to get into IoT and hardware hacking
Hacker's Guide to UART Root Shells
17:40
Flashback Team
Рет қаралды 454 М.
DNS Remote Code Execution: Finding the Vulnerability 👾 (Part 1)
29:31
How To Choose Ramen Date Night 🍜
00:58
Jojo Sim
Рет қаралды 61 МЛН
Sigma Girl Education #sigma #viral #comedy
00:16
CRAZY GREAPA
Рет қаралды 16 МЛН
How This Speaker Broke Physics.
10:32
The Studio
Рет қаралды 177 М.
Extracting Firmware from Embedded Devices (SPI NOR Flash) ⚡
18:41
Flashback Team
Рет қаралды 511 М.
Fun With HARDWARE HACKING!!! - UART ROOT SHELLS and Finding SECRETS!
31:15
everything is open source if you can reverse engineer (try it RIGHT NOW!)
13:56
Low Level Learning
Рет қаралды 1,2 МЛН
Hack everything: re-purposing everyday devices - Matt Evans
50:39
Linux.conf.au 2012 -- Ballarat, Australia
Рет қаралды 796 М.
Добавления ключа в домофон ДомРу
0:18
Airpods’un Gizli Özelliği mi var?
0:14
Safak Novruz
Рет қаралды 6 МЛН
IPad Pro fix screen
1:01
Tamar DB (mt)
Рет қаралды 3,6 МЛН
M4 iPad Pro Impressions: Well This is Awkward
12:51
Marques Brownlee
Рет қаралды 6 МЛН