HackDig : Dig high-quality web security articles for hackers

Press backspace 28 times to hack a Linux PC with Grub2

The researchers Hector Marco and Ismael Ripoll have found that the Grub2 authentication could be easily defeated by hitting backspace 28 times. A couple of researchers from the University of Valencia’s Cybersecurity research group, Hector Marco and Ismael Ripoll, have found that the Grub2 bootloader is plagued by a serio
Publish At:2015-12-17 13:50 | Read:3912 | Comments:0 | Tags:Hacking Breaking News authentication LINUX Grub2 embedded sy

Reversing Belkin’s WPS Pin Algorithm

After finding D-Link’s WPS algorithm, I was curious to see which vendors might have similar algorithms, so I grabbed some Belkin firmware and started dissecting it. This particular firmware uses the SuperTask! RTOS, and in fact uses the same firmware obfuscation as seen previously on the Linksys WRT120N: DECIMAL HEXADECIMAL DESCRIPTION ---
Publish At:2015-04-11 00:05 | Read:12102 | Comments:0 | Tags:Embedded Systems Reverse Engineering Security

Hacking the D-Link DIR-890L

The past 6 months have been incredibly busy, and I haven’t been keeping up with D-Link’s latest shenanigans. In need of some entertainment, I went to their web page today and was greeted by this atrocity: D-Link’s $300 DIR-890L router I think the most “insane” thing about this router is that it’s running the same buggy fir
Publish At:2015-04-11 00:05 | Read:10363 | Comments:0 | Tags:Embedded Systems Reverse Engineering Security

Reversing D-Link’s WPS Pin Algorithm

While perusing the latest firmware for D-Link’s DIR-810L 802.11ac router, I found an interesting bit of code in sbin/ncc, a binary which provides back-end services used by many other processes on the device, including the HTTP and UPnP servers: Call to sub_4D56F8 from getWPSPinCode I first began examining this particular piece of code with the hopes of
Publish At:2014-10-31 23:25 | Read:8239 | Comments:0 | Tags:Embedded Systems Reverse Engineering Security

Exploiting a MIPS Stack Overflow

Although D-Link’s CAPTCHA login feature has a history of implementation flaws and has been proven to not protect against the threat it was intended to thwart, they continue to keep this feature in their products. Today we’ll be looking at the CAPTCHA implementation in the D-Link DIR-605L, which is a big-endian MIPS system running Linux 2.4. A pr
Publish At:2014-08-10 15:15 | Read:7464 | Comments:0 | Tags:Embedded Systems Reverse Engineering Security Tutorial

Reverse Engineering a D-Link Backdoor

All right. It’s Saturday night, I have no date, a two-liter bottle of Shasta and my all-Rush mix-tape…let’s hack. On a whim I downloaded firmware v1.13 for the DIR-100 revA. Binwalk quickly found and extracted a SquashFS file system, and soon I had the firmware’s web server (/bin/webs) loaded into IDA: Strings inside /bin/webs Based o
Publish At:2014-08-10 15:15 | Read:4108 | Comments:0 | Tags:Embedded Systems Security

Cracking Linksys “Encryption”

Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads: Firmware 1.0.07 (Build 01) - Encrypts the configuration file. Having previously reversed their firmware obfuscation and patched their code to re-enable JTAG debugging, I thought that surely I would be able to use this access to reverse the new enc
Publish At:2014-08-10 15:15 | Read:4093 | Comments:0 | Tags:Embedded Systems Reverse Engineering Security

WRT120N fprintf Stack Overflow

With a good firmware disassembly and JTAG debug access to the WRT120N, it’s time to start examining the code for more interesting bugs. As we’ve seen previously, the WRT120N runs a Real Time Operating System. For security, the RTOS’s administrative web interface employs HTTP Basic authentication: 401 Unauthorized Most of the web pages requi
Publish At:2014-08-10 15:15 | Read:11275 | Comments:0 | Tags:Embedded Systems Security Tutorials

Hacking the D-Link DSP-W215 Smart Plug

The D-Link DSP-W215 Smart Plug is a wireless home automation device for monitoring and controlling electrical outlets. It isn’t readily available from Amazon or Best Buy yet, but the firmware is up on D-Link’s web site. The D-Link DSP-W215 TL;DR, the DSP-W215 contains an unauthenticated stack overflow that can be exploited to take complete contro
Publish At:2014-08-10 15:15 | Read:6119 | Comments:0 | Tags:Embedded Systems Reverse Engineering Security

Hacking the DSP-W215, Again

D-Link recently released firmware v1.02 for the DSP-W215 to address the HNAP buffer overflow bug in my_cgi.cgi. Although they were quick to remove the download link for the new firmware (you must “Use mobile application to upgrade device”), I grabbed a copy of it before my trip to Munich this week, and the 8 hour flight provided plenty of quality
Publish At:2014-08-10 15:15 | Read:6624 | Comments:0 | Tags:Embedded Systems Security Tutorial

Hacking the DSP-W215, Again, Again

Here we go again…again. In the last DSP-W215 exploit, I mentioned that the exploit’s POST parameter name had to be “storage_path” in order to prevent the get_input_entries function from crashing prematurely. That’s because there is another stack overflow, this time in the replace_special_char function, which is called by get_inp
Publish At:2014-08-10 15:15 | Read:5856 | Comments:0 | Tags:Embedded Systems Security Tutorial
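
The bug class the teaser above describes, as an added illustration written for this page (not D-Link’s code and not the exploit from the post): a replace_special_char-style routine whose output grows faster than its input is written into a fixed-size stack buffer with no length check, shown beside a bounded version that sizes the expansion first and rejects what does not fit. The replacement table, OUT_SIZE, the sample parameter values and every function name here are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define OUT_SIZE 64   /* assumed size of the caller's fixed stack buffer */

/* Assumed replacement table: what one input byte may expand to. */
static const char *expansion(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    default:   return NULL;      /* copied through unchanged */
    }
}

/* Vulnerable shape: the input is bounded only by its NUL, the output grows up
 * to 6x as fast, and nothing checks it against the end of 'out', so a long
 * POST parameter value runs off the caller's stack buffer. Kept here for the
 * pattern; the hardened caller below reaches it only after checking the fit. */
static void replace_special_char_unsafe(const char *in, char *out)
{
    char *p = out;
    for (; *in; in++) {
        const char *rep = expansion(*in);
        if (rep) {
            strcpy(p, rep);          /* no bound on p */
            p += strlen(rep);
        } else {
            *p++ = *in;
        }
    }
    *p = '\0';
}

/* Bytes the expanded form needs, not counting the terminating NUL. */
static size_t expanded_length(const char *in)
{
    size_t n = 0;
    for (; *in; in++) {
        const char *rep = expansion(*in);
        n += rep ? strlen(rep) : 1;
    }
    return n;
}

/* Hardened version: compute the expanded size first and refuse anything that
 * does not fit. Returns bytes written, or -1 (and an empty string) on reject. */
static int replace_special_char_safe(const char *in, char *out, size_t out_size)
{
    size_t need = expanded_length(in);
    if (out_size == 0)
        return -1;
    if (need + 1 > out_size) {
        out[0] = '\0';
        return -1;
    }
    replace_special_char_unsafe(in, out);   /* fit already verified */
    return (int)need;
}

/* 1 if 'in' would overrun an OUT_SIZE buffer under the unsafe version. */
static int would_overflow(const char *in)
{
    return expanded_length(in) + 1 > OUT_SIZE;
}

/* Check helper: run the safe version into an OUT_SIZE buffer and compare.
 * Returns bytes written when the output equals 'expected', -1 when the input
 * was rejected (buffer left empty), -2 on a mismatch. */
static int safe_result(const char *in, const char *expected)
{
    char out[OUT_SIZE];
    int n = replace_special_char_safe(in, out, sizeof out);
    if (n < 0)
        return out[0] == '\0' ? -1 : -2;
    return strcmp(out, expected) == 0 ? n : -2;
}

int main(void)
{
    /* Constructed sample parameter values, not traffic from the device. */
    const char *benign = "a&b<c";
    char evil[40];
    memset(evil, '&', sizeof evil - 1);   /* 39 x '&' expands to 195 bytes */
    evil[sizeof evil - 1] = '\0';

    printf("benign: %d bytes written\n", safe_result(benign, "a&amp;b&lt;c"));
    printf("evil would overrun a %d-byte stack buffer: %s\n", OUT_SIZE,
           would_overflow(evil) ? "yes" : "no");
    printf("hardened version rejects it: %s\n",
           safe_result(evil, "") == -1 ? "yes" : "no");
    return 0;
}
```

The point of the hardened form is that the bound is derived from the expansion, not from the input length: a check on strlen(in) alone still lets a string of `&` characters overrun the buffer by a factor of five.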

Hacking the DSP-W215, Again, Again, Again

So far, the vulnerabilities found in the DSP-W215 have only been practically exploitable from the LAN, unless someone was foolish enough to make their smart plug remotely accessible on the Internet. The typical way for external attackers to target internal web servers, such as the one running on the DSP-W215, is through CSRF. The problem is that any web brow
Publish At:2014-08-10 15:15 | Read:6594 | Comments:1 | Tags:Embedded Systems Security Tutorial
