DNS Remote Code Execution: Finding the Vulnerability 👾 (Part 1)
Ғылым және технология
Learn tricks and techniques like these, with us, in our amazing training courses!
flashback.sh/training
In 2019 and 2020, we DOMINATED the router Wide Area Network or WAN category in the Pwn2Own hacker competition. In this category, hackers attack network devices with previously unknown vulnerabilities, from external networks such as the Internet.
Unfortunately, by 2021 our competitors reversed engineered our techniques, and the game was up.
Today, we are starting a video series where we will show you our tips, tricks and techniques to find and exploit WAN vulnerabilities in network devices. And we're starting with a beautiful DNS exploit that got us $20,000 in prizes.
Let's get ready to PWN!
In this video, we will tell you the story of how we found CVE-2020-10881 in the Pwn2Own Tokyo 2019 hacking competition and present our Game Plan for exploiting it :-)
00:00 - Intro
00:50 - WAN vs LAN
03:12 - Target Introduction and Recon
05:23 - Finding an Open Port and Fuzzing It
07:48 - Quick Look in Ghidra for Crash Investigation
10:38 - What is conn-indicator Doing?
12:30 - DNS Protocol
17:50 - A Deeper Look in Ghidra
20:33 - DNS Packet Parsing and the Vulnerability
24:51 - Radek's Evil Game Plan
28:03 - Our Training
Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.
~ Flashback Team
flashback.sh
/ flashbackpwn
Background track: "Hackers" by Karl Casey @WhiteBatAudio
Пікірлер: 172
I love how this video starts by explaining what LAN is, and 2 minutes later it's binary reverse eng
@xephael3485
6 ай бұрын
Yeah it goes from basic concepts to insanity and no time at all
@spookycode
3 ай бұрын
0-100 really fast
Great format. This is so clearly described and spoken that I listened to it a SECOND time, as a “podcast”. Thanks for going that extra “kilometer” and describing what’s on-screen.
Excellent documentation and walk through. I love your stuff.
When you showed your "Fuzzer" i totally lost it. Haven't had such a good laugh in years in this topic. But if i think about it some more, it is just about perfect. Easily accessible (but not perfect) entropy to cause spasms in badly written code. Being more or less available on any machine with and OS (no, Windows is not an OS, it's malware) means you can do preliminary tests even in absence of your "fav tools".
@antiquark6253
Жыл бұрын
I didn't get the joke :( was the netstar + grep somehow the fuzzer? Bc it looks it's only returning a specific line of Info from the previous, full, netstat cmd. Not seeing the usefulness unless 'conn' is supposed to be significant and understood as the grep string prior to beginning
@DasIllu
Жыл бұрын
@@antiquark6253 piping /dev/urandom into a program was the fuzzer iirc. Urandom generates a never ending stream of random bytes. And like a thousand monkeys with a thousand typewriters, it will eventually come up with a sequence that breaks the program under test.
@antiquark6253
Жыл бұрын
@@DasIllu oh I see now, the multi tiled terminals had me confused to what he was referring to, but I never thought to use nc that way. Very cool trick thx for illuminating that
Can't wait to see the detailed analysis of Part2.
Waiting for part 2! Amazing work!
Glad to see you back :)
keep up the great work. sometimes people feel like so many things are common sense and dont explain the things that help people understand stuff. thank you for such a detailed video
Incredible work. I'm blown away to see this entire research from start to finish, including the thought process. Well done. I hope to one day be able to do what you do!
Awesome stuff! waiting for the 2nd video.
This is what I have been waiting for a long time
w8 for second part. Thanks!
Best hackers from pwn2own 😊
Excellent documentation we want 2part😊
Hyped for the second part, hope it comes soon!
So awesome that you guys share this knowledge, really, keep up the great work!
Love your voice, is so soothing for teaching/learning. Thanks!
I appreciate every video in this channel, This is very useful. Thank you, guys.
hell I really appreciate what this guys are doing, because I don't understand 70% of what they are talking about. There is soooo much to learn and it seems scary 🤯
Amazing video. Subscribed
Nice video, added this to my watch list, will comeback and share my thoughts, for the time being its time to work.
Can't wait for part 2! :)
@FlashbackTeam
10 ай бұрын
It should be out very soon. We are on the last stretch in recording.
This is what we are looking for, nice job . Keep it up. Happy hacking
I’m thinking about making a similar video but mine are done in documentary format‼️
The jump scare at 1:21
Awaiting part 2!
I don't think I've ever said "Oh my God you can do that?!" so many times while watching a video haha. Amazing stuff
Thanks so much, we are learning! 😍
Amazing work... !
Crazy ammount of research, good job
You are a legend people. Proud of taking your courses.
@FlashbackTeam
Жыл бұрын
We're not affiliated with TryHackMe and have not developed any courses or tutorials for them :-) Our courses are developed and taught by us privately, check flashback.sh/training
Found Your channel from @liveoverflow Great Content 🙌🙌
lmao i love these videos you two are relatable yet much smarter...ive learned quite abit watching you guys thanks💯
Waiting for part 2!
After the first 30 seconds, I subed and liked the vid.
Smart fridge 😂 01:32
This is the most realistic and valuable hacker video I have ever seen
i have been trying to get into this for the long time. i feel like i don't understand programming which makes hacking so difficult. i love your moto at the end. i love the training at the end you talked about. i need to spend a lot more time getting a better understanding of programming so i can understand how to do what your trying and make money ethical hacking.
@M4D4F4K4.
Жыл бұрын
The chances are slim to none unless you get a degree lol although they hire people who don’t have one, they are talented ones who just moves to action when others thinking how to get into this 😂
@letsplaywar
Жыл бұрын
@@M4D4F4K4. i am hopeless. i will figure something out.
Regardless of the exploit, it's pretty disturbing that stock router firmware is spamming DNS requests to arbitrary commercial domains, just to blink an LED light...
Best series ✨
LETS GOOOOOOOOOOOOOOO i love yall
thank you for your hard work!!!!
Hi. I’m Japanese, and I could understand your video because of your very smart and cool presentation. Thank you for uploading this video! (I’m sorry about being not good at English.)
16:59 does offset to name point to start of length+string or can if point to another compression mode?
Very appreciate your sharing
Thanks a lot!
Amazing !!
Wooowww amazing!!!! But how did you run MIPS executable on PC? Or you we're was on target via ssh?
Can't wait until the second part pops out. I really want to hit the ground running with this kind of exploitation
Thank you for this
Thanks for sharing
The best Pedro.
what a nice research
Vamos 🔥🔥🎉
Your thumbnail is shokingly un clickbaity for sucha good video...
Thats another lvl...
This is 💎
Can you link the video you recommended that we watch on the beginning of the video?
just wondering, what firmware and version did the router have installed?
The best
Isso sim é qualidade parabéns
@jheimissantos8682
Жыл бұрын
verdade
this is cool. what O.S are you using though
It's shocking how it's making unsolicited DNS queries for random domains for completely unrelated companies. Concerning. If I was watching the WAN and saw these random requests coming from a router, I'd be concerned it was compromised in some way, not operating normally with stock firmware...
@lukasandresson3990
Жыл бұрын
Ghidra makes it easy to reverse engineer. You would think there would be standard practices on operational flow that prevents the behaviour. Standard Libraries for dns handling.
@FlashbackTeam
Жыл бұрын
conn-indicator needs to know when it has network connectivity, and the programmers chose this way to verify it. This is normal, and in this specific case quite benign in our opinion, as the DNS domains it is trying to query are well known. The mistake here was to make their own DNS parser (why TP-Link? WHY???). They could have used a shell script and standard utilities for checking connectivity, and a separate binary for controlling the LED lights! If this makes you worried, then have a look at what your phone, Windows or MacOS computer is doing for the same connectivity checks, without any user program running or any kind of user interaction, you will be VERY surprised 🙈
@friedrichhayek4862
9 ай бұрын
@@FlashbackTeam As a Linux user, no idea how it does the check, likely it will not be google.
I have a Question for Experts what I can not extract from that what is. My Provider had a Damage in a Knot where a Car crashed in.... first the internetconnection was lost, a few Minutes....after That it was ok for a few Minutes.... then it crashed again and was a longer Time out of Order. Since that I can not connect my Handy and my TV but every other Device works as usual. One Thing is that my Handy and the TV dont find the Port anymore... How is that possible?
I feel like $20k is a paltry sum to pay hackers for a hardware (firmware?) Bug on a device sold to hundreds of thousands of people
I have no clue wtf your saying half the time but, I still watch hoping something will stick. something better than nothing, right? I love hearing the actual thought process of the hack as if you're going threw it for the first time. I like this very much.
What toolsets(s) are you using ie caller??
Seeing my exact router in this vid is funny and terrifying
TP-Link be like: - Unit testing? Nah bro, we in China trust each other
If the CPU used by a server had as its lowest-level language a managed language, say for instance a Lips CPU, where there is no memcpy and other such potentially bug-infested C code behind the Lisp code, then how would you find a vulnerability?
Wow 😮👍👍👍❤️🔥
Anybody knows which code editor he is using there?
Nice presentation. You touched on a couple points that are just outside my full understanding. Specifically, at the segmentation fault, what makes a memory address "unmapped". Is it unmapped because it is outside the allocated stack frame? Anyway, really nice work! Thank you.
@FlashbackTeam
Жыл бұрын
Hi Matthew, glad you liked the video! You are correct. When a program starts, it allocates ("maps") memory ranges for the stack, the heap, libraries, the executable code, etc. These regions are not contiguous in memory. For example let's say a stack of 0x1000 in size, mapped in memory starting from 0x10000, which means its range is 0x10000 to 0x11000. Then we have a heap of size 0x1000, which is mapped at 0x12000 to 0x13000. In this example, if we try to access memory at 0x11001, it will cause a segmentation fault, as that memory is not mapped to either the heap or the stack. This was exactly what happened in the example in the video, albeit with different (more realistic) addresses.
Part 2 when? :D
Why KZread am recommended video this me not know but watch interesting brain capacity limited open to expansion thank you I will sub
This is so cool and amazing !
Vendor-supplied router firmwares that use ancient kernel and code is commonly recognized to be insecure. This is why I always use OpenWRT
Mantap :D
It seems almost impossible for a regular person to be able to protect themselves over someone accessing their computer or phone. After having all of my data stolen from a big tech company it has been so difficult to feel safe.
Thanks this was very helpful! I wonder why they used DNS instead of ICMP? Surely DNS was never intended for such things?
@khatharrmalkavian3306
Жыл бұрын
More and more places blocking ICMP these days. Moreover, even if they wanted to ping a well known CNAME, it would still require a DNS query, so just doing the query is more efficient, since it's only checking for connectivity.
I won the last 3 years WASP competition, but my method for doing this cannot be disclosed because of the damage it will cause, here is a sample of what i know: bluetooth follows the standard made by cisco on their routers where you make one the master the rest just follow. the same applies in Bluetooth yet here the clients that connect allow you root access to them as the technology defined.
It didn't occur to me until watching this video, but AI would be amazing at reverse-engineering like this. Renaming functions and variables and creating comments based on context is already so close to how AI models interpret code.
@skeeberk.h.4396
Жыл бұрын
Catch up, Ppl been doing this ever sense chatgpt hit the streets
@maktiki
Жыл бұрын
AI has not catched up to thinking like this.
@skeeberk.h.4396
Жыл бұрын
@@maktiki Lol , Yes it did, There plenty of Plugins that do just That Already
@azurescenss
Жыл бұрын
I feel like half of the hacking attempts at this point are *most likely* made by AI botnets that are programmed to execute these types of attacks using rogue / zombie ip's that operate on virtual machines that can't be traced.
@skeeberk.h.4396
Жыл бұрын
@@azurescenss 💀🧢
🖤
why does conn-indicator need to parse dns response? can't it just receive response, ignore contents, turn on LED?
@FlashbackTeam
Жыл бұрын
How would it know it received a valid response to its request if it doesn't parse it?
At 6:50 you mention that you're using gdb while having a laugh for your buddy who uses a 'lame java's one, were you referring to ghidra? Lol
Please release a course in hacking please i want to learn or atleast link a good course that is useful to learn deep hacking please!!
we're waiting for the part 2 for 2 week 😭😭
@huskytail
Жыл бұрын
Just came here to find it but I will have to join the queue waiting for part 2 😅
@amyn86
11 ай бұрын
@@huskytail 3month of waiting im not interested anymore i well unsubscribe they don't respect us ....
@huskytail
11 ай бұрын
@@amyn86 I must confess I had even forgotten about it.
i watched the video, but i feel sad i am understanding very little. i didn't know you had a real world hacker course.
Which OS you are using?
@FlashbackTeam
Жыл бұрын
Pedro prefers Debian, and Radek likes Ubuntu more.
Just another example of cops thinking they're above those they're supposed to serve
looks like dns reading memory overflow
Samsung Qualcomm mobile dead boot unbrick, can you 'hack' it ?
Where is part 2?
👍👩💻
Excellent on how to also think it up. Not just run some tools.
DAYRIIN FIHA KHOBARAAAAA2 WLA
@abdelhamidnaceri9431
Жыл бұрын
WAYLI LA RAHOM MACHI KHOBARA2
What knowledge should i have to understand this video ??!!
No mamen están cabrones
no one talking about cornhub??
Another piece of software that forgot to never trust user input 🙃