Abstract

Hacking through the WAN (Wide Area Network) interface of a consumer or enterprise network router requires different approaches and techniques than hacking through the LAN (Local Area Network) interfaces. 

WAN interface services are usually much better protected and firewalled than in a LAN interface, and usually there are no network services accessible from the WAN. However, using the techniques we have developed we were able to demonstrate 6 unique successful WAN exploits during our Pwn2Own adventures. In this talk, we will present our exploits and methodology that we kept private for our own use until now.

Description

The network router defines the boundary between a trusted home or enterprise network and the Internet.

Controlling a router is of great interest for lawful operators, botnets and ransomware groups and allows for stealthy infiltration of a home or enterprise network. This is clear with the recent expansion of botnets created from insecure network routers by exploiting WAN (Wide Area Network) / Internet facing interface vulnerabilities.

However, in the last couple of years most vendors have drastically improved the security of their newer products, especially in the WAN interface side. A locked down firewall, use of binary protections and secure default configurations raise the bar and force an attacker to be more creative. It’s not a walk in a park anymore!

In this talk, we will present a series of techniques that we used to discover multiple vulnerabilities affecting the WAN / Internet facing network interfaces of consumer and enterprise grade routers.

These techniques and vulnerabilities are unique due to complexities of exploitation over the Internet, however, mostly result in 100% reliable, unauthenticated code execution as root in the target devices, and in some cases install permanent “backdoors” that survive factory resets.

Using these techniques, we have won multiple prizes in several Pwn2Own competitions as the Flashback Team, winning it outright in 2020 and amassing over $150,000 in cash prizes over the course of three years.

We will explain and demonstrate three different exploits we used in these competitions, with a step-by-step tale of our adventures while researching, discovering and exploiting each vulnerability.

We will present 3 complete exploits: 2 memory corruption exploits and 1 logical vulnerability. At the end of the talk, we will release full advisories and Metasploit modules (pending authorization from Zero Day Initiative).  

 Planned Structure

  1. Introduction
  2. Consumer vs Enterprise Grade Routers vs ISP routers
  3. LAN vs WAN Exploitation
  4. Firewall Bypasses
  5. Insecure Update Mechanisms
  6. Attacking Core Router Services
  7. Exploitation Over the Internet
  8. Persistency
  9. Lessons Learned
  10. Future WAN Attacks

About the speakers

Pedro Ribeiro is a vulnerability researcher and reverse engineer with over 12 years of industry experience. Pedro has found and exploited hundreds of vulnerabilities in software and hardware products. He has over 150 CVE identifiers attributed to his name (most of which resulting in unauthenticated remote code execution) and has authored over 50 Metasploit modules that have been released publicly. Besides his vulnerability research activities, he is the founder and director of a penetration testing and reverse engineering consultancy based in London.

Radek Domanski started his professional career 12 years ago securing large networks and systems and transitioned afterwards into offensive security. He worked on high profile projects within the largest Internet Service Provider in Europe and in the research center of one of the world’s largest telecommunications equipment companies. Radek found a number of critical vulnerabilities in real products and systems that are used by millions of users worldwide.