tags: pwn2own, tp-link, router, iot, crypto, stack_overflow, OOB_read
original link: Pwn2Own: WAN-to-LAN Exploit Showcase
newsletter link: exploits.club Weekly Newsletter 29


Exploits Club Summary:

Claroty Team82 released a write-up for the first stage of their SOHO Smashup exploit chain at Pwn2Own 2023 Toronto. This post discusses the WAN exploit they achieved against the TP-Link ER605 router. It starts by enumerating the attack surface, which led the team to target the binary handling DDNS services on the device. After reverse engineering the custom protocol, the team identified three vulnerabilities. The first allowed them to impersonate the DDNS server, because the protocol relied on symmetric encryption with a hardcoded key and performed no additional authentication of the server. They then leveraged two buffer overflows: the first to leak data back to their malicious server and defeat ASLR, and the second to achieve RCE. Part 2 is expected to cover pivoting from the router to exploit the Synology BC500 IP camera.