Reversing Belkin’s WPS Pin Algorithm – /dev/ttyS0

After finding D-Link’s WPS algorithm, I was curious to see which vendors might have similar algorithms, so I grabbed some Belkin firmware and started dissecting it. This particular firmware uses the SuperTask! RTOS, and in fact uses the same firmware obfuscation as seen previously on the Linksys WRT120N: DECIMAL HEXADECIMAL… Continue reading

Hacking the D-Link DIR-890L – /dev/ttyS0

The past 6 months have been incredibly busy, and I haven’t been keeping up with D-Link’s latest shenanigans. In need of some entertainment, I went to their web page today and was greeted by this atrocity: D-Link’s $300 DIR-890L router I think the most “insane” thing about this router is… Continue reading

Reversing D-Link’s WPS Pin Algorithm – /dev/ttyS0

While perusing the latest firmware for D-Link’s DIR-810L 80211ac router, I found an interesting bit of code in sbin/ncc, a binary which provides back-end services used by many other processes on the device, including the HTTP and UPnP servers: Call to sub_4D56F8 from getWPSPinCode I first began examining this particular… Continue reading

A Code Signature Plugin for IDA – /dev/ttyS0

When reversing embedded code, it is often the case that completely different devices are built around a common code base, either due to code re-use by the vendor, or through the use of third-party software; this is especially true of devices running the same Real Time Operating System. For example,… Continue reading

Hacking the DSP-W215, Again, Again, Again – /dev/ttyS0

So far, the vulnerabilities found in the DSP-W215 have only been practically exploitable from the LAN, unless someone was foolish enough to make their smart plug remotely accessible on the Internet. The typical way for external attackers to target internal web servers, such as the one running on the DSP-W215,… Continue reading

Hacking the DSP-W215, Again, Again – /dev/ttyS0

Here we go again…again. In the last DSP-W215 exploit, I mentioned that the exploit’s POST parameter name had to be “storage_path” in order to prevent the get_input_entries function from crashing prematurely. That’s because there is another stack overflow, this time in the replace_special_char function, which is called by get_input_entries if… Continue reading

Hacking the DSP-W215, Again – /dev/ttyS0

D-Link recently released firmware v1.02 for the DSP-W215 to address the HNAP buffer overflow bug in my_cgi.cgi. Although they were quick to remove the download link for the new firmware (you must “Use mobile application to upgrade device”), I grabbed a copy of it before my trip to Munich this… Continue reading

Hacking the D-Link DSP-W215 Smart Plug – /dev/ttyS0

The D-Link DSP-W215 Smart Plug is a wireless home automation device for monitoring and controlling electrical outlets. It isn’t readily available from Amazon or Best Buy yet, but the firmware is up on D-Link’s web site. The D-Link DSP-W215 TL;DR, the DSP-W215 contains an unauthenticated stack overflow that can be… Continue reading

WRT120N fprintf Stack Overflow – /dev/ttyS0

With a good firmware disassembly and JTAG debug access to the WRT120N, it’s time to start examining the code for more interesting bugs. As we’ve seen previously, the WRT120N runs a Real Time Operating System. For security, the RTOS’s administrative web interface employs HTTP Basic authentication: 401 Unauthorized Most of… Continue reading

Cracking Linksys “Encryption” – /dev/ttyS0

Perusing the release notes for the latest Linksys WRT120N firmware, one of the more interesting comments reads: Firmware 1.0.07 (Build 01) – Encrypts the configuration file. Having previously reversed their firmware obfuscation and patched their code to re-enable JTAG debugging, I thought that surely I would be able to use… Continue reading