Seamlessly Discovering Netgear Universal Plug-and-Pwn (UPnP) 0-days

Introduction

A Vulnerability Researcher’s Favorite Stress Relief

Continuing in our series of research findings involving Netgear[1] products,[2] this blog post describes a pre-authentication vulnerability in Netgear SOHO devices that can lead to Remote Code Execution (RCE) as root. While our previous research investigated the Netgear web server and update daemons, the issues described in this blog revolve around the device’s UPnP daemon. Anyone with Small Office/Home Office (SOHO) device vulnerability research experience will be familiar with UPnP. UPnP servers allow any unauthenticated device on the network to connect to the server and reconfigure the network to support its operations. For instance, the Xbox One uses UPnP to configure the port forwarding necessary for gameplay. However, this service provides a large attack surface for the device, as it must accept unauthenticated requests and parse complex input to handle those requests. Further, the UPnP service on SOHO devices has pr

Escalating XSS to Sainthood with Nagios

Introduction

If you’re running a big enough network, chances are you have a monitoring server tucked away somewhere, silently watching and waiting to let you know if something goes wrong. This same quiet IT warrior is also a juicy target for attackers, because it both houses a large amount of data about your network and serves as an ideal launching point from which to move laterally within the network. Given the importance of such a target, one would naturally expect the monitoring server to be housed internally within a network, with inbound network access tightly controlled, but that doesn’t mean there’s no way in. Take Nagios as an example. Nagios’s primary user interface is a web application that is designed to execute administration tasks. As a result, there are many places where it handles commands that run with elevated privilege. This means that there are many ways a small issue can snowball into a big problem for a network, and the amount of flex

Geeking Out on IBM i - Part 2

(This is part 2 of a three-part series. To view part 1, click here.)

Network Configuration

This part in the three-part "Geeking Out on IBM i" series focuses on network configuration. This series is an effort to make IBM i (AS/400) lingo and concepts easily accessible to the hacker community, hoping to reduce the barrier of entry for security research. Configuring the IBM i network interfaces was an interesting challenge for me, a primarily Linux/Unix person. When we finally got time to work on this project, Michigan was just heading into COVID-19 lockdown, and remote access to the machine was becoming urgent. That made all of this a little more stressful. I found a couple of different “configuring TCP/IP on IBM i” articles on the Internet. As usual, they were written for other versions of the OS, probably naming the system “AS/400” or “iSeries.” This created some anxiety for this newly-minted IBM i geek. I guess I have seen the exact same thing on all the different versio