In this presentation, we go over the main challenges we faced during our analysis of the top-selling router on a local eCommerce site, and how we found a zero-click, unauthenticated remote code execution vulnerability (CVE-2022-27255). We will walk through how we located the root cause of this vulnerability and found that it was ingrained in Realtek's implementation of a networking functionality in its SDK for eCos devices. Then, we will discuss exploitation and post-exploitation strategies on this type of router and show a PoC exploit that proves how this vulnerability can be used to execute code and make the device act as a port scanner for its local network.
After that, we will present the method we used to automate the detection of this vulnerability in other firmware images. We reflect on the fact that on most routers this functionality is not even documented and cannot be disabled via the router's web interface. We take this as an example of the hidden attack surface that lurks in OEM internet-connected devices.
We conclude by discussing why this vulnerability had not been reported before, despite being easy to spot (we found it with no prior IoT experience), widespread (affecting multiple devices from different vendors), and critical.
Our research highlights the poor state of firmware security, where vulnerable code introduced down the supply chain might never get reviewed and can end up having a great impact. This shows that security is not a priority for the vendors and opens the possibility for attackers to find high-impact bugs with low investment and little prior knowledge.
Speaker: Octavio Gianatiempo
Octavio Gianatiempo is a Security Researcher at Faraday and a Computer Science student at the University of Buenos Aires. He is also a biologist with research experience in molecular biology and neuroscience. The need to analyze complex biological data was his point of entry into programming, but he wanted to achieve a deeper understanding of how computers work, so he enrolled in Computer Science. As a Security Researcher at Faraday, he focuses on reverse engineering and fuzzing open and closed source software to find new vulnerabilities and exploit them.