zcutlip

HITB AMS abstract

Jan 31st, 2014
Broken, Abandoned, and Forgotten Code: A Secret Passage to Persistent SOHO Router Ownage

This talk will describe how partially implemented functionality that has long since been abandoned and forgotten can be exploited to gain complete, persistent control of a Netgear wireless router. In it, I will describe a hidden SOAP action I discovered in the vendor's UPnP stack that, at first glance, appeared to allow unauthenticated remote firmware upload to the router. After a bit of reverse engineering, it became apparent that this functionality was never fully implemented and could never work properly in the wild. What started out as an investigation into a hidden SOAP handler turned into something resembling a stroll through someone's unfinished virtual world, where a step through the wrong door without looking could lead to oblivion.

I set out to discover how to specially craft a malicious firmware image and a SOAP request that would route around the many bugs and the incomplete implementation, such that I could take persistent control of the router. Ultimately, I had to overcome the program's misuse of the Unix sockets API; lazy, improper parsing of the SOAP request and firmware image; broken memory allocation and freeing; and other pitfalls. One of my self-imposed restrictions was not to exploit any of the bugs I encountered along the way. They were obstacles to be overcome. In the end, I succeeded in pushing a firmware image of my own creation to the device, and this is the story of how I did that. Come for the talk, stay for the live demo on actual hardware! I will flash a firmware image to the Netgear wireless router that will be indistinguishable from the original, yet provide persistent backdoor access.