Hacking the DSP-W215, Again, Again, Again – /dev/ttyS0

So far, the vulnerabilities found in the DSP-W215 have only been practically exploitable from the LAN, unless someone was foolish enough to make their smart plug remotely accessible on the Internet. The typical way for external attackers to target internal web servers, such as the one running on the DSP-W215,…

Hacking the DSP-W215, Again, Again – /dev/ttyS0

Here we go again…again. In the last DSP-W215 exploit, I mentioned that the exploit’s POST parameter name had to be “storage_path” in order to prevent the get_input_entries function from crashing prematurely. That’s because there is another stack overflow, this time in the replace_special_char function, which is called by get_input_entries if…

Hacking the DSP-W215, Again – /dev/ttyS0

D-Link recently released firmware v1.02 for the DSP-W215 to address the HNAP buffer overflow bug in my_cgi.cgi. Although they were quick to remove the download link for the new firmware (you must “Use mobile application to upgrade device”), I grabbed a copy of it before my trip to Munich this…

Hacking the D-Link DSP-W215 Smart Plug – /dev/ttyS0

The D-Link DSP-W215 Smart Plug is a wireless home automation device for monitoring and controlling electrical outlets. It isn’t readily available from Amazon or Best Buy yet, but the firmware is up on D-Link’s web site. TL;DR, the DSP-W215 contains an unauthenticated stack overflow that can be…

Embedded Device Exploitation Class Online – /dev/ttyS0

Since starting our in-seat Embedded Device Exploitation class, we’ve been getting queries about offering the class online. Well, good news: it’s coming! But, we need to gauge interest before deciding to go all-in, so if you want to see EDE offered online, go to www.edetraining.com and submit your email address…

WRT120N fprintf Stack Overflow – /dev/ttyS0

With a good firmware disassembly and JTAG debug access to the WRT120N, it’s time to start examining the code for more interesting bugs. As we’ve seen previously, the WRT120N runs a Real Time Operating System. For security, the RTOS’s administrative web interface employs HTTP Basic authentication: [Image: 401 Unauthorized] Most of…