Full Report
The authors decided to take a look at the TP-Link ER605 router and attack it from the WAN side. When looking at the attack surface, they decided to check out the dynamic DNS (DDNS) provider Comexe that the router uses. The DDNS client has many custom components, which is super scary on something that's externally accessible. The device tries to reach the Comexe DDNS servers: to get the server's IP, it resolves the hostname with a regular DNS query, then talks to it over UDP with data encrypted under a hardcoded key. Since there is no host validation via TLS or anything similar, an attacker in a MitM position can simply impersonate the server and receive and send requests to the client device! With an easy authentication bypass in the bag, there is now more attack surface. When parsing the response code, the client takes the copy length for a strncpy from the received bytes themselves, leading to a buffer overflow on the stack. With 800 bytes at their disposal, they could trivially overwrite EIP on the stack to get code execution. They found several more overflows like this, but this was the juiciest. Not so fast! Even though there are no stack canaries, the device has ASLR. Another buffer overflow they found was the copy of a user-controlled buffer into the globals section, into a region that should only be 0x80 bytes in size. Using this overflow, they can corrupt various parts of the globals to affect the program. For instance, even though the length of a DNS entry was 0x80, the stored length can be corrupted to allow larger values. Using this bug, they can write more data to the stack and corrupt the send length used for the reply, resulting in a large OOB read. With this, they can read the address of libc from the stack. Now they can use a ret2libc attack to get code execution on the device! From there, they wanted to pivot to another target: the Synology IP camera.
Within this, they found a fairly simple stack buffer overflow when parsing JSON data via sscanf(). Since this API requires no authentication, we're in business! On the stack was a function pointer that they could set to system, and its parameter happened to be controlled by them as well! The binary used many protections, such as RELRO and NX, but not stack canaries. Additionally, ASLR/PIE was used on the device, but with only 8 bits of randomness for the app code and 12 bits for the heap. So, how do we defeat this? Brute force! The heap can easily be sprayed by providing a ton of data. The location of system appears to be brute forced, since 1/256 is doable against this program. They had some trouble with encoding as well, since everything had to be valid UTF-8 and couldn't contain actual null bytes, but they worked through this. Overall, a solid post on the bug hunting experience at Pwn2Own! There's a major difference between real-world exploits and CTFs, which I enjoy seeing.
Analysis Summary
# Research: Pwn2Own Toronto 2023: WAN-to-LAN Exploit Showcase
## Metadata
- **Authors:** Sharon Brizinov, Noam Moshe, Tomer Goldschmidt
- **Institution:** Claroty Team82
- **Publication:** Claroty Research Blog
- **Date:** July 9, 2024
## Abstract
This research details a multi-stage exploit chain targeting the TP-Link ER605 router and the Synology BC500 IP camera. By exploiting the Dynamic DNS (DDNS) implementation on the router's WAN interface, researchers achieved Remote Code Execution (RCE) with root privileges. Using the compromised router as a pivot point, they then successfully attacked a Synology IP camera within the local network, demonstrating a complete "WAN-to-LAN" compromise.
## Research Objective
The study aims to demonstrate the feasibility of bypassing Network Address Translation (NAT) and firewall protections by exploiting vulnerabilities in edge devices (routers) to move laterally into a protected local area network (LAN).
## Methodology
### Approach
1. **Attack Surface Analysis:** Identification of WAN-accessible services, specifically custom DDNS protocols.
2. **Reverse Engineering:** Analyzing the `cmxddnsd` binary and proprietary Comexe DDNS protocol.
3. **Vulnerability Discovery:** Identifying memory corruption and logic flaws.
4. **Exploit Development:** Chaining multiple vulnerabilities to bypass modern mitigations (ASLR, NX).
5. **Lateral Movement:** Using the compromised router to proxy traffic to internal IoT devices.
### Dataset/Environment
- **Hardware:** TP-Link ER605 (VPN Router) and Synology BC500 (IP Camera).
- **Network:** A standard SOHO (Small Office/Home Office) layout with a WAN-facing router and internal LAN devices.
### Tools & Technologies
- **Static/Dynamic Analysis:** Standard reverse-engineering tools for binary analysis.
- **Exploitation Techniques:** Return-Oriented Programming (ROP), Ret2LibC, Heap Spraying, Brute-forcing.
- **Networking Tools:** `socat` for proxying, `iptables` for firewall manipulation.
## Key Findings
### Primary Results
1. **Authentication Bypass (CVE-2024-5242):** The Comexe DDNS implementation lacked server host validation (no TLS/SSL), allowing an attacker with Man-in-the-Middle (MitM) capabilities to impersonate the DDNS provider.
2. **Stack-Based Buffer Overflow (CVE-2024-5243):** A flaw in parsing DDNS response codes allowed for EIP/RIP control through an unchecked `strncpy` operation.
3. **Information Leak (CVE-2024-5244):** A global buffer overflow enabled the researchers to corrupt the `sendSize` variable, leading to an Out-of-Bounds (OOB) read that leaked LibC addresses to bypass ASLR.
4. **Secondary Target Compromise:** A `sscanf` buffer overflow in the Synology BC500's unauthenticated JSON parsing allowed for RCE on the camera via a system call.
### Novel Contributions
- **Custom Protocol Exploitation:** Highlighting the dangers of proprietary, unencrypted DDNS protocols in edge security devices.
- **Creative ASLR Bypass:** Using a global variable overflow to influence a secondary function's stack behavior for data exfiltration.
## Technical Details
The TP-Link exploit chain is a manual masterclass in memory corruption:
1. **The Leak:** By overflowing a global buffer (limited to 0x80 bytes), the researchers corrupted a length value. This caused the router to send back more data than intended in a UDP packet, including stack pointers and LibC addresses.
2. **The Pivot:** Once ASLR was defeated, they leveraged an 800-byte stack overflow in the `_checkPkt` frame. By crafting a ROP chain, they redirected execution to `system()`.
3. **The Local Attack:** On the Synology camera, the team encountered a 1/256 brute-force challenge due to 8-bit PIE randomness. They used heap spraying to increase the success rate and overcame UTF-8 character restrictions (no null bytes) to execute the final payload.
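As an added illustration (not code from the Claroty writeup or from the router firmware), the length-from-packet `strncpy` pattern behind the response-code stack overflow, beside a checked version that refuses a code longer than its destination buffer. The one-byte-length framing, the 16-byte buffer and the sample packets are constructed assumptions, not the Comexe wire format.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical framing for the DDNS "response code" field: one length byte
 * followed by that many bytes. Not the real Comexe wire format; it only
 * reproduces the length-from-packet pattern the writeup describes. */
#define CODE_BUF_SZ 16

/* Vulnerable pattern: the copy length comes straight from the packet, so a
 * length beyond the caller's 16-byte stack buffer smashes the frame. Contrast only. */
int parse_code_unchecked(const uint8_t *pkt, size_t pkt_len, char *out)
{
    size_t n = pkt_len ? pkt[0] : 0;
    if (pkt_len < 1 + n) return -1;          /* only the packet is checked */
    strncpy(out, (const char *)pkt + 1, n);  /* n not bounded by the buffer */
    out[n] = '\0';
    return (int)n;
}

/* Hardened form: the length is validated against the destination size
 * (leaving room for the terminator) before a single byte is copied. */
int parse_code_checked(const uint8_t *pkt, size_t pkt_len,
                       char *out, size_t out_sz)
{
    if (pkt_len < 1) return -1;              /* no length byte at all */
    size_t n = pkt[0];
    if (n >= out_sz) return -2;              /* would overflow the buffer */
    if (pkt_len < 1 + n) return -1;          /* truncated packet */
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample packets, not captured traffic. */
const uint8_t pkt_ok[]    = {5, 'O', 'K', '2', '0', '0'};
const uint8_t pkt_short[] = {9, 'A', 'B'};   /* claims 9 bytes, carries 2 */

/* Runs the hardened parser with a fixed-size stack buffer. */
int try_parse_checked(const uint8_t *pkt, size_t pkt_len)
{
    char code[CODE_BUF_SZ];
    return parse_code_checked(pkt, pkt_len, code, sizeof code);
}

/* Builds a packet claiming a 200-byte code; the check rejects it before copying. */
int try_oversize_checked(void)
{
    uint8_t pkt[1 + 200];
    memset(pkt, 'A', sizeof pkt);
    pkt[0] = 200;
    return try_parse_checked(pkt, sizeof pkt);
}
```

The same bound-by-destination rule applies to the reply path: a send length stored in a corruptible global is what turned the second overflow into the libc leak, so the number of bytes written out should be clamped to the real payload size at the point of sending.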
## Practical Implications
### For Security Practitioners
- Infrastructure is only as secure as its weakest WAN-facing component. Even "secure" VPN routers can house legacy or poorly implemented custom protocols.
### For Defenders
- **Hardening:** Disable unused features like DDNS if not required.
- **Monitoring:** Look for unusual UDP traffic on port 9994 or unexpected DNS resolutions to third-party DDNS providers.
- **Patch Management:** Ensure TP-Link ER605 is updated to Build 20240119 or later.
### For Researchers
- Proprietary "cloud discovery" or "update" protocols remain a fertile ground for high-impact vulnerabilities.
## Limitations
- The initial router exploit requires a **Man-in-the-Middle (MitM)** position. While difficult on the open internet, this is achievable via ISP compromise, DNS poisoning, or local network positioning.
- The Synology exploit relied on a brute-force approach against ASLR, which may cause service instability or crashes before succeeding.
## Real-world Applications
- **Red Teaming:** Demonstrates how to pivot from a peripheral device to high-value internal assets (like IP cameras or NAS units).
- **IoT Security:** Serves as a case study for implementing TLS and robust input validation in embedded systems.
## Future Work
- Investigation into other proprietary DDNS providers supported by TP-Link and other major router vendors.
- Analysis of "Part 2" (forthcoming) focusing deeper on the lateral movement and Synology-specific exploitation.
## References
- [Claroty Team82 Research](https://claroty.com/team82/research)
- [ZDI-24-833 (Synology Advisory)](https://www.zerodayinitiative.com/advisories/ZDI-24-833/)
- CVE-2024-5242, CVE-2024-5243, CVE-2024-5244