Ghosts'n'gadgets: common buffer overflows that still haunt our networks
2024-10-24, Europe - Main Room

Stack smashing has become very different in the 21st century. Binary hardening
mechanisms used by default by all modern OSes make it nearly impossible to
exploit trivial buffer overflows. Since 1996, machines have evolved
significantly and you cannot even follow the original "Smashing the stack
[...]" tutorial by Aleph One on a modern computer.

Yet, there are other kinds of machines that lack all the binary hardening we
now take for granted. Because of that, they are ideal "target practice"
material for those who wish to learn about exploiting stack-based buffer
overflows or use them for causing real damage. Too bad these machines "sit"
on the edge of home and enterprise networks, often being the only barrier
that attackers need to overcome for a complete PWN.

In this talk I will demonstrate how we could smash the stack of two networking
devices from two different vendors (a wireless gateway, and a high-throughput
VPN concentrator), allowing for unauthenticated root access. I will also
present the vulnerability root-cause analysis and offer insights on why such
attacks are still viable in 2024.

I will start the talk with an introduction to the two vulnerable devices,
followed by a quick overview of the vulnerability research activities we have
performed against them.

Next, we will go over the root-cause analysis of these vulnerabilities,
focusing on two stack buffer overflow vulnerabilities that allow for Remote
Code Execution.

I will then demonstrate how we used these vulnerabilities to pop a root shell
on both devices (interestingly, they are designed not to allow any kind of
root access to the users). I will discuss the binary hardening mechanisms we
had to bypass (or the lack thereof), and demonstrate the exploits in action.

See also: Slides (1.9 MB)

Stanislav Dashevskyi is a Security Researcher at Forescout. He received his PhD from the International Doctorate School in Information and Communication Technologies (ICT) at the University of Trento (Italy) in 2017. His main research interests are open source software, software security, and vulnerability analysis.