09-05, 13:30–14:00 (Europe/Amsterdam), Second track
How many times do we need to kill the NsaRescueAngel? What's up with this messed up python webserver? Why the hell did this command injection get reimplemented?! Those were my words whilst digging into ZyXEL's NAS326 firmware from which I found multiple zeroday vulnerabilities earlier this year, which this talk will use for a case study and discuss the consequences of bad design and subpar patching.
The talk will begin with a short story on how the entire process started before proceeding into details on the NsaRescueAngel backdoor (CVE-2024-29972). Once there is a basic understanding of the core requirements set to exploit it we will move along into the authentication mechanisms present. It's flaws, consequences and results (CVE-2024-29974, CVE-2024-29972, CVE-2024-29976). Further on the talk will investigate a python code injection caused by the architectural design of a CherryPy webserver present on the machine (CVE-2024-29973), how the framework design caused the developers to first fix one zeroday found by IBM (CVE-2023-27992) and in a future update reimplement it once more. Finally previous patches performed on the code injection will receive a brief investigation and conclusions for the set questions will be drawn.
Key questions the talk intends to address
- What were the actual vulnerabilities I found?
- Insight into patterns and trends observed in past CVEs
- Can we expect to see more of them?
I'm the type of guy who finds it funny when my car engine is full of glitter or when my home router runs a minecraft server. I entered the computer security field due to movies (HACKERS) and youtube videos before proceeding to study for a master of science in engineering: computer security degree. My professional experience includes being the head of IT for the student union at BTH along with part-time and now full-time work at Vulnerability Research in Outpost24. My primary interest is focused on computers, hardware, software architecture and cars.