How We Hacked a TP-Link Router and Took Home $55,000 in Pwn2Own

Flashback Team 388,697 4 years ago

Learn tricks and techniques like these, with us, in our amazing training courses! https://flashback.sh/training

In this video we will show you how we found and exploited a chain of vulnerabilities in the TP-Link Archer AC1750 to win $5,000 in Pwn2Own Tokyo 2019. We bagged a total of $55,000 hacking routers in this competition!

00:00 Intro
01:48 Finding debug interface
04:35 Finding the vulnerability
06:23 Vulnerability details
15:20 Exploit demo
16:33 Outro

For in-depth details, refer to our advisories:
https://www.flashback.sh/blog/lao-bomb-tplink-archer-lan-rce
https://www.flashback.sh/blog/minesweeper-tplink-archer-lan-rce

The two advisories complement each other. The first one describes the process we used to pwn this router in 2019, and the second one how we found in 2020 that TP-Link improperly patched the command injection. We used that knowledge to improve the exploit so that it works on old and newer "patched" firmware. The command injection described in this video is the improved one.

The vulnerabilities exploited in this video are:
- CVE-2020-10882
- CVE-2020-10883
- CVE-2020-10884
- CVE-2020-28347

All vulnerabilities have been fixed by TP-Link in current firmware versions.

Intro material comes from the ZDI YouTube channel under CC-BY.

Did you enjoy this video? Then follow us on Twitter, and subscribe to our channel for more awesome hacking videos.

~ Flashback Team
https://flashback.sh
https://twitter.com/FlashbackPwn
