Hack2Win 2017 D-Link 850L Results

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom

On June 11th 2017 we announced the first online version of our ‘Hack2Win’ hacking competition. We allocated $10,000 USD in payouts for valid submissions and 2 months of competition time – making the product available on the internet – to give everyone a chance to hack it. The device was made publicly accessible on July 3rd.

We were pleasantly surprised to get the first submission on June 12th, just one day after we advertised our competition. Unfortunately that submission didn’t work on our hardware revision, and thus was not considered for a prize.

Subsequent submissions were not far behind: on June 29th we received an unauthorized RCE as root from the LAN.

On June 30th we received another submission – one that allowed remote retrieval of the admin password from both the WAN and LAN interfaces.

On July 3rd we received the submission that ended the competition – an Unauthenticated Remote Code Execution from both the WAN and LAN interfaces.

Once this last submission arrived, we ended the competition having reached the goal of owning the device from both the LAN and WAN sides.

D-Link has been contacted and the full write-up will be published after the vendor releases patches for these vulnerabilities.

What’s interesting is that all 3 researchers who submitted vulnerabilities found the same underlying security issue – but from there, each researcher exploited it in a different way. Only one of the researchers successfully exploited the vulnerability to achieve unauthenticated remote code execution from the WAN.

Prizes:

  • 1st place goes to Zdenda – $5,000 USD for the unauthenticated Remote Code Execution from WAN
  • 2nd place goes to Peter Geissler – $2,500 USD for retrieving the admin password from WAN
  • 3rd place goes to Pierre Kim – $2,500 USD for the unauthorized RCE as root from LAN

Our main takeaway from this competition is how talented the researchers out there are. Our research community members are really good at finding vulnerabilities in products, and when there is a clear goal they will reach it. In addition, we decided that we need to challenge them more, and more frequently 🙂

Our next target won’t be as easy as a D-Link router – and the prizes will rise accordingly. Stay tuned.

Hack2Win 2017 – The Online Version


We are proud to announce our first online hacking competition!

The rules are very simple – you need to hack the D-Link router (AC1200 / DIR-850L), and you can win up to $5,000 USD.

To help you win, we bought a D-Link DIR-850L device and plugged it into the internet (we will disclose the IP address on the 1st of July 2017) for you to try to hack. Although WAN access is the only point of entry to this device, we will accept LAN vulnerabilities as well.

If you successfully hack it, submit your findings to us at ssd[]beyondsecurity.com; you will get paid, and we will report the information to the vendor.

The competition will end on the 1st of September 2017, or earlier if a total of $10,000 USD has been paid out for eligible research.

Product details:

  • Model: DIR-850L
  • Product name: AC1200
  • Firmware: FW1.14.B07
  • Updated: latest available (02/17/2017)
  • Hardware version: A1

Prizes:

  1. Unauthenticated Remote Code Execution – up to $5,000 USD
  2. Authentication Bypass (bypassing the authentication mechanism without any prior knowledge, or resetting the password to the default) – up to $2,500 USD
  3. Information Disclosure (access to the current password) – up to $1,000 USD
  4. Other – the amount paid will depend on the risk and seriousness of the vulnerability

The total amount paid during the contest will be up to $10,000 USD.

If more than one person submits an unauthenticated RCE, the first to submit the vulnerability to us will win the promised amount, while the others will receive 50% of the above promised amount.

All submissions will be considered unless they are duplicates – any vulnerability that targets the same URL or mechanism to perform the attack will be considered a duplicate.

For any duplicate submission we receive, we will give the researcher a free T-shirt as well as an acknowledgement in the vendor’s advisory and in our advisory for finding the vulnerability.

Judging Criteria

  • The participant uses an unknown vulnerability (no record of it can be found on Google, Exploit-DB, etc.)
  • Complexity of the attack – what was required to achieve it
  • Innovative method – SQLi, RCE, etc., ranked from least to most innovative
  • Whether the attack affects the LAN or the WAN – more points if it affects the WAN
  • What the attack achieves – no access is given to the challengers, so they need to go from no access to some access; a guest-level access is therefore considered less valuable than root
  • Write-up quality – the best write-up (in English): most detailed, best explanation, etc.

Device Settings
The router will be accessible to participants via an IP address that we will disclose on the 1st of July 2017.

The router has been updated to the latest firmware available from the vendor website (http://support.dlink.com/ProductInfo.aspx?m=DIR-850L), which at the time of writing is the security advisory build 1.14B07 h2ab BETA1.

We left the default settings in place; the only non-default changes are that we set a new password for the ‘admin’ account and enabled the “Remote Management” feature.

What counts as ‘hacked’
A device would be considered ‘hacked’ if the participant can prove they:

  • Gained access to the device’s post-authentication admin web interface (remember – you will not be given any credentials)
  • Changed some configuration value, such as the WiFi password
  • Made the device do something it’s not supposed to do, such as executing code or opening a port/service that was previously closed (SSH, telnet, etc.)

What we won’t count as ‘hacked’

  • Causing a malfunction of the device – DoS / XSS / CSRF, making it unresponsive, making it no longer boot, etc.
  • Use of any known method of hacking – known methods include anything that can be located via Google/Bing/etc., such as a documented default password (that cannot be changed) or known vulnerabilities/security holes (found via Google, Exploit-DB, etc.)

Eligibility
The contest is open to anyone who is of legal age to receive a contest prize in their country. If you are not allowed to receive prizes – please check this before participating – you may want to team up with someone who is of legal age to receive prizes.

The contest is not open to anyone working for D-Link or involved in the development of the above device.

Submitting your findings
In order to submit your findings, please send an email to ssd[]beyondsecurity.com with the following title: “Hack2Win [TYPE-OF-VULNERABILITY] [YOUR-NAME]”

The email should contain the following information:

  1. Vulnerability Title
  2. Date of submission
  3. Description of Vulnerability
  4. Configuration Requirements (if needed)
  5. Vulnerability Requirements (if needed)
  6. Vulnerability Summary Information
  7. Affected Versions Tested
  8. Attack Vector
  9. Exploitation Impact (Code Execution, Denial of Service, etc)
  10. Exploitation Context (runs on Server/ attacks User)
  11. Vulnerability Technical Details
  12. Exploitation

Please encrypt your report with our GPG public key (published on the pgp.mit.edu keyserver) when submitting it to us.

Hack2Win 2016 – a CodeBlue Conference Event


Hi everyone,

This year again, our Code Blue event will let you win prizes and show your skills in hacking network based devices.

We have selected 9 devices so far for you to try and hack.

We looked far and wide for different devices, all around the $200 USD range, so that they won’t be expensive for you to buy and try out before the event.

Hack2Win – 2nd Day and Summary


At the end of day 2 we had a total of 11 people taking part in the hacking contests, with about 30 people watching them hack live. Thank you all!

I’d like to especially mention the skilled security researchers from Korea, who were the ultimate winners of this contest by finding the most impressive vulnerability as selected by the judges.

As a group they were awarded 1st place and won the cash prize.

We are already thinking about next year’s event. It might be fun to change from IP cameras to other consumer electronics. The IP cameras were not much of a challenge this year, with 2 out of the 3 getting hacked and the 3rd getting totally ‘bricked’ – not even working after a factory reset.

We will keep you posted on the vendors’ reaction to these vulnerabilities, with updates on the fixes they release and, of course, additional information on the researchers’ findings.

Until next year!