SSD Advisory – Hack2Win – Cisco RV132W Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Cisco RV132W Wireless N VPN version 1.0.1.8.

The Cisco RV132W Wireless-N ADSL2+ VPN Router is “easy to use, set up, and deploy. This flexible router offers great performance and is suited for small or home offices (SOHO) and smaller deployments.”

The vulnerabilities found are:

  • Information Disclosure That Leads to Password Disclosure
  • Unauthenticated WAN Remote Code Execution

Credit
A security researcher from NHSC has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Cisco were informed of the vulnerabilities and released patches to address them: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x

CVE: CVE-2018-0125 / CVE-2018-0127

SSD Advisory – Hack2Win – Asus Unauthenticated LAN Remote Command Execution

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router.

AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT graphical user interface gives you easy access to the 30-second, 3-step web-based installation process. It’s also where you can configure AiCloud 2.0 and all advanced options. ASUSWRT is web-based, so it doesn’t need a separate app, or restrict what you can change via mobile devices — you get full access to everything, from any device that can run a web browser”

The vulnerabilities found are:

  • Access bypass
  • Configuration manipulation

Credit
An independent security researcher, Pedro Ribeiro (pedrib_at_gmail.com), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Asus were informed of the vulnerabilities and released patches to address them (version 3.0.0.4.384_10007).

For more details: https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/

CVE: CVE-2018-5999 and CVE-2018-6000

Hack2Win eXtreme

Hack2Win is a hacking competition we launched 5 years ago.

The competition has so far had two flavors – Hack2Win Online and Hack2Win CodeBlue.

We decided to go big this year with Hack2Win eXtreme!

Hack2Win eXtreme will focus on two primary targets, browsers and mobile.

We have up to $500,000 USD to give away!

The competition will take place during the beVX conference, on September 20-21, 2018.

Hack2Win – Code Blue 3rd Edition

Hi everyone,

We are excited to announce our 3rd Hack2Win Code Blue competition!

This year we have changed the format, raised the difficulty level and increased the prizes.

The goal of the event is to find who can gain the highest privileges on any of the target software and hardware.

Prizes for this contest will total $50,000 USD!

In the new format we have:

  • 3 categories; in each category we will have 2 products from different vendors
  • Each category has different prizes
  • Each category’s highest prize will be given to the first eligible submission
  • A Quadcopter will be given to one participant who will be “the best of the show”

Category 1 – CMS
Prizes:

  • WAN RCE – 10,000$ USD
  • Information disclosure that leads to password disclosure / Authentication bypass – 5,000$ USD
  • Pre-Authenticated XSS / Reset password – 2,500$ USD

Products:

(*) Each of those plugins has at least 900K active installations

(**) Each of those plugins has at least 500K active installations

Category 2 – Routers
Prizes:

  • WAN RCE – 10,000$ USD
  • LAN RCE / Information disclosure that leads to password disclosure / Authentication bypass – 5,000$ USD
  • Reset password – 2,500$ USD

Products:

Category 3 – NAS
Prizes:

  • WAN RCE – 5,000$ USD
  • LAN RCE / Information disclosure that leads to password disclosure / Authentication bypass – 2,500$ USD
  • Reset password – 1,250$ USD

Products:

Judging Criteria

  • New – the attack uses an unknown vulnerability (no record of it can be found on Google, Exploit-DB, etc)
  • Complex – what was required to reach a successful attack
  • Innovative – we regard an RCE as more innovative than SQLi, for example
  • LAN or WAN – more points if the attack comes from the WAN side
  • What is gained – we give no initial access to the challengers, so any type of access is an achievement. Of course, a guest level access would be considered less valuable than root
  • Write-up Quality – how good the write-up is (in English), including details, explanations, etc.

Device Settings
All the devices will be factory reset – i.e. default settings, and the only non-default setting would be the password for the ‘admin’ (or equivalent) account as documented in the product’s user guide, and the WiFi password (if applicable).

What counts as ‘hacked’
A device would be considered ‘hacked’ if the participant can prove they:

  • Gained access to the device’s post-authentication admin web interface (remember – you will not be given any credentials)
  • Changed some configuration value, like the WiFi password
  • Made the device do something it’s not supposed to do: like execute code, or open a port/service which was previously closed (like SSH, telnet, etc)

What we won’t count as ‘hacked’

  • Causing a malfunction to the device, DoS / XSS / CSRF, making it unresponsive, making it no longer boot, etc
  • Usage of any known method of hacking – known methods including anything that we can find on Google/Bing/exploit-db/etc – this includes: documented default password (that cannot be changed), known vulnerabilities/security holes

Eligibility
The contest is open to anyone who is of legal age to receive a contest prize in their country. If you are not allowed to receive prizes (please make sure to check this before participating), you may want to team up with a person who is eligible.

The contest is not open to anyone who works for one of the vendors or is involved in the development of the above devices.