Hacking TP-Link Router - Exploiting Command Injection Vulnerability

TLDR: Learn how Pedro and Radek hacked a TP-Link router using a command injection vulnerability and earned $5,000 in the Pwn2Own Tokyo 2019 competition.

Key insights

💡Pedro and Radek targeted the LAN interface of the TP-Link AC1750 Smart Wi-Fi router using various bugs.

🔒They exploited a command injection vulnerability to execute their code on the router.

💰With their successful exploit, they earned $5,000 in the Pwn2Own competition.

🌐The TP-Link Archer AC1750 router, known for its simplicity, was the target of their attack.

🔧They used a paper clip to connect to the router's UART interface for initial root access.

Q&A

How did they find the command injection vulnerability?

Pedro and Radek used an automated script to flag potentially vulnerable call sites in the firmware's functions, and quickly found a system() call whose argument was built from attacker-controlled input.

How did they gain root access to the router?

By connecting to the router's UART interface, they were able to gain initial root access and bypass any debugging restrictions.

What exploit technique did they use?

They injected shell metacharacters into the router's slave_mac field, which let them break out of the shell command string that the Lua handler builds and pass to system(), achieving command injection.
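To make the pattern concrete, here is an added Python example (not code from the talk or from the router's firmware) showing why a field like slave_mac is dangerous when it is concatenated into a shell command, and how the same handler looks once the value is validated and passed as a separate argument. The echo stand-in tool, the MAC format check and the function names are assumptions for illustration; the router's real Lua handler is not reproduced.

```python
import re
import subprocess

# Strict allow-list for a MAC address (six hex octets separated by colons).
# Assumption: this is the only format the field should ever carry.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def run_vulnerable(slave_mac: str) -> str:
    """Mimics the weak pattern: build a command string from user input and
    hand it to a shell (what a Lua os.execute()/system() call would do).
    'echo' stands in for the real tool. Returns everything the shell printed."""
    cmd = "echo --mac " + slave_mac          # unsanitized concatenation
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_hardened(slave_mac: str) -> str:
    """Hardened form: validate the field against the allow-list, then pass it
    as its own argv element so no shell ever parses it."""
    if not MAC_RE.match(slave_mac):
        raise ValueError("slave_mac is not a valid MAC address")
    argv = ["echo", "--mac", slave_mac]       # no shell involved
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout


def has_shell_metachars(value: str) -> bool:
    """Cheap check a reviewer or a fuzzing script can apply to any value that
    ends up in a command string; a hit means the value needs validation."""
    return any(c in value for c in ";|&`$(){}<>\n")


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a second command.
    benign = "00:11:22:33:44:55"
    tainted = "00:11:22:33:44:55; echo INJECTED"
    print("vulnerable, benign :", repr(run_vulnerable(benign)))
    print("vulnerable, tainted:", repr(run_vulnerable(tainted)))
    print("hardened,   benign :", repr(run_hardened(benign)))
    try:
        run_hardened(tainted)
    except ValueError as err:
        print("hardened,   tainted: rejected ->", err)
```

The detection side is the same idea the talk's automated script applies at scale: find every place a command string reaches system() and ask whether any part of it comes from a request field. The fix is not quoting but keeping the shell out entirely and validating the field against the one format it is allowed to have.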

Did they find any other vulnerabilities in the router?

While they focused on the command injection vulnerability, they also found that the UART's RX line was not connected; they improvised a workaround and still obtained a usable console.

What was their overall prize in the Pwn2Own competition?

Pedro and Radek earned a total of $30,000 on their first day at the Pwn2Own competition.

Timestamped Summary

00:01 Pedro and Radek targeted the LAN interface of the TP-Link AC1750 Smart Wi-Fi router.

00:10 They exploited a command injection vulnerability to execute their code on the router.

00:19 With their successful exploit, they earned $5,000 in the Pwn2Own competition.

01:21 The TP-Link Archer AC1750 router was their target, known for its simplicity.

02:45 They used a paper clip to connect to the router's UART interface for initial root access.