Dragos Ruiu
Stop, Think, Pwn.

Steal the Hash via SCF file on passwordless share

Nice write up on developing exploits for loads of strcpy vulnerabilities in TP-Link access points.

The WiFi random number generator (RNG) algorithm is broken, and group keys can be predicted, allowing traffic injection and decryption.

The paper and their conclusion:

“Although the generation of pairwise 802.11 keys has been widely analyzed, we have shown the same is not true for group keys. For certain devices the group key is easily predictable, which is caused by the faulty random number generator proposed in the 802.11 standard. This is especially problematic for Wi-Fi stacks in embedded devices, as they generally do not have other (standardized) sources of randomness. Furthermore, we have demonstrated a downgrade attack against the 4-way handshake, resulting in the usage of RC4 to protect the group key. An adversary can abuse this in an attempt to recover the group key.

We also showed that the group key can be used to inject any type of packet, and can even be used to decrypt all internet traffic in a network. Combined with the faulty 802.11 random number generator, this enables an adversary to easily bypass both WPA-TKIP and AES-CCMP. To mitigate some of these issues, we also proposed and implemented a strong random number generator tailored for 802.11 platforms.”


P.S. RIP Wil Allsopp, may your memories find a place of belonging.

The folks from Armis will be presenting their Blueborne Bluetooth bugs and research at PacSec in Tokyo on Nov 1/2.

If you run Linux somewhere (desktop, routers, IoT, …) check out these vulnerabilities (3 RCE, 1 info leak and 3 DoS) in the DNS Masquerade (dnsmasq) software nearly every distro installs. Time to update. Exploitable through DNS and DHCP.

Conversation with a customer this morning on unrelated matter.

Me (aside): oh yeah a heads up, did you see the Linux dnsmasq thing and update?

Customer: yeah saw that, we don’t run any Linux.

Me (incredulous): Really? You have an office wifi network?

Customer: yeah.

Me: I bet you are. The answer “we aren’t running Linux” makes me think “you need to look.”
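The exchange above is about not knowing where dnsmasq is running. As an added example (not from the original post and not the dnsmasq project's own code), here is a host-side check that locates the binary, sees whether a dnsmasq process is alive, and compares the `dnsmasq --version` banner against a fixed-release threshold. The threshold is a placeholder argument because the post gives no version numbers; take it from the advisory. The script only covers hosts you can run Python on; the routers, access points and IoT devices the post mentions need a firmware inventory instead.

```python
"""Host-side check for dnsmasq: is it installed, is it running, and is the
installed version older than the release that fixed a given set of bugs.

Added example, not part of the original post. The fixed-version threshold is a
placeholder argument: take the real number from the dnsmasq advisory.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# The first line of `dnsmasq --version` is a banner of the form
# "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley".
VERSION_RE = re.compile(r"Dnsmasq version (\d+(?:\.\d+)*)")

# Constructed sample banner so the parsing can be demonstrated offline.
SAMPLE_BANNER = (
    "Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley\n"
    "Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP\n"
)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the dotted version from a banner as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so '2.78' == '2.78.0'."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def assess(banner: str, fixed_version: str) -> str:
    """Classify a banner against the fixed release: 'unknown', 'vulnerable' or 'patched'."""
    installed = parse_version(banner)
    fixed = parse_version("Dnsmasq version " + fixed_version)
    if installed is None or fixed is None:
        return "unknown"
    return "vulnerable" if compare_versions(installed, fixed) < 0 else "patched"


def audit_host(fixed_version: str) -> dict:
    """Look for dnsmasq on this host; returns 'binary', 'running' and 'status'.

    dnsmasq is frequently started by other components (libvirt NAT networks,
    NetworkManager connection sharing), so the process check matters even on
    hosts where nobody installed it on purpose.
    """
    result = {"binary": shutil.which("dnsmasq"), "running": False, "status": "missing"}
    try:
        procs = subprocess.run(["pgrep", "-x", "dnsmasq"], capture_output=True, text=True)
        result["running"] = procs.returncode == 0  # pgrep exits 0 when a match exists
    except FileNotFoundError:  # pgrep not available on this host
        pass
    if result["binary"]:
        out = subprocess.run([result["binary"], "--version"], capture_output=True, text=True)
        result["status"] = assess(out.stdout, fixed_version)
    return result


if __name__ == "__main__":
    FIXED_VERSION = "9.99"  # PLACEHOLDER: first release carrying the fixes, per the advisory
    print("sample banner:", assess(SAMPLE_BANNER, FIXED_VERSION))
    print("this host:", audit_host(FIXED_VERSION))
```

Run it on any Linux box you think is "not running Linux services" and look at the `running` field; a true value with an empty `binary` means something started dnsmasq from a path outside `PATH`, which is itself worth knowing.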

Well isn’t that amusing, a “dumb” Cisco eight-port office switch that sends Realtek RRCP Ethertype 0x8899 packets on its own...

How timely.

About that Broadcom WiFi chip firmware you haven’t updated yet on all your devices because you (erroneously) thought it only affected Android.

BroadPWN Volume 2 part 1
iPhone Exploitation.