Cedric Halbronn, Aaron Adams, Alex Plaskett and Catalin Visinescu presented two talks at NCC Con Europe 2022. NCC Con is NCC Group’s annual private internal conference for employees. We have decided to publish these 2 internal presentations as it is expected that the wider security community could benefit from understanding both the approach and methodology which is used when performing vulnerability research for the competition.

The abstracts for these talks were as follows (download links below).

Pwn2Own Austin 2021 – How to win $$$ at a hacking contest?

Abstract: In Nov 2021, NCC Group participated to the Pwn2Own hacking contest for the first time and demonstrated exploit development capabilities against 2 targets: a NAS and a printer. This talk is more about the journey than the actual result. We will explain the decisions we made over time, which ones ended up being partial failures, and which ones led to success.

Description:

The presentation is divided into the following parts:

  1. Initial target choice: we present the Pwn2Own hacking contest rules, the possible targets and how we chose 3 targets
  2. Vulnerability research and exploit development: we explain how we split work between 4 people, the different attempts, failure, achievements. We detail the tools we developed, the debug environments we setup, the hardware attacks we decided to go through to improve debug capabilities. We go over the bugs we found that were not promising and the ones we ended up choosing for exploitation (but without going into technical details since this is proposed as a 2nd talk: “Pwn2Own hacking contest: details of 3 bugs we found and exploited”)
  3. Pwn2Own contest event: we explain how we experienced the contest, what problems we had to deal with to get the exploits to work in the allocated time, and our experience with the contest organizers/vendors post-demonstration.
  4. What to learn from it: We propose some methodology when participating to Pwn2Own and we give insights on what to do better next year to maximize our efforts and exploit even more devices.

Pwn2Own Austin 2021 – Remotely Exploiting 3 Embedded Devices

Abstract: In 2021, NCC Group decided to participate to the Pwn2Own hacking contest and invested some vulnerability research time against 3 targets: a router, a NAS and a printer. This talk is about the resulting exploits’ internals and how we managed to get pre-authentication remote code execution on all 3 devices.

Description:

The talk consists of the following key parts:

  1. The first part of the talk will focus on the Netgear R6700, we will perform an overview of the attack surface, vulnerable areas and describe a stack based buffer overflow which was identified and exploited to remotely compromise the router over a LAN connection.
  2. The second part of the talk will focus on the Western Digital PR4100 NAS chain. We will describe the attack surface, a file format parsing vulnerability and exploit used to remotely compromise the NAS over a LAN connection.
  3. Finally we will describe the tech details of hardware attacks on the Lexmark printer to enable unencrypted firmware dumping and visibility into the internals of the platform. We will describe how we went from zero knowledge of the Lexmark printer environment to achieving a root shell on the device. We will describe a vulnerability identified within the Printer Job Description (PJL) handling code and how this could be exploited to achieve arbitrary file write. We will then describe how this was exploited to obtain a shell.
  4. In conclusion we will highlight areas which the device vendors did well and made it more challenging to develop attacks on the platform together with suggesting improvements which device vendors could make to enhance the security posture of their devices in future.

Published