Research 19 March 2018
Unauthenticated Start of Telnetd on Tenda AC15 Router

Introduction We previously showed how the Tenda AC15 router was vulnerable to an unauthenticated remote code execution vulnerability via a stack-based buffer overflow. Writing exploits like that can be incredibly interesting, but sometimes, all you need is a GET request to get root. In this post we will outline another vulnerability that allows an […]

Research 19 March 2018
Hard Coded Accounts in the Tenda AC15 Router – CVE-2018-5768

Introduction The Tenda AC15 router was found to contain a variety of unnecessary accounts that contain incredibly weak passwords. Note that these accounts do not allow access to the web interface, but are also not configurable from said interface. This means that without access to the device (such as telnet or ssh), a user cannot […]

Research 21 February 2018
NoMachine Un-initialised Variable Privilege Escalation – A fuzz-less exploit tutorial – CVE-2018-6947

Before we start... In this post we will be walking through a vulnerability we identified in NoMachine version 6.0.66_2 and lower that can lead to privilege escalation or denial of service. To start this post, we would like to say a massive thank you to the NoMachine team who were awesome, they acknowledged and triaged […]

Research 19 February 2018
FSLabs Flight Simulation Labs Dropping Malware to Combat Piracy? Is this DRM gone mad?

Introduction This morning, Fidus’ Penetration Testing team stumbled upon some troubling posts on Reddit accusing FSLabs of bundling a Google Chrome password stealer into their flagship flight simulator product in order to ‘combat piracy’. Yep, it’s as crazy as it sounds. First thoughts on the matter raise numerous questions: What legal boundaries is this pushing, […]

Research 14 February 2018
Remote Code Execution (CVE-2018-5767) Walkthrough on Tenda AC15 Router

Introduction In this post we will be presenting a pre-authenticated remote code execution vulnerability present in Tenda’s AC15 router. We start by analysing the vulnerability, before moving on to our regular pattern of exploit development – identifying problems and then fixing those in turn to develop a working exploit. N.B – Numerous attempts were made […]

Research 10 January 2018
Rumble In The Jungo – A Code Execution Walkthrough – CVE-2018-5189

Code Execution (CVE-2018-5189) Walkthrough on Jungo Windriver 12.5.1 Introduction Windows kernel exploitation can be a daunting area to get into. There are tons of helpful tutorials out there and originally this post was going to add to that list. This is the story of how I found CVE-2018-5189 and a complete walkthrough of the exploit development […]

Research 17 October 2017
Remote Code Execution (CVE-2017-13772) Walkthrough on a TP-Link Router

Introduction In this post, I will be discussing my recent findings while conducting vulnerability research on a home router: TP-Link’s WR940N home WiFi router. This post will outline the steps taken to identify vulnerable code paths, and how we can exploit those paths to gain remote code execution. I will start by describing how I […]