CVE-2017-11361 post-remedy: Is it fixed?

A couple of days ago I wrote about CVE-2017-11361, which described abusing misconfigured Access Control Lists to gain root access to Inteno routers. Inteno has recently deployed a quick-fix, removing access to the file:read and all router.dropbear calls. Does this stop people with malicious intent from accessing the router?


CVE-2017-11361: Inteno misconfigured ACLs leading to information disclosure and logging in as root

Recently, while testing the security of Inteno routers, I found a misconfiguration in the Access Control Lists, which allows any authenticated user to see the contents of any file, write their own files and add an SSH key to the router, allowing for easy login as root. By default, the consumer is only provided with the user account and the built-in support and admin accounts are not accessible. This vulnerability is dangerous as by default, the password for user is the same as the pre-set Wi-Fi key, or in some cases user, allowing for easy authentication. This vulnerability has been assigned CVE ID: CVE-2017-11361 and a CVSSv3 score of 8.8.


Installing custom OpenWRT on an Inteno (DG301) router

Soon after getting an Inteno DG301 router from my ISP Telia, I poked around the firmware trying to find out more about its internals. It became apparent that the iopsys firmware running on the machine was a customised version of OpenWRT. The modifications by Inteno include making it more fool-proof for consumers, removing any easy access to its internal settings in the process. It’s not possible to access SSH without proper keys, and Telnet is disabled, even in OpenWRT’s failsafe mode. In addition to the provided user account, there are also the support and admin accounts, but the passwords for these are not known. I did manage to dump most of the filesystem by abusing an insecure default option in the router’s bundled Samba and found a couple of other exploitable bugs; however, I still didn’t have proper shell access or a way to invoke opkg to install my own packages.


ksoft's Easy Auto Refresh extension is selling your data

I was doing some work with Burp Suite through Chrome (which I don’t often do) and very soon I realised that all of my requests were being relayed to a domain After probing around a bit, I narrowed it down to the Easy Auto Refresh plugin for Chrome, which currently has over half a million downloads. Disabling this plugin also stopped all requests to


Restoring stock BIOS on a Braswell Chromebook with a broken rom

Since Braswell is still widely unsupported in the world of Chromebooks (no public Tianocore/Windows rom released yet), one can expect to run into many issues when developing for these Chromebooks.

One of these issues I encountered was being unable to flash anything internally after flashing a Tianocore rom. This seems to be an issue with coreboot, and until it is fixed upstream, you will get this message when trying to probe the chip:

Programmer does not support specified bus
Error: Programmer initialization failed.