Join us at hack.lu 2025 — Info & Registration
Duration: 30 min
Type: Talk
Speakers: Stanislav Dashevskyi
Abstract
The operating systems of many proprietary consumer- and enterprise-grade
networking devices do not allow for easy customization. Even when SSH access is
available, it often supports only a limited set of tightly controlled commands,
offering no way to install new binaries — or to understand what the existing
ones actually do.
The Internet is full of guides on “jailbreaking” proprietary routers — an
unfortunate necessity for users who want deeper control over the hardware
they’ve paid for.
In contrast, open-source router OSes like OpenWrt provide full SSH access. This
seemingly simple feature sends a clear message: “This device is truly yours, and
you’re welcome to inspect or improve it — even find security bugs, if you’re so
inclined.”
But what happens when a proprietary OS is built on top of an open one like
OpenWrt?
In this talk, we’ll take you on a journey through reverse engineering OS
binaries based on OpenWrt, used by a major vendor [REDACTED]. We were surprised
to discover that they had patched the Lua compiler for the sole purpose of
hindering static analysis.
We’ll demonstrate several techniques for “owning” a line of devices from this
vendor — from rediscovering a “patched” backdoor in the restricted SSH service,
to identifying an authenticated OS command injection vulnerability buried deep
in a custom Lua module.
These findings could enable full remote takeover of the devices — so it’s no
wonder the vendor didn’t allow SSH access in the first place…