How can a vulnerable router be exploited?

Sometimes I come across articles that write about vulnerable IoT devices and that there are a lot of routers that are not sufficiently protected.

I own a router myself which has SSH access and I was wondering what possible attack vectors exist because I can’t think of many except forwarding ports by looking up the ARP table and even then you need to know what kind of device is at the other end.

I also don’t understand how malware could, for example, take over my router and add it to a botnet when it is not possible to execute shell commands; usually you can only execute commands within a (I presume) secured environment, and that is limited to a few commands. So they should not be able to upload a binary and execute it.

Can string comparison realistically be exploited in a timing attack on a web server?

Suppose you have the following code in Node:

    const { token } = req.body
    const hash = crypto.createHmac('sha256', SECRET).update(token).digest('hex')
    const user = await User.findById(req.session.userId)

    // Plain string comparison: stops at the first differing character
    if (hash === user.rememberMeHash) { /* ... */ }

The string comparison above is deemed vulnerable to a timing attack because it can leak the character position on a mismatch, so the correct way is

    // Hashes are already equal in length because the same hash function was used
    // (Buffer.from replaces the deprecated new Buffer(); the closing parenthesis was missing)
    if (crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(user.rememberMeHash))) { /* ... */ }

While true in principle, I can’t see how this leak is practically possible. To get reliable time measurements, you’d need to

  • isolate the code snippet to avoid interference from side effects (request handling, Express routing, DB queries);
  • run a large number of empirical tests in a strictly identical environment (same CPU & memory usage, processes, OS);
  • have access to a local server instance that has no traffic or intervention from outside.

None of these are realistic in a distributed system, much less to an attacker with no privileged access and no knowledge of the specific hashing algorithms and secret keys employed.

In practice, you will necessarily get varying and inconsistent results when timing any code, particularly one that is just-in-time compiled like JavaScript. This is well understood in algorithm analysis which doesn’t directly measure algorithm runtime because these measurements are acutely sensitive to the underlying hardware, software, compiler, language, etc. In this particular case, compared to a database query or a network call (or even script processing when running node binary on a .js file), string comparison takes a minuscule amount of CPU time to process.

Now, also consider that the above code runs across a cluster of servers behind a load balancer. As such, HTTP response times will vary depending on other incoming and ongoing requests (i.e. website traffic), background processes, hosting provider uptime, network fluctuations (e.g. speed drops), use of Tor or a VPN, and hundreds of other factors.

Considering a real-world web server architecture, how can a mere string comparison ever be exploited in a timing attack?

How can HTTP Parameter Pollution be exploited?

In HTTP Parameter Pollution, I know the theory of how it works: you inject multiple HTTP parameters with the same name to trigger bugs in the server, but I can’t understand how one can exploit this.

When I send some request using this technique and, for example, I know that the server is using the last occurrence of the parameter, how can this technique be useful? Because no matter what, the server uses the last occurrence, so it doesn’t matter what the other occurrences were, right? Or when the server concatenates parameters with the same name, some server script will get the concatenated result.

What was the security flaw in WhatsApp that NSO exploited?

Vulnerabilities like BroadAnywhere and StageFright were identified and fixed a few years back, and any self-respecting company would have taken note of that and examined their software for similar bugs. So I’m not very convinced that WhatsApp’s so-called zero day exploit was something unknown to the company.

What was the security flaw? Was it similar to StageFright, where an underflow/overflow allowed malware to be injected? Could it have been an intentional backdoor introduced by the parent company to read messages (like how they stored passwords in plaintext), and NSO (or any random hacker) got wind of it?

Android exploited – elevated privileges – SE Policy exploit – system as root – dual boot – living in my ramdisk. What now? [on hold]

I’ve been chipping away at this for days and going in circles so I need to put this out there – somewhere.

My Samsung S9+ hasn’t been acting properly for a long time – but in the past few weeks this thing has become a nightmare. Calls and messages come through sometimes days late or apparently days early as the time is changed routinely. The OS is constantly reverting back to some kind of stock image (Android Pie it is not) with settings completely reset. Weird errors have forced resetting several times and my photos have all been destroyed in random ways (faces altered, photos smudged, scratched out etc). Daily backups have been ignored.

I will attach some of the snide logs this thing generates as well as the init.rc and build.props (fstab goldfish files etc) – I’m not sure what is handy so I will wait for a response as I have most system documents. These system files and logs show that adbd is placed in the privileged position pre-init – it then discards any update or change, installing instead from a hidden partition (or network – the thing is never offline or properly shut down). There it remaps me to a virtual disk and assumes root control of my operating system. I am not sure if it is timed or if there is someone behind it – but as I get close to removing the files (or think I do) it will pretend to brick for an hour or two and then suddenly leap into recovery mode.

Now I’m not concerned with the causes or what it’s doing. In its current condition I can’t factory reset or erase with Odin as it has positioned itself to respond to exactly this threat. Before the setup screen presents, this thing has root access and is busy setting tasks and countdowns – similar behaviour is manifesting itself in my PC but I think this exploit has had longer to stretch out on the phone. Can anyone offer any assistance? It’s sending me nuts being trapped fixing the damn thing.

Can deleting a non-inherited object more than once be exploited for code execution?

When assigning priority for a bug, we had an internal discussion about whether, in C++, deleting an object more than once can result in code execution if the pointer to the object can be corrupted. For objects having a virtual destructor the answer seems to be obvious here.

However, what is not obvious is whether this could be exploited for code execution when the deleted object is either a standard type (e.g. long), an array, or an instance of a class which does not have a virtual table.

Can this situation result in code execution on any existing popular implementations?

Can Android 5’s own device encryption mechanism be exploited by a malware?

My wife’s phone can’t boot into Android and instead displays a message that encryption has failed and all data is lost. She did not start the encryption process herself. Now my question is: can Android 5’s own encryption mechanism be hijacked by ransomware? (And not by means of some custom implementation manually encrypting the contents of the photo folder, for example.)

Right now I’m trying to get to the data using TWRP, but I think to no avail as the internal storage folder is empty.

The Android she was using was CyanogenMod 12.1 (Android 5.1.1) for a Galaxy S3 GT-I9300.

Why the encryption process itself failed, I don’t know but it could be due to low battery as when finding it in this state it was at 3% or so. Though as I did encrypt my s3 manually and on purpose, encryption would only start with battery being at 100% and the phone being plugged in. Otherwise it would refuse if my memory serves me right.

Session key is same throughout the session, can this behavior be exploited?

This application uses a session key instead of a CSRF token, but this session key is the same throughout the session; it’s not changing. It only changes if I log out and then log in again to the application.

My questions are:

  1. Are the session key and the CSRF token similar?
  2. Can this behaviour of the key remaining the same throughout the session be exploited by an attacker in any way?

Can XXE be exploited when disallow-doctype-decl is set to true (Apache)?

I found out that an endpoint of a website may be vulnerable to XXE. They are using Unmarshal as the XML parser, and when I try to send a POST request using common XXE payloads I receive the following response from the server:

[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 54; DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.]

Is there any payload that doesn’t need the DOCTYPE declaration? Is it possible to exploit this XXE or not?

Can XSS be exploited this way?

As per my understanding, if a cookie doesn’t have a domain attribute (explicitly telling where this cookie can be used), by default that cookie will be used by the domain which issued it and all its subdomains, and even the parent domain of the domain which issued the cookie can’t use it.

(foo.example issued cookies which can be used by it and its subdomain bar.foo.example.com but not its parent domain i.e example.com)

Now, suppose I found an XSS vulnerability on foo.example.com and I want to get the cookies of example.com. By any means is that possible? Since by default cookies issued by a subdomain cannot be used by its parent domain, I am not able to figure out any way.