This is a report of a 0-day backdoor giving remote root shell access on Teradek IP video devices. Reported the issue to the manufacturer last year, they have released a new firmware version since then, but have not fixed it. That is why this is full disclosure here. Proof of concept is following below.
About the device
The Teradek IP video devices are live streaming devices able to encode video inputs (like SDI, HDMI, etc) to various streaming formats capable of Ethernet transport. There are different IP video devices made by Teradek, but the firmwares seems to be very similar (especially in the backdoor functionality). We have analyzed a Teradek VidiU Go model.
The device has an Ethernet interface and there is a Web management interface accessible at http://<device_ip> by default. The Web management interface is protected by a user-defined password.
Mimikatz integrated in the current Metasploit Framework is a little bit outdated. If you want to use the recent features (like plaintext RDP credential dumping), the Mimikatz Extension (called Kiwi) should be manually updated and compiled into the current framework. Here is how to do it.
The Kiwi Extension
The (in)famous Meterpreter shell payload of the Metasploit Framework allows an attacker to load extensions. Extension loading is implemented by in-memory DLL injections without spawning new processes. If the Meterpreter shell bypasses the AV/EDR solutions, there is a high chance that the extensions are also remaining stealthy.
The great Mimikatz post-exploitation tool by Gentilkiwi…
I have read tons of articles about how does L3 multicast routing across subnets work, but none of them was complete for my scenario. Here is my solution.
The Scenario
I have two sites connected by (L3-routed) WireGuard VPN. If we want to browse a DLNA server (e.g. a NAS serving media files) where the server is at one site and the client device (e.g. a TV) is at the other site, it will not work out-of-the-box because DLNA uses SSDP to discover services which is a multicast protocol reaching only the same subnet by default.
We have to route the SSDP…
The challenge “Baseline test” was a great reverse engineering challenge with hard difficulty at the Hungarian Cyber Security Challenge 2020 CTF Qualifiers hosted by the National Cyber-Security Center of Hungary on the platform Avatao Next.
The challenge
Points: 300
Difficulty: hardAnswer some simple questions.
Instructions
The baseline test is an examination designed to measure any emotional deviance. In addition to the original test, this one has a second part to challenge rationality. Answer every question to fetch the flag.
Accessing the challenge was provided by SSH (cmdline was included in the challenge description), and in the container there was a SUID…
Installing an unsigned iOS app (what is the prerequisite of jailbreaking) using Linux with (semi-)legitimate tools.
Consider the following situation: we have a factory-installed iOS device (iPhone 5S here) with a recent iOS version (12.4.8) and we want to jailbreak it. We have a Linux desktop (Arch Linux in the following guide), a lightning cable for the iPhone device, but nothing more. For example, we have no genuine Apple hardware installed with macOS.
There are a lot of iOS jailbreaking solutions available for free. Most of them are iOS apps distributed in .ipa file format packages. …
Recently I have lost an important phone number accidentally as a consequence of wiping the data partition of my Android device (due to an OS upgrade migrating from the official but unsupported LineageOS branch to my unofficial but up-to-date supported LineageOS builds). All of the data were backed up, but unfortunately, this one phone number was not, and it was important. So I had to recover it somehow.
Because the wiped data partition was encrypted and the encryption keys were lost, any forensics jobs on the wiped partition would have been extremely hard or almost impossible.
Where else could we…
