{"id":8311,"date":"2017-07-11T14:20:45","date_gmt":"2017-07-11T22:20:45","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/11\/news-2085\/"},"modified":"2017-07-11T14:20:45","modified_gmt":"2017-07-11T22:20:45","slug":"news-2085","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/11\/news-2085\/","title":{"rendered":"Hack2Win 2017 D-Link 850L Results"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 11 Jul 2017 08:36:11 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3310\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><\/p>\n<p><script>var obj = jQuery('#a-href-3310');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script>  \t\t<\/p>\n<div class=\"pf-content\">\n<p>On June 11th 2017 we announced the first online version of our &#8216;Hack2Win&#8217; hacking competition. We allocated $10,000 USD as pay outs to valid submissions, and 2 months of competition time &#8211; by making the product available on the internet &#8211; to allow everyone a chance to hack it. The device was made publicly accessible on July 3rd.<\/p>\n<p>We were pleasantly surprised to get the first submission on June 12nd, just one day after we advertised our competition. But unfortunately that submission didn&#8217;t work on our hardware revision, and thus was not considered for a prize.<\/p>\n<p>Subsequent submissions were not far behind: on Jun 29th, a LAN &#8211; Unauthorized RCE as root, was received.<\/p>\n<p>On June 30th we received another submission &#8211; one that allowed remote retrieval of the admin password from both the WAN and LAN interfaces.<\/p>\n<p>On July 3rd we received the submission that ended the competition &#8211; an Unauthenticated Remote Code Execution from both the WAN and LAN interfaces.<\/p>\n<p>Once this last submission arrived, we ended the competition having reached the goal of owning the device from both the LAN and WAN sides.<\/p>\n<p>D-Link has been contacted and the full write-up will be published after the vendor releases patches for these vulnerabilities.<\/p>\n<p>What&#8217;s interesting is that all 3 researchers that submitted the vulnerabilities found the same similar security issue &#8211; but from there, each researcher exploited the vulnerability in a different way. Only one of the researchers successfully exploited the vulnerability and achieved unauthenticated remote code execution from WAN.<\/p>\n<p>Prizes:<\/p>\n<ul>\n<li>1st place goes to Zdenda &#8211; 5,000$ USD for the unauthenticated Remote Code Execution from WAN<\/li>\n<li>2nd place goes to Peter Geissler &#8211; 2,500$ USD for retrieving admin password from WAN<\/li>\n<li>3rd place goes to Pierre Kim- 2,500$ USD for the unauthorized RCE as root from LAN<\/li>\n<\/ul>\n<p>Our main takeaway from this competition is how talented researchers out there are. Our research community members are really good at finding vulnerabilities in products, and when there is a clear goal they will reach it. In addition, we decided that we need to challenge them more and more frequently \ud83d\ude42<\/p>\n<p>Our next target won&#8217;t be as easy as a D-Link router &#8211; and the prizes will rise accordingly. Stay tuned.<\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/pf-button.gif\" alt=\"Print Friendly\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3310\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/pf-button.gif\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Tue, 11 Jul 2017 08:36:11 +0000<\/strong><\/p>\n<p>On June 11th 2017 we announced the first online version of our &#8216;Hack2Win&#8217; hacking competition. We allocated $10,000 USD as pay outs to valid submissions, and 2 months of competition time &#8211; by making the product available on the internet &#8211; to allow everyone a chance to hack it. The device was made publicly accessible &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3310\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Hack2Win 2017 D-Link 850L Results<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12603,10757],"class_list":["post-8311","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-hack2win","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8311"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8311\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}