06-18-2023, 08:16 AM
This forum owner gives me good vibes, so I am contributing one of my new 0-days that I found on Peplink routers, which are used by companies around as an SD-WAN / WAN aggregation tool. It gives a root shell on a boot sector by way of a buffer overflow. I will not provide code, just research :). Peplink routers use a receive buffer, and they also use WAN Smoothing and SpeedFusion. Let us talk about SpeedFusion. SpeedFusion allows a Peplink router to use any data sources and fuse them together, with a 25% overhead, to increase bandwidth. It is not designed to fuse two small links into one big one, because of the overhead; instead it is designed to take two big links and make one really big one. The technology uses DPI to filter packets at the packet level, forward them in, and then forward them on. Now, since this is huge, huge news, we talk about the use of the exploit. Since SpeedFusion uses multiple WANs, you can imagine the associated NICs do not have big RAM or ROM capacity, in fact less than an RPi on most of the PLC NICs, but they also, as stated, rely on a receive buffer for the DPI and the other Peplink features. This receive buffer overflows to the main LAN of the router, and when used in combination with the buffer overflow, you find that you are able to get in with very little effort. Sometimes on a bigger one the shell spawns native to that VLAN, but I was able to use VLAN hopping to escalate quite easily from there.... Peplink is in any police, air, fire, ambulance and other govt vehicles; they have geo-fencing equipped also, so locally searching for the beacons is a very good way to identify the router. Buy an old Peplink and use the old Peplink for research, but read the docs. They overview all of this, and if you know what I know, you know this is a buffer overflow PoC.. but they also have a receive buffer built in on all NICs and the main SD-WAN PLC, so, this said, use of a buffer overflow..
With these routers, if your buffer overflow has proper code, when used with the NIC, there are info steps: the NIC will only receive traffic from designated signals that are set up, but then it aggregates the signal using SpeedFusion, which runs similar to a VPN by encapsulating all the packets into a tunnel and using the combined WAN speed to make an aggregated, smoother WAN connection for the consumer. Also it allows for some to do cellular. So, to buffer, the script should run: an SD-WAN signal packet with the same info as the source, so the firewall will receive it; the buffer overflow code, written right with binary encoding correctly formatted the same as the host formatting, should spawn a root shell on the router; fragment it correctly and ensure it is an active line. With this proof of concept I have been able to successfully gain shells on routers across Thailand. Peplink's secret sauce is this SpeedFusion, but also SpeedFusion Cloud, which is where an aggregate host uses Peplink virtual WANs and fuses the virtual WAN with the physical WAN through the use of VLAN-type technology: spoof SpeedFusion, execute VLAN hopping, root access 0-day configured. This is highly insecure because of how the exchange takes place for this; if the user has SpeedFusion Cloud enabled, they have then given an open door. If you cannot perform either of these attacks, broken down like this, you need to learn more; these are very easy. Sorry for the English, not normal term use but. Read the 0-days for Peplink from the past few on CVE; this problem is a persistent problem, and it also may be easily accessed and replicated using Cradlepoint and any of the other SD-WAN, multi-WAN signal combo devices. This is not unique to Peplink, as I learned this works on some Cradlepoint models as well. The firewalls on Peplink are much worse though, and they are much cheaper, so they are much more everywhere.