Sea Security Response

We reported a total of 51 bugs (low to critical impact) for IoT devices used by Singapore Smart City and Smart Building. event.ntu.edu.sg/SPIRITCYBER-24

[ZDI-24-417|CVE-2023-26322] Xiaomi Pro 13 isUrlMatchLevel Permissive List of Allowed Inputs Remote Code Execution Vulnerability (CVSS 8.8; Credit: Team Orca of Sea Security) zerodayinitiative.com/advisories/ZDI…

[ZDI-24-826|CVE-2024-32766] (Pwn2Own) QNAP TS-464 Improper Validation Authentication Bypass Vulnerability (CVSS 9.8; Credit: Tri and Bien Pham (@bienpnn) from Team Orca of Sea Security) zerodayinitiative.com/advisories/ZDI…

[ZDI-24-827|CVE-2024-32766] (Pwn2Own) QNAP TS-464 username Command Injection Remote Code Execution Vulnerability (CVSS 8.8; Credit: Tri and Bien Pham (@bienpnn) from Team Orca of Sea Security) zerodayinitiative.com/advisories/ZDI…

[ZDI-22-1118|CVE-2022-2586] (Pwn2Own) Linux Kernel nft_object Use-After-Free Privilege Escalation Vulnerability (CVSS 8.8; Credit: Team Orca of @seasecresponse) zerodayinitiative.com/advisories/ZDI…

Canonical has submitted a patch for Linux kernel, which fixed one of the bugs we used at the last #Pwn2Own Vancouver🥳 openwall.com/lists/oss-secu…

Forgot to mention that if you have any suggestions or questions, feel free to ask us here or send an email to ssrc@sea.com.

First part of how we exploited the NetUSB kernel module on TP-Link Archer C7 AC1750 and Netgear R6700 routers. This part focuses on setting up an environment to load and debug the module using Buildroot and QEMU. blog.security.sea.com/posts/netusb-e…

Confirmed! Bien Pham (@bienpnn) successfully demonstrated a UAF elevation of privilege on Ubuntu Desktop - earning $40K and 4 Master of Pwn points! #Pwn2Own #P2O15

Success! - Bien Pham (@bienpnn) demonstrated a local elevation of privilege on Ubuntu Desktop. On to the disclosure room to confirm! #Pwn2Own 2022 #P2O15

Confirmed! And for our last confirmation of the day, Keith Yeo (@kyeojy) scored a full win with a Use-After-Free exploit on Ubuntu Desktop, earning $40K and 4 Master of Pwn points. That means that ALL attempts on Day 1 of #Pwn2Own 2022 were successful!

Success! Keith Yeo (@kyeojy) demonstrated a local elevation of privilege on Ubuntu Desktop. On to the disclosure room at #Pwn2Own 2022!

Confirmed! Team Orca of Sea Security (security.sea.com) successfully demonstrated 2 bugs (OOB Write & UAF) for $40K and 4 Master of Pwn points. #Pwn2Own #P2O15

Success! Team Orca of Sea Security (security.sea.com) demonstrated a local elevation of privilege on Ubuntu Desktop. On to the disclosure room at #Pwn2Own 2022! #P2O15

It's really late now, but here is how we exploited the RV340 router at the last Pwn2Own Austin. More articles coming soon :) blog.security.sea.com/posts/pwn2own-…

A collision after dark. @bienpnn was able to get a root shell via the LAN interface on the NETGEAR R6700. However, his two bug chain had been previously seen in the contest. He still wins $2,500 and .5 Master of Pwn points. #Pwn2Own #P2OAustin

During #Pwn2Own #AfterDark, @bienpnn from Team Orca of Sea Security targeted the WAN interface of the NETGEAR R6700v3 in the router category. Unfortunately, he could not get his exploit to work within the time allotted. #P2OAustin

Confirmed! trichmitrich used nearly all the time on the clock, but his command injection bug is unique. His takeover of the Cisco RV340 via the WAN interface earns him $30,000 and 3 Master of Pwn points. #Pwn2Own #P2OAustin

Confirmed! trichimtrich leveraged an integer overflow to gain code execution via the LAN interface of the NETGEAR R6700v3 router. They win another $5,000 and 1 more point towards Master of Pwn. #Pwn2Own #P2OAfterDark

Confirmed! @bienpnn's last attempt of day 1 was successful. He used a single OOB Read bug to take over the TP-Link AC1750 via the LAN interface. This unique bug chain earns him another $5,000 and 1 Master of Pwn point. #Pwn2Own #P2OAustin