YoVDO

Journey to Command Injection - Hacking the Lenovo ix4-300d

Offered By: Security BSides San Francisco via YouTube

Tags

Security BSides Courses Cybersecurity Courses Ethical Hacking Courses Cross-Site Scripting (XSS) Courses Cross-Site Request Forgery (CSRF) Courses Command Injection Courses Exploit Development Courses Embedded Device Security Courses

Course Description

Overview

Explore the process of chaining multiple vulnerabilities to fully compromise the Lenovo ix4-300d network attached storage (NAS) device in this 26-minute conference talk from Security BSides San Francisco. Discover how to combine command injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) to create a remote exploit that requires minimal user interaction. Learn how an attacker can craft a malicious link that, when accessed by the victim, allows for the extraction of all information stored on the NAS and execution of arbitrary operating system commands. Follow the speaker's journey from identifying the initial command injection vulnerability to developing a sophisticated exploit that hijacks browser storage values, issues malicious requests, and ultimately opens a remotely accessible operating system shell on the compromised device.

Syllabus

BSidesSF 2019 - Journey to Command Injection: Hacking the Lenovo ix4-300d (Rick Ramgattie)


Taught by

Security BSides San Francisco

Related Courses

A Journey Into Synology NAS
Hack In The Box Security Conference via YouTube Smart Muttering - A Story and Toolset for Smart Meter Platform
44CON Information Security Conference via YouTube IoT Bug Hunting - From Shells to Responsible Disclosure
RSA Conference via YouTube Cracking Kyocera Printers
Hack In The Box Security Conference via YouTube Arbitrary Code Execution on RISC-V Using Fault Injection
nullcon via YouTube