Journey to Command Injection - Hacking the Lenovo ix4-300d
Offered By: Security BSides San Francisco via YouTube
Course Description
Overview
Explore the process of chaining multiple vulnerabilities to fully compromise the Lenovo ix4-300d network attached storage (NAS) device in this 26-minute conference talk from Security BSides San Francisco. Discover how to combine command injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) to create a remote exploit that requires minimal user interaction. Learn how an attacker can craft a malicious link that, when accessed by the victim, allows for the extraction of all information stored on the NAS and execution of arbitrary operating system commands. Follow the speaker's journey from identifying the initial command injection vulnerability to developing a sophisticated exploit that hijacks browser storage values, issues malicious requests, and ultimately opens a remotely accessible operating system shell on the compromised device.
Syllabus
BSidesSF 2019 - Journey to Command Injection: Hacking the Lenovo ix4-300d (Rick Ramgattie)
Taught by
Security BSides San Francisco
Related Courses
A Journey Into Synology NASHack In The Box Security Conference via YouTube Smart Muttering - A Story and Toolset for Smart Meter Platform
44CON Information Security Conference via YouTube IoT Bug Hunting - From Shells to Responsible Disclosure
RSA Conference via YouTube Cracking Kyocera Printers
Hack In The Box Security Conference via YouTube Arbitrary Code Execution on RISC-V Using Fault Injection
nullcon via YouTube