On June 11th 2017 we announced the first online version of our ‘Hack2Win’ hacking competition. We allocated $10,000 USD as pay outs to valid submissions, and 2 months of competition time – by making the product available on the internet – to allow everyone a chance to hack it. The device was made publicly accessible on July 3rd.
We were pleasantly surprised to get the first submission on June 12nd, just one day after we advertised our competition. But unfortunately that submission didn’t work on our hardware revision, and thus was not considered for a prize.
Subsequent submissions were not far behind: on Jun 29th, a LAN – Unauthorized RCE as root, was received.
On June 30th we received another submission – one that allowed remote retrieval of the admin password from both the WAN and LAN interfaces.
On July 3rd we received the submission that ended the competition – an Unauthenticated Remote Code Execution from both the WAN and LAN interfaces.
Once this last submission arrived, we ended the competition having reached the goal of owning the device from both the LAN and WAN sides.
D-Link has been contacted and the full write-up will be published after the vendor releases patches for these vulnerabilities.
What’s interesting is that all 3 researchers that submitted the vulnerabilities found the same similar security issue – but from there, each researcher exploited the vulnerability in a different way. Only one of the researchers successfully exploited the vulnerability and achieved unauthenticated remote code execution from WAN.
- 1st place goes to Zdenda – 5,000$ USD for the unauthenticated Remote Code Execution from WAN
- 2nd place goes to Peter Geissler – 2,500$ USD for retrieving admin password from WAN
- 3rd place goes to Pierre Kim- 2,500$ USD for the unauthorized RCE as root from LAN
Our main takeaway from this competition is how talented researchers out there are. Our research community members are really good at finding vulnerabilities in products, and when there is a clear goal they will reach it. In addition, we decided that we need to challenge them more and more frequently 🙂
Our next target won’t be as easy as a D-Link router – and the prizes will rise accordingly. Stay tuned.