BSidesSF 2021 has ended
Sunday, March 7 • 3:30pm - 4:10pm
IoT Village



Streaming at https://youtu.be/Zhu00aOcF3w

Embedded device researchers often come across traditionally valuable vulnerabilities, such as command injection, whose exploitation is limited to authenticated, LAN-side users. From an attacker’s point of view, these restrictions are less than ideal for remote compromise. How can such bugs be weaponized for use in actual exploits? For the Lenovo ix4-300d NAS, the key to a successful attack lies in the victim’s web browser. In this livestream, ISE Labs will demonstrate the chaining of two unrelated vulnerabilities against the ix4-300d—cross-site scripting and command injection—to show how remote, unauthenticated adversaries can abuse the browser to gain root access to LAN targets.

Join us at Discord here: https://discord.gg/dC4729FHEY
Join our labs here: https://labs.iotvillage.org/

Sunday March 7, 2021 3:30pm - 4:10pm PST
Stream