Download as PDF, PPTX
![Defining MQTT
~ Wikipedia: MQTT
(originally an initialism of MQ Telemetry Transport[a]) is a lightweight, publish-subscribe, machine to
machine network protocol for message queue/message queuing service. It is designed for connections
with remote locations that have devices with resource constraints or limited network bandwidth, such as
in the Internet of Things (IoT). It must run over a transport protocol that provides ordered, lossless, bi-
directional connections—typically, TCP/IP.[1] It is an open OASIS standard and an ISO recommendation
(ISO/IEC 20922).](https://image.slidesharecdn.com/ramatrinanda-mqtthackingrceinsmartrouter-241029234334-c8d2d991/75/IDSECCONF2024-Rama-Tri-Nanda-MQTT-hacking-RCE-in-Smart-Router-pdf-5-2048.jpg)
Uploaded byidsecconf
IDSECCONF2024 - Rama Tri Nanda - MQTT hacking, RCE in Smart Router.pdf
The document discusses vulnerabilities in the Mosquitto protocol utilized in smart routers, specifically focusing on a targeted analysis of the Ruijie EW-300N router. It describes the MQTT protocol's characteristics and outlines methods for exploiting a specific vulnerability (CVE-2024-42936) linked to the router's service. The document concludes with suggested solutions, including awaiting firmware updates and avoidance of the product.
More Related Content
![[DO07] マイクロサービスに必要な技術要素はすべて Spring Cloud にある](https://cdn.slidesharecdn.com/ss_thumbnails/do07-170620022806-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to IDSECCONF2024 - Rama Tri Nanda - MQTT hacking, RCE in Smart Router.pdf
![Computer Networks 01[1 using all terms].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/computernetworks011-251214040533-327dd9f8-thumbnail.jpg?width=640&height=640&fit=bounds)
IDSECCONF2024 - Rama Tri Nanda - MQTT hacking, RCE in Smart Router.pdf
- 1. Mosquitto Hacking Remote Code Executionin Smart Router @smrx86
- 2. WHoami WHoami Father of oneson Security consultant @xynexis Int’l since 2015 Independent security researcher. Speaker @Idsecconf 2013, 2014, 2015, 2019, 2020.2022,2023, 2024
- 3. Agenda Defining MQTT Agenda The targetsAnalysis Exploitation
- 4.
- 5. Defining MQTT ~ Wikipedia:MQTT (originally an initialism of MQ Telemetry Transport[a]) is a lightweight, publish-subscribe, machine to machine network protocol for message queue/message queuing service. It is designed for connections with remote locations that have devices with resource constraints or limited network bandwidth, such as in the Internet of Things (IoT). It must run over a transport protocol that provides ordered, lossless, bi- directional connections—typically, TCP/IP.[1] It is an open OASIS standard and an ISO recommendation (ISO/IEC 20922).
- 6. MQTT publisher 33% MQTT Topology MQTT Broker 33% MQTTSubscriber 33%
- 7. Smarrouter ruijie EW-300N. TheTargets The Targets
- 8.
- 9. The Targets The Targets systemtype : MT7628 machine : EW300N cpu model : MIPS 24KEc V5.5 MemTotal : 59720 kB WAN port : 1 LAN port : 4 Voltage : 12V 1Ampere Flashrom : SOIC NOR FLASH 16 MB MD AY2329 25Q128S18 ReyeeOS 1.300.1422
- 10.
- 11.
- 12.
- 13.
- 14. Sniif mobile appwith Burpsuite Dynamic Analysis
- 15. debug web cloud DynamicAnalysis
- 16. TApp WAN portwith WIRESHARK Dynamic Analysis
- 17. TApp WAN portwith Non-HTTP Proxy Extension for Burp Suite (NoPE) https://github.com/summitt/Nope- Proxy Dynamic Analysis
- 18.
- 19.
- 20. message from router (mqtt_pub)to MQTT broker
- 21. Vulnerable router service (/usr/sbin/mqlink.elf~ CVE-2024-42936)
- 22. Vulnerable router service (/usr/sbin/mqlink.elf~ CVE-2024-42936)
- 23.
- 24.
- 25.
- 26. Solutions Solutions . - waitfor fixed firmware . - Don’t buy this product
- 27.