The Missing Link: Draytek’s New RCEs Complete the Chain
O. Gianatiempo, G. Aznarez
DEF CON 33 · Day 1 · Main Stage
This talk, presented by Gastón Aznarez and Octavio Gianatiempo, security researchers at Faraday, unveils new pre-authentication remote code execution (RCE) vulnerabilities in Draytek routers. Building upon their previous DEF CON research, which focused on achieving kernel-level persistence on these devices, the speakers demonstrate how these latest discoveries can be chained with older vulnerabilities into a full exploit chain: from an unauthenticated, internet-facing attack to deep, persistent compromise of the router's operating system. The presentation details the technical intricacies of these vulnerabilities, their exploitation, and their possible connection to the widespread router reboots observed in early 2024.
AI review
Solid embedded security research that delivers on its title — Gianatiempo and Aznarez actually complete the chain they promised, with two original pre-auth RCEs, a credible hypothesis tied to observed real-world events, and a live demo that goes all the way to persistent kernel access. Not quite five stars because the TR-069 vector gets abandoned mid-exploit and the slab allocator abuse, while well-executed, isn't a technique that'll make allocator experts gasp — but the end-to-end rigor and real-world relevance keep this firmly in 'strong accept' territory.