Exploiting zero days in abandoned hardware

https://news.ycombinator.com/rss Hits: 9
Summary

We successfully exploited two discontinued network devices at DistrictCon’s inaugural Junkyard competition in February, winning runner-up for Most Innovative Exploitation Technique. Our exploit chains demonstrate why end-of-life (EOL) hardware poses persistent security risks: when manufacturers stop releasing updates, unpatched vulnerabilities remain frozen in time like fossils, creating perfect targets for attackers.

Both of the devices we exploited, a Netgear WGR614v9 router and a Bitdefender Box V1, were fairly popular devices designed to protect your home network. But since both have gone years without updates, we were able to fully exploit them remotely from the local network.

Figure 1: DistrictCon trophy

With the second DistrictCon Junkyard competition announced for early 2026, we would like to share our experience and research from the first one. Our full analysis is available in the Trail of Bits exploits repo for readers interested in the complete technical details.

First, we developed three ways (videos 1, 2, and 3) to hack the Netgear router by chaining multiple LAN-side vulnerabilities in the UPnP daemon, including an authentication bypass, buffer overflows, and command injection, which gave us a remote root shell. We then exploited the Bitdefender Box (video) by leveraging a LAN-side unauthenticated firmware downgrade vulnerability combined with command injection in the firmware validation process, which also gave us a remote root shell.

Device analysis and firmware extraction

For the Netgear device, we disassembled it and identified debugging interfaces, data storage chips, and the SoC. Since Netgear provides firmware online, we downloaded it rather than extracting it ourselves. We used binwalk and unblob to recursively unpack the firmware, ran a port scan to identify interesting network services, and logged in to the serial console to check running processes, LAN-facing services, CPU specs, kernel version, and enabled mitigations.
We initially looked at ...
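The triage step above ends with checking which mitigations the device's binaries were built with. As an added example (not code from the Trail of Bits writeup or repo), here is a small ELF program-header checker that reports NX, PIE and RELRO for binaries unpacked from a firmware image, honouring the big-endian MIPS layout common on older routers; the sample ELF it inspects is constructed inline rather than taken from any real firmware.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header that records the stack's permissions
PT_GNU_RELRO = 0x6474E552   # program header present when RELRO is enabled
PF_X = 0x1                  # executable segment flag
ET_DYN = 3                  # e_type for PIE executables and shared objects


def elf_mitigations(data: bytes) -> dict:
    """Report NX, PIE and RELRO for an ELF image using its own class and endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # class: 1 = ELF32, 2 = ELF64; data: 1 = LE, 2 = BE
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum
        e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is the 7th field of an Elf32_Phdr
    else:
        e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_flags is the 2nd field of an Elf64_Phdr
    nx, relro = False, False   # no PT_GNU_STACK at all: stack is executable on most Linux targets
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            nx = not (ph[flags_idx] & PF_X)
        elif ph[0] == PT_GNU_RELRO:
            relro = True
    return {"bits": 32 if ei_class == 1 else 64, "endian": "big" if ei_data == 2 else "little",
            "nx": nx, "pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf32(big_endian: bool, stack_flags: int, e_type: int) -> bytes:
    """Constructed sample: a minimal ELF32 MIPS image with one PT_LOAD and one PT_GNU_STACK header."""
    end = ">" if big_endian else "<"
    phdrs = [(1, 0, 0x400000, 0x400000, 0x100, 0x100, 5, 0x1000),   # PT_LOAD, R+X
             (PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)]
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + bytes(8)
    # e_machine 8 = MIPS; program headers start right after the 52-byte ELF32 header
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", e_type, 8, 1, 0x400000, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack(end + "IIIIIIII", *p) for p in phdrs)


if __name__ == "__main__":
    # Big-endian, non-PIE, stack flagged RW only: typical of what an older MIPS router ships
    print(elf_mitigations(build_sample_elf32(True, 6, 2)))
```

Run it over every ELF that binwalk or unblob extracts to get a quick per-binary inventory of which hardening the vendor's toolchain actually applied.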

First seen: 2025-07-29 09:37

Last seen: 2025-07-29 17:42