News Score: Score the News, Sort the News, Rewrite the Headlines

Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection

Posted on December 6, 2024 • 11 minutes • 2240 words

Table of contents: Introduction; sysupgrade.openwrt.org; Command injection; SHA-256 collision; Brute-forcing the SHA-256; Combining both attacks; Reporting the issue; Conclusion; Shameless plug

Introduction

Hello, I’m RyotaK (@ryotkak), a security engineer at Flatt Security Inc. A few days ago, I was upgrading my home lab network, and I decided to upgrade the OpenWrt on my router. After accessing the LuCI, which is the web interface of OpenWrt, I not...

Read more at flatt.tech
