Software analysis

Those blessed with access would be able to download a certain 855.zip, containing a PDF file with instructions, just as described by the manufacturer, and several binaries:

- A855-01.bin appears to contain an exception vector table
- B855-01.bin contains the bulk of software, the whopping 439KB
- C855-01.bin looks like default configuration data, and
- M855-01.rfs proved to be a file system with a lot of XML files.

By trimming the first 8 bytes of B855-01.bin and loading it into Ghidra at address 0x1B000000, it is possible to explore the software in further detail. The address was hinted at by the contents of A855-01.bin, where many non-zero little-endian words started with 1B00.

The software was then explored both statically in Ghidra and dynamically by interacting with the exposed web server to confirm our hypotheses, but more on that in the text below.

Now, without any further ado, let's get right to the issues that were discovered and look at them in more detail. Note: all symbol names listed below are based on the reverse engineering effort and the fact that the software, at least the web server part, was based on the embOS/IP middleware package from Segger, as evidenced by the contents of the Server HTTP header.

ZDI-24-671: Configuration backup missing authentication

This was the initial report by Gjoko Krstic of Zero Science Lab, which prompted further investigation by the ZDI team.

The gist of the issue is dead simple: accessing a certain URL will result in obtaining a configuration backup, identical in format and size to what is supplied in the software update, like so:
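The load-address inference described in the Ghidra paragraph above (many little-endian words in the vector table sharing the 1B00 prefix) can be automated. The script below is an added example, not code from the original post; the vector-table bytes are constructed here to mimic the described pattern, and the 8-byte header length and the `infer_load_address` helper are assumptions for illustration.

```python
import struct
from collections import Counter
from typing import Optional

# Constructed sample in the style of A855-01.bin: 32-bit little-endian
# vectors, most of which point into the 0x1B00xxxx region, with a few
# unused slots (0x00000000 / 0xFFFFFFFF). These values are made up.
SAMPLE_VECTOR_TABLE = b"".join(
    struct.pack("<I", v)
    for v in [
        0x00000000, 0x1B000100, 0x1B000140, 0x1B000180,
        0x00000000, 0x1B0001C0, 0x1B000200, 0x00000000,
        0x1B000240, 0x1B000280, 0x1B0002C0, 0xFFFFFFFF,
    ]
)

def strip_update_header(blob: bytes, header_len: int = 8) -> bytes:
    """Drop the leading container header (8 bytes in the page's case,
    assumed here) so the remaining image can be loaded at its base."""
    return blob[header_len:]

def infer_load_address(blob: bytes, min_hits: int = 4) -> Optional[int]:
    """Guess the region a vector table points into: count the upper 16 bits
    of every non-empty little-endian word and return the most common prefix
    as a 64KB-aligned base address. None if no prefix reaches min_hits.
    Assumes 32-bit LE pointers; partial trailing bytes are ignored."""
    counts: Counter = Counter()
    for off in range(0, len(blob) - len(blob) % 4, 4):
        (word,) = struct.unpack_from("<I", blob, off)
        if word in (0, 0xFFFFFFFF):  # unused vector slots carry no hint
            continue
        counts[word >> 16] += 1
    if not counts:
        return None
    prefix, hits = counts.most_common(1)[0]
    return (prefix << 16) if hits >= min_hits else None

if __name__ == "__main__":
    base = infer_load_address(SAMPLE_VECTOR_TABLE)
    if base is None:
        print("no consistent pointer prefix found")
    else:
        print(f"Suggested Ghidra load address: 0x{base:08X}")
```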