Showing posts from February, 2014

Hacking WRT120N Home Router

With a good firmware disassembly and JTAG debug access to the WRT120N, it's time to start examining the code for more interesting bugs. As we've seen previously, the WRT120N runs a Real Time Operating System. For security, the RTOS's administrative web interface employs HTTP Basic authentication:

[Figure: 401 Unauthorized response]

Most of the web pages require authentication, but there are a handful of URLs that are explicitly allowed to bypass authentication:

bypass_file_list("/cgi-bin/login /images/ /login…");

[Figure: full list of bypass files]

Any request whose URL starts with one of these strings will be allowed without authentication, so they're a good place to start hunting for bugs. Some of these pages don't actually exist; others exist but their request handlers don't do anything (NULL subroutines). However, the /cgi/tmUnBlock.cgi page does have a handler that processes some user data:

[Figure: cgi_tmUnBlock function handler]

The interesting bit of code to focus on is this:
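Added model (not the post's code nor the firmware's) of the prefix-matched bypass rule described in the paragraph above, beside an exact-match alternative and an audit helper; the handler table, the allowlist and the /login-status.cgi route are constructed assumptions.

```python
"""Model of the WRT120N-style unauthenticated-URL list described above.
Added example, not code from the post or the firmware: BYPASS_PREFIXES holds
the prefixes the post quotes (plus /cgi/tmUnBlock.cgi, which the post treats
as a bypass page); HANDLERS and ANON_ROUTES are constructed for illustration."""
from posixpath import normpath
from urllib.parse import urlsplit

# Prefix list as the post shows it; the firmware's full list is elided there.
BYPASS_PREFIXES = ("/cgi-bin/login", "/images/", "/login", "/cgi/tmUnBlock.cgi")

# Constructed route table. None models a request handler that is a NULL
# subroutine, i.e. a page that answers but does nothing.
HANDLERS = {
    "/cgi-bin/login": "cgi_login",
    "/login": None,
    "/login-status.cgi": "cgi_login_status",  # constructed; shares the /login prefix
    "/cgi/tmUnBlock.cgi": "cgi_tmUnBlock",
    "/setup.cgi": "cgi_setup",
}

# Constructed explicit allowlist for the exact-match rule below.
ANON_ROUTES = frozenset({"/cgi-bin/login", "/login"})

def prefix_bypass(url: str) -> bool:
    """The rule the post describes: a raw string prefix test on the URL."""
    return any(url.startswith(p) for p in BYPASS_PREFIXES)

def exact_bypass(url: str) -> bool:
    """Tighter alternative: drop the query string, normalise the path and
    require an exact allowlist entry that maps to a real handler."""
    path = normpath(urlsplit(url).path)
    return path in ANON_ROUTES and HANDLERS.get(path) is not None

def anonymous_routes(rule) -> set:
    """Audit helper: registered routes that `rule` serves without credentials."""
    return {route for route in HANDLERS if rule(route)}

def needs_auth(url: str, rule=prefix_bypass) -> bool:
    """Authentication gate: anything `rule` does not exempt gets a 401."""
    return not rule(url)

if __name__ == "__main__":
    print("prefix rule exempts:", sorted(anonymous_routes(prefix_bypass)))
    print("exact rule exempts: ", sorted(anonymous_routes(exact_bypass)))
```

Running anonymous_routes against a real handler table is the check to make before trusting a bypass list: the prefix rule also exempts the constructed /login-status.cgi route simply because it shares the /login prefix.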