To test if opkg would indeed download packages from a custom network connection, I set up a local web server and created a file consisting of random bytes. Opkg downloads packages from , so my plan was to let this domain name point to 127.0.0.1 from which Mayhem is serving. Mayhem can serve data either from a file or from a network socket. I found this vulnerability initially by chance when I was preparing a Mayhem task for opkg. My research on OpenWRT has been a combination of writing custom harnesses, running binaries out of the box without recompilation, and manual inspection of code. For ForAllSecure, I’ve been focusing on finding bugs in OpenWRT using their Mayhem software.