MSP430-Based CTF Hardware Hacking Challenge

Hardware 'Flag'

Hacking conferences often feature a Capture the Flag (CTF) event. Typically this is a software hacking challenge: contestants break into targets set up for the event and capture them. It’s good, legal hacking fun.

However, some people are starting to build CTFs that involve hardware hacking as well. [Balda]’s most recent hardware hacking challenge was built for the Insomni’hack 2014 CTF. It uses an MSP430 as the target device, and contestants send commands to the device over UART via a Bus Pirate. Pull off the exploit, and the wheel rotates to display a flag.

For the first challenge, contestants had to decompile the firmware and find an obfuscated password. The second challenge was harder. The password check copied the entered password with memcpy into a fixed-size stack buffer without checking the length against that buffer, so an overlong input overflowed it. The overflow reaches the return address saved on the stack, which the MSP430 pops into the program counter when the function returns; overwriting it with an address of the attacker's choosing hijacks control flow and makes the flag turn.
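The overflow described above, modelled as an added example; this is not code from the challenge firmware or from [Balda]. The stack frame is simulated as a byte array so the program stays well-defined on a PC: a 16-byte password buffer immediately followed by the 16-bit return address that CALL pushed. The buffer size and the two addresses (0x4410 as the normal return, 0x44C0 as the routine that turns the flag) are assumptions for illustration. Two facts about the MSP430 are used: RET pops a 16-bit address into PC, and the core is little-endian, so the payload ends with the target address low byte first. The same memcpy appears twice, once with the sender's length and once checked against the destination, which is the distinction the memcpy/strcpy discussion below turns on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the password-check stack frame: a fixed-size input
 * buffer immediately followed by the 16-bit return address that CALL pushed.
 * Sizes and addresses are assumptions for illustration, not values taken
 * from the challenge firmware. */
#define BUF_LEN     16u             /* fixed-size password buffer */
#define FRAME_LEN   (BUF_LEN + 2u)  /* buffer + saved PC */
#define RET_ORIG    0x4410u         /* hypothetical: back into the UART command loop */
#define ROTATE_FLAG 0x44C0u         /* hypothetical: routine that turns the flag wheel */

/* MSP430 is little-endian, so the saved PC is stored low byte first. */
static uint16_t saved_pc(const uint8_t *frame)
{
    return (uint16_t)(frame[BUF_LEN] | ((uint16_t)frame[BUF_LEN + 1] << 8));
}

static void init_frame(uint8_t *frame)
{
    memset(frame, 0, FRAME_LEN);
    frame[BUF_LEN]     = (uint8_t)(RET_ORIG & 0xFFu);
    frame[BUF_LEN + 1] = (uint8_t)(RET_ORIG >> 8);
}

/* Vulnerable pattern: copy exactly as many bytes as the sender claimed.
 * The model frame ends at the saved PC, so the copy is clamped there to keep
 * this program well-defined; on the real stack the overwrite keeps going. */
static void vulnerable_copy(uint8_t *frame, const uint8_t *msg, size_t len)
{
    if (len > FRAME_LEN) len = FRAME_LEN;   /* model boundary only */
    memcpy(frame, msg, len);
}

/* Hardened pattern: the same memcpy, but the length is checked against the
 * destination first and oversized input is rejected outright. */
static bool hardened_copy(uint8_t *frame, const uint8_t *msg, size_t len)
{
    if (len > BUF_LEN) return false;
    memcpy(frame, msg, len);
    return true;
}

/* Exploit message: filler up to the saved PC, then the address to return to. */
size_t build_payload(uint8_t *out, size_t cap, uint16_t target)
{
    if (cap < FRAME_LEN) return 0;
    memset(out, 'A', BUF_LEN);
    out[BUF_LEN]     = (uint8_t)(target & 0xFFu);
    out[BUF_LEN + 1] = (uint8_t)(target >> 8);
    return FRAME_LEN;
}

/* Where RET sends execution after the vulnerable routine has copied msg. */
uint16_t pc_after_vulnerable(const uint8_t *msg, size_t len)
{
    uint8_t frame[FRAME_LEN];
    init_frame(frame);
    vulnerable_copy(frame, msg, len);
    return saved_pc(frame);
}

/* Same for the hardened routine; *accepted reports whether the copy happened. */
uint16_t pc_after_hardened(const uint8_t *msg, size_t len, bool *accepted)
{
    uint8_t frame[FRAME_LEN];
    init_frame(frame);
    *accepted = hardened_copy(frame, msg, len);
    return saved_pc(frame);
}

int main(void)
{
    uint8_t payload[FRAME_LEN];
    size_t n = build_payload(payload, sizeof payload, ROTATE_FLAG);
    bool ok = false;
    uint16_t pc_vuln = pc_after_vulnerable(payload, n);
    uint16_t pc_hard = pc_after_hardened(payload, n, &ok);
    printf("vulnerable: returns to 0x%04X\n", pc_vuln);
    printf("hardened:   returns to 0x%04X (input accepted=%d)\n", pc_hard, ok);
    return 0;
}
```

With the payload, the vulnerable routine returns to 0x44C0 instead of 0x4410; the hardened routine refuses the 18-byte message and its saved PC is untouched. A normal-length password leaves the return address intact in both versions.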

The memcpy bug reminds us of this set of posters, which warn against the C functions that write into a buffer without being told its size (strcpy and friends). Bear in mind that memcpy does take a length and is only as safe as the length you pass it: a copy bounded by the sender's count rather than the destination's size overflows just like strcpy does.


Comments

  1. Dodo says:

    How can you avoid using memcpy? Sometimes you simply have to copy binary-memory. I tend to almost always use it with a fixed length though.

  2. Sergiusz Bazanski says:
  3. Chris C. says:

    [Eric], did you mean abstaining from strcpy? That matches the posters and makes more sense.

  4. fede.tft says:

    I think this article misinterprets the goal of http://natashenka.ca/posters which IMHO is to warn against C functions that write into a string (or an array) without explicitly passing the size of the memory buffer together with the pointer, because that creates too many ways for the buffer to be overflowed. For example, the site says strlcpy() is safe.
    Now, memcpy() is safe in this respect, while strcpy() is not.

  5. HackJack says:

    You will be amazed how many people still think strcpy() is the same as memcpy(). Just ask my coworkers…

  6. Rollyn01 says:

    I’ll admit, that second link made me laugh. However, wouldn’t this still be considered software hacking? You are still using some form of code to access the program counter.
