Small Office and Home Office (SOHO) wireless routers have terrible security. That’s nothing new. But it is somewhat sad that manufacturers just keep repurposing the same broken firmware. Case in point: D-Link’s new DIR-890L, which looks like a turtled hexapod. [Craig] looked behind the odd case and grabbed the latest firmware for this device from D-Link’s website. Then he found a serious vulnerability.
The usual process was applied to the firmware image. Extract it, run binwalk to find the various contents of the firmware image, and then extract the root filesystem. This contains all the code that runs the router’s various services.
The CGI scripts are an obvious place to poke for issues. [Colin] disassembled the single executable that handles all CGI requests and started looking at the code that handles Home Network Administration Protocol (HNAP) requests. The first find was that system commands were being built using HNAP data. The data wasn’t being sanitized, so all that was needed was a way to bypass authentication.
This is where D-Link made a major error. They wanted to allow one specific URL to not require authentication. Seems simple, compare string A to string B and ensure they match. But they used the strstr function. This will return true if string A contains string B. Oops.
So authentication can be bypassed, telnetd can be started, and voila: a root shell on D-Link’s most pyramid-shaped router. Oh, and you can’t disable HNAP. May we suggest OpenWrt or dd-wrt?
Except for the really terrible Nintendo 64 port, StarCraft has always been bound to desktop and laptop PCs. Blizzard could take the code for StarCraft, port it to an ARM platform, put a version on the Google Play an iTunes store, and sit there while the cash rolls in. This would mean a ton of developer time, though, and potentially years tracking down hard to find bugs.
Or one random dude on the Internet could port StarCraft to an ARM platform. Yes, this means all the zerg rushes and dark templar ambushes you could possibly want are available for tablets and Raspberry Pis.
This godlike demonstration of compiler wizardry is a months-long project of [notaz] over on the OpenPandora team. Without the source for StarCraft, [notaz] was forced to disassemble the Win32 version of the game, convert the disassembly to C with some custom tools, and recompile it for ARM while linking in all the necessary Win32 API calls from the ARM port of Wine. Saying this was not easy is an understatement.
If you have an OpenPandora and want to relive your heady days of youth, you can grab everything you need here. For anyone without an OpenPandora that wants to play StarCraft on a Raspi, you might want to get working on your own recompiled port. Video below.
Continue reading “Playing StarCraft On An ARM”
The folks at Matasano Security and Square have teamed up to build an online capture the flag (CTF) competition. The Microcorruption CTF focuses on embedded security and challenges players to reverse engineer a fictional “Lockitall LockIT Pro” lock system.
Each level places you in a debugging environment with a disassembly listing, live memory view, register view, and debugging console. You can set breakpoints, step through code, and modify registers like in a real debugging environment. Your goal is to figure out how to bypass the lock to collect bearer bonds.
While the device and motive may be fictional, the assembly is actual MSP430 code. The debugger is similar to GDB connected to a remote target using OpenOCD. There’s even a manual (PDF) to help you get up to speed with writing MSP430 code for the device.
This CTF looks like a great introduction to embedded security, and doesn’t require buying real hardware. It even includes a full tutorial to get you started.
[Troy Wright] acquired a lot of twenty broken Dell Axim PDAs. This type hardware was quite popular a decade ago, but looks archaic when compared to a modern cell phone. That’s why he was able to get them for a song. After a bit of work he managed to resurrect eight of the units, but was dismayed to find there’s no published method for controlling the back light from software. For some reason this is a deal-breaker for his project. But he knew it was possible because there are some apps for the device which are able to set the back light level. So he found out how to do it by reverse engineering the software.
The trick is to get a hold of the code. Since it’s not open source [Troy] used IDA, a graphical disassember and debug suite. He had some idea of what he was hunting for as the Windows CE developer documentation does mention a way to directly control the graphical hardware independently from the display driver. A few hours of pawing through assembly language, setting break points, and testing eventually led him to the solution.
It’s fun to pick apart code, but it gets more difficult when you’re talking about binaries. [Joby Taffey] opened up the secrets to one of [Travis Goodspeed’s] hacks by disassembling and sniffing the data from a Zombie Gotcha game binary.
We looked in on [Travis’] work yesterday at creating a game using sprites on the IM-ME. He challenged readers to extract the 1-bit sprites from an iHex binary and that’s what got [Joby] started. He first tried to sniff the LCD data traces using a Bus Pirate but soon found the clock signal was much too fast for the device to reliably capture the signals. After looking into available source code from other IM-ME hacks [Joby] found how the SPI baud rate is set, then went to work searching for that in a disassembly of [Travis’] binary. Once found, he worked through the math necessary to slow down communication from 2.7 Mbit/s to 2400 bps and altered the binary data to match that change. This slower speed is more amenable to the Bus Pirate’s capabilities and allowed him to dump the sprite data as it was sent to the LCD screen.