Hacking conferences often feature a Capture the Flag, or CTF, event. Typically, this is a software hacking challenge that involves breaking into targets which have been set up for the event and capturing them. It’s good, legal hacking fun.
However, some people are starting to build CTFs that involve hardware hacking as well. [Balda]’s most recent hardware hacking challenge was built for the Insomni’hack 2014 CTF. It uses an MSP430 as the target device, and contestants send commands to the device over UART via a Bus Pirate. Pull off the exploit, and the wheel rotates to display a flag.
For the first challenge, contestants had to decompile the firmware and find an obfuscated password. The second challenge was a bit more complicated. The password check function used memcpy, which made it vulnerable to a buffer overflow attack. By overwriting the program counter, it was possible to take over control of the program and make the flag turn.
The risk of memcpy reminds us of this set of posters. Only abstaining from memcpy can 100% protect you from overflows and memory disclosures!
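As an added illustration of the password-check bug described above (example code written for this page, not [Balda]’s firmware, and the password value and the `PASS` command handler are assumptions), here is the unchecked-length memcpy pattern next to a version that validates the length against the destination before copying:

```c
#include <stddef.h>
#include <string.h>

#define PASSWORD_LEN 8

/* Constructed sample password for this example; the CTF's real one is not on the page. */
static const char EXPECTED[PASSWORD_LEN + 1] = "s3cr3t!!";

/* Vulnerable pattern of the kind the article describes: the byte count comes
 * from the sender and memcpy copies that many bytes into an 8-byte stack
 * buffer, so any longer input overwrites whatever lies beyond the buffer.
 * Shown only for comparison; it must never be called with len > PASSWORD_LEN. */
int check_password_unsafe(const char *input, size_t len) {
    char buf[PASSWORD_LEN];
    memcpy(buf, input, len);                 /* len is never compared with sizeof buf */
    return memcmp(buf, EXPECTED, PASSWORD_LEN) == 0;
}

/* Hardened form: validate the length against the destination before copying,
 * reject (do not silently truncate) anything that is not exactly one
 * password, and compare every byte so timing does not reveal where the first
 * mismatch is. Returns 1 on a correct password, 0 otherwise. */
int check_password_safe(const char *input, size_t len) {
    char buf[PASSWORD_LEN];
    if (input == NULL || len != sizeof buf) {
        return 0;
    }
    memcpy(buf, input, sizeof buf);          /* bounded by the destination size */
    unsigned char diff = 0;
    for (size_t i = 0; i < sizeof buf; i++) {
        diff |= (unsigned char)(buf[i] ^ EXPECTED[i]);
    }
    return diff == 0;
}

/* Hypothetical handler for a UART console line "PASS <password>": the
 * argument length is measured here and checked inside check_password_safe,
 * so an over-long line is refused before any copy happens. */
int handle_line(const char *line) {
    static const char cmd[] = "PASS ";
    if (line == NULL || strncmp(line, cmd, sizeof cmd - 1) != 0) {
        return 0;
    }
    const char *arg = line + (sizeof cmd - 1);
    return check_password_safe(arg, strlen(arg));
}
```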
How can you avoid using memcpy? Sometimes you simply have to copy binary memory. I tend to almost always use it with a fixed length though.
My writeup: http://blog.dragonsector.pl/2014/03/insomnihack-ctf-2014-life-is-even.html
[Eric], did you mean abstaining from strcpy? That matches the posters and makes more sense.
I think this article misinterprets the goal of http://natashenka.ca/posters which IMHO is to warn against C functions that write into a string (or an array) without explicitly passing the size of the memory buffer together with the pointer, because that creates too many ways for the buffer to be overflowed. For example, the site says strlcpy() is safe.
Now, memcpy() is safe in this respect, while strcpy() is not.
You will be amazed how many people still think strcpy() is the same as memcpy(). Just ask my coworkers…
I’ll admit, that second link made me laugh. However, wouldn’t this still be considered software hacking? You are still using some form of code to access the program counter.