1/7
3 CVEs in QNAP NAS firmware (QTS/QuTS hero).
3 different bug classes, each surfaced with a different technique.
Smooth process with QNAP PSIRT. Short thread on how I found each one ↓
1/7
3 CVEs in QNAP NAS firmware (QTS/QuTS hero).
3 different bug classes, each surfaced with a different technique.
Smooth process with QNAP PSIRT. Short thread on how I found each one ↓
major progress on the emulated mt7622 project -- network transport, interrupts, DMA scatter, and a lil injector script to emulate a STA with real 80211 frames. good enough to trigger one of the over-the-air bugs in the wifi driver ;)
I believe validating and parsing SSL certificates on embedded systems is still challenging. Enabling MITM would open up more attack vectors. I came across this nice blog post that highlights a vulnerability in Nintendo Switch’s SSL certificate validation.
https://t.co/lzMukLdceR
@tdinh_me Thank you for sharing honest and transparent feedback of your journey. Typically people don’t mention that preparation phase ( 7 + 2 ) just show the end result to public which quite misleading 🙂
Straight to the point tips to develop efficient fuzzing harness.
I think one of the key aspects is to make sure that cleanup is done properly between runs. For in-process binary mode, an extra care to reset CPU state should be made.
https://t.co/aM5W4ledXA
Another LibAFL feature that I find particularly useful is the possibility to add custom modules when initializing QEMU. It is a clean way to add syscalls hooking intrinsically to emulator and avoid playing with LD_PRELOAD.
Paper: https://t.co/SYwVoW7bsU
How to get ready for your weekend hiking?
+ Select trail and prepare your backpack
+ Prepare LibAFL template and scale it over multiple targets and cores
I’ve been using LibAFL for fuzzing some IoT firmwares and I am quite amazed by how much you can customise your fuzzer 🤯
One of the many advantages of LibAFL is the ability to create parametrized harness module to be able to scale. I highly recommend to check the paper and talk
paper: https://t.co/e7kBkG6GEh
talk: https://t.co/GDWpj7rJ7A
Another cool challenge from @Raspberry_Pi and @hextreeio , the focus this time is SCA . The news after first edition gave me the impression that the AES will be hardware-based engine but it is SW implementation, maybe for 3rd edition!
The new @Raspberry_Pi RP2350 Hacking Challenge: Second Edition just went live!
The first one was a huge success, with amazing attacks on the OTP secrets!
Now we want to see your side-channel attacks: Can you break the new, hardened AES implementation?
https://t.co/FBZKQmGLq6
@Sakana_Walnut Yes, it depends to the method you’re using to run your client! If you are using Launcher module, you can specify the number of cores as shown below.
LibAFL examples are handy: https://t.co/a8yRdsMKYc