Dragos Ruiu
Stop, Think, Pwn.

An oldie but still a good one. Hacking the VideoCore IV (VC4) GPU with ThreadX RTOS in Raspberry Pis. The reason we don’t have OpenBSD on the Raspi is because the CPU in the world’s most popular computer is really an ARM core bolted onto a four-core GPU that boots off the proprietary blob on the first FAT partition, and then powers up the ARM and loads the OS (Linux, or a barely functional, Ethernet-only Net/FreeBSD at this time). While making some concessions to documenting this master processor, Broadcom claims to have “open sourced” the architecture. However, despite this label, no-one has fully reverse engineered it or produced an open source boot loader. Everything on that platform still counts on the proprietary boot binary blob, and this still holds true even for the just newly released 3B+. This presentation and the corresponding docs by hermanhermitage on GitHub are still the best available documentation about what is going on with that processor and the binary blobs it uses. Let me put a challenge out there. If someone were able to generate an alternative fully open source boot blob, not only would we probably get OpenBSD on this popular platform faster (as opposed to never), but I can offer you a blanket invitation and a free all-expenses-paid trip to any of our conferences in Hong Kong, Tokyo, or Vancouver to tell us about it. Heck, if someone did that, I’d throw in two speaking slots at any two of them to explain it to folks...

Related VC4 Assembler/Disassembler:

http://maazl.de/project/vc4asm/doc/

Another toolset:

https://www.elesoftrom.com.pl/blog/en/vc4-3d-ide-tools.php

The state of open source ARM Graphics:

https://nullr0ute.com/2017/09/the-state-of-open-source-accelerated-graphics-on-arm-devices/

https://youtu.be/eZd0IYJ7J40
tl;dr - you still have to pretty much treat wifi as an open book for clever attackers.

Most, if not all, WiFi access points rekey group keys very often, leading to weak keys from poor random number generators, leading to enabling sniffing and injection. Some are much worse than others.

The solution is to decrease group rekey intervals if possible on your router/AP to very long periods.

echo "wpa_group_rekey=86400" >>/etc/hostapd/hostapd.conf  # append (don't clobber the config); up from the default 600s

https://goo.gl/UjbTiX

Also, most commercial access points are still vulnerable and unpatched for this group key reinstallation problem. (Hint: if the vendor released an update for it in the last few months, which most didn't, and you installed it and updated everything, then OK; otherwise, ruh-roh Shaggy.) I especially love the Android 6.0 problems with all-zero keys; almost every legacy Android device orphaned by manufacturers for updates out there is still open. https://goo.gl/u72fux

(You are still better off nuking multicast and peer to peer broadcast traffic on your over the air nets, and disabling that altogether, regardless of how many "service discovery" protocols you'll break!)

My conclusion: you are more secure with an embedded computer and hostapd for your wifi.
If you have/use any of these Western Digital MyCloud drives, I recommend disconnecting them immediately and transitioning the data on them to another product as soon as possible. Hardwired network backdoor (u: mydlinkBRionyg, p: abc12345cba); no vendor response for six months.

http://goo.gl/9hyREs

A compendium of Windows one liners to download and execute arbitrary remote code. http://goo.gl/bWth1V
<yoda>

underestimate the power of this code signing certificate cloning attack by @mattifestation and CA chain installation, you should not

</yoda>
http://goo.gl/7HEPoH

Remote LD_PRELOAD RCE CGI vuln in the popular embedded small web server GoAhead (Motorola, D-Link, HP...) http://goo.gl/6JC9JD

Kismet development has been proceeding impressively.
It now decodes DJI DroneID over WiFi and has a new capture architecture.
http://goo.gl/zkVPYf

tl;dr All HP laptops have a trivially enablable keylogger built in via “debugging code” in the SynTp.sys Synaptics touchpad driver. Setting one registry setting starts saving all keycodes in WPP “performance profiling” traces.
http://goo.gl/gFx7G6

Updates are available at HP http://goo.gl/CnEcCX or Windows Update. Do update.

Oh, also apply the Windows emergency hotfix for a remote code execution in Defender that was released yesterday and is also being actively exploited. Also do update, ASAP.
http://goo.gl/VKe67H

HP keylogger (zwclose.github.io)

All ur mem r belongs 2 us:

Thunderbolt / native pcie dma attacks.

The little kid in me loves that the Spartan-6 Xilinx FPGA Eval Kit tag line on the box festooned with a wistful engineer looking at arrow-shaped diagrams shooting towards racks of electronics and arrays of antennas is “THE PROGRAMMABLE FOUNDATION FOR TARGETED DESIGN PLATFORMS“, and whichever marketing person fumbling for a pseudo-militaristic jargon phrase to use as a suitably nebulous and non-specific slogan probably had no clue how close to the mark he/she/they was/were going to hit with this particular bit of marketing mumbo-jumbo. Heh....

https://github.com/Cr4sh/s6_pcie_microblaze

Or use the SP605 with an FTDI UMFT601X-B and ufrisk/pcileech.

Breaks past the 4G boundary. Slowly but surely.