Can you still trust your network card? - Agence nationale de la ...

More documents

Recommendations

Info

The vulnerability Crash analysis Proof of concept code injection (1/2) On this particular NIC and firmware version, an attacker is able to perform arbitrary code execution: Initial jump ◮ an attacker can overwrite a return address in the stack; ◮ she can find a stable (for a firmware version) memory address for username; ◮ she can put exploit code in username and jump there. Stage 1 ◮ username is 255 chars (minus padding), not much instructions; ◮ but the attacker has access to network buffers; ◮ she can put code in a previously sent packet and jump there. SGDSN/ANSSI – http://www.ssi.gouv.fr/trustnetworkcard 38/51
The vulnerability Crash analysis Exploit and stage 1 0x1c000 0x1befc 0x14940 0x1bfc4 Stack nop nop nop nop addiu $1,$1, 1 Username Heap SGDSN/ANSSI – http://www.ssi.gouv.fr/trustnetworkcard 39/51
Page 1 and 2: Can you still trust your network ca
Page 3 and 4: Impacts on security If an attacker
Page 5 and 6: What won’t be described today Thi
Page 7 and 8: Network interface controller The Ne
Page 9 and 10: Network interface controller The Ne
Page 11 and 12: Remote administration protocols ASF
Page 17 and 18: Remote administration protocols RMC
Page 19 and 20: Remote administration protocols RMC
Page 21 and 22: Remote administration protocols Sum
Page 23 and 24: Protocol analysis Protocol security
Page 25 and 26: Protocol analysis Implementation pr
Page 27 and 28: The vulnerability Instrumenting the
Page 37: The vulnerability Crash analysis Ch
Page 41 and 42: The vulnerability Crash analysis St
Page 43 and 44: Real impact What can be done in the
Page 45 and 46: Real impact Controlling the host Us
Page 47 and 48: Real impact Controlling the host De
Page 49 and 50: Real impact Controlling the host Co
Page 51: Real impact Controlling the host Qu

Can you still trust your network card? - Agence nationale de la ...

Create successful ePaper yourself

Delete template?

Save as template?