Presented at
Black Hat Asia 2021 Virtual,
May 6, 2021, 2:20 p.m.
(40 minutes)
<div><span>You probably know this movie scene where the hacker of the group remotely disables the alarm before the other guys break in to execute a perfectly planned heist? Great, so this presentation is about how you do it in real life!<br><br></span></div><div><span><br></span></div><div><span>In this talk, we'll present two remote code execution vulnerabilities (CVE-2020-25189 and CVE-2020-25185) which we found in a popular physical security system by Paradox. We'll start by explaining the ecosystem of a modern physical security system - the different components, sensors, and protocols involved. Then we'll focus on how we found these RCEs, going over the stages of the process such as firmware acquisition, decryption and reverse engineering of the embedded bare-metal firmware. We'll be diving into the various difficulties of exploiting this specific firmware, which runs exclusively on a cheap STM32 processor and plain LwIP network stack, no operating system or RTOS whatsoever. We'll explain the details of the ROP-chain used to overcome limited charset and show how our shellcode manipulates the device's internal VFS in order to communicate back before disarming the device. Finally, we'll present a demo of the exploit.</span></div>
Presenters:
-
Omri Ben-Bassat
- Security Researcher,
as Omri Ben Bassat
Omri Ben-Bassat is a Malware Analyst and Reverse Engineer with vast experience in dealing with Nation-sponsored cyber attacks as an ex-officer at the IDF's CERT. Omri is currently doing IoT vulnerability research for IoT.
Links:
Similar Presentations: