Comments on: JTAG attacks and PR submarines

By: jk

jk — Mon, 18 Aug 2008 13:04:05 +0000

Have a look at http://www.jtagtest.com/ ; it might be quite useful for reverse engineering. They also have a large pinouts database at http://www.jtagtest.com/pinouts/

By: JooGuan

JooGuan — Thu, 14 Jun 2007 06:00:01 +0000

This talk had been presented in SyScan’06 in Singapore (http://www.syscan.org/syscan06/index.html), the same time when Joanna Rutkowska first presented her “Blue Pill” – Subverting Vista Kernel for Fun and Profit. This JTAG attacks didn’t create much attention in that conference, one of the reasons probably was everyone were focusing on “Blue Pill”.

Anyway, IMO, Jack had successfully get people’s attention to look into other possible attack vector. He deserves the credits.

By: Nate Lawson

Nate Lawson — Fri, 04 May 2007 22:35:28 +0000

ivan, thanks for the analysis. I’ve posted a followup, comparing the two news articles and how they differ so much. The reporter can’t be blamed since it’s clear he could get it right when given the right information.

http://rdist.root.org/2007/05/04/second-try-gets-it-right/

By: ivan

ivan — Fri, 04 May 2007 02:46:43 +0000

Hm ok, now that the mist cleared up a bit: Barnaby’s talk was awesome, he _DID_ the work from the bottom up, describing and explaining JTAG, how to identify the interface, build hw to use it, how to debug using it with gdb, then found a hole in the firmware of an ARM-based DSL/wireless router, wrote the exploit and had it deliver a payload that intercepts and injects _in-transit_ a malicious executable into a binary being downloaded. The demo of the later part did not work but it was clear beyond any reasonable doubt that this presentation was not FUD. As for the new class of attack… it is not (but that doesn’t matter anyway, it was incredibly good work). What was mentioned as a new class of attack basically revolved around exploitable NULL pointer de-references and example of which (and which i presume to be quite common in many code portions) was shown with a code snippet using a malloc wrapper that returns NULL on error (ie. out of memory) and then with the callee wrongly using the returned pointer to write to where it points to. If the underlying OS has memory page zero actually mapped the bug becomes an exploitable bug and can be exploited very reliably if at page zero the OS happens to place the IDT (which is the case with the firmware of the ARM-based device that Barnaby demo’ed).

However this is not a new type of attack as some very clever fellows demonstrated in 1994:
http://packetstorm.linuxsecurity.com/poisonpen/8lgm/ptchown.c

Mr. Anonymous: I doubt Nate would have any problems understanding the technical details of the alleged ‘new class of attack’, he just made the wrong assumptions based on somebody else’s description of what Barnaby Jack’s talk was about.

By: newsham

newsham — Thu, 26 Apr 2007 20:56:43 +0000

I’ve had lots of conversations about this with lots of people. Most people saying Nate was dead wrong. I don’t agree completely.
– press gets it wrong, often because of press releases. Dead on.
– barnaby jack was complicit and is peddling fud. Completely off.

Lots of good discussions coming out of this, but also I think a lot of people think an apology is due. I would agree.

Congrats on the talk, Mr Jack.

By: Heh

Heh — Mon, 23 Apr 2007 19:35:16 +0000

Open mouth, insert foot.