156 - Pwning Scoreboards, uClibC, and PS5 Exploitation
The core issue is the use of the MAP_FIXED flag with mmap. For every thread it creates, pthread_allocate_stack maps a new STACK_SIZE memory segment at a fixed address, calculated relative to THREAD_STACK_START_ADDRESS and the number of threads already allocated. The problem is that MAP_FIXED means that if the requested address range overlaps a region that is already mapped, the overlapped region is silently unmapped and handed over to the new call, potentially corrupting libraries with stack data.
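To make that MAP_FIXED behaviour concrete, here is an added C example (not code from the podcast or from uClibc) that maps a constructed "library" region, then tries to place a thread stack on top of it once with MAP_FIXED and once with MAP_FIXED_NOREPLACE plus an address check; the region sizes, sentinel byte and function names are assumptions for the demo.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/mman.h>

/* Older headers lack this flag; the value matches the Linux uapi definition. */
#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000
#endif
#define LIB_SIZE   (256 * 1024)  /* constructed "library" region */
#define STACK_SIZE (128 * 1024)  /* constructed thread stack size */
#define SENTINEL   0x5a

/* Stand-in for already-mapped library data, filled with a known byte pattern. */
static unsigned char *map_library_region(void) {
    void *p = mmap(NULL, LIB_SIZE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    return memset(p, SENTINEL, LIB_SIZE);
}
/* 1 if the upper half of the library region (where the stack lands) is intact. */
static int region_intact(const unsigned char *lib) {
    for (size_t i = STACK_SIZE; i < LIB_SIZE; i++) if (lib[i] != SENTINEL) return 0;
    return 1;
}
/* Vulnerable pattern (the uClibc bug): MAP_FIXED silently drops any existing
   mapping in the range. Returns 1 if the library data was clobbered. */
int demo_fixed_clobbers(void) {
    unsigned char *lib = map_library_region();
    if (!lib) return -1;
    void *stack = mmap(lib + STACK_SIZE, STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    int clobbered = stack != MAP_FAILED && !region_intact(lib);
    munmap(lib, LIB_SIZE);  /* the new stack mapping lies inside this range */
    return clobbered;
}

/* Hardened pattern: MAP_FIXED_NOREPLACE fails with EEXIST on overlap; kernels
   before 4.17 ignore it and treat addr as a hint, so the address is checked too.
   Returns 1 if the overlap was refused and the library data survived. */
int demo_noreplace_refuses(void) {
    unsigned char *lib = map_library_region();
    if (!lib) return -1;
    void *want = lib + STACK_SIZE;
    void *stack = mmap(want, STACK_SIZE, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (stack != MAP_FAILED && stack != want) munmap(stack, STACK_SIZE);
    int refused = (stack == MAP_FAILED || stack != want) && region_intact(lib);
    munmap(lib, LIB_SIZE);
    return refused;
}
```

The address comparison is what makes the hardened version safe even where the flag is unknown to the kernel: a hint that was not honoured is unmapped again instead of being used as a stack.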
Great series of posts covering the author's research progress and eventual owning of a wireless scoreboard system. Unlike a lot of the attacks we cover, this one had more of a hardware and even radio-signal focus. What is most interesting is the inclusion of the dead ends and the thought process involved. Eventually the author manages to sniff the (rather simple) AES key by man-in-the-middling the communication bus, but several other ideas were explored first. While those did not work, they were educational.
The third post dives into figuring out the actual radio signal being sent, breaking the state of the LFSR RNG used for "data whitening" by brute force, and talks about some interesting possible attacks that could have been pulled off now that they had recovered the encryption key and could maliciously communicate with the scoreboard.