Pwn2Own is a prestigious hacking competition for various devices. This entry was for the Synology TC500 camera running ARM 32-bit. The authors found a format string vulnerability in a custom print_debug_msg function that was passing inputs into vsnprintf.
Since the format string was in a debug log, it was blind. Additionally, ASLR, NX, Full RELRO, and PIE were all enabled on this device. On top of this, the payload was restricted to 128 bytes and could not contain null bytes or characters lower than 0x1F.
Format string vulnerabilities are ridiculously powerful. The specifiers allow reading and writing arbitrary spots in memory if you know what you're doing. Initially, they used the vulnerability to move a pointer to a looping variable somewhere else on the stack via a single-byte write to the pointer. This variable was then written to with their input. In practice, they could edit the location some data was going to be written to with relative bytes, giving an effective relative out-of-bounds write primitive.
Once they had an arbitrary write on the stack, they needed to build a ROP chain. In the vulnerable function, they used the unused stack space. Using the format string specifier %*X$c, it's possible to read a value on the stack from a specific offset. This value is then stored in an internal character counter. Using %Y$c will increase the count further by a value they control. Since the first value can come from the stack and they control the second one, they can effectively bypass ASLR and PIE!
Once the values are set, %Z$n can be used to write the value onto the stack. Using this over and over again gave them a solid ROP chain to eventually call system(). To hijack the control flow, the same relative write trick could be used to overwrite the return address on the stack to point to the ROP chain.
Modern binary protections are not enough for security against capable folks like the ones at Synacktiv. This is an awesome post on their exploit path. It's sad that this was patched before the competition :(
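For the defensive side of the bug class described above, here is an added example (not code from this page, Synacktiv or Synology) showing a debug logger in the same shape with the hardened call pattern, plus a scanner that flags positional and %n directives in untrusted strings. The names debug_msg, log_untrusted and scan_format_directives and the sample input are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a print_debug_msg()-style wrapper. The format
 * attribute lets GCC/Clang (-Wformat-security) flag non-literal formats. */
__attribute__((format(printf, 3, 4)))
static int debug_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable call shape (not executed here): debug_msg(out, n, untrusted);
 * Hardened call shape: untrusted bytes are data, never the format. */
static int log_untrusted(char *out, size_t n, const char *untrusted)
{
    return debug_msg(out, n, "%s", untrusted);
}

/* Bitmask returned by the scanner below. */
enum { FMT_ANY = 1, FMT_POSITIONAL = 2, FMT_WRITE = 4 };

static int scan_format_directives(const char *s)
{
    int flags = 0;
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }      /* literal percent */
        if (*p) flags |= FMT_ANY;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #'0123456789.*$hlLqjzt", *p)) {
            if (*p == '$') flags |= FMT_POSITIONAL;   /* N$ or *N$ */
            p++;
        }
        if (*p == 'n') flags |= FMT_WRITE;     /* %n family writes memory */
    }
    return flags;
}

int main(void)
{
    char out[64];
    const char *in = "%*5$c%7$n";              /* constructed sample input */
    log_untrusted(out, sizeof out, in);
    printf("logged=%s flags=%d\n", out, scan_format_directives(in));
    return 0;
}
```

With the hardened call the specifiers are logged verbatim, and the scanner result can feed an alert or a reject rule on fields that should never contain format directives.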