Tesla is a high-end and highly technical car brand. Vulnerabilities in a Tesla could potentially lead to stolen property or control over the driving of the car.
All Teslas come with a hardcoded WiFi SSID that can be connected to. Other researchers had discovered a hardcoded password, which allows anybody to join this WiFi network. This is a vulnerability by itself, but here it simply makes the rest of the research possible.
While reversing the Tesla's firmware, they found an open source library called Connman in use. This component is a lightweight DHCP server and client with a DNS forwarder. Because the parsing in this small module looked poor, they wrote an AFL harness and quickly found several bugs in it.
Within the forwarding functionality they got a crash in the uncompress function, which resolves backreferences to previously seen strings of characters in order to build the new one. This function contains a fixed-size memcpy that does NOT check the actual size of the destination buffer. Passing it a very small buffer resulted in a stack-based buffer overflow.
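To make the two points above concrete (a fuzz harness around a small parser, and a fixed-size copy that ignores the destination's room), here is an added example that is not ConnMan's code and not from the original write-up. It decodes a simplified DNS-style compressed name (labels as `[len][bytes]`, pointers as `0xC0|offset`) in the hardened way a reviewer would want: every read from the message and every write into the output buffer is bounds-checked, pointers must point backwards, and hops are capped. The unchecked copy, the sample message, `MAX_HOPS`, and the `LLVMFuzzerTestOneInput` harness shape are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cap on compression-pointer hops per name; defeats pointer loops (assumed value). */
#define MAX_HOPS 16

/* Vulnerable shape (constructed for illustration): the label length comes straight
 * from the packet and is the memcpy size, with no check against the space left in
 * 'out'.  A short destination buffer is all it takes to overflow it. */
void copy_label_unchecked(char *out, size_t *pos, const uint8_t *label, size_t len)
{
    memcpy(out + *pos, label, len);   /* writes past 'out' if len > room left */
    *pos += len;
}

/* Hardened decoder.  Returns the length of the dotted name written to 'out'
 * (NUL-terminated) or -1 on malformed input or insufficient output space. */
int decompress_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len)
{
    size_t pos = 0;
    int hops = 0;

    if (out_len == 0)
        return -1;

    for (;;) {
        if (off >= msg_len)
            return -1;                           /* label header past end of message */
        uint8_t c = msg[off];

        if ((c & 0xC0) == 0xC0) {                /* compression pointer (2 bytes) */
            if (off + 1 >= msg_len)
                return -1;
            size_t target = ((c & 0x3F) << 8) | msg[off + 1];
            if (target >= off)                   /* forward or self pointer: refuse */
                return -1;
            if (++hops > MAX_HOPS)
                return -1;
            off = target;
            continue;
        }
        if (c & 0xC0)
            return -1;                           /* 0x40/0x80 label types unsupported */
        if (c == 0)
            break;                               /* root label: end of name */

        size_t len = c;
        if (off + 1 + len > msg_len)
            return -1;                           /* label body past end of message */
        /* room for a separator (after the first label), the label, and the NUL */
        size_t need = (pos ? 1 : 0) + len + 1;
        if (need > out_len - pos)
            return -1;                           /* would overflow 'out' */
        if (pos)
            out[pos++] = '.';
        memcpy(out + pos, msg + off + 1, len);   /* bounded by the check above */
        pos += len;
        off += 1 + len;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Constructed sample message: "www.example.com" at offset 0, "mail" + pointer to
 * offset 4 at offset 17, and a self-referencing pointer at offset 24. */
static const uint8_t sample_msg[] = {
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    4, 'm', 'a', 'i', 'l', 0xC0, 0x04,
    0xC0, 0x18,
};

int decode_sample(size_t off, char *out, size_t out_len)
{
    return decompress_name(sample_msg, sizeof sample_msg, off, out, out_len);
}

/* Harness shape for a coverage-guided fuzzer (libFuzzer entry point, which AFL++
 * can also drive): feed raw bytes to the parser with a deliberately small output
 * buffer so any missing bound shows up as a crash under ASan. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char out[32];
    (void)decompress_name(data, size, 0, out, sizeof out);
    return 0;
}

int main(void)
{
    char name[64];
    size_t offs[] = {0, 17, 24};
    for (size_t i = 0; i < 3; i++) {
        int n = decode_sample(offs[i], name, sizeof name);
        printf("offset %zu -> %d %s\n", offs[i], n, n < 0 ? "(rejected)" : name);
    }
    return 0;
}
```

Note that the hardened decoder refuses forward and self pointers outright; that single check removes the pointer-loop class of bugs without needing the hop counter, which is kept only as defence in depth.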
But what about stack canaries!? Exploitation came to a halt because the binary contained stack canaries. There are three options for bypassing a stack canary: brute force it, leak it, or jump over it. It turned out that option 3 (jump over it) was the way to go.
The parsing in this function loops over a set of strings. When it finds a string, it uses the string length (calculated by strlen) to advance the pointer to the next string. By overflowing directly in front of the canary, the program can be tricked into continually iterating past the expected buffer and jumping over the stack canary!
By jumping over the stack canary, the return address can be overwritten! This was a super awesome trick that was particular to this situation but worked quite well. Now we have code execution... but what about ASLR?
To break ASLR, a leak was required. This was done by targeting the DHCP implementation. By sending a DHCP packet with no option data, a code path was found that assumed the options had been filled out. When this information was eventually sent back, it contained uninitialized memory, leaking library addresses and stack addresses.
To make this bug more powerful: the length of the domain being offered changes which stack address is viewed! By adjusting this padding, different parts of the stack can be read in order to leak the necessary locations.
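The DHCP leak above is the uninitialized-memory pattern: a struct is filled in only when an option is present, but the reply copies its fields regardless. The following added example (not ConnMan's code, not from the write-up) shows that shape beside a hardened parser that zeroes the struct, bounds-checks each option, and records presence explicitly so the reply builder can omit what was never received. The option-15 (domain name) focus, the constructed packets, and the helper names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD      0
#define DHCP_OPT_DOMAIN  15
#define DHCP_OPT_END    255

struct dhcp_opts {
    char    domain[64];
    uint8_t has_domain;   /* set only when option 15 was actually present */
};

/* Vulnerable shape (constructed for illustration): the caller's struct was never
 * zeroed, and the reply copies the full fixed-size field whether or not the
 * request carried a domain option.  With no options in the request, the reply
 * carries whatever stale stack bytes sat in 'o->domain'. */
size_t build_reply_leaky(const struct dhcp_opts *o, uint8_t *out)
{
    out[0] = DHCP_OPT_DOMAIN;
    out[1] = sizeof o->domain;                 /* fixed size, no presence check */
    memcpy(out + 2, o->domain, sizeof o->domain);
    return 2 + sizeof o->domain;
}

/* Hardened parser over the option area (magic cookie followed by TLVs).
 * Returns 0 on success, -1 on malformed input.  The struct is always zeroed
 * first, so no stale bytes survive even on the error path. */
int parse_dhcp_options(const uint8_t *pkt, size_t len, struct dhcp_opts *o)
{
    static const uint8_t cookie[4] = {99, 130, 83, 99};
    memset(o, 0, sizeof *o);
    if (len < sizeof cookie || memcmp(pkt, cookie, sizeof cookie) != 0)
        return -1;

    size_t i = sizeof cookie;
    while (i < len) {
        uint8_t code = pkt[i++];
        if (code == DHCP_OPT_END)
            return 0;
        if (code == DHCP_OPT_PAD)
            continue;
        if (i >= len)
            return -1;                         /* length byte missing */
        uint8_t olen = pkt[i++];
        if (olen > len - i)
            return -1;                         /* value runs past the packet */
        if (code == DHCP_OPT_DOMAIN) {
            if (olen >= sizeof o->domain)
                return -1;                     /* leave room for the NUL */
            memcpy(o->domain, pkt + i, olen);
            o->domain[olen] = '\0';
            o->has_domain = 1;
        }
        i += olen;
    }
    return -1;                                 /* no END option: malformed */
}

/* Hardened reply builder: emits the domain option only if it was received, and
 * copies exactly the received length.  Returns bytes written, 0 if omitted,
 * -1 if 'out' is too small. */
int build_reply_domain(const struct dhcp_opts *o, uint8_t *out, size_t out_len)
{
    if (!o->has_domain)
        return 0;
    size_t n = strlen(o->domain);
    if (out_len < 2 + n)
        return -1;
    out[0] = DHCP_OPT_DOMAIN;
    out[1] = (uint8_t)n;
    memcpy(out + 2, o->domain, n);
    return (int)(2 + n);
}

/* Parse a request and build the domain part of the reply in one step. */
int domain_reply_len(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_len)
{
    struct dhcp_opts o;
    if (parse_dhcp_options(req, req_len, &o) < 0)
        return -1;
    return build_reply_domain(&o, out, out_len);
}

/* Constructed sample requests. */
static const uint8_t req_with_domain[] = {
    99, 130, 83, 99, 53, 1, 1,
    15, 11, 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'l', 'a', 'n', 255,
};
static const uint8_t req_no_options[] = {99, 130, 83, 99, 255};
static const uint8_t req_truncated[]  = {99, 130, 83, 99, 15, 40, 'a', 'b'};

int main(void)
{
    uint8_t out[80];
    printf("with domain: %d bytes\n", domain_reply_len(req_with_domain, sizeof req_with_domain, out, sizeof out));
    printf("no options:  %d bytes\n", domain_reply_len(req_no_options, sizeof req_no_options, out, sizeof out));
    printf("truncated:   %d\n", domain_reply_len(req_truncated, sizeof req_truncated, out, sizeof out));
    return 0;
}
```

The two defensive moves that matter here are independent: zeroing the struct removes the leak even if a presence check is forgotten somewhere, and the presence flag stops the reply from echoing fields that the request never supplied.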
The full exploit chains the two bugs above to build a ROP chain. This ROP chain marks part of the stack as executable with mprotect, then executes some small shellcode. This shellcode loads the second-stage shellcode into a heap buffer and executes it.
The exploit is delivered from a drone, because an attacker needs to be near the car in order to attack it. Damn, using a drone to control a Tesla is pretty amazing!
The author includes a few pointers at the end:
- Automotive research is possible without the actual hardware, use emulation!
- Stack overflows are still a problem despite the mitigations.
- Understand the bugs you fuzzed. Otherwise, you will miss some amazing gems.
- Infotainment systems have become similar to desktop systems.