Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

APC is a subsidiary of Schneider Electric. They have Smart-UPS (Uninterruptible Power Supply) that provide emergency backup for ICS, server rooms, hospitals and many other things. Finding vulnerabilities in these products could be quite bad for the world.

The reason for the name TLSStorm is that the vulnerabilities originate in the TLS handling. In order to handle the TLS communications, they use nanoSSL. However, by not properly handling the errors from this library, many security issues arise from it.

When doing the initial TLS handshake, there is a ClientHello and a ServerHello message. After this, they exchange cipher suites. However, if the client decides to use a cipher suite that the server does not support then the exchange will fail. According to the documentation of nanoSSL, this should result in the termination of the connection.

In the case of the software using the library, not error checking was done from the function. This saves the TLS master session key as ZERO. Hence, by using TLS resumption, it is possible to convince the server that this is a trusted user, bypassing the certificate validation. Neat!

While reassembling a packet, there is a maximum size that the payload can be (2389). Anything bigger than this and the library will return an error message and not reallocate the buffer. If an attacker sends a packet with a huge length field, the buffer will never get reallocated and it will copy in packet data until that length is reached. Another neat bug!

The final one is that the firmware updates use symmetric encryption in order to keep it from being tampered with. However, an attacker can figure out the key, reencrypt their own package and upload the firmware. Instead, they should be using a digital signature to validate that the firmware is legit.