Monday, December 29, 2003
A really long stupid post about hacking a building badge system |9:50 AM|
This is long and weird, you may want to just skip to the next post.

I came up with an odd idea on how to hack a computer about 2 years ago or so. Images that you view in a compressed form (.jpgs for example) are still decompressed into something like .bmps in the memory of the computer.

Most of the recent security flaws in computers (and of all things, SNTP) have been the result of "buffer overruns". If an application is expecting a string of data between certain sizes, say the name of an employee (2-50 characters), it isn't going to expect to run into anyone with a name greater than 250 characters in length. If the application or the computer has only set aside 250 characters worth of memory for that bit of data, bad things can happen if you put more than that in. If the application doesn't check the length of the info before it "looks" at it (puts it into memory) you can actually overwrite the application itself, the one the computer is keeping in memory, and make the computer run your code. (This is in certain cases only, obviously.)

Not making sense? Alright, say you wrote an application that takes control of a computer, and put it all into one line of text, and at the front of it put a 250 character string of info, then fed it into the application that takes names. It would fill up the 250 character allocation and spill over into the memory of the computer, and your application would then be what the computer is running. (This isn't exactly what's going on, but it gets most of the point across).

Anyhow, that's a buffer overrun. Back to the images. As the computer is processing images, decompressing them from .jpg, what if it ran into an image that had a line of pixels that when decompressed from 8K was now suddenly 1024K? Or larger than that? If it wasn't expecting a gargantuan jump in size, you could fill up the area of memory allocated, and then you could (possibly) take control of a system. As in, I make a file that appears to be a .jpeg image, embed it in an HTML document and send someone a link to said document. The .JPG is actually a pile of code that I want run on the guy's system with a huge fucking line somewhere in there to be decompressed.
I was told by a couple of computer security folks that it wouldn't work like that, but a couple of months later there was a patch by Microsoft to fix a bug JUST like what I'm describing. Dammit, kinda.

Now what the fuck was all that about? Well, while bitching about door security I realized that these magnetic badges must send some tiny bit of info to the sensor. Like, an 8 or 16 character badge ID. The system running it looks at the ID and then lets me into the building (or not).
What if the badge reader got about 10,000 characters? It's only expecting 8. I bet the security software isn't checking to make sure the badge ID is only 8 characters.

The equipment and coding of such a device is well beyond my reach, but certainly not everyone's. It is possible that a person could hack a door or building in this fashion.
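To make the buffer overrun and the badge-ID idea concrete, here is an added example (my own illustration, not code from this post or from any real badge system): the unchecked copy pattern the post describes, next to a check that rejects anything other than an 8-byte ID before it is ever copied. The 8-character badge ID, the reader reporting its own byte count, and the function names are assumptions.

```c
/* Added example, not the post's code. Assumes an 8-character badge ID and a
 * reader that reports how many bytes it actually received. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define BADGE_ID_LEN 8   /* assumed: IDs are exactly 8 printable characters */

/* The defect the post describes: strcpy() stops only at a NUL byte, so a
 * reader that hands this 10,000 bytes writes past the end of id[] on the
 * stack. Shown only for contrast; nothing else here calls it. */
void lookup_badge_unchecked(const char *raw) {
    char id[BADGE_ID_LEN + 1];
    strcpy(id, raw);                       /* no length check */
    /* ... look id up in the access list ... */
}

/* Hardened check: the length comes from the reader's byte count, never from
 * strlen() on possibly unterminated data, and is validated BEFORE anything
 * is copied. Returns 1 only for exactly BADGE_ID_LEN printable ASCII bytes. */
int badge_id_ok(const char *raw, size_t raw_len) {
    if (raw == NULL || raw_len != BADGE_ID_LEN) return 0;
    for (size_t i = 0; i < raw_len; i++) {
        unsigned char c = (unsigned char)raw[i];
        if (c < 0x20 || c > 0x7e) return 0;  /* control or non-ASCII bytes */
    }
    return 1;
}

/* Bounded copy into a caller-supplied buffer of BADGE_ID_LEN + 1 bytes.
 * Returns 1 and NUL-terminates out on success, 0 (out untouched) otherwise. */
int read_badge_id(const char *raw, size_t raw_len, char *out) {
    if (out == NULL || !badge_id_ok(raw, raw_len)) return 0;
    memcpy(out, raw, BADGE_ID_LEN);
    out[BADGE_ID_LEN] = '\0';
    return 1;
}

/* Pushes n bytes of 'A' (e.g. the post's 10,000) through the hardened check.
 * Returns badge_id_ok()'s verdict, or -1 if the test buffer could not be made. */
int check_oversized_frame(size_t n) {
    char *frame = malloc(n);
    if (frame == NULL) return -1;
    memset(frame, 'A', n);
    int ok = badge_id_ok(frame, n);
    free(frame);
    return ok;
}
```

The point for a defender is the order of operations: the length check happens on the raw byte count before any copy, so an oversized frame is dropped at the door rather than written into a fixed-size buffer.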
