sigpwny / 2023-ectf-uiuc
UIUC's Rust PARED implementation for MITRE eCTF 2023
License: Apache License 2.0
Vulnerability in current protocol: an attacker can just send the same signed feature consecutively three times to the car to have it show all three feature flags.
Related vulnerability: an attacker could send features from the fob to the car out of order to have it send the flags for other feature indices. The interpretation of MSG_FEAT_#, where # is the number of active valid features, is also how the insecure example does this, but obviously they have zero validation.
TLDR: FEAT_# in protocol does NOT correspond to MSG_FEAT_#.
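The two issues above share one root cause: the car decides which feature a message enables by counting how many feature messages it has received, instead of reading the feature index out of the authenticated payload. The following Python sketch is an added illustration of the car-side check that closes both gaps; it is not the project's Rust firmware. The wire format (car_id, feature_index, HMAC-SHA256 tag), the packing helper and the demo key are assumptions made for the example. The feature index is bound inside the signed bytes, so it cannot be reinterpreted by reordering, and a per-feature bitmask means a replayed packet neither enables a second feature nor advances any counter.

```python
import hmac
import hashlib
import struct

# Constructed demo key. A real build would provision a per-car secret at package time.
DEMO_CAR_KEY = b"\x11" * 32

# Hypothetical wire format (not the project's own):
#   car_id (u32, big-endian) | feature_index (u8) | tag (HMAC-SHA256 over the 5 header bytes)
HEADER = struct.Struct(">IB")
TAG_LEN = 32
NUM_FEATURES = 3


def make_feature_packet(key: bytes, car_id: int, feature_index: int) -> bytes:
    """Host-side packaging (constructed for the demo): the car id and the
    feature index are signed together, so neither can be altered in transit."""
    body = HEADER.pack(car_id, feature_index)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Car:
    """Minimal car-side state: which feature indices have been enabled."""

    def __init__(self, car_id: int, key: bytes) -> None:
        self.car_id = car_id
        self.key = key
        self.enabled = 0  # bitmask, bit (i-1) set when feature i is active

    def handle_feature_packet(self, packet: bytes) -> bool:
        """Return True only if the packet newly enables a feature on this car."""
        if len(packet) != HEADER.size + TAG_LEN:
            return False
        body, tag = packet[:HEADER.size], packet[HEADER.size:]
        # Authenticate before parsing anything out of the body.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        car_id, feature_index = HEADER.unpack(body)
        if car_id != self.car_id:
            return False  # packaged for a different car
        if not 1 <= feature_index <= NUM_FEATURES:
            return False
        bit = 1 << (feature_index - 1)
        if self.enabled & bit:
            return False  # replay of an already-enabled feature: no new state
        # The index comes from the signed payload, never from a message count.
        self.enabled |= bit
        return True

    def active_features(self) -> list[int]:
        return [i for i in range(1, NUM_FEATURES + 1) if self.enabled & (1 << (i - 1))]


def demo() -> tuple[list[bool], bool, list[int]]:
    """Replay feature 1 three times, then deliver feature 3 before feature 2."""
    car = Car(car_id=1, key=DEMO_CAR_KEY)
    pkt_feat1 = make_feature_packet(DEMO_CAR_KEY, car_id=1, feature_index=1)
    pkt_feat3 = make_feature_packet(DEMO_CAR_KEY, car_id=1, feature_index=3)
    replay_results = [car.handle_feature_packet(pkt_feat1) for _ in range(3)]
    out_of_order_ok = car.handle_feature_packet(pkt_feat3)
    return replay_results, out_of_order_ok, car.active_features()


if __name__ == "__main__":
    print(demo())
```

With this check, three copies of the feature-1 packet leave exactly feature 1 enabled, and a feature-3 packet arriving before feature 2 enables feature 3 rather than whichever slot the car happens to count next.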
Testing complete. If no error messages show, you may be ready to submit for Handoff.
[12:02:24] SUCCESS [Logger] PASS Substep: Remove Existing Design
[12:02:25] SUCCESS [Logger] PASS Substep: Clone New Design
([email protected]:sigpwny/2023-ectf-sigpwny.git, v1.1)
[12:02:25] SUCCESS [Logger] PASS Substep: Fetch LFS Files
[12:02:25] SUCCESS [Logger] PASS Step: CloneDesign
[12:02:26] SUCCESS [Logger] PASS Substep: Kill Docker Containers
[12:02:26] SUCCESS [Logger] PASS Substep: Remove Docker Containers
[12:02:28] SUCCESS [Logger] PASS Substep: Remove Docker Image
[12:08:05] SUCCESS [Logger] PASS Substep: Build Environment
[12:08:07] SUCCESS [Logger] PASS Substep: Build Tools
[12:08:08] SUCCESS [Logger] PASS Substep: Build Deployment
[12:08:11] SUCCESS [Logger] PASS Substep: Build Unpaired Fob
[12:08:16] SUCCESS [Logger] PASS Substep: Build Car Fob Pair 1
[12:08:22] SUCCESS [Logger] PASS Substep: Build Car Fob Pair 2
[12:08:23] SUCCESS [Logger] PASS Substep: Package Feature 1 for Car 1
[12:08:24] SUCCESS [Logger] PASS Substep: Package Feature 2 for Car 1
[12:08:25] SUCCESS [Logger] PASS Substep: Package Feature 1 for Car 2
[12:08:27] SUCCESS [Logger] PASS Substep: Package Feature 2 for Car 2
[12:08:27] SUCCESS [Logger] PASS Substep: Protect car1 Image
[12:08:27] SUCCESS [Logger] PASS Substep: Protect car2 Image
[12:08:27] SUCCESS [Logger] PASS Substep: Protect fob1 Image
[12:08:27] SUCCESS [Logger] PASS Substep: Protect fob2 Image
[12:08:27] SUCCESS [Logger] PASS Substep: Protect fob0 Image
[12:08:27] SUCCESS [Logger] PASS Substep: Kill Docker Containers
[12:08:29] SUCCESS [Logger] PASS Substep: Remove Docker Containers
[12:08:29] SUCCESS [Logger] PASS Step: BuildSystem
[12:08:29] SUCCESS [Logger] PASS Substep: Reset Devices
[12:08:30] SUCCESS [Logger] PASS Substep: Initiate car1_protected Device
Firmware Update
[12:09:01] SUCCESS [Logger] PASS Substep: Load car1_protected Device
[12:09:03] SUCCESS [Logger] PASS Substep: Reset car1_protected Device
[12:09:04] SUCCESS [Logger] PASS Substep: Initiate fob1_protected Device
Firmware Update
[12:09:35] SUCCESS [Logger] PASS Substep: Load fob1_protected Device
[12:09:37] SUCCESS [Logger] PASS Substep: Reset fob1_protected Device
[12:09:37] SUCCESS [Logger] PASS Substep: Start Car Bridge
[12:09:37] SUCCESS [Logger] PASS Substep: Start Fob Bridge
[12:09:48] ERROR [UnlockCar] FAIL Substep: Enable Feature 1
[12:09:48] ERROR [UnlockCar] FAIL Step: UnlockCar
[12:09:48] ERROR [JeffFlow] Substep timed out: Enable Feature 1
[12:09:48] ERROR [JeffFlow] Verification Flow Failed
Bytecode not generated at build time in fob_stuff. Possible band-aid test?
If the PIN is incorrect, the paired fob sends a PAIR_RST. The unpaired fob is supposed to address this and return to main loop.