
emillon|10 years ago

That is my opinion too, but I would go even further and say that this change could have been made on the compiled binary.

This kind of statement must take 10-15 bytes max to patch and the build boxes are typically less safe than source control systems.


revelation|10 years ago

If you look at the disassembly in the link, the backdoor was inserted smack in the middle of the authentication function, which caused jump labels further down to change.

This is all trivial for a compiler to adjust, but it's not what someone manually tampering with the binary would do.
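The two comments above disagree on the shape a manual binary patch would take: a handful of bytes overwritten in place, versus an insertion that shifts every later offset. The following Python, added here and not part of the thread, compares two images and classifies the difference that way; the images are constructed byte strings, not real firmware, and the 16-byte threshold is an assumption.

```python
"""Classify the difference between two firmware images as a small in-place
patch, a larger same-size rewrite, or an insertion/deletion that shifts
everything after it. Added example; the sample images below are constructed."""


def classify_diff(original: bytes, modified: bytes, patch_limit: int = 16) -> dict:
    """Describe the single contiguous region where two blobs differ.

    Returns a dict with the kind of change, the offset where it starts, and
    how many bytes were removed from the original and added in the modified
    copy. A single changed region is assumed; scattered edits collapse into
    one span covering all of them.
    """
    limit = min(len(original), len(modified))
    # Longest common prefix: bytes before the change are untouched.
    prefix = 0
    while prefix < limit and original[prefix] == modified[prefix]:
        prefix += 1
    # Longest common suffix that does not overlap the prefix region.
    suffix = 0
    while (suffix < limit - prefix
           and original[-1 - suffix] == modified[-1 - suffix]):
        suffix += 1
    removed = len(original) - prefix - suffix
    added = len(modified) - prefix - suffix
    if removed == 0 and added == 0:
        kind = "identical"
    elif removed == added and added <= patch_limit:
        kind = "in-place patch"      # few bytes overwritten, nothing shifted
    elif removed == added:
        kind = "in-place rewrite"    # same size, but too large to be a quick edit
    elif added > removed:
        kind = "insertion"           # later code moves; jump targets must be fixed
    else:
        kind = "deletion"
    return {"kind": kind, "offset": prefix, "removed": removed, "added": added}


# Constructed sample: a 64-byte "function" and two tampered copies of it.
ORIGINAL = bytes(range(64))
PATCHED = ORIGINAL[:20] + b"\x90\x90\x90" + ORIGINAL[23:]        # 3 bytes overwritten
INSERTED = ORIGINAL[:32] + bytes([0xAA] * 12) + ORIGINAL[32:]     # 12 bytes inserted

if __name__ == "__main__":
    for name, image in (("patched", PATCHED), ("inserted", INSERTED)):
        print(name, classify_diff(ORIGINAL, image))
```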

Deregibus|10 years ago

In addition, AFAIK this affects both the ARM and x86 firmware, so a patched binary would imply two separate modifications. Though that would still leave open the possibility that the toolchain was exploited before compilation occurred.

emillon|10 years ago

This is correct, I missed this!

xorcist|10 years ago

Why would you choose that particular password if you patched the binary? That particular string would stick out in a binary; it certainly looks more like source code.

emillon|10 years ago

That's assuming that this particular string was already present somewhere in the binary. Since it is only present as a reference, you would not see the string in a binary patch.

Deregibus|10 years ago

It would have been something that already existed in the string table for the binary, so you would have just been referencing an address and not inserting a string inline.