Attacks
Disable Tripping Capability
Using a custom tooling you can map out the memory ranges the sel device is using. I have charted the ranges below:
Memory Range | Description |
|---|---|
10000000-11F00000 | Main memory space |
20000000-20EFFF80 | Shared memory |
40000000-40001FFF | Shared memory |
50000000-50000F00 | Shared memory |
Using a bulk memory writer, you can write to the user memory range and disable the tripping capability of the sel device and its ability to send alerts.
The underlying concept is to write a large amount of data to the memory address that contains the tripping capability. This will overwrite the existing data and disable the tripping functionality.
The issues is finding where the tripping capability is located. This can be accomplished by using a bulk memory dumper to dump the memory ranges and then searching for it. I was unable to find the exact location of the tripping capability but I was able to disable it by writing a large amount of data to the start of the user memory range. With more time and effort the exact location could be found.
Disable Code
Website Manipulation
Using a similar method as above you can manipulate the website that the sel device hosts. The sel device has a web server that hosts a website that allows you to view the status of the device and configure it. By writing to the memory range that contains the website you can change the content of the website.
One way to cause damage is to add a malicious script to the website that will execute when a user visits the site. This can be accomplished by writing a script tag to the memory range that contains the website. Somehting like beef.
again this attack is undetacable with normal checking procudure