firmware-analysis-toolkit icon indicating copy to clipboard operation
firmware-analysis-toolkit copied to clipboard

Published 20 hours ago verified publisher icon attify

Clear-text password in script

Open alessandroZelli opened this issue 6 years ago • 3 comments

Both fat.py and reset.py require us to set a clear text password in the source code. Is there a workaround for that?

alessandroZelli avatar Mar 01 '19 09:03 alessandroZelli

Ideally, this tool should be run in a Virtual Machine so that specifying the password is not an issue. If not you can use an older version which asks for the password every-time rather than automating it.

https://github.com/attify/firmware-analysis-toolkit/tree/dc64ccfeba8c549cd78c67c806472f956f221720

extremecoders-re avatar Mar 01 '19 09:03 extremecoders-re

Ok, will do that. I'll try to come up with a secure way to run it on a main OS as soon as I have some time.

Is the required password a "sudoer" password or the proper root password? In the former case it should be possible to run the firmware analysis toolkit with a dedicated account.

alessandroZelli avatar Mar 01 '19 10:03 alessandroZelli

The sudoers password.

However the reason for recommending a VM is not just this. During emulation the script will set up a TAP interface for the emulated firmware image. So it does happen sometime that due to some error or otherwise this interface is not removed after emulation is done. In that case you'll be left to manually cleanup and the networking of your main OS may be affected. Hence its better to use a VM.

extremecoders-re avatar Mar 02 '19 05:03 extremecoders-re