Thread: Firewire vulnerability applicable on FreeBSD?

Firewire vulnerability applicable on FreeBSD?
From: Jeremie Le Hen (France)
Date: 2008-03-22 13:12:09
Hi there,

I've stumbled on this article. I wonder if this is applicable to FreeBSD. Would it still be possible to exploit it without a firewire driver?

http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm

« The tool is a simple, 200-line script written in the Python programming language exploits features built into Firewire that allow direct access to a computer's memory. By targeting specific places that Windows consistently stores its vital authentication functions, Boileau's tool is able to overwrite Windows' secured code with patches that skip Windows' password check entirely. »

Regards,
--
Jeremie Le Hen
< jlehen at clesys dot fr >
_______________________________________________
freebsd-security freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe freebsd.org"

Re: Firewire vulnerability applicable on FreeBSD?
From: Ben Kaduk
Date: 2008-03-23 01:03:40
Hi Jeremie,

On 3/22/08, Jeremie Le Hen <jeremie le-hen.org> wrote:
> Hi there,
>
> I've stumbled on this article. I wonder if this is applicable to
> FreeBSD. Would it still be possible to exploit it without a firewire
> driver?
>
> http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>

``That's not a bug, it's a feature''.

That is, the firewire spec requires that it has full read/write access to all physical memory, in the same way that the PCI bus has full read/write access to physical memory.

Thus, with direct access to a firewire port, a malicious person can grub around kernel memory and frob whatever they want (yet another reason why physical security is important).

It seems that the windows vulnerability was due to storing credentials information in a consistent place from system to system; that is certainly the case for a GENERIC kernel, but if you have a custom kernel there is no longer a _trivial_ ``exploit'' -- an attacker must do some work to find where things are (and be able to hot-patch machine language, but I know several people that could do that, even one that's basing his thesis project on it).

Basically, once an attacker has physical access to your machine, you've lost; this is just one possible route that such an attacker could take.

We can use this feature as a true feature, as well, though -- it allows dcons to be used instead of a serial port for kernel debugging when you've totally confused your kernel.

-Ben Kaduk

Re: Firewire vulnerability applicable on FreeBSD?
From: Christian Brueffer (Germany)
Date: 2008-03-23 09:47:38
On Sat, Mar 22, 2008 at 07:12:09PM +0100, Jeremie Le Hen wrote:
> Hi there,
>
> I've stumbled on this article. I wonder if this is applicable to
> FreeBSD. Would it still be possible to exploit it without a firewire
> driver?
>
> http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>
> « The tool is a simple, 200-line script written in the Python
> programming language exploits features built into Firewire that allow
> direct access to a computer's memory. By targeting specific places that
> Windows consistently stores its vital authentication functions,
> Boileau's tool is able to overwrite Windows' secured code with patches
> that skip Windows' password check entirely. »
>

It is, and FreeBSD was used in a proof of concept for reading passwords via FireWire some years ago (see http://md.hudora.de/presentations/ for sample Python code). In CURRENT and RELENG_7, there's a tunable to disable physical access, see fwohci(4); it should probably be ported back to RELENG_6.

- Christian

--
Christian Brueffer chris unixpages.org brueffer FreeBSD.org
GPG Key: http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D

Re: Firewire vulnerability applicable on FreeBSD?
From: Beto Meijome (United States)
Date: 2008-03-25 22:23:32
On Sun, 23 Mar 2008 02:03:40 -0400
"Ben Kaduk" <minimarmot gmail.com> wrote:
> Hi Jeremie,
>
> On 3/22/08, Jeremie Le Hen <jeremie le-hen.org> wrote:
> > Hi there,
> >
> > I've stumbled on this article. I wonder if this is applicable to
> > FreeBSD. Would it still be possible to exploit it without a firewire
> > driver?
> >
> > http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
> >
>
> ``That's not a bug, it's a feature''.
>
> That is, the firewire spec requires that it has full read/write access to all
> physical memory, in the same way that the PCI bus has full read/write
> access to physical memory.
>
> Thus, with direct access to a firewire port, a malicious person can
> grub around kernel memory and frob whatever they want (yet
> another reason why physical security is important).
>
[...]
>
> Basically, once an attacker has physical access to your machine,
> you've lost; this is just one possible route that such an attacker
> could take.

Indeed. When Adam B. presented this at RuxCon 06 (Sydney, AU), he said, IIRC, that he had communicated with MS, but they had (probably rightly) told him it wasn't really a security hole, as once you had physical access all bets were off.

The easiest way around this is to simply NOT build firewire into your kernel, but load it as you need it. It won't prevent all attacks but it will reduce your exposure (assuming, of course, that you never leave your computer alone, running or without boot / disk password and bolted into place.... ).

It was quite impressive though, to see the guy take over some dude's windog laptop (from the audience) in 30 seconds. He's always good fun to watch :P

B

_________________________
{Beto|Norberto|Numard} Meijome
"I was born not knowing and have had only a little time to change that here and there." Richard Feynman

I speak for myself, not my employer. Contents may be hot.
Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
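The two mitigations raised in this thread (Christian's fwohci(4) tunable that refuses physical DMA, and Beto's advice to leave the firewire driver out of the kernel and load it only when needed) can be checked from a shell. The script below is an added example written for this page, not code from any of the posters or from the FreeBSD project. It assumes the fwohci(4) tunable is named hw.firewire.phydma_enable (1 = a FireWire peer may DMA into host RAM, 0 = refused; confirm the name against the fwohci(4) page of the release you run) and that config(8) can extract the running kernel's configuration with "config -x", which needs a kernel built with INCLUDE_CONFIG_FILE. The classification logic takes its three inputs as text, so it runs offline against constructed samples; pass --live to run it against the current host.

```shell
#!/bin/sh
# Added example for the thread above, not code from any poster or from FreeBSD.
# Audits a FreeBSD host's exposure to FireWire physical DMA along the two axes
# discussed: is the firewire driver present at all (built in or kld-loaded),
# and if so, is physical DMA refused via the fwohci(4) tunable?
#
# Assumption: the tunable is hw.firewire.phydma_enable (1 = allowed, 0 = refused).
# Verify against your release's fwohci(4) manual page.

# firewire_exposure KLDSTAT_OUTPUT KERNCONF_TEXT PHYDMA_VALUE
#   KLDSTAT_OUTPUT  text as printed by kldstat(8)
#   KERNCONF_TEXT   kernel configuration text (e.g. "config -x /boot/kernel/kernel")
#   PHYDMA_VALUE    value of hw.firewire.phydma_enable, or empty if unavailable
# Prints one of: no-driver, phydma-off, phydma-on, phydma-unknown
firewire_exposure() {
    kld=$1 conf=$2 phy=$3
    compiled_in=0
    loaded=0
    # "device firewire" in the kernel config means the driver is built in (GENERIC does this).
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*device[[:space:]]+firewire([[:space:]]|$)' && compiled_in=1
    # kldstat lists loaded modules; firewire.ko is the FireWire/OHCI stack loaded on demand.
    printf '%s\n' "$kld" | awk '$NF == "firewire.ko" { found = 1 } END { exit !found }' && loaded=1
    if [ "$compiled_in" -eq 0 ] && [ "$loaded" -eq 0 ]; then
        echo no-driver          # nothing present to service a FireWire peer's DMA requests
        return 0
    fi
    case $phy in
        0) echo phydma-off ;;      # driver present, but physical DMA refused by the tunable
        1) echo phydma-on ;;       # driver present and a peer may read/write host RAM
        *) echo phydma-unknown ;;  # driver present, tunable unavailable (e.g. a RELENG_6 box)
    esac
}

# live_firewire_exposure: same classification, fed from the running host.
live_firewire_exposure() {
    kld=$(kldstat 2>/dev/null || true)
    conf=$(config -x /boot/kernel/kernel 2>/dev/null || true)   # needs INCLUDE_CONFIG_FILE
    phy=$(sysctl -n hw.firewire.phydma_enable 2>/dev/null || true)
    firewire_exposure "$kld" "$conf" "$phy"
}

# Constructed sample inputs (not captured from any real machine) for offline use.
SAMPLE_KLDSTAT_LOADED='Id Refs Address            Size     Name
 1   12 0xffffffff80100000 b3a0d8   kernel
 2    1 0xffffffff81012000 2e18     firewire.ko'
SAMPLE_KLDSTAT_CLEAN='Id Refs Address            Size     Name
 1   10 0xffffffff80100000 b3a0d8   kernel'
SAMPLE_CONF_GENERIC='device firewire         # FireWire bus code
device sbp              # SCSI over FireWire'
SAMPLE_CONF_CUSTOM='device pci
device em'

if [ "${1:-}" = "--live" ]; then
    live_firewire_exposure
else
    printf 'GENERIC-style kernel, tunable 1:          %s\n' "$(firewire_exposure "$SAMPLE_KLDSTAT_CLEAN" "$SAMPLE_CONF_GENERIC" 1)"
    printf 'custom kernel, module loaded, tunable 0:  %s\n' "$(firewire_exposure "$SAMPLE_KLDSTAT_LOADED" "$SAMPLE_CONF_CUSTOM" 0)"
    printf 'custom kernel, nothing loaded:            %s\n' "$(firewire_exposure "$SAMPLE_KLDSTAT_CLEAN" "$SAMPLE_CONF_CUSTOM" "")"
fi
```

The verdict names map onto the thread's advice: "no-driver" is Beto's configuration (only load firewire.ko when you need the bus, then unload it), "phydma-off" is Christian's tunable doing its job on CURRENT/RELENG_7, and "phydma-unknown" is the case he says needs the backport. None of this changes Ben's point that a FireWire port is a DMA path by specification, so the audit reduces exposure rather than removing it.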