Slashdot Mirror

← Back to Stories (view on slashdot.org)

Aging Security Vulnerability Still Allows PC Takeover

Posted by Zonk on from the there-are-issues-here-and-perhaps-they-should-be-investigated dept.

Jackson writes "Adam Boileau, a security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password. By connecting a Linux machine to a Firewire port on the target machine, the tool can then modify Windows' password protection code and render it ineffective. Boileau said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble'. But now that a couple of years have passed and the issue has not resolved, Boileau decided to release the tool on his website."

34 of 282 comments (clear)

  1. The hard part is... by lpangelrob · · Score: 3, Insightful

    ...finding a PC with a firewire port.

    (The only ones at my workplace are the two I put firewire cards in. Don't ask, it's complicated.)

    --
    -Rob

    Biblical fiscal responsibility

    1. Re:The hard part is... by Anonymous Coward · · Score: 2, Insightful

      Try looking at a modern laptop. They're far more common there than on desktops.

      Hmmm... what a coincidence, laptops are also exposed to strangers carrying computers of their own, too. I wonder if this might have implications regarding the severity of this particular weakness...

    2. Re:The hard part is... by MPAB · · Score: 5, Insightful

      Many laptops have Firewire ports, and most modern desktop mainboards do also thanks to te growing popularity of digital video cameras.

    3. Re:The hard part is... by gnick · · Score: 3, Insightful

      the physical security at my home is pretty good That's the gotcha here. Anyone with physical access to a machine owns that box. The only difference with this technique is that it sounds like it's quicker and possibly more subtle than my typical method of rebooting onto a live Linux CD and "repairing" the Windows accounts.
      --
      He's getting rather old, but he's a good mouse.
    4. Re:The hard part is... by Anonymous Coward · · Score: 1, Insightful

      You should attend some training on burglar and fire alarm systems. The mistake you have made is to think there is no way to bypass the system. No system what so ever is full proof. Most home thefts are committed by someone that has been inside the home and has knowledge, at least to some degree, of the system. They also usually know what they want before any entry attempt is made. So, unless you have instantaneous police response, they will get what they want. No need to even try to cut your phone line or disable the cellular backup. And, unless you have window screens and every inch covered in combination motion/heat detectors, they could manage to do it without even tripping the alarm with a fair amount of ease.
      Alarm systems only detect, and then they only detect those stupid enough to be detected.

      Posting anonymously to protect my career. :)

    5. Re:The hard part is... by Beardo+the+Bearded · · Score: 3, Insightful

      Physical access = security is meaningless.

      If they could access the firewire port via an internet connection, THEN I'd consider this a leak.

      You could also tweak the system by opening the case and removing the hard drive, or just attaching a thumb drive and copying all the data.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  2. host memory! by Spazmania · · Score: 5, Insightful

    So why exactly is it a desirable feature for a firewire node to be able to access another node's memory unsolicited?

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:host memory! by TheRaven64 · · Score: 3, Insightful

      It's a design flaw. The peer-to-peer nature shouldn't come into it. What ought to happen is that one peer requests DMA rights to a memory location in another peer, and the driver then returns yes or no before the controller decides whether to permit the DMA request. In simple devices, like hard drives, the driver would always return true (allow). In multitasking systems the driver would only return yes for pointers to pages it owns.

      --
      I am TheRaven on Soylent News
  3. Re:Breathtaking Arrogance or Stupidity? by 91degrees · · Score: 4, Insightful

    This does require physical access to a machine. If you want to access the machine, you can reboot using a USB stick and access the hard disk that way, or even just open the machine and take the drive, then modify the contents to your heart's content before putting it back

  4. 2 Year bug report.. by LingNoi · · Score: 1, Insightful

    This isn't the first guy to get frustrated with Microsoft's lack of commitment in the security vulnerability area and just release his nasty onto the world.. It probably won't be the last either.

  5. Physical access by nickv111 · · Score: 3, Insightful

    Not to say that Microsoft shouldn't have patched this, for it is certainly a design flaw to allow computers hooked up to a machine to access its memory, but if you're plugging something into the Firewire port of a computer, then you're sitting at that computer, aren't you? It's true of all hardware that if you have physical access, then you can do whatever you want with it anyway.

    -Nick

    1. Re:Physical access by Chops · · Score: 2, Insightful

      It's true of all hardware that if you have physical access, then you can do whatever you want with it anyway.

      That's certainly not true. To use one of a huge multitude of examples, students at my school had physical access to the machines in the computer lab, but it would definitely be a problem if they installed a keylogger to sniff other students' passwords.
    2. Re:Physical access by gad_zuki! · · Score: 2, Insightful

      Yeah, if Im sitting at it I can boot from USB, wipe the administrator password, reboot and log in. No need for a fireware card, cable, etc. I can do the same with OSX but I have to use the install disc instead of the USB keychain in my pocket.

      Yes this is all very "shocking." This is the slashdot equivalant of CNN playing that lock-pick video over and over again.

    3. Re:Physical access by Seraphim_72 · · Score: 2, Insightful

      I agree that if you have physical access to a machine you own it, but at the same time there is a world of difference between being able to do a drive by cracking and physically carting off the machine to brute force it at your leisure.

      Sera

      --
      Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
    4. Re:Physical access by Culture20 · · Score: 2, Insightful
      This hack can be done on a machine that has its case physically locked, its bios set to boot only to the HDD, and a good bios-setup password. It's the firewire equiv to a remote exploit over the 'net, because the OS you want to own is _running_ at the time.

      The only saving grace is that someone must be physically present to plug in a device. This is still an issue though; imagine how many machines might be pseudo-public terminals, locked down (w/o epoxy in the firewire ports), but are so easily own-able, allowing people to install keyloggers?

  6. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  7. Re:Breathtaking Arrogance or Stupidity? by goddidit · · Score: 5, Insightful

    But this works with crypted drives.

    --
    This .sig is exactly 120 characters long.
  8. Re:Breathtaking Arrogance or Stupidity? by LingNoi · · Score: 5, Insightful

    That's not exactly the same.. Take my library for example all machines are set to boot correctly and the cases are physically locked to their location. Also looks a lot less suspicious when you're not ripping the guts out of a machine that it's obvious you don't own in public..

  9. Re:Breathtaking Arrogance or Stupidity? by sm62704 · · Score: 4, Insightful

    For Microsoft to have failed to patch an issue such as this must be indicative of either breathtaking arrogance or utter stupidity... or perhaps both

    How about apathy? They'll wake up when and if they ever lose market share because of their shoddy product. I mean come on, if I can sell a Yugo at Escalade prices, why should I produce a quality product? That would be stupid. And if I could sell Yugos at Escalade prices I think my arrogance would be understandable and forgivable.

    They've been selling an insecure OS for as long as PCs have been networked, why should they secure it now?

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  10. Re:Breathtaking Arrogance or Stupidity? by Albanach · · Score: 4, Insightful

    This though appears to have the advantage of not requiring a reboot, so rendering BIOS passwords ineffective.

    It's all very well to say if someone has physical access all security is compromised. That doesn't mean you need to make it as easy and quick as possible. Now if you lock your computer and pop to the bathroom, a visitor could be in and out of your PC before you get back.

  11. "If someone does plug into your port unexpectedly" by Chops · · Score: 3, Insightful
    My favorite part of the article:

    Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.

    "If you have a Firewire port, disable it when you aren't using it," Ducklin said.

    "That way, if someone does plug into your port unexpectedly, your side of the Firewire link is dead, so they can't interact with your PC, legitimately or otherwise."

    "You see, this serious security problem was designed in from the start, so therefore... it's not a problem! Ta-da!"
  12. Re:Interesting, but by betterunixthanunix · · Score: 2, Insightful
    The command is run on a second system that is connected via firewire.

    Here's the thing though: this requires physical access. That makes it a low-salience attack, because gaining that kind of access is only an iota easier than pointing a gun at someone's head and demanding their password.

    --
    Palm trees and 8
  13. Physical Security by Chysn · · Score: 4, Insightful

    Once your machine's physical security is compromised, just about anything can happen. If someone is in your data center or office unattended and hooking up equipment to your PC, you're sort of in a world of hurt anyway.

    --
    --I'm so big, my sig has its own sig.
    -- See?
  14. Re:Breathtaking Arrogance or Stupidity? by Anonymous Coward · · Score: 5, Insightful

    Doesn't that also mean that Linux is also vulnerable to Apples firewire design faults?

  15. Re:Breathtaking Arrogance or Stupidity? by xtieburn · · Score: 3, Insightful

    Or perhaps slashdot on another uneducated baseless diatribe directed towards that little known company MS.

    Did you read the article or did you just check the headline and decide to try get cheap mod points? Ill point out why you dont deserve them.

    'Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.'

    Now maybe this was just excuses but the fact it came from a third party with no particular connection to MS should have made you pause for thought. Even if you dont know much about firewire it would take you moments to do a quick search and actually realise this is a 'feature' of the actual specification itself. As in _every_ O/S had the same problem. Linux, OSX even BSD were using this exploit even before MS were cracked. There are still reports of new OSX and Linux systems being hacked by firewire right in to 2008. (Though admitedly ive not heard much from BSD, probably because there admins tend to actually have a clue.)

    This is a universal flaw in security stemming from naivety with regard to externally connected hardware. You want secure firewire, disable it when you are not using it yourself. That goes for any system, any O/S, any person. End of story.

  16. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  17. Why doesn't MS disable the port on lock? by pruss · · Score: 3, Insightful

    Some commenters note that this is a feature of Firewire. But would there be any problem with MS just disabling the port whenever the system is password locked, unless there is something already plugged into the port when the system was locked (after all, there might be a Firewire HD plugged in, and a process writing to it). Probably the best way to handle the latter case would be to watch for an unplug event when the system is locked, and then disable the port as soon as the device is unplugged. This is very simple, and I don't see any downside to it.

  18. I could do this... by DigitalisAkujin · · Score: 2, Insightful

    Or I could use a bootdisk with a password hash file modifier...

  19. Re:Who cares? by SanityInAnarchy · · Score: 2, Insightful

    Once again, on Slashdot, I say, 'who cares?' This is a Windows vulnerability and I thought Slashdot was an open source outlet for news and for some stories that people so-called 'care about', not Windows vulnerabilities.

    You're wrong on two counts.

    One, this is an outlet for "news for nerds". As unfathomable as it might seem to you, there are nerds who are into Windows. Some even by choice.

    Two, this is not a Windows vulnerability. It is a FireWire vulnerability -- actually, a FireWire design flaw. It is possible that the OS could be careful enough to prevent this kind of thing, but none of the current OSes are:

    We want open source OS's (Linux, FreeBSD, Syllable, etc) to be the most-used, don't we?

    I honestly can't say about Syllable or FreeBSD, but I know that neither Linux nor OSX have fixed this issue. There is an unstable fix for Linux, but it breaks some hardware.

    The recommended fix, in all cases, is to disable your FireWire port when you're not using it.

    Well, posting stories like this just to point and laugh at Microsoft makes the open source community look very pretentious, like looking at a 'Windows admin' and laughing at them because they do not know basic UNIX commands.

    So does complaining about a story merely because it discusses a Windows vulnerability. Maybe not everyone saw this as an excuse to point and laugh at Microsoft? Maybe only you did?

    --
    Don't thank God, thank a doctor!
  20. Re:Breathtaking Arrogance or Stupidity? by anandsr · · Score: 2, Insightful

    It is true that the DMA must write to RAM where the DRIVER tells it to. It is the responsibility of the Driver to not write data where the device tells it to, and do proper bounds checking.

  21. Physical Control = Game Over by jafiwam · · Score: 2, Insightful

    So what?

    There's dozens of other ways to compromise a PC (Windows or not) if you can sit down in front of it. Even if you don't have to reboot with this, or can sniff enough stuff to log in remotely later across the internet...

    This is why the server room and racks are locked, it's really really hard to combat against someone who as physical access and a bit of time/knowledge to use to evil ends.

    Sure, it's creative but come on...

  22. Re:Breathtaking Arrogance or Stupidity? by bitslinger_42 · · Score: 2, Insightful

    Sure, but if the system is live and has the EFS mounted, the key must be held in memory, otherwise the OS couldn't decrypt the EFS partition. With the key in memory, and Firewire having Direct Memory Access, the bad guy has the EFS (or PGP, or TrueCrypt, or whatever) key. That, plus passwords, web pages being viewed, engineering documents being edited, etc.

  23. Re:Breathtaking Arrogance or Stupidity? by TheRaven64 · · Score: 4, Insightful

    It is true that the DMA must write to RAM where the DRIVER tells it to Not true. DMA stands for Direct Memory Access. The device has direct access to memory. In this case, it is the FireWire controller and, by extension (due to the design of these controllers) FireWire devices.

    If you have an IOMMU (e.g. on a decent Sun workstation), you can set up page tables for each device so that they DMA into a virtual address space. Your driver can then define regions which the device can access transparently. On newer AMD chips, you have a Device Exclusion Vector (DEV). The DEV is a sort of IOMMU-lite. It performs access control, but not translation. This means that the host OS (or driver) can mark each page of physical memory as read / write accessible on a per-device basis. On these machines, a well-designed OS or driver could prevent these attacks.

    On other systems, it is not possible to prevent this attack. It's also a known problem on FreeBSD and OS X. OpenBSD does not implement FireWire support for the explicit reason that it is impossible to do securely on most systems.

    It is the responsibility of the Driver to not write data where the device tells it to, and do proper bounds checking. You are possibly confusing DMA with Programmed I/O (PIO). On a PIO device, the driver writes data to device-mapped memory or an I/O port, the driver then reads it from here and writes it to wherever it is meant to go. On a DMA device, the driver (or, in the case of FireWire, a remote peer) just tells the device where to write the data and it does so without CPU intervention.
    --
    I am TheRaven on Soylent News
  24. Doesn't matter by RzUpAnmsCwrds · · Score: 4, Insightful

    This "vulnerability" is basically irrelevant for notebooks. Most notebooks have hot-swappable CardBus or ExpressCard slots, both of which have DMA support and can be used to dump the system's memory. Or you could do the "memory freeze" trick.

    The correct solution would be to map the FireWire address space into virtual memory, but this has to be done at the hardware level.