Slashdot Mirror


Aging Security Vulnerability Still Allows PC Takeover

Jackson writes "Adam Boileau, a security consultant based in New Zealand, has released a tool that can unlock Windows computers in seconds without the need for a password. By connecting a Linux machine to a Firewire port on the target machine, the tool can then modify Windows' password protection code and render it ineffective. Boileau said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble'. But now that a couple of years have passed and the issue has not been resolved, Boileau decided to release the tool on his website."

21 of 282 comments

  1. The hard part is... by lpangelrob · Score: 3, Insightful

    ...finding a PC with a firewire port.

    (The only ones at my workplace are the two I put firewire cards in. Don't ask, it's complicated.)

    1. Re:The hard part is... by MPAB · Score: 5, Insightful

      Many laptops have Firewire ports, and most modern desktop mainboards do also thanks to the growing popularity of digital video cameras.

    2. Re:The hard part is... by gnick · Score: 3, Insightful

      the physical security at my home is pretty good

      That's the gotcha here. Anyone with physical access to a machine owns that box. The only difference with this technique is that it sounds like it's quicker and possibly more subtle than my typical method of rebooting onto a live Linux CD and "repairing" the Windows accounts.
      --
      He's getting rather old, but he's a good mouse.
    3. Re:The hard part is... by Beardo the Bearded · Score: 3, Insightful

      Physical access = security is meaningless.

      If they could access the firewire port via an internet connection, THEN I'd consider this a leak.

      You could also tweak the system by opening the case and removing the hard drive, or just attaching a thumb drive and copying all the data.

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  2. host memory! by Spazmania · Score: 5, Insightful

    So why exactly is it a desirable feature for a firewire node to be able to access another node's memory unsolicited?

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:host memory! by TheRaven64 · Score: 3, Insightful

      It's a design flaw. The peer-to-peer nature shouldn't come into it. What ought to happen is that one peer requests DMA rights to a memory location in another peer, and the driver then returns yes or no before the controller decides whether to permit the DMA request. In simple devices, like hard drives, the driver would always return true (allow). In multitasking systems the driver would only return yes for pointers to pages it owns.

      --
      I am TheRaven on Soylent News
  3. Re:Breathtaking Arrogance or Stupidity? by 91degrees · Score: 4, Insightful

    This does require physical access to a machine. If you want to access the machine, you can reboot using a USB stick and access the hard disk that way, or even just open the machine and take the drive, then modify the contents to your heart's content before putting it back.

  4. Physical access by nickv111 · Score: 3, Insightful

    Not to say that Microsoft shouldn't have patched this, for it is certainly a design flaw to allow computers hooked up to a machine to access its memory, but if you're plugging something into the Firewire port of a computer, then you're sitting at that computer, aren't you? It's true of all hardware that if you have physical access, then you can do whatever you want with it anyway.

    -Nick

  5. Comment removed by account_deleted · Score: 4, Insightful

    Comment removed based on user account deletion

  6. Re:Breathtaking Arrogance or Stupidity? by goddidit · Score: 5, Insightful

    But this works with crypted drives.

    --
    This .sig is exactly 120 characters long.
  7. Re:Breathtaking Arrogance or Stupidity? by LingNoi · Score: 5, Insightful

    That's not exactly the same. Take my library, for example: all machines are set to boot correctly and the cases are physically locked to their location. Also looks a lot less suspicious when you're not ripping the guts out of a machine that it's obvious you don't own in public.

  8. Re:Breathtaking Arrogance or Stupidity? by sm62704 · Score: 4, Insightful

    For Microsoft to have failed to patch an issue such as this must be indicative of either breathtaking arrogance or utter stupidity... or perhaps both

    How about apathy? They'll wake up when and if they ever lose market share because of their shoddy product. I mean come on, if I can sell a Yugo at Escalade prices, why should I produce a quality product? That would be stupid. And if I could sell Yugos at Escalade prices I think my arrogance would be understandable and forgivable.

    They've been selling an insecure OS for as long as PCs have been networked, why should they secure it now?

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  9. Re:Breathtaking Arrogance or Stupidity? by Albanach · Score: 4, Insightful

    This though appears to have the advantage of not requiring a reboot, so rendering BIOS passwords ineffective.

    It's all very well to say if someone has physical access all security is compromised. That doesn't mean you need to make it as easy and quick as possible. Now if you lock your computer and pop to the bathroom, a visitor could be in and out of your PC before you get back.

  10. "If someone does plug into your port unexpectedly" by Chops · Score: 3, Insightful

    My favorite part of the article:

    Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.

    "If you have a Firewire port, disable it when you aren't using it," Ducklin said.

    "That way, if someone does plug into your port unexpectedly, your side of the Firewire link is dead, so they can't interact with your PC, legitimately or otherwise."

    "You see, this serious security problem was designed in from the start, so therefore... it's not a problem! Ta-da!"
  11. Physical Security by Chysn · Score: 4, Insightful

    Once your machine's physical security is compromised, just about anything can happen. If someone is in your data center or office unattended and hooking up equipment to your PC, you're sort of in a world of hurt anyway.

    --
    --I'm so big, my sig has its own sig.
    -- See?
  12. Re:Breathtaking Arrogance or Stupidity? by Anonymous Coward · Score: 5, Insightful

    Doesn't that also mean that Linux is also vulnerable to Apple's firewire design faults?

  13. Re:Breathtaking Arrogance or Stupidity? by xtieburn · Score: 3, Insightful

    Or perhaps Slashdot on another uneducated baseless diatribe directed towards that little known company MS.

    Did you read the article or did you just check the headline and decide to try to get cheap mod points? I'll point out why you don't deserve them.

    'Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.'

    Now maybe this was just excuses but the fact it came from a third party with no particular connection to MS should have made you pause for thought. Even if you don't know much about firewire it would take you moments to do a quick search and actually realise this is a 'feature' of the actual specification itself. As in _every_ O/S had the same problem. Linux, OSX even BSD were using this exploit even before MS were cracked. There are still reports of new OSX and Linux systems being hacked by firewire right into 2008. (Though admittedly I've not heard much from BSD, probably because their admins tend to actually have a clue.)

    This is a universal flaw in security stemming from naivety with regard to externally connected hardware. You want secure firewire, disable it when you are not using it yourself. That goes for any system, any O/S, any person. End of story.

  14. Comment removed by account_deleted · Score: 3, Insightful

    Comment removed based on user account deletion

  15. Why doesn't MS disable the port on lock? by pruss · Score: 3, Insightful

    Some commenters note that this is a feature of Firewire. But would there be any problem with MS just disabling the port whenever the system is password locked, unless there is something already plugged into the port when the system was locked (after all, there might be a Firewire HD plugged in, and a process writing to it)? Probably the best way to handle the latter case would be to watch for an unplug event when the system is locked, and then disable the port as soon as the device is unplugged. This is very simple, and I don't see any downside to it.

  16. Re:Breathtaking Arrogance or Stupidity? by TheRaven64 · Score: 4, Insightful

    It is true that the DMA must write to RAM where the DRIVER tells it to

    Not true. DMA stands for Direct Memory Access. The device has direct access to memory. In this case, it is the FireWire controller and, by extension (due to the design of these controllers) FireWire devices.

    If you have an IOMMU (e.g. on a decent Sun workstation), you can set up page tables for each device so that they DMA into a virtual address space. Your driver can then define regions which the device can access transparently. On newer AMD chips, you have a Device Exclusion Vector (DEV). The DEV is a sort of IOMMU-lite. It performs access control, but not translation. This means that the host OS (or driver) can mark each page of physical memory as read / write accessible on a per-device basis. On these machines, a well-designed OS or driver could prevent these attacks.

    On other systems, it is not possible to prevent this attack. It's also a known problem on FreeBSD and OS X. OpenBSD does not implement FireWire support for the explicit reason that it is impossible to do securely on most systems.

    It is the responsibility of the Driver to not write data where the device tells it to, and do proper bounds checking.

    You are possibly confusing DMA with Programmed I/O (PIO). On a PIO device, the driver writes data to device-mapped memory or an I/O port, the driver then reads it from here and writes it to wherever it is meant to go. On a DMA device, the driver (or, in the case of FireWire, a remote peer) just tells the device where to write the data and it does so without CPU intervention.
    --
    I am TheRaven on Soylent News
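
Added example, not part of the thread and not any poster's code: a simplified C model of the per-device, per-page DMA access control described in comment 16 (allow or deny, no address translation), which is also the yes/no ownership check proposed in the "host memory!" reply. The device ids, memory size and function names are assumptions for illustration and do not reflect the real AMD DEV register layout.

```c
#include <stdbool.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define NUM_PAGES  64   /* constructed: 256 KiB of modelled physical RAM */
#define NUM_DEVS   2
enum { DEV_DISK = 0, DEV_FIREWIRE = 1 };   /* hypothetical device ids */

/* One bit per physical page per device: 1 = DMA allowed. Access control
 * only, no address translation. */
static uint64_t allow_map[NUM_DEVS];

/* Last page index touched by [addr, addr+len), computed in 64 bits so a
 * request near 4 GiB cannot wrap around to a low, permitted page. */
static uint64_t last_page(uint32_t addr, uint32_t len)
{
    return ((uint64_t)addr + len - 1) >> PAGE_SHIFT;
}

/* Driver side: grant a device the pages backing a buffer it owns. */
bool dev_allow(int dev, uint32_t addr, uint32_t len)
{
    if (dev < 0 || dev >= NUM_DEVS || len == 0 || last_page(addr, len) >= NUM_PAGES)
        return false;
    for (uint64_t p = addr >> PAGE_SHIFT; p <= last_page(addr, len); p++)
        allow_map[dev] |= 1ULL << p;
    return true;
}

/* Controller side: every page a request touches must be allowed. */
bool dma_permitted(int dev, uint32_t addr, uint32_t len)
{
    if (dev < 0 || dev >= NUM_DEVS || len == 0 || last_page(addr, len) >= NUM_PAGES)
        return false;
    for (uint64_t p = addr >> PAGE_SHIFT; p <= last_page(addr, len); p++)
        if (!(allow_map[dev] & (1ULL << p)))
            return false;   /* one denied page rejects the whole transfer */
    return true;
}

int main(void)
{
    dev_allow(DEV_FIREWIRE, 0x4000, 0x2000);              /* pages 4 and 5 */
    bool ok  = dma_permitted(DEV_FIREWIRE, 0x4000, 0x2000);
    bool bad = dma_permitted(DEV_FIREWIRE, 0x5ff0, 0x20); /* spills into page 6 */
    return (ok && !bad) ? 0 : 1;
}
```
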
  17. Doesn't matter by RzUpAnmsCwrds · Score: 4, Insightful

    This "vulnerability" is basically irrelevant for notebooks. Most notebooks have hot-swappable CardBus or ExpressCard slots, both of which have DMA support and can be used to dump the system's memory. Or you could do the "memory freeze" trick.

    The correct solution would be to map the FireWire address space into virtual memory, but this has to be done at the hardware level.