Slashdot Mirror

← Back to Stories (view on slashdot.org)

Aging Security Vulnerability Still Allows PC Takeover

Posted by Zonk on from the there-are-issues-here-and-perhaps-they-should-be-investigated dept.

Jackson writes "Adam Boileau, a security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password. By connecting a Linux machine to a Firewire port on the target machine, the tool can then modify Windows' password protection code and render it ineffective. Boileau said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble'. But now that a couple of years have passed and the issue has not resolved, Boileau decided to release the tool on his website."

43 of 282 comments (clear)

  1. Again by monkeydluffy09 · · Score: 5, Informative

    There is also another Security researcher who find an efficient way to gain privilege though the hibernation file. Slashdot news: http://slashdot.org/firehose.pl?op=view&id=551924

  2. The hard part is... by lpangelrob · · Score: 3, Insightful

    ...finding a PC with a firewire port.

    (The only ones at my workplace are the two I put firewire cards in. Don't ask, it's complicated.)

    --
    -Rob

    Biblical fiscal responsibility

    1. Re:The hard part is... by MPAB · · Score: 5, Insightful

      Many laptops have Firewire ports, and most modern desktop mainboards do also thanks to te growing popularity of digital video cameras.

    2. Re:The hard part is... by Penguin+Follower · · Score: 3, Informative

      Sorry, I haven't seen a FireWire port on a PC (lappy or desktop) in about five years.

      It could be due to the environment you work in, but there's at least 6 laptops in this office that I can think of that have firewire on them. One is a Toshiba, and the others are a mix of Dell and Lenovos. If I think harder about it, I'm pretty sure the laptops that were sent out to our regional managers (all over the U.S.) had firewire as well. It is worth mentioning that all of these laptops are less than 2 years old, as we went through a refresh not that long ago.

    3. Re:The hard part is... by clickclickdrone · · Score: 5, Funny

      >have the time to jack into one of my boxes
      You must have one sexy PC!

      --
      I want a list of atrocities done in your name - Recoil
    4. Re:The hard part is... by gnick · · Score: 3, Insightful

      the physical security at my home is pretty good That's the gotcha here. Anyone with physical access to a machine owns that box. The only difference with this technique is that it sounds like it's quicker and possibly more subtle than my typical method of rebooting onto a live Linux CD and "repairing" the Windows accounts.
      --
      He's getting rather old, but he's a good mouse.
    5. Re:The hard part is... by Beardo+the+Bearded · · Score: 3, Insightful

      Physical access = security is meaningless.

      If they could access the firewire port via an internet connection, THEN I'd consider this a leak.

      You could also tweak the system by opening the case and removing the hard drive, or just attaching a thumb drive and copying all the data.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  3. host memory! by Spazmania · · Score: 5, Insightful

    So why exactly is it a desirable feature for a firewire node to be able to access another node's memory unsolicited?

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:host memory! by iangoldby · · Score: 3, Interesting

      Because it is not USB.

      Actually, what do I know? But I do believe that Firewire doesn't have the concept of host and slave nodes. All nodes on a Firewire network are equivalent AFAIK.

      If it were necessary to explictly allow direct memory access on a node whenever it was requested, you would not be able to plug a Firewire cable into a control-less box (for example) and do things with it, without first accessing the control-less box through a non-Firewire method to enable Firewire DMA.

      Anyway, that's my ignorance on the subject. And as Adam Boileau says, it is a Feature, not a Bug. It is intended behaviour, so there must be a good reason (even if it is not the above).

    2. Re:host memory! by TheRaven64 · · Score: 3, Insightful

      It's a design flaw. The peer-to-peer nature shouldn't come into it. What ought to happen is that one peer requests DMA rights to a memory location in another peer, and the driver then returns yes or no before the controller decides whether to permit the DMA request. In simple devices, like hard drives, the driver would always return true (allow). In multitasking systems the driver would only return yes for pointers to pages it owns.

      --
      I am TheRaven on Soylent News
    3. Re:host memory! by Jah-Wren+Ryel · · Score: 4, Interesting

      So why exactly is it a desirable feature for a firewire node to be able to access another node's memory unsolicited? Well, for one thing, it should make cracking any of these "untrusted computing" DRM schemes pretty trivial.
      --
      When information is power, privacy is freedom.
  4. Re:Breathtaking Arrogance or Stupidity? by 91degrees · · Score: 4, Insightful

    This does require physical access to a machine. If you want to access the machine, you can reboot using a USB stick and access the hard disk that way, or even just open the machine and take the drive, then modify the contents to your heart's content before putting it back

  5. Physical access by nickv111 · · Score: 3, Insightful

    Not to say that Microsoft shouldn't have patched this, for it is certainly a design flaw to allow computers hooked up to a machine to access its memory, but if you're plugging something into the Firewire port of a computer, then you're sitting at that computer, aren't you? It's true of all hardware that if you have physical access, then you can do whatever you want with it anyway.

    -Nick

    1. Re:Physical access by SharpFang · · Score: 4, Interesting

      Depends on the length of the (fire)wire. ;)

      In case of most of hardware with mid-to-high physical security you need some 15 minutes of totally unsupervised access, it involves removing the case (to reset the BIOS password), rebooting the system (sometimes by power cycling) and generally implies very dirty and easy to detect hack - you do gain the access but you're not stealthy at it.

      You plug the inconspicuous cable in the side/back of the PC, stash the laptop under the desk, and walk away whistling quietly. Then you sit down, access your laptop from another one through wi-fi then proceed to download contents of the compromised box, over the firewire cable.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  6. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  7. Done previously by TripMaster+Monkey · · Score: 5, Informative

    Maximillian Dornseif demonstrated this same Firewire vulnerability against Linux and OS X machines in 2005. Adam Boileau just gets more press because he performed the hack against Windows PCs.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  8. Re:Breathtaking Arrogance or Stupidity? by goddidit · · Score: 5, Insightful

    But this works with crypted drives.

    --
    This .sig is exactly 120 characters long.
  9. Re:Breathtaking Arrogance or Stupidity? by LingNoi · · Score: 5, Insightful

    That's not exactly the same.. Take my library for example all machines are set to boot correctly and the cases are physically locked to their location. Also looks a lot less suspicious when you're not ripping the guts out of a machine that it's obvious you don't own in public..

  10. Re:Breathtaking Arrogance or Stupidity? by sm62704 · · Score: 4, Insightful

    For Microsoft to have failed to patch an issue such as this must be indicative of either breathtaking arrogance or utter stupidity... or perhaps both

    How about apathy? They'll wake up when and if they ever lose market share because of their shoddy product. I mean come on, if I can sell a Yugo at Escalade prices, why should I produce a quality product? That would be stupid. And if I could sell Yugos at Escalade prices I think my arrogance would be understandable and forgivable.

    They've been selling an insecure OS for as long as PCs have been networked, why should they secure it now?

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  11. Re:Breathtaking Arrogance or Stupidity? by Albanach · · Score: 4, Insightful

    This though appears to have the advantage of not requiring a reboot, so rendering BIOS passwords ineffective.

    It's all very well to say if someone has physical access all security is compromised. That doesn't mean you need to make it as easy and quick as possible. Now if you lock your computer and pop to the bathroom, a visitor could be in and out of your PC before you get back.

  12. Also affects OS X and linux by mooglez · · Score: 5, Informative

    This same vulnerability also affects OS X as reported here: http://blog.juhonkoti.net/2008/02/29/automated-os-x-macintosh-password-retrieval-via-firewire

    As well, as Linux, as reported in an earlier 2005 report about this firewire feature: http://www.matasano.com/log/695/windows-remote-memory-access-though-firewire/

  13. Re:Breathtaking Arrogance or Stupidity? by deblau · · Score: 4, Funny
    You are either for false dichotomies or against them.

    Which is it?

    --
    This post expresses my opinion, not that of my employer. And yes, IAAL.
  14. "If someone does plug into your port unexpectedly" by Chops · · Score: 3, Insightful
    My favorite part of the article:

    Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.

    "If you have a Firewire port, disable it when you aren't using it," Ducklin said.

    "That way, if someone does plug into your port unexpectedly, your side of the Firewire link is dead, so they can't interact with your PC, legitimately or otherwise."

    "You see, this serious security problem was designed in from the start, so therefore... it's not a problem! Ta-da!"
  15. Re:Breathtaking Arrogance or Stupidity? by TheRaven64 · · Score: 4, Interesting

    It's not Microsoft's fault, it's a hardware problem. FireWire is a peer-to-peer protocol with commands for using the DMA controller. Any device plugged in via a FireWire port can issue DMA requests. It can dump the entire contents of (physical) memory and write data at arbitrary locations. A FireWire controller ought to only permit DMA to and from regions the driver allowed it to, but most don't. The only work around for this is to either disable FireWire or use something like the Device Exclusion Vector on modern AMD chips to block the device's access to memory.

    --
    I am TheRaven on Soylent News
  16. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  17. Physical Security by Chysn · · Score: 4, Insightful

    Once your machine's physical security is compromised, just about anything can happen. If someone is in your data center or office unattended and hooking up equipment to your PC, you're sort of in a world of hurt anyway.

    --
    --I'm so big, my sig has its own sig.
    -- See?
  18. In related news... by muffen · · Score: 4, Funny

    ... it turns out, his site is vulnerable to the slashdot effect :)

  19. Re:Breathtaking Arrogance or Stupidity? by Anonymous Coward · · Score: 5, Insightful

    Doesn't that also mean that Linux is also vulnerable to Apples firewire design faults?

  20. Re:Breathtaking Arrogance or Stupidity? by xtieburn · · Score: 3, Insightful

    Or perhaps slashdot on another uneducated baseless diatribe directed towards that little known company MS.

    Did you read the article or did you just check the headline and decide to try get cheap mod points? Ill point out why you dont deserve them.

    'Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.'

    Now maybe this was just excuses but the fact it came from a third party with no particular connection to MS should have made you pause for thought. Even if you dont know much about firewire it would take you moments to do a quick search and actually realise this is a 'feature' of the actual specification itself. As in _every_ O/S had the same problem. Linux, OSX even BSD were using this exploit even before MS were cracked. There are still reports of new OSX and Linux systems being hacked by firewire right in to 2008. (Though admitedly ive not heard much from BSD, probably because there admins tend to actually have a clue.)

    This is a universal flaw in security stemming from naivety with regard to externally connected hardware. You want secure firewire, disable it when you are not using it yourself. That goes for any system, any O/S, any person. End of story.

  21. Probably for lower overhead by Sycraft-fu · · Score: 4, Interesting

    One of the things I always hear in the USB vs Firewire debates is how much lower overhead Firewire is. In informal testing, this certainly seems to be the case. Well, one of the reasons it might be is if it has DMA. You'll find that's how a lot of PCI hardware works. It can read and write directly to memory, it doesn't have to do things through the processor. Keeps system load much lower, it'd quickly peg the CPU if it had to deal with shuffling around all data on the system. However, it also can lead to problems, of course.

    Well, if Firewire has the same capability, it would explain why it is much lower overhead than USB, but it would also allow for things like this.

    In general, DMA is probably something that needs to be looked at being cleaned up/reworked. It is a non-trivial cause of system instability: Hardware goes nuts (or maybe driver orders hardware to so something stupid), craps on memory it shouldn't system goes down. However anything like that is going to take a back seat to performance, at least in regular PCs. As nice as it would be to have the CPU fully in charge of everything, people aren't going to put up with it if it means a 10x drop in performance.

    1. Re:Probably for lower overhead by Creepy · · Score: 4, Informative

      No - DMA may help in some cases, as you describe, but you can tell a Firewire drive to copy to another Firewire drive when neither has any physical memory and it will still copy much faster than USB. The lack of a centralized controller (and device registration, scheduling, etc) actually helps keep overhead down. Note that USB can't do that - Firewire is peer-to-peer, meaning each device is aware of other devices in the chain. USB is a master-slave star network and needs a host controller (e.g. a PC).

      Firewire was built a hot swappable, high speed replacement for SCSI, and is really more analogous to SATA than USB, but people compare them because they're both used as external buses for peripherals. USB was designed explicitly as a low speed, low power, low cost small peripheral handler (e.g. mice and keyboards) to replace a variety of miscellaneous specialized plugs such as game ports, parallel port, serial port, etc, and thus cost was most important and speed least. Firewire put speed first and cost last. As far as Firewire goes, I think a battle may be coming, with SATA's external plug eSATA, as I expect it to make some gains in the peripheral market, especially in storage. eSATA actually has an advantage over Firewire, because the actual device used for storage is often IDE and therefore Firewire has some conversion to do (ATA is the protocol, IDE the device - often they're used interchangeably).

      The problem here is gullibility. Think of it like social engineering - someone calls and asks "We are verifying your bank account pin, can you give it to us?" and you saying sure - it's 1234! That's a lot like what this program is doing. In this case, the device at one end is saying can I have access to your memory? And the device on the other end is saying sure, despite the fact that that giving write access to memory is a lot like giving away your bank account pin (which is why it's really an OS issue, not a firewire issue). Some OS's like Linux only give read access, which means you can see what is in the account, but not take anything out, but Linux (and Windows) allow this to be set by the foreign controller, which is a bug.

      DMA access should be limited to non-system memory, if allowed. Unfortunately, that isn't very controllable by current computer designs. I believe the solution proposed and implemented (I've heard about this for Windows 8, I believe) is encrypted floating addresses, so even if you have direct access to memory you don't know where to write it.

  22. Re:Yes, yes, another anti-windows story by Oktober+Sunset · · Score: 3, Funny

    maybe they aren't smart, maybe they are dumb, that means even a dumb ass can crack windows security.

    --
    What if Tetris was invented by Nazis?
  23. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  24. Why doesn't MS disable the port on lock? by pruss · · Score: 3, Insightful

    Some commenters note that this is a feature of Firewire. But would there be any problem with MS just disabling the port whenever the system is password locked, unless there is something already plugged into the port when the system was locked (after all, there might be a Firewire HD plugged in, and a process writing to it). Probably the best way to handle the latter case would be to watch for an unplug event when the system is locked, and then disable the port as soon as the device is unplugged. This is very simple, and I don't see any downside to it.

  25. *listens closely* by Stanistani · · Score: 4, Funny

    "So I tied an onion to my belt. Which was the style at the time. Now, to take the ferry cost a nickel, and in those days, nickels had pictures of bumblebees on 'em."

    --
    You can't talk about Wikipedia's flaws on Wikipedia
  26. Re:Yes, yes, another anti-windows story by sumdumass · · Score: 3, Funny

    hey now. Not all of us need this crack to bypass windows security.

  27. Re:firewire has been around for longer than you th by bumby · · Score: 4, Informative

    <technical bitching>
    That's IEEE 1394 sir. IEEE is an institute.
    </technical bitching>

    --
    Hey! That's my sig you're smoking there!
  28. Re:2 Year bug report.. by Nevo · · Score: 3, Informative

    This is not a Microsoft vulnerability. FireWire devices can access RAM in the host machine, whether the host machine is running Windows, Linux, or MacOS. Any operating system running on a machine withe a FireWire port can be taken over in this manner.

  29. Re:Breathtaking Arrogance or Stupidity? by TheLink · · Score: 4, Informative

    Should be. It's a "feature" of Firewire.

    Some Mac people figured it out early (at least by 2001)
    http://rentzsch.com/macosx/securingFirewire

    The FreeBSD people were already using it way back in 2002, quote:
    "As you know, IEEE1394 is a bus and OHCI supports physical access to the host memory. This means that you can access the remote host over firewire without software support at the remote host. In other words, you can investigate remote host's physical memory whether its OS is alive or crashed or hangs up"

    In other words it doesn't matter what OS it is or whether there is even an OS.

    Oh yeah there's also "Linux Kernel debugging over Firewire" but that's recent - 2006.

    --
  30. Linux has the same security hole by Animats · · Score: 4, Informative

    Linux has this same bug. It's in "ohci1394.c". I reported this to the Linux kernel mailing list years ago, and the reaction of the kernel developers was to make it a "feature" for "remote debugging" that's enabled by default.

    Technically, here's how it works. First, see the OHCI specification, section 5.15, "Physical Upper Bound register". This determines the highest memory address into which an external device can store directly by sending a packet. If set to zero, this feature is disabled. That feature is intended for slave devices, like peripherals. On computers with an operating system, it should be zero. It's not.

    In the Linux kernel, that security hole was installed in "ohci1394.c" with the comment:
    /* Turn on phys dma reception.
    *
    * TODO: Enable some sort of filtering management.
    */

    In early kernels, it was unconditionally enabled. In 2.6, it's enabled by default, but can be turned off.

    Also, This patch indicates that this security hole may have been designed into some FireWire controllers, so that the "upper bound register" didn't really do anything, but read back zero.

  31. Re:Breathtaking Arrogance or Stupidity? by TheRaven64 · · Score: 4, Insightful

    It is true that the DMA must write to RAM where the DRIVER tells it to Not true. DMA stands for Direct Memory Access. The device has direct access to memory. In this case, it is the FireWire controller and, by extension (due to the design of these controllers) FireWire devices.

    If you have an IOMMU (e.g. on a decent Sun workstation), you can set up page tables for each device so that they DMA into a virtual address space. Your driver can then define regions which the device can access transparently. On newer AMD chips, you have a Device Exclusion Vector (DEV). The DEV is a sort of IOMMU-lite. It performs access control, but not translation. This means that the host OS (or driver) can mark each page of physical memory as read / write accessible on a per-device basis. On these machines, a well-designed OS or driver could prevent these attacks.

    On other systems, it is not possible to prevent this attack. It's also a known problem on FreeBSD and OS X. OpenBSD does not implement FireWire support for the explicit reason that it is impossible to do securely on most systems.

    It is the responsibility of the Driver to not write data where the device tells it to, and do proper bounds checking. You are possibly confusing DMA with Programmed I/O (PIO). On a PIO device, the driver writes data to device-mapped memory or an I/O port, the driver then reads it from here and writes it to wherever it is meant to go. On a DMA device, the driver (or, in the case of FireWire, a remote peer) just tells the device where to write the data and it does so without CPU intervention.
    --
    I am TheRaven on Soylent News
  32. Doesn't matter by RzUpAnmsCwrds · · Score: 4, Insightful

    This "vulnerability" is basically irrelevant for notebooks. Most notebooks have hot-swappable CardBus or ExpressCard slots, both of which have DMA support and can be used to dump the system's memory. Or you could do the "memory freeze" trick.

    The correct solution would be to map the FireWire address space into virtual memory, but this has to be done at the hardware level.

  33. Firewire Target Disk Mode by Vandil+X · · Score: 3, Informative

    Ever since Macs have had Firewire ports, you can boot a Mac holding down the T key and its hard disk become accessible via Firewire cable on another Mac. Mac OS X setup even prompts you to do this if you're migrating settings & data from one Mac to another.

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START