Remote Malware Injection Via Flaw In Network Card
kfz-versicherung writes "During the CanSecWest international conference in Vancouver, members of ANSSI described how an attacker could be able to exploit a flaw to run arbitrary code inside some network controllers (full presentation; PDF). The attack uses routable packets delivered to the victim's NIC. Consequently, multiple attacks can be conducted including man-in-the-middle attacks on network connections, access to cryptographic keys on the host platform, or malware injection on the victim's computer host platform."
It has come to my attention that the entire Linux community is a hotbed of so called 'alternative sexuality', which includes anything from hedonistic orgies to homosexuality to paedophilia.
What better way of demonstrating this than by looking at the hidden messages contained within the names of some of Linux's most outspoken advocates:
I'm sure that Eric S. Raymond, composer of the satanic homosexual propaganda diatribe The Cathedral and the Bizarre, is probably an anagram of something queer, but we don't need to look that far as we know he's always shoving a gun up some poor little boy's rectum. Update: Eric S. Raymond is actually an anagram for secondary rim and cord in my arse. It just goes to show you that he is indeed queer.
Update the Second: It is also documented that Evil Sicko Gaymond is responsible for a nauseating piece of code called Fetchmail, which is obviously sinister sodomite slang for 'Felch Male' -- a disgusting practise. For those not in the know, 'felching' is the act performed by two perverts wherein one sucks their own post-coital ejaculate out of the other's rectum. In fact, it appears that the dirty Linux faggots set out to undermine the good Republican institution of e-mail, turning it into 'e-male.'
As far as Richard 'Master' Stallman goes, that filthy fudge-packer was actually quoted on leftist commie propaganda site Salon.com as saying the following: 'I've been resistant to the pressure to conform in any circumstance,' he says. 'It's about being able to question conventional wisdom,' he asserts. 'I believe in love, but not monogamy,' he says plainly.
And this isn't a made up troll bullshit either! He actually stated this tripe, which makes it obvious that he is trying to politely say that he's a flaming homo slut!
Speaking about 'flaming,' who better to point out as a filthy chutney ferret than Slashdot's very own self-confessed pederast Jon Katz. Although an obvious deviant anagram cannot be found from his name, he has already confessed, nay boasted of the homosexual perversion of corrupting the innocence of young children. To quote from the article linked:
'I've got a rare kidney disease,' I told her. 'I have to go to the bathroom a lot. You can come with me if you want, but it takes a while. Is that okay with you? Do you want a note from my doctor?'
Is this why you were touching your penis in the cinema, Jon? And letting the other boys touch it too?
We should also point out that Jon Katz refers to himself as 'Slashdot's resident Gasbag.' Is there any more doubt? For those fortunate few who aren't aware of the list of homosexual terminology found inside the Linux 'Sauce Code,' a 'Gasbag' is a pervert who gains sexual gratification from having a thin straw inserted into his urethra (or to use the common parlance, 'piss-pipe'), then his homosexual lover blows firmly down the straw to inflate his scrotum. This is, of course, when he's not busy violating the dignity and co
Better ditch those useless Killer NIC now before they get exploited..... *snarf*
Network controller sounds like a job to me.
If you dig into TFA, you'll find this:
"However, the attack presented only applies to a specific network card model (Broadcom NetXtreme) whenever a remote administration functionality (called ASF for Alert Standard Format 2.0) is turned on (it is off by default) and configured. According to vendors, this functionality is far from being widely used. As a consequence, this vulnerability is really likely to have a very limited impact in practice."
A lot of IPMI and ASF code is an open door into at least some portion of the overall system. As NICs become more and more "intelligent," there's going to be more opportunities to exploit the NIC architecture and any subtle flaws because of the communication path into the system itself. Couple that with a rush to get stuff out the door faster and cheaper...and more of these issues will crop up.
"It is a miracle that curiosity survives formal education." -Albert Einstein
It seems that the presentation focuses heavily on the NetXtreme framework, which is specific to Broadcom. Doesn't Intel, the other major NIC vendor/manufacturer, use their own proprietary security and administrative protocols on their devices?
I wonder how secure Realtek's stuff is; their drivers/software leave me to think that their hardware code is ripe for discovery...
NO CARRIER
With some of these exploits that are being "discovered," I just have to wonder how many of them are known by the NSA and I have to wonder how they're being used.
As devices become more and more complex, device functions that were once embedded within a chip are now being implemented by embedded computer systems which are tiny processors, ROM and RAM. And these devices interface with our computers through Direct Memory Access in some form or another and they get access to our computer's memory. If you think it is getting harder to find a virus in a running Windows installation, try finding one in your network cards or other devices.
While the "article" (it's a frikken PDF) says that this has been tested by invading a network card through a normally disabled management interface, what about other means of infection?
What I am saying is this: Once malware gets into the computer, all other devices are increasingly at risk of being a target for being compromised to enable secondary infections even after the hard drive is wiped out... even after the hard drive is replaced. Get some malware stuck inside your system board's controllers and you are either trying to figure out how to reflash every chip on that board, or you're buying a new board.
Since none of our clients use ASF, I have manually disabled it on every build I've done. Contrary to the article, many have it enabled by default. Why did I bother? I am a minimalist. I figured having an unused feature enabled could only potentially introduce problems.
The important part about this is not that the attack is very specific (only Broadcom running ASF) but that attacks through a NIC are possible at all. This could be the beginning of more serious and widespread attacks as network components become exploitable through their increasing technology. There's a relationship between amount of code a device runs and the amount of bugs present in that code, and bugs can often be exploited for bad purposes.
From the article:
"However, the attack presented only applies to a specific network card model (Broadcom NetXtreme) whenever a remote administration functionality (called ASF for Alert Standard Format 2.0) is turned on (it is off by default) and configured. According to vendors, this functionality is far from being widely used. As a consequence, this vulnerability is really likely to have a very limited impact in practice."
One network card by one manufacturer has a vulnerability when an obscure feature is turned on. While the idea of an attack on the network itself is interesting, this isn't going to become a widespread problem.
This is how the loudness war is killing music.
-1 an hero
So much insecure code to be explored...
But kudos to the NIC-approach!
A bunch of my machines are constantly logging Broadcom ASF IP and SMBIOS Mailbox Monitor events? Shit.
I recently heard that the simulated network card in virtualization systems can be a point of attack. So, this may be a more general issue than a specific card.
IPMI remote management security is worrisome.
There are Linux utilities for IPMI. It's definitely worthwhile running "ipmiutil discover" on any LAN you control, to find out if anything out there speaks IPMI. It's also worthwhile monitoring your data center's networks for anything happening on UDP ports 663 and 664. If you're not using IPMI, make sure no one else is.
A big problem with IPMI is that the shipped hardware defaults really matter. If someone ships you a NIC card with IPMI enabled and the password known, you are 0wned at a very low level. IPMI boards offer various levels of authentication, some of which offer good cryptographic security. But one of the options is "no authentication".
A deeper problem is the possibility that NIC chips might have a default backdoor password built in. Many NIC chips now are designed in China.
Understand how much you can do via IPMI. You can turn the machine on and off remotely. You can force a reboot. You can change the boot settings. You can change the MAC address. You can override the front panel power and reset switches.(!) You can lock out the keyboard, blank the screen, set up a connection which the computer sees as a hard-wired keyboard, and boot from the LAN. The operating system isn't involved in any of this; it's taking place at a level below that of the main CPU.
Dell's guidance on IPMI is terrifying. See Figure 3, where IPMI over LAN is being enabled with username "root", no password. This sort of thing is common. The default password on Dell PowerEdge servers is "calvin", on Sun Fire servers it's "changeme", in both cases the user is "root".
If you try to do it right, turning on all the crypto and using unique random keys for each chassis, someone has to manually type in the encryption key in hex on each new server. Then you need a remote management program which securely holds all the keys. How many shops really do that?
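The comment above recommends watching your data center networks for IPMI traffic and finding out what "speaks IPMI". The following is an added example (not code from the article, from ANSSI or from any commenter) of that check run over flow records: it flags UDP traffic to the RMCP ports and rates it by whether the source sits in a management network. The comment names UDP 663 and 664; the IANA assignments for ASF/RMCP are UDP 623 (asf-rmcp) and 664 (asf-secure-rmcp), so the example watches those two. The flow-record format, the management subnet and the sample records are all constructed for the example.

```python
"""Flag IPMI/ASF (RMCP) traffic in flow records and list hosts that accept it.

Added example, not from the article. The flow format below is constructed:
one record per line, "timestamp src dst proto dport bytes", space separated.
"""
from dataclasses import dataclass
import ipaddress

# IANA: 623 = asf-rmcp (ASF/IPMI over LAN), 664 = asf-secure-rmcp.
RMCP_PORTS = {623: "asf-rmcp", 664: "asf-secure-rmcp"}

# Assumption for the example: only this network is allowed to talk to BMCs.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample records, not real traffic.
SAMPLE_FLOWS = """\
# ts src dst proto dport bytes
2010-03-27T10:00:01 10.10.0.5 10.10.1.20 udp 623 128
2010-03-27T10:00:02 10.10.1.20 10.10.0.5 udp 52000 96
2010-03-27T10:00:05 192.168.7.33 10.10.1.21 udp 623 144
2010-03-27T10:00:06 192.168.7.33 10.10.1.21 udp 664 212
2010-03-27T10:00:09 10.10.0.6 10.10.1.22 tcp 443 5100
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(ts, src, dst, proto.upper(), int(dport), int(nbytes))


def iter_flows(lines):
    """Yield Flow objects, skipping blank lines and '#' comments."""
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            yield parse_flow(line)


def classify(flow: Flow):
    """Return a finding dict for RMCP traffic, or None for anything else.

    Traffic from the management network is expected (info); RMCP from any
    other source means a BMC is reachable from where it should not be (high).
    """
    if flow.proto != "UDP" or flow.dport not in RMCP_PORTS:
        return None
    src = ipaddress.ip_address(flow.src)
    from_mgmt = any(src in net for net in MGMT_NETS)
    return {
        "ts": flow.ts,
        "src": flow.src,
        "bmc": flow.dst,
        "service": RMCP_PORTS[flow.dport],
        "severity": "info" if from_mgmt else "high",
    }


def scan(lines):
    """Return all RMCP findings for the given flow records, in order."""
    findings = []
    for flow in iter_flows(lines):
        finding = classify(flow)
        if finding is not None:
            findings.append(finding)
    return findings


def rmcp_listeners(lines):
    """Hosts that received RMCP traffic: candidates for 'something speaks IPMI'."""
    return {f["bmc"] for f in scan(lines)}


if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS.splitlines()):
        print(f"{f['severity']:4} {f['ts']} {f['src']} -> {f['bmc']} ({f['service']})")
    print("RMCP listeners:", sorted(rmcp_listeners(SAMPLE_FLOWS.splitlines())))
```

The "high" findings are the ones worth chasing: a host outside the management network reaching a BMC on UDP 623/664 is either an inventory gap (a board shipped with IPMI enabled, as the comment describes) or a firewall gap. The listener set is the input for the password check the comment calls for: each of those hosts should be confirmed to have the vendor default credentials changed and "no authentication" disabled.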