Hi there,

I've stumbled on this article. I wonder if this is applicable to
FreeBSD. Would it still be possible to exploit it without a firewire
driver?

http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm

"The tool is a simple, 200-line script written in the Python
programming language that exploits features built into Firewire that allow
direct access to a computer's memory. By targeting specific places that
Windows consistently stores its vital authentication functions,
Boileau's tool is able to overwrite Windows' secured code with patches
that skip Windows' password check entirely."

Regards,
-- 
Jeremie Le Hen
< jlehen at clesys dot fr >
Hi Jeremie,

On 3/22/08, Jeremie Le Hen <jeremie@le-hen.org> wrote:
> Hi there,
>
> I've stumbled on this article. I wonder if this is applicable to
> FreeBSD. Would it still be possible to exploit it without a firewire
> driver?
>
> http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>

``That's not a bug, it's a feature''. That is, the firewire spec
requires that it has full read/write access to all physical memory, in
the same way that the PCI bus has full read/write access to physical
memory. Thus, with direct access to a firewire port, a malicious person
can grub around kernel memory and frob whatever they want (yet another
reason why physical security is important).

It seems that the Windows vulnerability was due to storing credentials
information in a consistent place from system to system; that is
certainly the case for a GENERIC kernel, but if you have a custom kernel
there is no longer a _trivial_ ``exploit'' -- an attacker must do some
work to find where things are (and be able to hot-patch machine
language, but I know several people that could do that, even one that's
basing his thesis project on it).

Basically, once an attacker has physical access to your machine, you've
lost; this is just one possible route that such an attacker could take.

We can use this feature as a true feature, as well, though -- it allows
dcons to be used instead of a serial port for kernel debugging when
you've totally confused your kernel.

-Ben Kaduk
On Sat, Mar 22, 2008 at 07:12:09PM +0100, Jeremie Le Hen wrote:
> Hi there,
>
> I've stumbled on this article. I wonder if this is applicable to
> FreeBSD. Would it still be possible to exploit it without a firewire
> driver?
>
> http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>
> "The tool is a simple, 200-line script written in the Python
> programming language that exploits features built into Firewire that allow
> direct access to a computer's memory. By targeting specific places that
> Windows consistently stores its vital authentication functions,
> Boileau's tool is able to overwrite Windows' secured code with patches
> that skip Windows' password check entirely."
>

It is, and FreeBSD was used in a proof of concept for reading passwords
via FireWire some years ago (see http://md.hudora.de/presentations/ for
sample Python code).

In CURRENT and RELENG_7, there's a tunable to disable physical access;
see fwohci(4). It should probably be ported back to RELENG_6.

- Christian

-- 
Christian Brueffer      chris@unixpages.org   brueffer@FreeBSD.org
GPG Key:         http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B  B29B 6C76 178C A0ED 982D