lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080307213843.GA94988@owl.midgard.homeip.net>
Date: Fri, 7 Mar 2008 22:38:43 +0100
From: Erik Trulsson <ertr1013@...dent.uu.se>
To: Larry Seltzer <Larry@...ryseltzer.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Firewire Attack on Windows Vista

On Fri, Mar 07, 2008 at 02:44:12PM -0500, Larry Seltzer wrote:
> Let's say the computer is off. You can turn it on, but that gets you to
> a login screen. What can the Firewire device do?

Just about anything it wants to.  It uses DMA (Direct Memory Access) which
can be initiated by any device on the Firewire bus.  This means a device
connected to the Firewire bus can read and/or modify any part of RAM of
any other device connected to that bus.  
It can (at least in principle) modify the OS, and insert any number of
viruses or other malware - or of course modify the login program so it lets
anybody in.  It is also very useful as a debug aid for developers, since one
can inspect memory contents even if the OS has crashed completely.


The only protection against this (other than to completely disable Firewire)
is to program the Firewire controller in the computer to either not accept
any DMA commands at all, or program it so it can only perform DMA to certain
known, safe, memory areas.

To what extent one can restrict the operations allowed for any given
controller can probably vary between different chips, and if one restricts it
too much, then some legitimate devices might stop working.






I wonder what other expansion ports can allow such control over the host
computer.
What about SCSI (which Firewire is partly based on in some aspects)? Or
eSATA?  Or PCMCIA/PCCard?


USB is probably safe. I think all operations must be initiated by the
host computer when using USB.  (USB is a much simpler and more "stupid"
interface than Firewire.  This is one reason why Firewire devices usually
give perform better than equivalent USB devices, despite running at a
lower nominal bitrate  (400 Mbit/s for Firewire compared to 480 Mbit/s for
USB.)






-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@...dent.uu.se

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ