Microsoft Security

Aging Security Vulnerability Still Allows PC Takeover

Jackson writes "Adam Boileau, a security consultant based in New Zealand, has released a tool that can unlock Windows computers in seconds without the need for a password. By connecting a Linux machine to a Firewire port on the target machine, the tool can then modify Windows' password protection code and render it ineffective. Boileau said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble'. But now that a couple of years have passed and the issue has not been resolved, Boileau decided to release the tool on his website."
  • by lpangelrob ( 714473 ) on Tuesday March 04, 2008 @09:48AM (#22634712)
    ...finding a PC with a firewire port.

    (The only ones at my workplace are the two I put firewire cards in. Don't ask, it's complicated.)
  • host memory! (Score:5, Insightful)

    by Spazmania ( 174582 ) on Tuesday March 04, 2008 @09:49AM (#22634726) Homepage
    So why exactly is it a desirable feature for a firewire node to be able to access another node's memory unsolicited?
  • by Anonymous Coward on Tuesday March 04, 2008 @09:51AM (#22634756)
    Try looking at a modern laptop. They're far more common there than on desktops.

    Hmmm... what a coincidence, laptops are also exposed to strangers carrying computers of their own, too. I wonder if this might have implications regarding the severity of this particular weakness...
  • by MPAB ( 1074440 ) on Tuesday March 04, 2008 @09:52AM (#22634758)
    Many laptops have Firewire ports, and most modern desktop mainboards do also thanks to the growing popularity of digital video cameras.
  • by 91degrees ( 207121 ) on Tuesday March 04, 2008 @09:52AM (#22634764) Journal
    This does require physical access to a machine. If you want to access the machine, you can reboot using a USB stick and access the hard disk that way, or even just open the machine and take the drive, then modify the contents to your heart's content before putting it back.
  • by LingNoi ( 1066278 ) on Tuesday March 04, 2008 @09:53AM (#22634772)
    This isn't the first guy to get frustrated with Microsoft's lack of commitment in the security vulnerability area and just release his nasty onto the world... It probably won't be the last either.
  • Physical access (Score:3, Insightful)

    by nickv111 ( 1026562 ) on Tuesday March 04, 2008 @09:54AM (#22634786)
    Not to say that Microsoft shouldn't have patched this, for it is certainly a design flaw to allow computers hooked up to a machine to access its memory, but if you're plugging something into the Firewire port of a computer, then you're sitting at that computer, aren't you? It's true of all hardware that if you have physical access, then you can do whatever you want with it anyway.

    -Nick
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday March 04, 2008 @09:55AM (#22634788)
    Comment removed based on user account deletion
  • by goddidit ( 988396 ) on Tuesday March 04, 2008 @09:56AM (#22634804)
    But this works with crypted drives.
  • by LingNoi ( 1066278 ) on Tuesday March 04, 2008 @09:57AM (#22634820)
    That's not exactly the same... Take my library for example: all machines are set to boot correctly and the cases are physically locked to their location. Also looks a lot less suspicious when you're not ripping the guts out of a machine that it's obvious you don't own in public...
  • by sm62704 ( 957197 ) on Tuesday March 04, 2008 @09:57AM (#22634822) Journal
    For Microsoft to have failed to patch an issue such as this must be indicative of either breathtaking arrogance or utter stupidity... or perhaps both

    How about apathy? They'll wake up when and if they ever lose market share because of their shoddy product. I mean come on, if I can sell a Yugo at Escalade prices, why should I produce a quality product? That would be stupid. And if I could sell Yugos at Escalade prices I think my arrogance would be understandable and forgivable.

    They've been selling an insecure OS for as long as PCs have been networked, why should they secure it now?
  • by Albanach ( 527650 ) on Tuesday March 04, 2008 @09:57AM (#22634824) Homepage
    This though appears to have the advantage of not requiring a reboot, so rendering BIOS passwords ineffective.

    It's all very well to say if someone has physical access all security is compromised. That doesn't mean you need to make it as easy and quick as possible. Now if you lock your computer and pop to the bathroom, a visitor could be in and out of your PC before you get back.
  • by Chops ( 168851 ) on Tuesday March 04, 2008 @10:10AM (#22634954)
    My favorite part of the article:

    > Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.
    >
    > "If you have a Firewire port, disable it when you aren't using it," Ducklin said.
    >
    > "That way, if someone does plug into your port unexpectedly, your side of the Firewire link is dead, so they can't interact with your PC, legitimately or otherwise."

    "You see, this serious security problem was designed in from the start, so therefore... it's not a problem! Ta-da!"
  • by betterunixthanunix ( 980855 ) on Tuesday March 04, 2008 @10:10AM (#22634958)
    The command is run on a second system that is connected via firewire.

    Here's the thing though: this requires physical access. That makes it a low-salience attack, because gaining that kind of access is only an iota easier than pointing a gun at someone's head and demanding their password.

  • Re:Physical access (Score:3, Insightful)

    by Chops ( 168851 ) on Tuesday March 04, 2008 @10:16AM (#22635014)

    > It's true of all hardware that if you have physical access, then you can do whatever you want with it anyway.

    That's certainly not true. To use one of a huge multitude of examples, students at my school had physical access to the machines in the computer lab, but it would definitely be a problem if they installed a keylogger to sniff other students' passwords.
  • Physical Security (Score:5, Insightful)

    by Chysn ( 898420 ) on Tuesday March 04, 2008 @10:23AM (#22635076)
    Once your machine's physical security is compromised, just about anything can happen. If someone is in your data center or office unattended and hooking up equipment to your PC, you're sort of in a world of hurt anyway.
  • Re:host memory! (Score:4, Insightful)

    by TheRaven64 ( 641858 ) on Tuesday March 04, 2008 @10:24AM (#22635088) Journal
    It's a design flaw. The peer-to-peer nature shouldn't come into it. What ought to happen is that one peer requests DMA rights to a memory location in another peer, and the driver then returns yes or no before the controller decides whether to permit the DMA request. In simple devices, like hard drives, the driver would always return true (allow). In multitasking systems the driver would only return yes for pointers to pages it owns.
  • by Anonymous Coward on Tuesday March 04, 2008 @10:41AM (#22635282)
    Doesn't that also mean that Linux is also vulnerable to Apple's firewire design faults?
  • Re:Physical access (Score:3, Insightful)

    by gad_zuki! ( 70830 ) on Tuesday March 04, 2008 @10:45AM (#22635314)
    Yeah, if I'm sitting at it I can boot from USB, wipe the administrator password, reboot and log in. No need for a firewire card, cable, etc. I can do the same with OSX but I have to use the install disc instead of the USB keychain in my pocket.

    Yes this is all very "shocking." This is the slashdot equivalent of CNN playing that lock-pick video over and over again.
  • by xtieburn ( 906792 ) on Tuesday March 04, 2008 @10:48AM (#22635342)
    Or perhaps slashdot on another uneducated baseless diatribe directed towards that little known company MS.

    Did you read the article or did you just check the headline and decide to try to get cheap mod points? I'll point out why you don't deserve them.

    'Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.'

    Now maybe this was just excuses but the fact it came from a third party with no particular connection to MS should have made you pause for thought. Even if you don't know much about firewire it would take you moments to do a quick search and actually realise this is a 'feature' of the actual specification itself. As in _every_ O/S had the same problem. Linux, OSX even BSD were using this exploit even before MS were cracked. There are still reports of new OSX and Linux systems being hacked by firewire right into 2008. (Though admittedly I've not heard much from BSD, probably because their admins tend to actually have a clue.)

    This is a universal flaw in security stemming from naivety with regard to externally connected hardware. You want secure firewire, disable it when you are not using it yourself. That goes for any system, any O/S, any person. End of story.
  • by gnick ( 1211984 ) on Tuesday March 04, 2008 @10:58AM (#22635450) Homepage

    > the physical security at my home is pretty good

    That's the gotcha here. Anyone with physical access to a machine owns that box. The only difference with this technique is that it sounds like it's quicker and possibly more subtle than my typical method of rebooting onto a live Linux CD and "repairing" the Windows accounts.
  • Wow? (Score:-1, Insightful)

    by Anonymous Coward on Tuesday March 04, 2008 @11:04AM (#22635530)
    What a stupid, ignorant post.

    It's a FireWire vulnerability, NOT a Windows vulnerability. On most hardware, there is nothing Windows can even do to prevent this attack. If your cheapo FireWire card allows other devices to directly issue DMA requests, then you're fucked and Microsoft can't do anything about it.

    The solution is not to use FireWire, or to use a card which restricts access to memory regions approved by the device driver, or to somehow disable the FireWire card when you're not using it.

    And as other posters have repeatedly mentioned, if the attacker has physical access to your box then you are in for a world of hurt anyway. This FireWire "feature" is the clearest example of that I have ever seen.
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Tuesday March 04, 2008 @11:04AM (#22635532)
    Comment removed based on user account deletion
  • by pruss ( 246395 ) on Tuesday March 04, 2008 @11:07AM (#22635586) Homepage
    Some commenters note that this is a feature of Firewire. But would there be any problem with MS just disabling the port whenever the system is password locked, unless there is something already plugged into the port when the system was locked (after all, there might be a Firewire HD plugged in, and a process writing to it). Probably the best way to handle the latter case would be to watch for an unplug event when the system is locked, and then disable the port as soon as the device is unplugged. This is very simple, and I don't see any downside to it.
  • I could do this... (Score:2, Insightful)

    by DigitalisAkujin ( 846133 ) on Tuesday March 04, 2008 @11:08AM (#22635594) Homepage
    Or I could use a bootdisk with a password hash file modifier...
  • Re:Who cares? (Score:3, Insightful)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Tuesday March 04, 2008 @11:15AM (#22635722) Journal

    > Once again, on Slashdot, I say, 'who cares?' This is a Windows vulnerability and I thought Slashdot was an open source outlet for news and for some stories that people so-called 'care about', not Windows vulnerabilities.

    You're wrong on two counts.

    One, this is an outlet for "news for nerds". As unfathomable as it might seem to you, there are nerds who are into Windows. Some even by choice.

    Two, this is not a Windows vulnerability. It is a FireWire vulnerability -- actually, a FireWire design flaw. It is possible that the OS could be careful enough to prevent this kind of thing, but none of the current OSes are:

    > We want open source OS's (Linux, FreeBSD, Syllable, etc) to be the most-used, don't we?

    I honestly can't say about Syllable or FreeBSD, but I know that neither Linux nor OSX have fixed this issue. There is an unstable fix for Linux, but it breaks some hardware.

    The recommended fix, in all cases, is to disable your FireWire port when you're not using it.

    > Well, posting stories like this just to point and laugh at Microsoft makes the open source community look very pretentious, like looking at a 'Windows admin' and laughing at them because they do not know basic UNIX commands.

    So does complaining about a story merely because it discusses a Windows vulnerability. Maybe not everyone saw this as an excuse to point and laugh at Microsoft? Maybe only you did?
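
    Several comments in this thread (xtieburn's, SanityInAnarchy's, and the Sophos quote) give the same remedy: disable FireWire when you are not using it. The Python script below is an added illustration of what that looks like on a Linux host; it is not code from the article or from any commenter. It reads a /proc/modules listing (a constructed sample is embedded so it runs offline; pass the real file path as the first argument on a live host), reports which FireWire driver modules are loaded, works out an unload order that respects which module uses which, and prints a modprobe.d fragment that keeps the drivers from loading again. The module names are the real Linux driver names for the old ieee1394 stack and the newer firewire stack; the sample listing, its addresses, and the file name no-firewire.conf are assumptions.

```python
"""Check a Linux module list for the FireWire (IEEE 1394) driver stacks and
emit what is needed to unload them now and keep them out at boot.

Added example for the "disable FireWire when you are not using it" advice;
not code from the article or any commenter. The module names are the real
Linux driver names; the sample module listing below is constructed."""
import sys

# The older ieee1394 stack and the newer firewire ("juju") stack that replaced it.
FIREWIRE_MODULES = {
    "ieee1394", "ohci1394", "sbp2", "raw1394", "video1394", "dv1394", "eth1394",
    "firewire_core", "firewire_ohci", "firewire_sbp2", "firewire_net",
}

# Constructed sample in /proc/modules format: name size refcount users state address
SAMPLE_PROC_MODULES = """\
firewire_ohci 24576 0 - Live 0xffffffffc0a1b000
firewire_core 65536 1 firewire_ohci, Live 0xffffffffc09f0000
sbp2 20480 0 - Live 0xffffffffc09d0000
ieee1394 90112 1 sbp2, Live 0xffffffffc09b0000
usbhid 49152 0 - Live 0xffffffffc0990000
e1000e 245760 0 - Live 0xffffffffc0900000
"""


def parse_proc_modules(text):
    """Map each loaded module to the set of modules that currently use it."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        name, user_field = fields[0], fields[3]  # user_field is "-" or "a,b,"
        users[name] = {u for u in user_field.split(",") if u and u != "-"}
    return users


def firewire_modules_loaded(text):
    """Loaded FireWire driver modules, in /proc/modules order."""
    return [m for m in parse_proc_modules(text) if m in FIREWIRE_MODULES]


def unload_order(text):
    """Order the loaded FireWire modules so each is removed only after every
    module that uses it; raise if something outside the stack still pins one."""
    users = parse_proc_modules(text)
    remaining = {m for m in users if m in FIREWIRE_MODULES}
    removed, order = set(), []
    while remaining:
        ready = sorted(m for m in remaining if users[m] <= removed)
        if not ready:
            pinned = {m: sorted(users[m] - removed) for m in remaining}
            raise ValueError(f"cannot unload, still in use: {pinned}")
        order.extend(ready)
        removed.update(ready)
        remaining -= set(ready)
    return order


def modprobe_config(modules=FIREWIRE_MODULES):
    """Contents for a file under /etc/modprobe.d/ that keeps the drivers out.
    'blacklist' stops autoloading by alias; 'install ... /bin/true' also stops
    an explicit modprobe or a dependency pull-in from loading the module."""
    lines = ["# Keep IEEE 1394 drivers out of the kernel; load them deliberately when needed."]
    for m in sorted(modules):
        lines.append(f"blacklist {m}")
        lines.append(f"install {m} /bin/true")
    return "\n".join(lines) + "\n"


def remediation_commands(text):
    """Shell commands, in a safe order, to unload the loaded FireWire stack."""
    return [f"modprobe -r {m}" for m in unload_order(text)]


if __name__ == "__main__":
    # Pass /proc/modules as the first argument on a real host; otherwise the sample runs.
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROC_MODULES
    loaded = firewire_modules_loaded(listing)
    if not loaded:
        print("No FireWire driver modules loaded.")
    else:
        print("FireWire driver modules loaded:", ", ".join(loaded))
        print("Unload with:")
        for cmd in remediation_commands(listing):
            print("   ", cmd)
        print("Persist with /etc/modprobe.d/no-firewire.conf containing:")
        print(modprobe_config(), end="")
```

    Both halves matter: a blacklist entry only affects future loads, so a stack that is already resident stays reachable from the port until it is unloaded, and an unload without the config comes back at the next boot or hotplug. On Windows the equivalent step is disabling the IEEE 1394 host controller in Device Manager rather than just leaving the port empty.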

  • Re:Physical access (Score:3, Insightful)

    by Seraphim_72 ( 622457 ) on Tuesday March 04, 2008 @11:21AM (#22635808)
    I agree that if you have physical access to a machine you own it, but at the same time there is a world of difference between being able to do a drive by cracking and physically carting off the machine to brute force it at your leisure.

    Sera
  • by anandsr ( 148302 ) on Tuesday March 04, 2008 @12:00PM (#22636340) Homepage
    It is true that the DMA must write to RAM where the DRIVER tells it to. It is the responsibility of the Driver to not write data where the device tells it to, and do proper bounds checking.
  • by jafiwam ( 310805 ) on Tuesday March 04, 2008 @12:06PM (#22636430) Homepage Journal
    So what?

    There's dozens of other ways to compromise a PC (Windows or not) if you can sit down in front of it. Even if you don't have to reboot with this, or can sniff enough stuff to log in remotely later across the internet...

    This is why the server room and racks are locked; it's really really hard to combat someone who has physical access and a bit of time/knowledge to use to evil ends.

    Sure, it's creative but come on...
  • Re:host memory! (Score:-1, Insightful)

    by Anonymous Coward on Tuesday March 04, 2008 @12:09PM (#22636478)
    Guess why apple is moving from Firewire to USB
  • by Anonymous Coward on Tuesday March 04, 2008 @12:15PM (#22636558)
    You should attend some training on burglar and fire alarm systems. The mistake you have made is to think there is no way to bypass the system. No system whatsoever is foolproof. Most home thefts are committed by someone that has been inside the home and has knowledge, at least to some degree, of the system. They also usually know what they want before any entry attempt is made. So, unless you have instantaneous police response, they will get what they want. No need to even try to cut your phone line or disable the cellular backup. And, unless you have window screens and every inch covered in combination motion/heat detectors, they could manage to do it without even tripping the alarm with a fair amount of ease.
    Alarm systems only detect, and then they only detect those stupid enough to be detected.

    Posting anonymously to protect my career. :)
  • by bitslinger_42 ( 598584 ) on Tuesday March 04, 2008 @12:23PM (#22636664)
    Sure, but if the system is live and has the EFS mounted, the key must be held in memory, otherwise the OS couldn't decrypt the EFS partition. With the key in memory, and Firewire having Direct Memory Access, the bad guy has the EFS (or PGP, or TrueCrypt, or whatever) key. That, plus passwords, web pages being viewed, engineering documents being edited, etc.
  • by Beardo the Bearded ( 321478 ) on Tuesday March 04, 2008 @12:52PM (#22637038)
    Physical access = security is meaningless.

    If they could access the firewire port via an internet connection, THEN I'd consider this a leak.

    You could also tweak the system by opening the case and removing the hard drive, or just attaching a thumb drive and copying all the data.
  • by TheRaven64 ( 641858 ) on Tuesday March 04, 2008 @01:31PM (#22637828) Journal

    > It is true that the DMA must write to RAM where the DRIVER tells it to

    Not true. DMA stands for Direct Memory Access. The device has direct access to memory. In this case, it is the FireWire controller and, by extension (due to the design of these controllers) FireWire devices.

    If you have an IOMMU (e.g. on a decent Sun workstation), you can set up page tables for each device so that they DMA into a virtual address space. Your driver can then define regions which the device can access transparently. On newer AMD chips, you have a Device Exclusion Vector (DEV). The DEV is a sort of IOMMU-lite. It performs access control, but not translation. This means that the host OS (or driver) can mark each page of physical memory as read / write accessible on a per-device basis. On these machines, a well-designed OS or driver could prevent these attacks.

    On other systems, it is not possible to prevent this attack. It's also a known problem on FreeBSD and OS X. OpenBSD does not implement FireWire support for the explicit reason that it is impossible to do securely on most systems.

    > It is the responsibility of the Driver to not write data where the device tells it to, and do proper bounds checking.

    You are possibly confusing DMA with Programmed I/O (PIO). On a PIO device, the driver writes data to device-mapped memory or an I/O port, the driver then reads it from here and writes it to wherever it is meant to go. On a DMA device, the driver (or, in the case of FireWire, a remote peer) just tells the device where to write the data and it does so without CPU intervention.
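
    TheRaven64's description above, together with the "driver returns yes or no to a DMA request" design from the earlier "host memory!" reply, is easier to see in a small model. The Python below is an added illustration, not anyone's comment and not real driver code: a flat physical memory that an unchecked bus master reaches directly, a device behind a Device Exclusion Vector that only checks per-page permission on physical addresses, and a device behind an IOMMU that translates I/O addresses and so cannot even name a page the driver never mapped. The page size, the key placed in page 3, and the device name are constructed.

```python
"""Teaching model of DMA containment, added for the IOMMU / Device Exclusion
Vector discussion above: memory reachable by an unchecked bus master, by a
device behind a DEV (access control without translation), and by a device
behind an IOMMU (translation plus access control). Simplified; not a model
of any real chip."""

PAGE_SIZE = 4096  # constructed: the model uses 4 KiB pages


class PhysicalMemory:
    """A flat physical address space; read/write are what the DMA engine does."""

    def __init__(self, pages):
        self.data = bytearray(pages * PAGE_SIZE)

    def read(self, addr, length):
        if addr < 0 or addr + length > len(self.data):
            raise IndexError("DMA outside physical memory")
        return bytes(self.data[addr:addr + length])

    def write(self, addr, payload):
        self.read(addr, len(payload))  # reuse the bounds check
        self.data[addr:addr + len(payload)] = payload


class DeviceExclusionVector:
    """Access control without translation: a per-device set of physical pages
    the driver has approved; the device still addresses memory physically."""

    def __init__(self, mem):
        self.mem, self.allowed = mem, {}  # allowed: device -> set of physical pages

    def grant(self, device, page):
        self.allowed.setdefault(device, set()).add(page)

    def dma_read(self, device, addr, length):
        last = (addr + length - 1) // PAGE_SIZE
        for page in range(addr // PAGE_SIZE, last + 1):
            if page not in self.allowed.get(device, ()):
                raise PermissionError(f"{device}: DMA to physical page {page} blocked")
        return self.mem.read(addr, length)  # a write would pass the same check


class Iommu:
    """Translation plus access control: each device has its own I/O address
    space, and only the pages the driver mapped exist in it at all."""

    def __init__(self, mem):
        self.mem, self.tables = mem, {}  # tables: device -> {io_page: (phys_page, writable)}

    def map_page(self, device, io_page, phys_page, writable=False):
        self.tables.setdefault(device, {})[io_page] = (phys_page, writable)

    def _translate(self, device, iova, length, write):
        """Check and translate a whole transfer, page by page, before any byte moves."""
        pieces, offset = [], 0
        while offset < length:
            addr = iova + offset
            entry = self.tables.get(device, {}).get(addr // PAGE_SIZE)
            if entry is None or (write and not entry[1]):
                raise PermissionError(f"{device}: I/O address {addr:#x} not mapped for this access")
            size = min(length - offset, PAGE_SIZE - addr % PAGE_SIZE)
            pieces.append((entry[0] * PAGE_SIZE + addr % PAGE_SIZE, size))
            offset += size
        return pieces

    def dma_read(self, device, iova, length):
        return b"".join(self.mem.read(pa, n) for pa, n in self._translate(device, iova, length, False))

    def dma_write(self, device, iova, payload):
        pos = 0
        for pa, n in self._translate(device, iova, len(payload), True):
            self.mem.write(pa, payload[pos:pos + n])
            pos += n


def demo():
    """Try to read a key held in physical page 3 through each path.
    The page number, key bytes and device name are constructed."""
    mem = PhysicalMemory(pages=4)
    key, key_addr, peer = b"constructed-disk-encryption-key", 3 * PAGE_SIZE, "firewire-peer"
    mem.write(key_addr, key)
    # No IOMMU, no DEV: the DMA engine reaches any physical address, and a peer
    # that can drive the engine (as over FireWire) inherits that reach.
    outcome = {"raw": "leaked" if mem.read(key_addr, len(key)) == key else "blocked"}
    dev = DeviceExclusionVector(mem)
    dev.grant(peer, 1)  # the driver's own DMA buffer lives in physical page 1
    iommu = Iommu(mem)
    iommu.map_page(peer, io_page=0, phys_page=1, writable=True)  # same buffer, seen as I/O page 0
    for name, controller in (("dev", dev), ("iommu", iommu)):
        try:
            controller.dma_read(peer, key_addr, len(key))
            outcome[name] = "leaked"
        except PermissionError:
            outcome[name] = "blocked"
    iommu.dma_write(peer, 16, b"packet")  # the legitimate transfer still lands in page 1
    outcome["iommu_buffer_ok"] = mem.read(PAGE_SIZE + 16, 6) == b"packet"
    return outcome


if __name__ == "__main__":
    for model, result in demo().items():
        print(f"{model:16} {result}")
```

    The point of the model is the difference between the two containment schemes: the DEV still lets the device speak physical addresses and only filters them, which is enough to stop the read of page 3 but leaves the driver responsible for keeping the approved set small; the IOMMU gives the device an address space in which page 3 does not exist, so a driver mistake would have to be an explicit mapping rather than an omitted exclusion. Without either, nothing in the path looks at the address at all.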
  • Re:Physical access (Score:3, Insightful)

    by Culture20 ( 968837 ) on Tuesday March 04, 2008 @02:03PM (#22638574)
    This hack can be done on a machine that has its case physically locked, its bios set to boot only to the HDD, and a good bios-setup password. It's the firewire equiv to a remote exploit over the 'net, because the OS you want to own is _running_ at the time.

    The only saving grace is that someone must be physically present to plug in a device. This is still an issue though; imagine how many machines might be pseudo-public terminals, locked down (w/o epoxy in the firewire ports), but are so easily own-able, allowing people to install keyloggers?

  • Doesn't matter (Score:5, Insightful)

    by RzUpAnmsCwrds ( 262647 ) on Tuesday March 04, 2008 @02:51PM (#22639500)
    This "vulnerability" is basically irrelevant for notebooks. Most notebooks have hot-swappable CardBus or ExpressCard slots, both of which have DMA support and can be used to dump the system's memory. Or you could do the "memory freeze" trick.

    The correct solution would be to map the FireWire address space into virtual memory, but this has to be done at the hardware level.
