From owner-freebsd-security@FreeBSD.ORG Sun Mar 23 06:30:27 2008
From: "Ben Kaduk"
To: "Jeremie Le Hen"
Date: Sun, 23 Mar 2008 02:03:40 -0400
Message-ID: <47d0403c0803222303t6274bd75la707f4232d44db8d@mail.gmail.com>
In-Reply-To: <20080322181209.GJ66530@obiwan.tataz.chchile.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Firewire vulnerability applicable on FreeBSD?

Hi Jeremie,

On 3/22/08, Jeremie Le Hen wrote:
> Hi there,
>
> I've stumbled on this article. I wonder if this is applicable to
> FreeBSD. Would it still be possible to exploit it without a firewire
> driver?
>
> http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>

``That's not a bug, it's a feature''.

That is, the firewire spec requires that it has full read/write access to all
physical memory, in the same way that the PCI bus has full read/write
access to physical memory.

Thus, with direct access to a firewire port, a malicious person can
grub around kernel memory and frob whatever they want (yet
another reason why physical security is important).

It seems that the windows vulnerability was due to storing credential
information in a consistent place from system to system; that is
certainly the case for a GENERIC kernel, but if you have a custom kernel
there is no longer a _trivial_ ``exploit'' -- an attacker must do some
work to find where things are (and be able to hot-patch machine
language, but I know several people that could do that, even one that's
basing his thesis project on it).

Basically, once an attacker has physical access to your machine,
you've lost; this is just one possible route that such an attacker
could take.

We can use this feature as a true feature, as well, though -- it allows
dcons to be used instead of a serial port for kernel debugging when
you've totally confused your kernel.
-Ben Kaduk

From owner-freebsd-security@FreeBSD.ORG Sun Mar 23 15:17:42 2008
From: Christian Brueffer
To: Jeremie Le Hen
Date: Sun, 23 Mar 2008 15:47:38 +0100
Message-id: <20080323144738.GA1391@haakonia.hitnet.RWTH-Aachen.DE>
In-reply-to: <20080322181209.GJ66530@obiwan.tataz.chchile.org>
X-Operating-System: FreeBSD 6.3-STABLE
Cc: freebsd-security@FreeBSD.org
Subject: Re: Firewire vulnerability applicable on FreeBSD?

On Sat, Mar 22, 2008 at 07:12:09PM +0100, Jeremie Le Hen wrote:
> Hi there,
>
> I've stumbled on this article. I wonder if this is applicable to
> FreeBSD. Would it still be possible to exploit it without a firewire
> driver?
>
> http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>
> « The tool is a simple, 200-line script written in the Python
> programming language exploits features built into Firewire that allow
> direct access to a computer's memory. By targeting specific places that
> Windows consistently stores its vital authentication functions,
> Boileau's tool is able to overwrite Windows' secured code with patches
> that skip Windows' password check entirely. »
>

It is, and FreeBSD was used in a proof of concept for reading passwords
via FireWire some years ago (see http://md.hudora.de/presentations/ for
sample Python code).

In CURRENT and RELENG_7, there's a tunable to disable physical access,
see fwohci(4); it should probably be ported back to RELENG_6.
- Christian

--
Christian Brueffer      chris@unixpages.org      brueffer@FreeBSD.org
GPG Key:         http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B B29B 6C76 178C A0ED 982D

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 03:50:23 2008
From: Norberto Meijome
To: freebsd-security@freebsd.org
Date: Wed, 26 Mar 2008 14:23:32 +1100
Message-ID: <20080326142332.79f6cb20@meijome.net>
In-Reply-To: <47d0403c0803222303t6274bd75la707f4232d44db8d@mail.gmail.com>
References: <20080322181209.GJ66530@obiwan.tataz.chchile.org> <47d0403c0803222303t6274bd75la707f4232d44db8d@mail.gmail.com>
X-Mailer: Claws Mail 3.3.1 (GTK+ 2.12.9; i386-portbld-freebsd7.0)
Subject: Re: Firewire vulnerability applicable on FreeBSD?
On Sun, 23 Mar 2008 02:03:40 -0400 "Ben Kaduk" wrote:
> Hi Jeremie,
>
> On 3/22/08, Jeremie Le Hen wrote:
> > Hi there,
> >
> > I've stumbled on this article. I wonder if this is applicable to
> > FreeBSD. Would it still be possible to exploit it without a firewire
> > driver?
> >
> > http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
> >
>
> ``That's not a bug, it's a feature''.
>
> That is, the firewire spec requires that it has full read/write access to all
> physical memory, in the same way that the PCI bus has full read/write
> access to physical memory.
>
> Thus, with direct access to a firewire port, a malicious person can
> grub around kernel memory and frob whatever they want (yet
> another reason why physical security is important).
>
[...]
>
> Basically, once an attacker has physical access to your machine,
> you've lost; this is just one possible route that such an attacker
> could take.

Indeed. When Adam B. presented this @ RuxCon 06 (Sydney, AU), he said, IIRC,
that he had communicated with MS, but they had (probably rightly) told him it
wasn't really a security hole, as once you had physical access all bets were
off.

The easiest way around this is to simply NOT build firewire into your kernel,
but load it as you need it. It won't prevent all attacks but it will reduce
your exposure (assuming, of course, that you never leave your computer alone,
running or without boot / disk password and bolted into place.... :D ).

It was quite impressive though, to see the guy take over some dude's windog
laptop (from the audience) in 30 seconds.
He's always good fun to watch :P

B

_________________________
{Beto|Norberto|Numard} Meijome

"I was born not knowing and have had only a little time to change that
here and there."
  Richard Feynman

I speak for myself, not my employer. Contents may be hot. Slippery when
wet. Reading disclaimers makes you go blind. Writing them is worse. You
have been Warned.
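The mechanism the whole thread turns on, reading physical memory over the bus, finding the spot where the credential check lives and overwriting it so the check is skipped, as a constructed simulation. This is an added example, not code from the thread, from Boileau's tool or from the hudora.de slides: memory is a bytearray, the "signature" and "patch" bytes are arbitrary stand-ins, the page size and addresses are made up, and dma_read/dma_write are assumed helpers that model bus-initiated reads and writes rather than any real FireWire or fwohci(4) interface. It also shows the two points Ben and Norberto make: a tool keyed to one build's fixed address fails when the layout changes (a custom kernel), a signature scan still finds the code at the cost of more work, and a build for which the tool has no signature is left alone.

```python
"""Constructed simulation of a DMA logon bypass (added example, not from the
thread).  Physical memory is a bytearray; every byte pattern and address is
made up; dma_read/dma_write only model bus reads and writes."""

import random

PAGE_SIZE = 4096
GENERIC_OFFSET = 3 * PAGE_SIZE + 0x120   # constructed "known" address for one build

# Constructed, arbitrary bytes standing in for the prologue of the credential
# check.  A real tool carries one such signature per OS build it supports.
CHECK_SIGNATURE = bytes.fromhex("554889e54883ec20897dec")
# Constructed patch: x86-64 "mov eax, 1 ; ret", i.e. report success and return.
SUCCESS_STUB = bytes.fromhex("b801000000c3")


def build_memory(size, check_offset, seed=1):
    """Fake physical-memory image: deterministic noise with CHECK_SIGNATURE
    placed at check_offset (None = this build uses code we have no signature for)."""
    mem = bytearray(random.Random(seed).randbytes(size))
    if check_offset is not None:
        mem[check_offset:check_offset + len(CHECK_SIGNATURE)] = CHECK_SIGNATURE
    return mem


def dma_read(mem, addr, length):
    """Model of a bus-initiated read: up to `length` bytes at physical
    address `addr`.  Constructed helper, not a FireWire API."""
    return bytes(mem[addr:addr + length])


def dma_write(mem, addr, data):
    """Model of a bus-initiated write into physical memory."""
    mem[addr:addr + len(data)] = data


def patch_fixed_address(mem, addr, signature=CHECK_SIGNATURE, stub=SUCCESS_STUB):
    """Tool keyed to one build: go straight to the address it expects.
    The byte comparison is all that separates this from scribbling on
    unrelated memory when the layout differs."""
    if dma_read(mem, addr, len(signature)) != signature:
        return False
    dma_write(mem, addr, stub)
    return True


def find_signature(mem, signature, page_size=PAGE_SIZE):
    """Scan memory one page at a time, carrying len(signature)-1 bytes across
    each boundary so a match that straddles two pages is still found.
    Returns the physical offset of the first match, or -1."""
    overlap = len(signature) - 1
    carry = b""
    for page_start in range(0, len(mem), page_size):
        chunk = carry + dma_read(mem, page_start, page_size)
        idx = chunk.find(signature)
        if idx != -1:
            return page_start - len(carry) + idx
        carry = chunk[-overlap:] if overlap else b""
    return -1


def bypass_check(mem, signature=CHECK_SIGNATURE, stub=SUCCESS_STUB):
    """The "do some work" version: locate the routine wherever it landed and
    overwrite its entry.  Returns the patched offset, or -1 when this build
    matches no signature the tool knows."""
    off = find_signature(mem, signature)
    if off != -1:
        dma_write(mem, off, stub)
    return off


if __name__ == "__main__":
    size = 16 * PAGE_SIZE
    generic = build_memory(size, GENERIC_OFFSET)
    print("generic layout, fixed address:", patch_fixed_address(generic, GENERIC_OFFSET))

    # Same code, but moved (a custom kernel), and straddling a page boundary.
    custom = build_memory(size, PAGE_SIZE - 5)
    print("custom layout, fixed address:", patch_fixed_address(custom, GENERIC_OFFSET))
    print("custom layout, signature scan: patched at", hex(bypass_check(custom)))

    unknown = build_memory(size, None)
    print("unknown build, signature scan:", bypass_check(unknown))
```

The page-by-page read with a carried overlap is the part worth keeping in mind on the defensive side: an attacker does not need to know where anything is, only what it looks like, so a non-GENERIC layout raises the cost but does not remove the capability. Only taking the bus's physical-memory access away (not loading the driver, or the fwohci(4) tunable Christian mentions) does that.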