From owner-freebsd-security@FreeBSD.ORG Sun Mar 23 06:30:27 2008
Message-ID: <47d0403c0803222303t6274bd75la707f4232d44db8d@mail.gmail.com>
Date: Sun, 23 Mar 2008 02:03:40 -0400
From: "Ben Kaduk" <minimarmot@gmail.com>
To: "Jeremie Le Hen"
In-Reply-To: <20080322181209.GJ66530@obiwan.tataz.chchile.org>
References: <20080322181209.GJ66530@obiwan.tataz.chchile.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Firewire vulnerability applicable on FreeBSD?
List-Id: "Security issues [members-only posting]"

Hi Jeremie,

On 3/22/08, Jeremie Le Hen wrote:
> Hi there,
>
> I've stumbled on this article. I wonder if this is applicable to
> FreeBSD. Would it still be possible to exploit it without a firewire
> driver?
>
> http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>

"That's not a bug, it's a feature". That is, the firewire spec requires
that it has full read/write access to all physical memory, in the same
way that the PCI bus has full read/write access to physical memory.
Thus, with direct access to a firewire port, a malicious person can grub
around kernel memory and frob whatever they want (yet another reason why
physical security is important).

It seems that the Windows vulnerability was due to storing credentials
information in a consistent place from system to system; that is
certainly the case for a GENERIC kernel, but if you have a custom kernel
there is no longer a _trivial_ "exploit" -- an attacker must do some
work to find where things are (and be able to hot-patch machine
language, but I know several people that could do that, even one that's
basing his thesis project on it).

Basically, once an attacker has physical access to your machine, you've
lost; this is just one possible route that such an attacker could take.

We can use this feature as a true feature, as well, though -- it allows
dcons to be used instead of a serial port for kernel debugging when
you've totally confused your kernel.

-Ben Kaduk