Date: Sun, 23 Mar 2008 15:47:38 +0100
From: Christian Brueffer
To: Jeremie Le Hen
Cc: freebsd-security@FreeBSD.org
Subject: Re: Firewire vulnerability applicable on FreeBSD?
Message-id: <20080323144738.GA1391@haakonia.hitnet.RWTH-Aachen.DE>
In-reply-to: <20080322181209.GJ66530@obiwan.tataz.chchile.org>

On Sat, Mar 22, 2008 at 07:12:09PM +0100, Jeremie Le Hen wrote:
> Hi there,
>
> I've stumbled on this article. I wonder if this is applicable to
> FreeBSD. Would it still be possible to exploit it without a firewire
> driver?
>
> http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>
> « The tool is a simple, 200-line script written in the Python
> programming language exploits features built into Firewire that allow
> direct access to a computer's memory. By targeting specific places that
> Windows consistently stores its vital authentication functions,
> Boileau's tool is able to overwrite Windows' secured code with patches
> that skip Windows' password check entirely. »
>

It is, and FreeBSD was used in a proof of concept for reading passwords
via FireWire some years ago (see http://md.hudora.de/presentations/ for
sample Python code).

In CURRENT and RELENG_7, there's a tunable to disable physical access,
see fwohci(4), it should probably be ported back to RELENG_6.

- Christian

-- 
Christian Brueffer    chris@unixpages.org    brueffer@FreeBSD.org
GPG Key:         http://people.freebsd.org/~brueffer/brueffer.key.asc
GPG Fingerprint: A5C8 2099 19FF AACA F41B  B29B 6C76 178C A0ED 982D
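
A configuration check for the tunable mentioned in the reply above, as an added example that is not part of the original message or of FreeBSD itself. It assumes the fwohci(4) tunable is named `hw.firewire.phydma_enable` and that physical DMA stays enabled when the tunable is unset; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit loader.conf-style files for the FireWire physical-DMA tunable.
# Assumption: tunable name as documented in fwohci(4); unset means enabled.
TUNABLE='hw.firewire.phydma_enable'

# phydma_setting FILE...
# Prints the effective value of the tunable, or "unset" if no file assigns it.
# Files are read in order and the last assignment wins, as in loader.conf(5).
phydma_setting() {
    awk -v key="$TUNABLE" '
        {
            sub(/#.*/, "")                        # drop comments
            eq = index($0, "=")
            if (eq == 0) next                     # not an assignment
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)     # trim whitespace
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)    # trim whitespace and quotes
            if (name == key) { seen = 1; found = val }
        }
        END { if (seen) print found; else print "unset" }
    ' "$@"
}

# phydma_verdict FILE...
# Anything other than an explicit 0 is reported as enabled, so a typo or an
# empty value never reads as "hardened".
phydma_verdict() {
    case "$(phydma_setting "$@")" in
        0)     echo "disabled" ;;
        unset) echo "enabled-by-default" ;;
        *)     echo "enabled" ;;
    esac
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
autoboot_delay="3"
#hw.firewire.phydma_enable="0"     # commented out: has no effect
hw.firewire.phydma_enable="1"
hw.firewire.phydma_enable="0"      # later assignment wins
EOF
phydma_verdict "$sample"
rm -f "$sample"
```

On a real system the function would be pointed at `/boot/loader.conf`; a result other than `disabled` means a FireWire peer can still issue physical DMA requests.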