From: Norberto Meijome <freebsd@meijome.net>
To: freebsd-security@freebsd.org
Date: Wed, 26 Mar 2008 14:23:32 +1100
Subject: Re: Firewire vulnerability applicable on FreeBSD?
Message-ID: <20080326142332.79f6cb20@meijome.net>
In-Reply-To: <47d0403c0803222303t6274bd75la707f4232d44db8d@mail.gmail.com>

On Sun, 23 Mar 2008 02:03:40 -0400 "Ben Kaduk" wrote:

> Hi Jeremie,
>
> On 3/22/08, Jeremie Le Hen wrote:
> > Hi there,
> >
> > I've stumbled on this article. I wonder if this is applicable to
> > FreeBSD. Would it still be possible to exploit it without a firewire
> > driver?
> >
> > http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>
> ``That's not a bug, it's a feature''.
>
> That is, the firewire spec requires that it has full read/write access to all
> physical memory, in the same way that the PCI bus has full read/write
> access to physical memory.
>
> Thus, with direct access to a firewire port, a malicious person can
> grub around kernel memory and frob whatever they want (yet
> another reason why physical security is important).
> [...]
>
> Basically, once an attacker has physical access to your machine,
> you've lost; this is just one possible route that such an attacker
> could take.

Indeed. When Adam B. presented this @ RuxCon 06 (Sydney, AU), he said, IIRC, that he had communicated with MS, but they had (probably rightly) told him it wasn't really a security hole, as once you had physical access all bets were off.

The easiest way around this is to simply NOT build firewire into your kernel, but load it as you need it. It won't prevent all attacks but it will reduce your exposure (assuming, of course, that you never leave your computer alone, running or without boot / disk password and bolted into place.... :D ).

It was quite impressive though, to see the guy take over some dude's windog laptop (from the audience) in 30 seconds. He's always good fun to watch :P

B

_________________________
{Beto|Norberto|Numard} Meijome

"I was born not knowing and have had only a little time to change that here and there." Richard Feynman

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
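A defender-side audit for the mitigation Norberto describes (keep FireWire out of the kernel and load the module only when the port is actually in use), added here as an example and not part of the thread. It assumes the GENERIC device names firewire, sbp, fwe and fwip, and takes saved copies of the kernel config, /boot/loader.conf and `kldstat` output as file arguments so it runs offline; on a live host you would point it at the real files and at `kldstat > /tmp/kld.txt`.

```shell
#!/bin/sh
# Added example, not code from the thread. Device/module names assumed from
# FreeBSD GENERIC: firewire, sbp (SCSI over FireWire), fwe, fwip.

# Exit 0 if the kernel config compiles FireWire support in (uncommented "device" lines).
firewire_in_kernel_config() {
    grep -Eq '^[[:space:]]*device[[:space:]]+(firewire|sbp|fwe|fwip)([[:space:]]|$)' "$1"
}

# Exit 0 if loader.conf loads the module at every boot, which defeats
# "load it as you need it".
firewire_autoloaded() {
    grep -Eq '^[[:space:]]*(firewire|sbp|fwe|fwip)_load[[:space:]]*=[[:space:]]*"?[Yy][Ee][Ss]"?' "$1"
}

# Exit 0 if a FireWire module is resident, judged from saved `kldstat` output.
firewire_loaded_now() {
    grep -Eq '(^|[[:space:]/])(firewire|sbp|fwe|fwip)\.ko([[:space:]]|$)' "$1"
}

# Prints one finding per exposure and returns 0 only when no FireWire driver is
# compiled in, auto-loaded, or currently resident.
firewire_exposure() {
    config="$1"; loader="$2"; kld="$3"; exposed=0
    if firewire_in_kernel_config "$config"; then
        echo "compiled-in: remove the FireWire device line(s) from $config and rebuild"
        exposed=1
    fi
    if firewire_autoloaded "$loader"; then
        echo "auto-loaded: drop the *_load=\"YES\" entry from $loader"
        exposed=1
    fi
    if firewire_loaded_now "$kld"; then
        echo "resident: kldunload the module while the port is not in use"
        exposed=1
    fi
    [ "$exposed" -eq 0 ] && echo "no FireWire driver compiled in, auto-loaded or resident"
    return "$exposed"
}
```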