Date: Sun, 23 Mar 2008 02:03:40 -0400
From: "Ben Kaduk" <minimarmot@gmail.com>
To: "Jeremie Le Hen" <jeremie@le-hen.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Firewire vulnerability applicable on FreeBSD?
Message-ID: <47d0403c0803222303t6274bd75la707f4232d44db8d@mail.gmail.com>
In-Reply-To: <20080322181209.GJ66530@obiwan.tataz.chchile.org>
References: <20080322181209.GJ66530@obiwan.tataz.chchile.org>

Hi Jeremie,

On 3/22/08, Jeremie Le Hen <jeremie@le-hen.org> wrote:
> Hi there,
>
> I've stumbled on this article.  I wonder if this is applicable to
> FreeBSD.  Would it still be possible to exploit it without a firewire
> driver?
>
> http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>

``That's not a bug, it's a feature''.

That is, the firewire spec requires that it has full read/write access to
all physical memory, in the same way that the PCI bus has full read/write
access to physical memory.  Thus, with direct access to a firewire port, a
malicious person can grub around kernel memory and frob whatever they want
(yet another reason why physical security is important).

It seems that the Windows vulnerability was due to storing credentials
information in a consistent place from system to system; that is certainly
the case for a GENERIC kernel, but if you have a custom kernel there is no
longer a _trivial_ ``exploit'' -- an attacker must do some work to find
where things are (and be able to hot-patch machine language, but I know
several people that could do that, even one that's basing his thesis
project on it).

Basically, once an attacker has physical access to your machine, you've
lost; this is just one possible route that such an attacker could take.

We can use this feature as a true feature, as well, though -- it allows
dcons to be used instead of a serial port for kernel debugging when you've
totally confused your kernel.

-Ben Kaduk