Firewire, DMA & Windows

Updated Mar 7th, 2008: Holy crap, three quarters of a million hits later. oO. Some people have reported trouble getting things to work - one thing to check is that once you've romtooled yourself as an iPod, your hotplug doesn't load the kernel sbp driver. Move the sbp2.ko module out of the way so it can't load it, and reload your ohci1394 modules to reset stuff if you're having trouble. I'm also pleased to note people successfully attacking Vista using a slightly modified msv1_0.dll technique, as well as the guy who did it by plugging a Cardbus Firewire card into a laptop that didn't have Firewire, waiting for it to auto-install (while at the locked screen!), then winlockpwning it. That's awesome. :)
Updated Mar 5th, 2008:
Oh hai, slashdot, et al. On the off chance you manage to read this: apologies for the appalling speed - my colo box cost about four-hundy-bux, which doesn't buy you a lot of 1U goodness. That, and I'm on the end of a very long pipe to .nz, where the internets are not even yet a series of tubes, more like a bunch of hobbits with scrabble letters.
So like, this isn't news. This is just a party-trick demo script that's been lying around my homedir for two years gathering dust. I'm not releasing this because Microsoft didn't respond (they did; it's not a bug, it's a feature, we all know this); it just seemed topical with the RAM-freezing thing, and it's a pity to write code and have no one use it.
Anyway, uh, hi, thanks for burning down my box. If anything, the take-home message here is that physical access wins - we know this, the cable TV industry knows it, console vendors know it; nothing new here. If it wasn't your Firewire, it'd be your Cardbus or your laptop's dock port, y'know?
Updated Mar 3rd, 2008:
It's two years later, and I think anyone who was going to get the message about Firewire has already got it, and anyone who was going to be upset about it has got over it. Besides, according to Microsoft's definition, it never was a Security Vulnerability anyway - screensavers and login prompts are, as Bruce says, about the Feeling of Security. Anyway, today's release day for Winlockpwn, the tool I demoed at Ruxcon for bypassing Windows auth, or popping an admin shell at the login window.
It's also kinda topical, with recent discussion of physical access attacks via memory cooling and subsequent memory imaging. Pat Gray of Risky Business fame interviewed me for my uneducated opinion, and he wheedled the code outta me. :) So, hi Risky Business listeners, please find the Winlockpwn code below!
Firewire port == owned. I read about Max Dornseif's work on doing memory forensics (and bad things) using the physical-memory-DMA feature of Firewire earlier this year. Being curious, I implemented my own stack of tools to try it out against my Linux laptop (before I knew that Max's OS X python-firewire bindings had been ported to Linux!). It worked just like Max said, and of course it did, because physical-memory-DMA bus-mastering is the Fire in Firewire. However, despite working fine against Linux, Macs and BSD boxen, it didn't work against Windows. My colleague Tmasky set to it, and soon enough had found the miracle ingredient. Skip forward a few months, and it's now a big deal for reasons I'm not wholly sure about. I presented "Hit By A Bus: Physical Access Attacks With Firewire" at Ruxcon 2006, and hopefully, if you came along, you were entertained. At Ruxcon I released my Firewire libraries (high-level Python bindings for libraw1394), the tool for fooling Windows into giving you DMA (romtool), and a forensic memory imager (1394memimage). I demoed some of the malicious uses (like unlocking a locked Win XP SP2 workstation and spawning an admin shell), but I'm not going to release that code (uh, unless you've got a compelling reason, I suppose). The talk and the tools are available just below. Some pre-FAQs:

Last Update: 2008-03-07 17:00:56
State: Usable
Distribution: Public
Tags: Security

Releases:

ab_firewire_rux2k6-final.pdf (2220kB) Ver: 1.0
  Hit By A Bus: Physical Access Attacks with Firewire (as performed at Ruxcon 2k6)

winlockpwn (6kB) Ver: 1.0
  Bypasses Windows authentication via Firewire, as demoed at Ruxcon 2006 and released on Risky Business, 2008.

ohci_11.pdf (2312kB) Ver: 1.0
  OHCI-1394 Specification

bioskbsnarf (954B) Ver: 1.0
  The tool I used to steal my own BIOS password: Python code that parses and prints the BIOS real-mode keyboard interrupt buffer. Use with /dev/mem or a memory image acquired via Firewire.

pythonraw1394-1.0.tar.gz (447kB) Ver: 1.0
  Python bindings for libraw1394, romtool for CSR trickery, and the 1394memimage forensics tool, as released at Ruxcon 2k6.
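The bioskbsnarf entry above describes parsing the BIOS real-mode keyboard buffer out of /dev/mem or a Firewire memory image. The following is an added example, not the page's bioskbsnarf code, that performs the same parse over a constructed image: it reads the BIOS Data Area head/tail pointers and buffer bounds, rotates the 16-slot ring into chronological order, and shows why keystrokes the BIOS has already consumed still survive in RAM. The offsets are the standard BDA locations; the sample image and its scan codes are constructed.

```python
import struct

BDA = 0x400                                # BIOS Data Area, physical address
KB_HEAD, KB_TAIL = 0x41A, 0x41C            # next slot to read / next slot to write
KB_START, KB_END = 0x480, 0x482            # buffer bounds as offsets from 0x400
DEFAULT_START, DEFAULT_END = 0x1E, 0x3E    # 32 bytes: 16 slots of (ASCII, scancode)

def parse_bios_kb_buffer(image):
    """Surviving keystrokes, oldest first, as (ascii, scancode) pairs.

    The BIOS advances HEAD when it consumes a key but never zeroes the slot,
    so a password typed at a BIOS prompt stays in RAM until 16 later keys
    overwrite it. Assumption: an all-zero slot was never written."""
    _head, tail = struct.unpack_from("<HH", image, KB_HEAD)
    start, end = struct.unpack_from("<HH", image, KB_START)
    if not (0x1E <= start < end <= 0x100 and (end - start) % 2 == 0):
        start, end = DEFAULT_START, DEFAULT_END   # bounds words unset or junk
    buf = image[BDA + start:BDA + end]
    slots = [(buf[i], buf[i + 1]) for i in range(0, len(buf), 2)]
    if not (start <= tail < end):
        tail = start                              # corrupt TAIL: keep physical order
    oldest = (tail - start) // 2                  # TAIL's slot is overwritten next: oldest
    ordered = slots[oldest:] + slots[:oldest]
    return [s for s in ordered if s != (0, 0)]


def keystrokes_to_text(slots):
    """Printable ASCII as-is, Enter as newline, other control bytes as <xx>."""
    return "".join("\n" if a == 0x0D else chr(a) if 0x20 <= a < 0x7F else "<%02x>" % a
                   for a, _scan in slots)


def constructed_image(typed):
    """Constructed 2 KiB image: `typed` was entered at a BIOS prompt and fully
    consumed (HEAD == TAIL). Scan codes are made up except Enter (0x1C)."""
    image = bytearray(0x800)
    struct.pack_into("<HH", image, KB_START, DEFAULT_START, DEFAULT_END)
    tail = DEFAULT_START
    for ch in typed:
        code, scan = (0x0D, 0x1C) if ch == "\n" else (ord(ch), 0x2A)
        struct.pack_into("<BB", image, BDA + tail, code, scan)
        tail = DEFAULT_START if tail + 2 >= DEFAULT_END else tail + 2
    struct.pack_into("<HH", image, KB_HEAD, tail, tail)
    return bytes(image)


if __name__ == "__main__":
    # Live box: image = open("/dev/mem", "rb").read(0x800); here, the constructed one.
    print(repr(keystrokes_to_text(parse_bios_kb_buffer(constructed_image("hunter2\n")))))
```

Feeding it the first 2 KiB of a 1394memimage dump instead of the constructed image gives the same result on a box whose BIOS has not cleared the buffer; a 17-keystroke sample shows the ring wrapping and the oldest key being lost.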