Re: Firewire vulnerability applicable on FreeBSD?
Hi Jeremie,

On 3/22/08, Jeremie Le Hen <jeremie@xxxxxxxxxx> wrote:
Hi there,

I've stumbled on this article. I wonder if this is applicable to
FreeBSD. Would it still be possible to exploit it without a firewire
driver?

http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm


``That's not a bug, it's a feature''.

That is, the firewire spec requires that it has full read/write access to all
physical memory, in the same way that the PCI bus has full read/write
access to physical memory.

Thus, with direct access to a firewire port, a malicious person can
grub around kernel memory and frob whatever they want (yet
another reason why physical security is important).

It seems that the Windows vulnerability was due to storing credential
information in a consistent place from system to system; that is
certainly the case for a GENERIC kernel, but if you have a custom
kernel there is no longer a _trivial_ ``exploit'' -- an attacker must
do some work to find where things are (and be able to hot-patch
machine language, but I know several people that could do that,
even one that's basing his thesis project on it).

Basically, once an attacker has physical access to your machine,
you've lost; this is just one possible route that such an attacker
could take.

We can use this feature as a true feature, as well, though -- it
allows dcons to be used instead of a serial port for kernel
debugging when you've totally confused your kernel.

-Ben Kaduk
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"