Re: Firewire vulnerability applicable on FreeBSD?



On Sun, 23 Mar 2008 02:03:40 -0400
"Ben Kaduk" <minimarmot@xxxxxxxxx> wrote:

> Hi Jeremie,
>
> On 3/22/08, Jeremie Le Hen <jeremie@xxxxxxxxxx> wrote:
> > Hi there,
> >
> > I've stumbled on this article. I wonder if this is applicable to
> > FreeBSD. Would it still be possible to exploit it without a firewire
> > driver?
> >
> > http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>
> ``That's not a bug, it's a feature''.
>
> That is, the firewire spec requires that it has full read/write access to all
> physical memory, in the same way that the PCI bus has full read/write
> access to physical memory.
>
> Thus, with direct access to a firewire port, a malicious person can
> grub around kernel memory and frob whatever they want (yet
> another reason why physical security is important).

[...]

> Basically, once an attacker has physical access to your machine,
> you've lost; this is just one possible route that such an attacker
> could take.

Indeed. When Adam B. presented this @ RuxCon 06 (Sydney, AU), he said, IIRC,
that he had communicated with MS, but they had (probably rightly) told him it
wasn't really a security hole, as once you had physical access all bets were
off.

The easiest way around this is to simply NOT build firewire into your kernel,
but load it as you need it. It won't prevent all attacks but it will reduce
your exposure (assuming, of course, that you never leave your computer alone,
running or without boot / disk password and bolted into place.... :D ).

It was quite impressive though, to see the guy take over some dude's windog
laptop (from the audience) in 30 seconds. He's always good fun to watch :P

B
_________________________
{Beto|Norberto|Numard} Meijome

"I was born not knowing and have had only a little time to change that here and
there." Richard Feynman

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


