Print 53 comment(s) - last by lexluthermiest.. on Mar 14 at 3:11 PM

New Zealand hacker releases source code to utility that reads password directly from memory

Exploiting a little known feature built into Firewire port specifications, Adam Boileau released the source code to a utility authored in 2006 that allows anyone to bypass the Windows Authentication dialog box on any PC with a Firewire port.

The tool is a simple, 200-line script written in the Python programming language exploits features built into Firewire that allow direct access to a computer’s memory.  By targeting specific places that Windows consistently stores its vital authentication functions, Boileau’s tool is able to overwrite Windows’ secured code with patches that skip Windows’ password check entirely.

Boileau says he decided to release the script now, two years after it was initially unveiled, because Microsoft had not acted to patch the vulnerability. Boileau considers his tool a “party-trick demo script thats been lying around my [home folder] for two years gathering dust,” and considers it “a pity to write code and have no one use it.”

“Besides,” says Boileau, “according to Microsoft's definition, it never was a Security Vulnerability anyway – screensavers and login prompts are … about the Feeling of Security.”

Boileau also notes that he’s seen others successfully modify the script to hack Windows Vista’s password-check code, as well as use a laptop’s PCMCIA port to plug in a Firewire card and attack the laptop after Windows auto-installed the card’s drivers.

It’s important to note that Firewire’s provisions for direct memory access, called DMA, are useful in other contexts, like in the use of software debuggers. Nowadays, a sizable percentage of the world’s software checks for the presence of programs monitoring memory directly – which is what a debugger does – and will frequently act differently or refuse to start up if it detects their presence.

Firewire ports are therefore usable as high-speed debugging devices, allowing developers and hackers alike to passively monitor anywhere in a computer’s memory and make changes where needed, whether its reprogramming a password check or seeding buggy software with correct data. It might also allow forensic investigators to grab an encrypted hard drive’s decryption key directly from memory, while the computer is running.

Also important is that the same technique has been known to work on other operating systems, including Mac OS X and Linux – and in fact some people have used modified iPods to run Firewire DMA attacks on the fly.

Common security thought dictates that a computer is essentially lost if it is in your opponent’s possession, and that security on a physical machine will be subverted with time: for computers equipped with Firewire, the thought couldn’t be more true.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Domain
By zshift on 3/8/2008 10:37:26 AM , Rating: 2
I'm pretty sure that this trick wouldn't work for domains because of the fact that the domain password isn't stored on the client, so the script would be uselessly searching for a password that doesn't exist (on the current system). you'd have to run the script on the machine hosting passwords for the domain.

RE: Domain
By isorfir on 3/8/2008 3:53:01 PM , Rating: 1
I don't think that's true, since I can log into the domain accounts on my office laptops while not connected to the domain, so it has to be stored on the client.

RE: Domain
By Yawgm0th on 3/8/2008 7:28:39 PM , Rating: 1
If you have a local account created on that computer, even if for use in a domain, the username and password will be stored in the local SAM.

Unless you log into a domain using roaming profiles and do not have the domain account created locally on the PC and you have not logged onto that PC since the last time the RAM was cleared (in this case, you most likely would have had to turn the PSU off or disconnect power), the user account should be vulnerable to this attack.

RE: Domain
By mcmilljb on 3/8/2008 9:23:25 PM , Rating: 2
Wrong. Domain accounts are stored on the Domain Controller not locally. You won't be able to get the information unless the script knows where to find the password stored temporary for that session. You can disable caching of the Domain account credentials which will prevent any one that has logged into to the domain to log in again unless the person has network connectivity. SAM is not used locally for Domain accounts. When you're using a Domain, the password is hashed for being sent to the DC so I assume you would need to be able to undo the hash to even read the password. Plus the DC sends access tickets, which allow it permission to resources.

"There's no chance that the iPhone is going to get any significant market share. No chance." -- Microsoft CEO Steve Ballmer

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki