How to gain access to computers and virtual machines - Hacker Halted
How to gain access to computers and virtual machines
(through the physical memory)
Csaba Barta - Hungary
DEMO
IEEE1394 - History
• 1986 – Apple starts to design the standard
• 1995 – Standard is ready
• 2000 – 1394a (FireWire S400)
• 2002 – 1394b (FireWire S800)
• 2006 – 1394c (FireWire S1600)
IEEE1394 – design goals
• Main goal
– Connect multimedia devices
– Really high speed data transfer
• How is it achieved?
– DMA – Direct Memory Access
– Security consequences?
DMA – The vulnerability
• DMA – Direct Memory Access
– Connected devices can directly access each other’s memory => faster data transfer
– CPU is not involved
READ / WRITE access without control
Requirements
• The target OS will give us DMA only when we can pretend to be a storage device
• This requires tricks
– Add SBP-2 unit directory to the bus
• Well documented
– The method is different on each platform
• FireWire stack differences
History of the vulnerability
• 2004 PacSec
– Maximillian Dornseif
– Own by an iPod
• 2005 CanSecWest
– Maximillian Dornseif and others
– All your memory belong to us
• 2006 Ruxcon
– Adam Boileau
– Hit by a bus
– Winlockpwn (release – 2008)
Not 0day!
Protection - Linux
• Old stack
– FireWire driver parameter
• phys_dma=0
• New stack (aka. “Juju”)
– No driver parameters
– Driver blacklist (modprobe.d)
• firewire_core
• firewire_ohci
• firewire_sbp2
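As an added example, not part of the slides, a small POSIX shell helper that emits the modprobe.d blacklist for the three Juju-stack modules named above and audits a modprobe.d directory for it; the `install ... /bin/false` line goes beyond what the slide lists and assumes standard kmod behaviour (blacklist alone only stops alias autoloading).

```shell
#!/bin/sh
# Added example (not the speaker's code): build and verify a modprobe.d
# blacklist for the new ("Juju") FireWire stack modules named on the slide.
# Assumption: the distribution honours "blacklist" and "install" directives
# in /etc/modprobe.d/*.conf, which is standard kmod behaviour.

FIREWIRE_MODULES="firewire_core firewire_ohci firewire_sbp2"

# Print a blacklist configuration. "blacklist" only stops alias-based
# autoloading; the "install <mod> /bin/false" line also defeats explicit
# modprobe calls and dependency loading, so the OHCI controller is never
# driven and no DMA window is opened for an attached device.
firewire_blacklist_conf() {
    for m in $FIREWIRE_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Audit a modprobe.d directory: list every FireWire module that has no
# blacklist line in any *.conf file there. Returns 0 if all are covered.
firewire_audit_modprobe() {
    dir="$1"
    missing=""
    for m in $FIREWIRE_MODULES; do
        if ! grep -qsE "^[[:space:]]*blacklist[[:space:]]+${m}([[:space:]]|\$)" \
                "$dir"/*.conf 2>/dev/null; then
            missing="$missing $m"
        fi
    done
    if [ -n "$missing" ]; then
        echo "not blacklisted:$missing"
        return 1
    fi
    echo "all FireWire modules blacklisted in $dir"
    return 0
}

# On a live system, print any of the modules that is currently loaded
# (a blacklist only takes effect after unloading or a reboot).
firewire_loaded_modules() {
    [ -r /proc/modules ] || return 0
    for m in $FIREWIRE_MODULES; do
        grep -q "^$m " /proc/modules && echo "$m"
    done
    return 0
}
```

Run `firewire_blacklist_conf > /etc/modprobe.d/firewire-blacklist.conf` as root and then `firewire_audit_modprobe /etc/modprobe.d` to confirm; `firewire_loaded_modules` shows whether the modules are still resident.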
Protection – Windows
• XP and older versions
– 3rd party software needed
• Not always the best solution
• Vista and newer versions
– GPO device installation control
• http://support.microsoft.com/kb/2516445
• d48179be-ec20-11d1-b6b8-00c04fa372a7
Back to DEMO
http://en.wikipedia.org/wiki/Lockheed_Martin_F-22_Raptor
Thank you for the attention!
Contact info:
Csaba Barta
csaba.barta@gmail.com