
Remote Malware Injection Via Flaw In Network Card

timothy posted about 4 years ago | from the just-where-you-least-expect-it dept.

Security 49

kfz-versicherung writes "During the CanSecWest international conference in Vancouver, members of ANSSI described how an attacker could be able to exploit a flaw to run arbitrary code inside some network controllers (full presentation; PDF). The attack uses routable packets delivered to the victim's NIC. Consequently, multiple attacks can be conducted including man-in-the-middle attacks on network connections, access to cryptographic keys on the host platform, or malware injection on the victim's computer host platform."

49 comments

Inject goatse up your ass (-1, Troll)

Anonymous Coward | about 4 years ago | (#31642970)

It has come to my attention that the entire Linux community is a hotbed of so called 'alternative sexuality', which includes anything from hedonistic orgies to homosexuality to paedophilia.

What better way of demonstrating this than by looking at the hidden messages contained within the names of some of Linux's most outspoken advocates:

  • Linus Torvalds [microsoft.com] is an anagram of slit anus or VD 'L,' clearly referring to himself by the first initial.
  • Richard M. Stallman [archive.org], spokespervert for the Gaysex's Not Unusual 'movement' is an anagram of mans cram thrill ad.
  • Alan Cox [microsoft.com] is barely an anagram of anal cox which is just so filthy and unchristian it unnerves me.

I'm sure that Eric S. Raymond, composer of the satanic homosexual [goatse.fr] propaganda diatribe The Cathedral and the Bizarre, is probably an anagram of something queer, but we don't need to look that far as we know he's always shoving a gun up some poor little boy's rectum. Update: Eric S. Raymond is actually an anagram for secondary rim and cord in my arse. It just goes to show you that he is indeed queer.

Update the Second: It is also documented that Evil Sicko Gaymond is responsible for a nauseating piece of code called Fetchmail [microsoft.com], which is obviously sinister sodomite slang for 'Felch Male' -- a disgusting practise. For those not in the know, 'felching' is the act performed by two perverts wherein one sucks their own post-coital ejaculate out of the other's rectum. In fact, it appears that the dirty Linux faggots set out to undermine the good Republican institution of e-mail, turning it into 'e-male.'

As far as Richard 'Master' Stallman goes, that filthy fudge-packer was actually quoted [salon.com] on leftist commie propaganda site Salon.com as saying the following: 'I've been resistant to the pressure to conform in any circumstance,' he says. 'It's about being able to question conventional wisdom,' he asserts. 'I believe in love, but not monogamy,' he says plainly.

And this isn't a made up troll bullshit either! He actually stated this tripe, which makes it obvious that he is trying to politely say that he's a flaming homo [comp-u-geek.net] slut [rotten.com]!

Speaking about 'flaming,' who better to point out as a filthy chutney ferret than Slashdot's very own self-confessed pederast Jon Katz. Although an obvious deviant anagram cannot be found from his name, he has already confessed, nay boasted of the homosexual [goatse.fr] perversion of corrupting the innocence of young children [slashdot.org]. To quote from the article linked:

'I've got a rare kidney disease,' I told her. 'I have to go to the bathroom a lot. You can come with me if you want, but it takes a while. Is that okay with you? Do you want a note from my doctor?'

Is this why you were touching your penis [rotten.com] in the cinema, Jon? And letting the other boys touch it too?

We should also point out that Jon Katz refers to himself as 'Slashdot's resident Gasbag.' Is there any more doubt? For those fortunate few who aren't aware of the list of homosexual [goatse.fr] terminology found inside the Linux 'Sauce Code,' a 'Gasbag' is a pervert who gains sexual gratification from having a thin straw inserted into his urethra (or to use the common parlance, 'piss-pipe'), then his homosexual [goatse.fr] lover blows firmly down the straw to inflate his scrotum. This is, of course, when he's not busy violating the dignity and copyright of posters to Slashdot by gathering together their postings and publishing them en masse to further his twisted and manipulative journalistic agenda.

Sick, disgusting antichristian perverts, the lot of them.

In addition, many of the Linux distributions (a 'distribution' is the most common way to spread the faggots' wares) are run by faggot groups. The Slackware [redhat.com] distro is named after the 'Slack-wear' fags wear to allow easy access to the anus for sexual purposes. Furthermore, Slackware is a close anagram of claw arse, a reference to the homosexual [goatse.fr] practise of anal fisting. The Mandrake [slackware.com] product is run by a group of French faggot satanists, and is named after the faggot nickname for the vibrator. It was also chosen because it is an anagram for dark amen and ram naked, which is what they do.

Another 'distro,' (abbrieviated as such because it sounds a bit like 'Disco,' which is where homosexuals [goatse.fr] preyed on young boys in the 1970s), is Debian, [mandrake.com] an anagram of in a bed, which could be considered innocent enough (after all, a bed is both where we sleep and pray), until we realise what other names Debian uses to describe their foul wares. 'Woody' is obvious enough, being a term for the erect male penis [rotten.com], glistening with pre-cum. But far sicker is the phrase 'Frozen Potato' that they use. This filthy term, again found in the secret homosexual [goatse.fr] 'Sauce Code,' refers to the solo homosexual [goatse.fr] practice of defecating into a clear polythene bag, shaping the turd into a crude approximation of the male phallus, then leaving it in the freezer overnight until it becomes solid. The practitioner then proceeds to push the frozen 'potato' up his own rectum, squeezing it in and out until his tight young balls erupt in a screaming orgasm.

And Red Hat [debian.org] is secret homo [comp-u-geek.net] slang for the tip of a penis [rotten.com] that is soaked in blood from a freshly violated underage ringpiece.

The fags have even invented special tools to aid their faggotry! For example, the 'supermount' tool was devised to allow deeper penetration, which is good for fags because it gives more pressure on the prostate gland. 'Automount' is used, on the other hand, because Linux users are all fat and gay, and need to mount each other [comp-u-geek.net] automatically.

The depths of their depravity can be seen in their use of 'mount points.' These are, plainly speaking, the different points of penetration. The main one is obviously/anus, but there are others. Militant fags even say 'there is no/opt mount point' because for these dirty perverts faggotry is not optional but a way of life.

More evidence is in the fact that Linux users say how much they love `man`, even going so far as to say that all new Linux users (who are in fact just innocent heterosexuals indoctrinated by the gay propaganda) should try out `man`. In no other system do users boast of their frequent recourse to a man.

Other areas of the system also show Linux's inherent gayness. For example, people are often told of the 'FAQ,' but how many innocent heterosexual Windows [amiga.com] users know what this actually means. The answer is shocking: Faggot Anal Quest: the voyage of discovery for newly converted fags!

Even the title 'Slashdot [geekizoid.com]' originally referred to a homosexual [goatse.fr] practice. Slashdot [kuro5hin.org] of course refers to the popular gay practice of blood-letting. The Slashbots, of course are those super-zealous homosexuals [goatse.fr] who take this perversion to its extreme by ripping open their anuses, as seen on the site most popular with Slashdot users, the depraved work of Satan, http://www.eff.org/ [eff.org].

The editors of Slashdot [slashduh.org] also have homosexual [goatse.fr] names: 'Hemos' is obvious in itself, being one vowel away from 'Homos.' But even more sickening is 'Commander Taco' which sounds a bit like 'Commode in Taco,' filthy gay slang for a pair of spreadeagled buttocks that are caked with excrement [pboy.com]. (The best form of lubrication, they insist.) Sometimes, these 'Taco Commodes' have special 'Salsa Sauce' (blood from a ruptured rectum) and 'Cheese' (rancid flakes of penis [rotten.com] discharge) toppings. And to make it even worse, Slashdot [notslashdot.org] runs on Apache!

The Apache [microsoft.com] server, whose use among fags is as prevalent as AIDS, is named after homosexual [goatse.fr] activity -- as everyone knows, popular faggot band, the Village People, featured an Apache Indian, and it is for him that this gay program is named.

And that's not forgetting the use of patches in the Linux fag world -- patches are used to make the anus accessible for repeated anal sex even after its rupture by a session of fisting.

To summarise: Linux is gay. 'Slash -- Dot' is the graphical description of the space between a young boy's scrotum and anus. And BeOS [apple.com] is for hermaphrodites and disabled 'stumpers.'

FEEDBACK

What worries me is how much you know about what gay people do. I'm scared I actually read this whole thing. I think this post is a good example of the negative effects of Internet usage on people. This person obviously has no social life anymore and had to result to writing something as stupid as this. And actually take the time to do it too. Although... I think it was satire.. blah.. it's early. -- Anonymous Coward, Slashdot

Well, the only reason I know all about this is because I had the misfortune to read the Linux 'Sauce code' once. Although publicised as the computer code needed to get Linux up and running on a computer (and haven't you always been worried about the phrase 'Monolithic Kernel'?), this foul document is actually a detailed and graphic description of every conceivable degrading perversion known to the human race, as well as a few of the major animal species. It has shocked and disturbed me, to the point of needing to shock and disturb the common man to warn them of the impending homo [comp-u-geek.net]-calypse which threatens to engulf our planet.

You must work for the government. Trying to post the most obscene stuff in hopes that slashdot won't be able to continue or something, due to legal woes. If i ever see your ugly face, i'm going to stick my fireplace poker up your ass, after it's nice and hot, to weld shut that nasty gaping hole of yours. -- Anonymous Coward, Slashdot

Doesn't it give you a hard-on to imagine your thick strong poker ramming it's way up my most sacred of sphincters? You're beyond help, my friend, as the only thing you can imagine is the foul penetrative violation of another man. Are you sure you're not Eric Raymond? The government, being populated by limp-wristed liberals, could never stem the sickening tide of homosexual [goatse.fr] child molesting Linux advocacy. Hell, they've given NAMBLA free reign for years!

you really should post this logged in. i wish i could remember jebus's password, cuz i'd give it to you. -- mighty jebus [slashdot.org], Slashdot

Thank you for your kind words of support. However, this document shall only ever be posted anonymously. This is because the 'Open Sauce' movement is a sham, proposing homoerotic cults of hero worshipping in the name of freedom. I speak for the common man. For any man who prefers the warm, enveloping velvet folds of a woman's vagina [bodysnatchers.co.uk] to the tight puckered ringpiece of a child. These men, being common, decent folk, don't have a say in the political hypocrisy that is Slashdot culture. I am the unknown liberator [hitler.org].

ROLF LAMO i hate linux FAGGOTS -- Anonymous Coward, Slashdot

We shouldn't hate them, we should pity them for the misguided fools they are... Fanatical Linux zeal-outs need to be herded into camps for re-education and subsequent rehabilitation into normal heterosexual society. This re-education shall be achieved by forcing them to watch repeats of Baywatch until the very mention of Pamela Anderson [rotten.com] causes them to fill their pants with healthy heterosexual jism [zillabunny.com].

Actually, that's not at all how scrotal inflation works. I understand it involves injecting sterile saline solution into the scrotum. I've never tried this, but you can read how to do it safely in case you're interested. (Before you moderate this down, ask yourself honestly -- who are the real crazies -- people who do scrotal inflation, or people who pay $1000+ for a game console?) -- double_h [slashdot.org], Slashdot

Well, it just goes to show that even the holy Linux 'sauce code' is riddled with bugs that need fixing. (The irony of Jon Katz not even being able to inflate his scrotum correctly has not been lost on me.) The Linux pervert elite already acknowledge this, with their queer slogan: 'Given enough arms, all rectums are shallow.' And anyway, the PS2 [xbox.com] sucks major cock and isn't worth the money. Intellivision forever!

dude did u used to post on msnbc's nt bulletin board now that u are doing anti-gay posts u also need to start in with anti-black stuff too c u in church -- Anonymous Coward, Slashdot

For one thing, whilst Linux is a cavalcade of queer propaganda masquerading as the future of computing, NT [linux.com] is used by people who think nothing better of encasing their genitals in quick setting plaster then going to see a really dirty porno film, enjoying the restriction enforced onto them. Remember, a wasted arousal is a sin in the eyes of the Catholic church [atheism.org]. Clearly, the only god-fearing Christian operating system in existence is CP/M -- The Christian Program Monitor. All computer users should immediately ask their local pastor to install this fine OS onto their systems. It is the only route to salvation.

Secondly, this message is for every man. Computers know no colour. Not only that, but one of the finest websites in the world is maintained by a Black Man [stileproject.com] . Now fuck off you racist donkey felcher.

And don't forget that slashdot was written in Perl, which is just too close to 'Pearl Necklace' for comfort.... oh wait; that's something all you heterosexuals do.... I can't help but wonder how much faster the trolls could do First-Posts on this site if it were redone in PHP... I could hand-type dynamic HTML pages faster than Perl can do them. -- phee [slashdot.org], Slashdot

Although there is nothing unholy about the fine heterosexual act of ejaculating between a woman's breasts, squirting one's load up towards her neck and chin area, it should be noted that Perl [python.org] (standing for Pansies Entering Rectums Locally) is also close to 'Pearl Monocle,' 'Pearl Nosering,' and the ubiquitous 'Pearl Enema.'

One scary thing about Perl [sun.com] is that it contains hidden homosexual [goatse.fr] messages. Take the following code: LWP::Simple -- It looks innocuous enough, doesn't it? But look at the line closely: There are two colons next to each other! As Larry 'Balls to the' Wall would openly admit in the Perl Documentation, Perl was designed from the ground up to indoctrinate it's programmers into performing unnatural sexual acts -- having two colons so closely together is clearly a reference to the perverse sickening act of 'colon kissing,' whereby two homosexual [goatse.fr] queers spread their buttocks wide, pressing their filthy torn sphincters together. They then share small round objects like marbles or golfballs by passing them from one rectum to another using muscle contraction alone. This is also referred to in programming 'circles' as 'Parameter Passing.'

And PHP [perl.org] stands for Perverted Homosexual Penetration. Didn't you know?

Thank you for your valuable input on this. I am sure you will be never forgotten. BTW: Did I mention that this could be useful in terraforming Mars? Mars rulaa. -- Eimernase [slashdot.org], Slashdot

Well, I don't know about terraforming Mars, but I do know that homosexual [goatse.fr] Linux Advocates have been probing Uranus for years.

That's inspiring. Keep up the good work, AC. May God in his wisdom grant you the strength to bring the plain honest truth to this community, and make it pure again. Yours, Cerberus. -- Anonymous Coward, Slashdot

*sniff* That brings a tear to my eye. Thank you once more for your kind support. I have taken faith in the knowledge that I am doing the Good Lord [atheism.org]'s work, but it is encouraging to know that I am helping out the common man here.

However, I should be cautious about revealing your name 'Cerberus' on such a filthy den of depravity as Slashdot. It is a well known fact that the 'Kerberos' documentation from Microsoft is a detailed manual describing, in intimate, exacting detail, how to sexually penetrate a variety of unwilling canine animals; be they domesticated, wild, or mythical. Slashdot posters have taken great pleasure in illegally spreading this documentation far and wide, treating it as an 'extension' to the Linux 'Sauce Code,' for the sake of 'interoperability.' (The slang term they use for nonconsensual intercourse -- their favourite kind.)

In fact, sick twisted Linux deviants are known to have LAN parties, (Love of Anal Naughtiness, needless to say.), wherein they entice a stray dog, known as the 'Samba Mount,' into their homes. Up to four of these filth-sodden blasphemers against nature take turns to plunge their erect, throbbing, uncircumcised members, conkers-deep, into the rectum, mouth, and other fleshy orifices of the poor animal. Eventually, the 'Samba Mount' collapses due to 'overload,' and needs to be 'rebooted.' (i.e., kicked out into the street, and left to fend for itself.) Many Linux users boast about their 'uptime' in such situations.

Inspiring stuff! If only all trolls were this quality! -- Anonymous Coward, Slashdot

If only indeed. You can help our brave cause by moderating this message up as often as possible. I recommend '+1, Underrated,' as that will protect your precious Karma in Metamoderation [slashdot.org]. Only then can we break through the glass ceiling of Homosexual Slashdot Culture. Is it any wonder that the new version of Slashcode has been christened 'Bender'???

If we can get just one of these postings up to at least '+1,' then it will be archived forever! Others will learn of our struggle, and join with us in our battle for freedom!

It's pathetic you've spent so much time writing this. -- Anonymous Coward, Slashdot

I am compelled to document the foulness and carnal depravity [catholic.net] that is Linux, in order that we may prepare ourselves for the great holy war that is to follow. It is my solemn duty to peel back the foreskin of ignorance and apply the wire brush of enlightenment.

As with any great open-source project, you need someone asking this question, so I'll do it. When the hell is version 2.0 going to be ready?!?! -- Anonymous Coward, Slashdot

I could make an arrogant, childish comment along the lines of 'Every time someone asks for 2.0, I won't release it for another 24 hours,' but the truth of the matter is that I'm quite nervous of releasing a 'number two,' as I can guarantee some filthy shit-slurping Linux pervert would want to suck it straight out of my anus before I've even had chance to wipe.

I desperately want to suck your monolithic kernel, you sexy hunk, you. -- Anonymous Coward, Slashdot

I sincerely hope you're Natalie Portman [archive.org].

Dude, nothing on slashdot larger than 3 paragraphs is worth reading. Try to distill the message, whatever it was, and maybe I'll read it. As it is, I have to much open source software to write to waste even 10 seconds of precious time. 10 seconds is all its gonna take M$ to whoop Linux's ass. Vigilence is the price of Free (as in libre -- from the fine, frou frou French language) Software. Hack on fellow geeks, and remember: Friday is Bouillabaisse day except for heathens who do not believe that Jesus died for their sins. Those godless, oil drench, bearded sexist clowns can pull grits from their pantaloons (another fine, fine French word) and eat that. Anyway, try to keep your message focused and concise. For concision is the soul of derision. Way. -- Anonymous Coward, Slashdot

What the fuck?

I've read your gay conspiracy post version 1.3.0 and I must say I'm impressed. In particular, I appreciate how you have managed to squeeze in a healthy dose of the latent homosexuality you gay-bashing homos [comp-u-geek.net] tend to be full of. Thank you again. -- Anonymous Coward, Slashdot

Well bugger me!

ooooh honey. how insecure are you!!! wann a little massage from deare bruci. love you -- Anonymous Coward, Slashdot

Fuck right off!

IMPORTANT: This message needs to be heard (Not HURD [linux.org], which is an acronym for 'Huge Unclean Rectal Dilator') across the whole community, so it has been released into the Public Domain [icopyright.com]. You know, that licence that we all had before those homoerotic crypto-fascists came out with the GPL [apple.com] (Gay Penetration License) that is no more than an excuse to see who's got the biggest feces-encrusted [rotten.com] cock. I would have put this up on Freshmeat [adultmember.com], but that name is known to be a euphemism for the tight rump of a young boy.

Come to think of it, the whole concept of 'Source Control' unnerves me, because it sounds a bit like 'Sauce Control,' which is a description of the homosexual [goatse.fr] practice of holding the base of the cock shaft tightly upon the point of ejaculation, thus causing a build up of semenal fluid that is only released upon entry into an incision made into the base of the receiver's scrotum. And 'Open Sauce' is the act of ejaculating into another mans face or perhaps a biscuit to be shared later. Obviously, 'Closed Sauce' is the only Christian thing to do, as evidenced by the fact that it is what Cathedrals are all about.

Contributors: (although not to the eternal game of 'soggy biscuit' that open 'sauce' development has become) Anonymous Coward, Anonymous Coward, phee, Anonymous Coward, mighty jebus, Anonymous Coward, Anonymous Coward, double_h, Anonymous Coward, Eimernase, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward. Further contributions are welcome.

Current changes: This version sent to FreeWIPO [slashdot.org] by 'Bring BackATV' as plain text. Reformatted everything, added all links back in (that we could match from the previous version), many new ones (Slashbot bait links). Even more spelling fixed. Who wrote this thing, CmdrTaco himself?

Previous changes: Yet more changes added. Spelling fixed. Feedback added. Explanation of 'distro' system. 'Mount Point' syntax described. More filth regarding `man` and Slashdot. Yet more fucking spelling fixed. 'Fetchmail' uncovered further. More Slashbot baiting. Apache exposed. Distribution licence at foot of document.

ANUX -- A full Linux distribution... Up your ass!

Re:Inject goatse up your ass (-1, Offtopic)

Anonymous Coward | about 4 years ago | (#31643070)

Dude. That is way too fucking long. If you want people to actually read something (or even glance at it), it can't be a fucking dissertation. Give me the CliffsNotes edition and maybe then you will successfully troll me.

Better ditch those Killer NICs now.... (0)

Anonymous Coward | about 4 years ago | (#31642978)

Better ditch those useless Killer NICs now before they get exploited..... *snarf*

Brainwashing cyborgs? (0)

Anonymous Coward | about 4 years ago | (#31642984)

Network controller sounds like a job to me.

For a little piece of mind (5, Informative)

trifish (826353) | about 4 years ago | (#31643016)

If you dig into TFA, you'll find this:

"However, the attack presented only applies to a specific network card model (Broadcom NetXtreme) whenever a remote administration functionality (called ASF for Alert Standard Format 2.0) is turned on (it is off by default) and configured. According to vendors, this functionality is far from being widely used. As a consequence, this vulnerability is really likely to have a very limited impact in practice."

Re:For a little piece of mind (3, Interesting)

MichaelSmith (789609) | about 4 years ago | (#31643030)

Okay but will the UDP packets which cause the problem be well formed enough to be routed into your network from outside? In most cases if you have access to the local network all systems are vulnerable anyway.

Re:For a little piece of mind (1)

MobyDisk (75490) | about 4 years ago | (#31644850)

In most cases if you have access to the local network all systems are vulnerable anyway.

True: "if you have physical access then all systems are vulnerable" -- definitely. Just remove the hard drive, plug in a keyboard sniffer, etc.
Maybe true: "if you can login to the box then all systems are vulnerable" -- yeah, most OSs probably have some local root exploit.
Stretch: "if you have access to the local network all systems are vulnerable" -- most desktop boxes don't even have any server ports open. Hacking them from the LAN is unlikely.

Re:For a little piece of mind (1)

Ernesto Alvarez (750678) | about 4 years ago | (#31645650)

Okay but will the UDP packets which cause the problem be well formed enough to be routed into your network from outside?

Yes, they will.
The packets in question cause problems because they cause a buffer overflow in a parameter sent in the data.

The NIC accepts normal UDP packets for port 664 and then analyses the packets to see whether they use a certain protocol. If that's correct, the NIC responds to the packet itself and the OS never sees it.

The tampered packets trigger a buffer overflow by using a username (in ASF 2.0) that is longer than its maximum allowed length.

So, basically, they are perfectly normal UDP packets.
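The bug class Ernesto Alvarez describes, a username longer than its maximum allowed length copied into a fixed buffer, shown in a length-checked form. This is an added illustration, not code from the ANSSI presentation, from Broadcom, or from any commenter: the one-byte length prefix, the 16-byte name buffer and the 300-byte packet buffer are constructed for the example and do not represent the real ASF 2.0 wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed, simplified field layout used only for this example:
 *   [1 byte: declared username length][declared bytes: username]
 * This is NOT the real ASF 2.0 / RMCP wire format. It models the bug
 * class the thread describes: firmware trusting a length it got off the
 * wire and copying that many bytes into a fixed-size buffer. */
#define USERNAME_CAP 16   /* constructed size of the firmware's name buffer */

/* Hardened parser. Returns 1 and writes a NUL-terminated name into 'out'
 * when the field is well formed and fits; returns 0 and leaves 'out'
 * untouched otherwise. An unchecked implementation would skip both
 * length checks and memcpy(out, payload + 1, payload[0]) unconditionally. */
int parse_username_field(const uint8_t *payload, size_t payload_len,
                         char *out, size_t out_cap)
{
    if (payload == NULL || out == NULL || out_cap == 0 || payload_len < 1)
        return 0;
    size_t declared = payload[0];
    /* Check 1: the declared length must not exceed the bytes actually
     * received, or we would read past the end of the datagram. */
    if (declared > payload_len - 1)
        return 0;
    /* Check 2: the name plus its terminator must fit the destination,
     * or we would write past the end of the fixed buffer. */
    if (declared >= out_cap)
        return 0;
    memcpy(out, payload + 1, declared);
    out[declared] = '\0';
    return 1;
}

/* Builds a packet in the assumed format: n bytes of 'A' behind a 1-byte
 * length prefix. Returns the packet length, or 0 if it cannot be built. */
size_t build_username_packet(size_t n, uint8_t *buf, size_t buf_cap)
{
    if (n > 255 || n + 1 > buf_cap)
        return 0;
    buf[0] = (uint8_t)n;
    memset(buf + 1, 'A', n);
    return n + 1;
}

/* 1 if a username of n bytes is accepted into a USERNAME_CAP buffer. */
int username_of_length_accepted(size_t n)
{
    uint8_t pkt[300];
    char name[USERNAME_CAP];
    size_t len = build_username_packet(n, pkt, sizeof pkt);
    if (len == 0)
        return 0;
    return parse_username_field(pkt, len, name, sizeof name);
}

/* 1 if a packet whose declared length exceeds the bytes present is
 * accepted (it must not be: that is the read-overrun case). */
int truncated_packet_accepted(void)
{
    uint8_t pkt[5] = { 200, 'A', 'A', 'A', 'A' };  /* claims 200, carries 4 */
    char name[USERNAME_CAP];
    return parse_username_field(pkt, sizeof pkt, name, sizeof name);
}

int main(void)
{
    printf("5-byte name accepted:   %d\n", username_of_length_accepted(5));   /* 1 */
    printf("15-byte name accepted:  %d\n", username_of_length_accepted(15));  /* 1 */
    printf("16-byte name accepted:  %d\n", username_of_length_accepted(16));  /* 0 */
    printf("64-byte name accepted:  %d\n", username_of_length_accepted(64));  /* 0 */
    printf("truncated accepted:     %d\n", truncated_packet_accepted());      /* 0 */
    return 0;
}
```

The two checks guard different things: the first bounds the read against the datagram that actually arrived, the second bounds the write against the destination buffer. A parser that skips the second one is exactly the "username longer than its maximum allowed length" case from the comment above, and because the NIC answers these packets itself, no host-side input validation ever gets a chance to run.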

Re:For a little piece of mind (3, Funny)

WrongSizeGlass (838941) | about 4 years ago | (#31643286)

3. Is there a proof of concept?

Yes. A proof of concept attack has been demoed during the CanSecWest conference. It showed how an attacker can remotely shutdown or wake up his victim’s machine, and fully compromise a COTS operating system machine (Linux for the demo, but all operating systems are vulnerable).

Hey, at least it's Linux compatible!

Re:For a little piece of mind (5, Informative)

jd2112 (1535857) | about 4 years ago | (#31643952)

However, the attack presented only applies to a specific network card model (Broadcom NetXtreme)

Which happens to be the most popular network interface chipset used by Dell, HP, and many other manufacturers...

Not a big surprise (4, Insightful)

faloi (738831) | about 4 years ago | (#31643032)

A lot of IPMI and ASF code is an open door into at least some portion of the overall system. As NICs become more and more "intelligent," there's going to be more opportunities to exploit the NIC architecture and any subtle flaws because of the communication path into the system itself. Couple that with a rush to get stuff out the door faster and cheaper...and more of these issues will crop up.

Re:Not a big surprise (1)

shippo (166521) | about 4 years ago | (#31643736)

Intelligent LAN cards are nothing new. Back when 80386 processors were being used in servers, several manufacturers produced NICs with their own processor. The LAN protocol stack would be run partially on the NIC itself to reduce the load on the main server. We had a Xenix server at work that used such a NIC.

As a matter of fact I've still got a similarly designed serial card in my cupboard of spares. This used an 80186 to control 6 serial lines, leaving the main processor free to get on with other things.

Limited to Broadcom only? (2, Interesting)

MrCrassic (994046) | about 4 years ago | (#31643120)

It seems that the presentation focuses heavily on the NetXtreme framework, which is specific to Broadcom. Doesn't Intel, the other major NIC vendor/manufacturer, use their own proprietary security and administrative protocols on their devices?

I wonder how secure Realtek's stuff is; their drivers/software leave me to think that their hardware code is ripe for discovery...

Re:Limited to Broadcom only? (3, Informative)

nxtw (866177) | about 4 years ago | (#31643524)

I wonder how secure Realtek's stuff is; their drivers/software leave me to think that their hardware code is ripe for discovery...

Realtek hardware generally does not have the advanced hardware features found in the fancier Intel e1000(e) and Broadcom tg3.

Re:Limited to Broadcom only? (1)

mcrbids (148650) | about 4 years ago | (#31645324)

Realtek's stuff is pretty much little more than a reference implementation. They represent the "value end" of the marketplace, which works fine for cheaper Linux-based computers since drivers are ubiquitous for low-end (ahem: value priced) hardware.

Re:Limited to Broadcom only? (1)

faloi (738831) | about 4 years ago | (#31643704)

Intel uses IPMI, which tends to not have quite as many management hooks into higher level functions as ASF. There are still plenty of things that can go horribly, horribly wrong with a bad IPMI implementation...but they're more likely to be exploitable because of something on the system side than something on the NIC side.

+++ATH0 (1, Informative)

Anonymous Coward | about 4 years ago | (#31643132)

NO CARRIER

Re:+++ATH0 (5, Informative)

erroneus (253617) | about 4 years ago | (#31643272)

Love that comment! Too bad it was done anonymously, you deserve credit for the genius of its simplicity and clarity. "device vulnerabilities" have been around a long time. I used to make people on IRC lose their connections by sending specially crafted PING packets which would contain "+++ATH0" resulting in an immediate disconnection. I had one poor schmuck who patched and recompiled his Linux kernel like 6 or 7 times as he thought I was hacking his "computer" rather than exploiting his modem. His logs showed an ICMP coming from me followed by an interruption of his network link. He could have done one of two things: disable ping responses or changed a setting in his modem. It was hilariously funny watching the guy struggle though. Finally, I told him what I was doing..."Denwaugh"? Are you out there? Muhahaha! That comment brings back some memories...

The real point here is that devices are more than bits of hardware -- they are little computers themselves with their own vulnerabilities. Our trust of devices is a problem that is rarely considered.

Re:+++ATH0 (2, Informative)

Vellmont (569020) | about 4 years ago | (#31643794)


He could have done one of two things: disable ping responses or changed a setting in his modem.

Disabling ping is merely a poor workaround. You can exploit it in at least one other way, CTCP also has a ping response. If the victim is running an SMTP server that you can connect to you can get the SMTP server to repeat +++ATH0 via several different tricks. I'm sure there are other services that behave in a similar manner. The only REAL fix is to disable the sequence in the modem.

Re:+++ATH0 (2, Interesting)

mmontour (2208) | about 4 years ago | (#31645188)

The only REAL fix is to disable the sequence in the modem.

Or to buy a modem from a manufacturer that implemented it properly. The escape sequence is not just "+++" - there has to be an interval before and after those characters in which no other bytes are sent to the modem. This can only happen if you're typing directly from a terminal, since there are always extra headers present if you're sending TCP/IP traffic.

If your modem was vulnerable to this then the manufacturer was either incompetent or intentionally screwing it up to avoid paying patent royalties.
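The guard-time rule described in the comment above, as an added example that is not part of the thread: a small model of a modem's escape-sequence detector, run once in the correct form (a quiet interval of at least one second is required on both sides of the "+++") and once in the broken form that escapes as soon as three plus signs are seen. The byte streams, the one-second guard time constant and the 20-byte stand-in packet header are constructed for the example.

```python
"""
Hayes-style "+++" escape detection with and without guard time.

Constructed example: a correct implementation only honours "+++" when it is
preceded and followed by a quiet interval (GUARD_TIME), so "+++ATH0" carried
inside packet data, which always has headers around it, never reaches
command mode.  A broken implementation escapes on the bare "+++".
"""

GUARD_TIME = 1.0  # seconds of silence required before and after "+++" (assumed value)


class EscapeDetector:
    """Consumes a timestamped byte stream and records whether "+++" escaped."""

    def __init__(self, require_guard_time=True):
        self.require_guard_time = require_guard_time
        self.last_rx = None      # timestamp of the most recent byte
        self.plus_count = 0      # length of the current run of '+'
        self.armed = False       # "+++" seen, waiting for the trailing guard time
        self.escaped = False

    def feed(self, data: bytes, now: float):
        """All bytes in `data` arrived at time `now`."""
        for b in data:
            self._byte(b, now)
            self.last_rx = now

    def _byte(self, b: int, now: float):
        if self.armed:
            # Any byte inside the trailing guard time cancels the escape.
            self.armed = False
        if b != ord('+'):
            self.plus_count = 0
            return
        quiet_before = self.last_rx is None or (now - self.last_rx) >= GUARD_TIME
        if self.plus_count > 0 and quiet_before:
            self.plus_count = 0          # too slow between pluses: start a new run
        if self.plus_count == 0 and self.require_guard_time and not quiet_before:
            return                       # no leading silence: not an escape
        self.plus_count += 1
        if self.plus_count == 3:
            self.plus_count = 0
            if self.require_guard_time:
                self.armed = True        # now wait for the trailing silence
            else:
                self.escaped = True      # broken firmware escapes immediately

    def idle(self, now: float):
        """Called when the line has been silent up to `now`."""
        if self.armed and (now - self.last_rx) >= GUARD_TIME:
            self.escaped = True
            self.armed = False


def escapes(stream, require_guard_time=True):
    """stream: list of (timestamp, bytes). Returns True if "+++" escaped."""
    det = EscapeDetector(require_guard_time)
    for ts, chunk in stream:
        det.feed(chunk, ts)
    det.idle(stream[-1][0] + GUARD_TIME)  # let the trailing guard time elapse
    return det.escaped


# Constructed: a ping reply carrying "+++ATH0" as payload, wrapped in a
# stand-in 20-byte header, arriving as back-to-back packets.
HEADER = b"\x45\x00" + b"\x00" * 18
PING_PAYLOAD = HEADER + b"+++ATH0" + b"\x00" * 4
PACKET_STREAM = [(0.0, HEADER), (0.5, PING_PAYLOAD), (0.9, PING_PAYLOAD)]

# Constructed: a user at a terminal, who pauses before typing "+++".
TERMINAL_STREAM = [(0.0, b"hello\r\n"), (2.0, b"+++")]

if __name__ == "__main__":
    print("packet data, guard time enforced :", escapes(PACKET_STREAM))         # False
    print("packet data, guard time ignored  :", escapes(PACKET_STREAM, False))  # True
    print("typed at terminal, guard enforced:", escapes(TERMINAL_STREAM))       # True
```

The model is simplified (a real Hayes implementation also times the gaps between the three plus signs against a register), but it shows why the embedded sequence only works against firmware that skipped the guard time.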

Re:+++ATH0 (1)

erroneus (253617) | about 4 years ago | (#31646536)

Unfortunately, that method was patented (did the patent run out yet?) and, famously, modems based on the Rockwell chipset were vulnerable to this problem. I think USRobotics had the patent, I don't know any more. But I know it was because of a patent on the pause following +++

ATH0

Re:+++ATH0 (1)

adolf (21054) | about 4 years ago | (#31648916)

That method was patented by Hayes. Some modem manufacturers licensed the patent, while others did not. My Rockwell-chipset Supra modems handled +++ properly back in the day, but most of the no-name modems made after the September that never ended [catb.org] lacked this detail.

If I recall, there was also a way to do this using IRC directly, by issuing a command which would cause the remote client to respond (in part) with +++ATH0.

My personal favorite was just pinging folks to death. Their connection would simply degrade, as if (from their perspective) it were line noise. Once their buffers got sufficiently full, the ISP would generally (not always) drop them as latency went through the roof.

It was kind of hit and miss, since it relied on certain (broken-ish) behavior from both the ISP and the user's IP stack. And, you had to have better (less-broken) connectivity on your own end than they did, or you'd just trash your own connection instead. I had no problems knocking Windows and Linux boxes offline using my (then) superior OS/2 machine. :)

Oh. And then, after they log back in, you'd just finger their terminal server to find out their new IP address, before they'd even have a chance to do anything. Rinse, repeat. Lots of laughs, though probably not for them...

NSA (0)

Anonymous Coward | about 4 years ago | (#31643136)

With some of these exploits that are being "discovered," I just have to wonder how many of them are known by the NSA and I have to wonder how they're being used.

Re:NSA (1)

AHuxley (892839) | about 4 years ago | (#31643600)

Even low end state taskforces can buy in p2p tracking software to find your 'unique' MAC.
Every communications device/layer out of the USA should be seen as NSA friendly by default.

Re:NSA (1)

blincoln (592401) | about 4 years ago | (#31644100)

Even low end state taskforces can buy in p2p tracking software to find your 'unique' MAC.

Given that the MAC address isn't transmitted outside whatever subnet the device is on, how can "tracking software" (P2P or otherwise) determine your MAC address unless it is either on the same subnet or uses software that's somehow been installed on the target PC?

This points out a simple problem (5, Insightful)

erroneus (253617) | about 4 years ago | (#31643140)

As devices become more and more complex, device functions that were once embedded within a chip are now being implemented by embedded computer systems which are tiny processors, ROM and RAM. And these devices interface with our computers through Direct Memory Access in some form or another and they get access to our computer's memory. If you think it is getting harder to find a virus in a running Windows installation, try finding one in your network cards or other devices.

While the "article" (it's a frikken PDF) says that this has been tested by invading a network card through a normally disabled management interface, what about other means of infection?

What I am saying is this: Once malware gets into the computer, all other devices are increasingly at risk of being a target for being compromised to enable secondary infections even after the hard drive is wiped out... even after the hard drive is replaced. Get some malware stuck inside your system board's controllers and you are either trying to figure out how to reflash every chip on that board, or you're buying a new board.

Re:This points out a simple problem (1)

Bigjeff5 (1143585) | about 4 years ago | (#31643310)

While everything you say is true, there is some measure of security in the fact that at the device level, you are working with the equivalent of multiple operating systems.

A virus writer infecting both your primary OS and a device on your system must have intimate knowledge of both the primary OS and the device's firmware. The first is not hard, 95% of people use the same brand with only a handful of widely used platforms. The second though, varies wildly, and it would be extremely unlikely that a virus for one brand/model device would work on another brand, and even differing models within the same brand.

That doesn't make it impossible, just extremely unlikely. If a particular brand of a common device were ever to absolutely dominate the market I could see it becoming a major concern. Another possibility is if multiple devices become standardized under a unified "device OS" upon which the firmware runs, instead of running directly on top of the hardware. Until then, it's extremely unlikely that you would ever come in contact with such a virus.

Re:This points out a simple problem (1)

erroneus (253617) | about 4 years ago | (#31643334)

Oh let's see if I can outline this:

1. common malware happens
2. common malware gets system level access
3. common malware does an inventory of your system's hardware
4. common malware downloads prepared exploits for any common devices in its library hosted on any of the command/control servers or any servers C&C tells it
5. common malware then injects prepared exploit packages into device controller firmware

You are thinking about individual focused attacks where a person is driving each step of the game. That only happens during testing. Once unleashed, the process is fully automated and happens within seconds.

Re:This points out a simple problem (1)

silanea (1241518) | about 4 years ago | (#31646176)

If a particular brand of a common device were ever to absolutely dominate the market I could see it becoming a major concern.

My guess is that about 70% of all laptops and netbooks produced in the last two to three years run one out of maybe five or six different Intel NICs. On desktops targeting the four most widely used Realtek chips should give at least 30% coverage. On servers it boils down to a handful of widely used professional chips.

I do see it being an issue already. Not one of end-of-the-world-like seriousness, but for certain critical applications I would take it into consideration, CYA wise.

Re:This points out a simple problem (1)

hairyfeet (841228) | about 4 years ago | (#31647858)

Do you have ANY idea how many crappy low end Dells and HPs come with that particular chipset? Think about it this way: what if the malware writers came out with one for Realtek sound chips? While those Broadcom chips aren't quite as hugely popular as the Realtek chips, they are getting pretty damned close. I know in just about every laptop that crosses my desk I see Broadcom wireless, and nearly every one is based on the chips in TFA.

With the hardware, especially in the low end, offloading more and more from the CPU I think it is just a matter of time before something like a Code Red hits for hardware. I'm personally shocked that someone hasn't already cooked something up for GPUs. Think about how powerful even the onboard ATI and Nvidia chips are now, with more and more GP/GPU code added every day. Just imagine if someone cooks up say...a "free pron media player" that hooks into the GPU of say Nvidia cards and does screen caps if you visit certain websites?

I have a feeling the only reason why we haven't seen this yet is there is still plenty of low hanging fruit. As Windows 7 replaces XP and it becomes harder to exploit the OS directly or through the browser I have a feeling going after the most popular hardware will be the next place the malware writers turn, and it is gonna be nasty.

Re:This points out a simple problem (0)

Anonymous Coward | about 4 years ago | (#31643616)

What I am saying is this: Once malware gets into the computer, all other devices are increasingly at risk of being a target for being compromised to enable secondary infections even after the hard drive is wiped out... even after the hard drive is replaced. Get some malware stuck inside your system board's controllers and you are either trying to figure out how to reflash every chip on that board, or you're buying a new board.

And Cloud computing comes to the rescue again! Look at the little server huggers, all "oh no, but my computer is full of chips that can be hacked" .. phht.

ÖÖ×YÉZ-¥z3 (-1, Troll)

fysdt (1597143) | about 4 years ago | (#31643144)

ÖÖ×YÉZ-¥z3”àÃ'uF3ÅhB0ÊÓg=xïÓ>JåXZ=G –ëÇxúãÃr6GÎ*DÜ–íB’zÄ; ã£)¥Rihttô£/^|ñZ~ýú'333ONNNV*#Æyÿ®$|PÍã¼à¼Ç{ÉÔ'ó€ð^p^eýÓz(DÑ;_ec}z£á^~ýåóçÏÿõðáÿ¾}û/€€uË—/ÿfANX]Áe±sÁ9OêïïADe2F@ÖôéÏÎ7X.3X.±“'O]¼xñ×ù|¾|óæÍ?©ááá–––>+JûRò!w-S)¼Á[ÀdQ:A¼Â9p|PAÀ7ÂóïèûÅÅ&&&>N:Ý yób%Dp`cÑ”|ÀÆVB Iq ©ÔWbòGG;OLL|h+Jg€ááï£seØ\–ZBÑ_%4COCBò–iÆt%`e``j{5Aùò+hQ,r2â'$xQV×_Lïúo

Re:ÖÖ×YÉZ-¥z3 (2, Funny)

WrongSizeGlass (838941) | about 4 years ago | (#31643252)

Dude, I think you forgot to change your decoder ring from "I'm high" to "Slashdot". Please check the settings and try posting again.

Re:ÖÖ×YÉZ-¥z3 (1)

fysdt (1597143) | about 4 years ago | (#31643290)

Dude, I definitely should have posted that anonymously :)

Re:ÖÖ×YÉZ-¥z3 (1)

miggyb (1537903) | about 4 years ago | (#31644910)

It looks like you're using a mac... Is this an accurate guess? and am I a complete geek from being able to tell that?

ASF hero (4, Informative)

juventasone (517959) | about 4 years ago | (#31643184)

Since none of our clients use ASF, I have manually disabled it on every build I've done. Contrary to the article, many have it enabled by default. Why did I bother? I am a minimalist. I figured having an unused feature enabled could only potentially introduce problems.

Re:ASF hero (2, Insightful)

Anonymous Coward | about 4 years ago | (#31643346)

There needs to be a mod: -1 Gloating

an hero (1, Funny)

Anonymous Coward | about 4 years ago | (#31643432)

-1 an hero

Re:ASF hero (0)

Anonymous Coward | about 4 years ago | (#31643684)

Yeah, what's the matter with juventasone? He should be ranting, raving, and cursing at himself for having foresight rather than saying he did something right. He followed the principles of least privilege and disabling of unneeded services? What a fool. He needs to be modded into oblivion for such stupidity.

Re:ASF hero (0)

Anonymous Coward | about 4 years ago | (#31644022)

He was probably just doing his job, which I've learned by now is nothing to brag about.

only unpatched Broadcom NetXtreme w/ circumstances (3, Informative)

electrogeist (1345919) | about 4 years ago | (#31643246)

The summary left that out.

4. How can I find out if my machine is vulnerable?

Any computer using Broadcom NetXtreme chips with ASF activated and configured is vulnerable. Users of such computers should apply the official patches (see 6). Other vendors' cards and other card models are not impacted by this vulnerability. Machines using Broadcom NetXtreme chips where ASF has never been configured (this requires launching the Broadcom ASF configuration tool) are not vulnerable, but patching is highly recommended.

5. How can I protect my computers from such an attack?

If your computer is vulnerable to this attack you can either (in order of preference):

1. apply the vendor patch (see 6);
2. deactivate ASF. This should be done using the Broadcom ASF Configuration tool and not by turning off ASF in the BIOS of the machine;
3. configure all your network packet-filters to filter the UDP ports used by ASF (623 and 664).

Please note that some operating systems actually deactivate ASF at boot time. Some operating systems or hypervisors might also take advantage of hardware technologies such as Intel VT-d and AMD IOMMUs that would limit the impact of the attack.

Mo bugs mo problems (2, Interesting)

OopsIDied (1764436) | about 4 years ago | (#31643336)

The important part about this is not that the attack is very specific (only Broadcom running ASF) but that attacks through a NIC are possible at all. This could be the beginning of more serious and widespread attacks as network components become exploitable through their increasing technology. There's a relationship between amount of code a device runs and the amount of bugs present in that code, and bugs can often be exploited for bad purposes.

Re:Mo bugs mo problems (1)

Khyber (864651) | about 4 years ago | (#31644700)

Actually, this isn't that important. We've known about hardware vulnerabilities for decades. They're more difficult to exploit, typically, but they've been known about for at least 30 years now. We used to just exploit the processor's embedded microcode. Nothing new here, just moving to a different processor on a different PCB (unless it's built on the motherboard).

Non-story (1)

sammydee (930754) | about 4 years ago | (#31643394)

From the article:

"However, the attack presented only applies to a specific network card model (Broadcom NetXtreme) whenever a remote administration functionality (called ASF for Alert Standard Format 2.0) is turned on (it is off by default) and configured. According to vendors, this functionality is far from being widely used. As a consequence, this vulnerability is really likely to have a very limited impact in practice."

One network card by one manufacturer has a vulnerability when an obscure feature is turned on. While the idea of an attack on the network itself is interesting, this isn't going to become a widespread problem.

Why not just start with a typical dsl-router? (0)

Anonymous Coward | about 4 years ago | (#31643984)

So much insecure code to be explored...

But kudos to the NIC-approach!

Is this why... (0)

Anonymous Coward | about 4 years ago | (#31644234)

a bunch of my machines are constantly logging Broadcom ASF IP and SMBIOS Mailbox Monitor events? Shit.

This may be more general than a specific card (2, Interesting)

grandpa-geek (981017) | about 4 years ago | (#31644352)

I recently heard that the simulated network card in virtualization systems can be a point of attack. So, this may be a more general issue than a specific card.

Remote management security not good. (2, Informative)

Animats (122034) | about 4 years ago | (#31645556)

IPMI remote management security is worrisome.

There are Linux utilities for IPMI. [sourceforge.net] It's definitely worthwhile running "ipmiutil discover" on any LAN you control, to find out if anything out there speaks IPMI. It's also worthwhile monitoring your data center's networks for anything happening on UDP ports 663 and 664. If you're not using IPMI, make sure no one else is.

A big problem with IPMI is that the shipped hardware defaults really matter. If someone ships you a NIC card with IPMI enabled and the password known, you are 0wned at a very low level. IPMI boards offer various levels of authentication, some of which offer good cryptographic security. But one of the options is "no authentication".

A deeper problem is the possibility that NIC chips might have a default backdoor password built in. Many NIC chips now are designed in China.

Understand how much you can do via IPMI. You can turn the machine on and off remotely. You can force a reboot. You can change the boot settings. You can change the MAC address. You can override the front panel power and reset switches.(!) You can lock out the keyboard, blank the screen, set up a connection which the computer sees as a hard-wired keyboard, and boot from the LAN. The operating system isn't involved in any of this; it's taking place at a level below that of the main CPU.

Dell's guidance on IPMI [dell.com] is terrifying. See Figure 3, where IPMI over LAN is being enabled with username "root", no password. This sort of thing is common. The default password on Dell PowerEdge servers is "calvin", on Sun Fire servers it's "changeme", in both cases the user is "root". [cuddletech.com]

If you try to do it right, turning on all the crypto and using unique random keys for each chassis, someone has to manually type in the encryption key in hex on each new server. Then you need a remote management program which securely holds all the keys. How many shops really do that?
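The two defensive suggestions in this thread, filtering the ASF/RMCP ports named in the vendor FAQ quoted earlier (UDP 623 and 664) and monitoring the data center network for anything speaking IPMI, both start with knowing who is talking on those ports. The script below is an added example, not code from the thread, from ANSSI or from any vendor: it scans flow-log lines for UDP traffic on those ports, reports which hosts are being addressed and which hosts answer from an RMCP port (the strongest evidence that a box speaks IPMI or ASF), and flags any request not coming from a known management station. The log format, all addresses and the KNOWN_MGMT allowlist are constructed for the example.

```python
"""
Flag RMCP/ASF (IPMI-over-LAN) traffic in a flow log.

Constructed example.  ASF_PORTS holds the UDP ports given in the vendor FAQ
(623 and 664).  KNOWN_MGMT is an assumed allowlist of management stations
that are expected to originate RMCP traffic; everything else is reported.
"""
import re
from collections import defaultdict

ASF_PORTS = {623, 664}          # RMCP and secure RMCP, per the quoted FAQ
KNOWN_MGMT = {"10.0.0.5"}       # assumed: the site's only legitimate IPMI console

# Constructed flow-log lines: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <bytes>"
SAMPLE_LOG = """\
2010-03-26T10:00:01Z 10.0.0.5:51234 -> 10.0.0.20:623 UDP 56
2010-03-26T10:00:02Z 10.0.0.20:623 -> 10.0.0.5:51234 UDP 60
2010-03-26T10:00:05Z 10.0.0.77:40000 -> 10.0.0.21:664 UDP 120
2010-03-26T10:00:06Z 10.0.0.77:40001 -> 10.0.0.22:623 UDP 72
2010-03-26T10:00:07Z 10.0.0.9:55555 -> 10.0.0.20:80 TCP 512
2010-03-26T10:00:08Z 192.0.2.10:6000 -> 10.0.0.23:623 UDP 64
this line is not a flow record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>[A-Z]+)\s+(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "bytes"):
        rec[key] = int(rec[key])
    return rec


def find_rmcp_flows(log_text):
    """All UDP flows that touch an ASF/RMCP port, in log order."""
    flows = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec and rec["proto"] == "UDP" and (
            rec["dport"] in ASF_PORTS or rec["sport"] in ASF_PORTS
        ):
            flows.append(rec)
    return flows


def summarize(log_text, known_mgmt=KNOWN_MGMT):
    """Who is addressed on RMCP ports, who answers from them, and what is unexpected."""
    targets = defaultdict(set)   # dst host -> set of src hosts sending to it
    responders = set()           # hosts seen sending FROM an RMCP port
    unexpected = []              # (src, dst, dport) requests not from known_mgmt
    for rec in find_rmcp_flows(log_text):
        if rec["dport"] in ASF_PORTS:
            targets[rec["dst"]].add(rec["src"])
            if rec["src"] not in known_mgmt:
                unexpected.append((rec["src"], rec["dst"], rec["dport"]))
        if rec["sport"] in ASF_PORTS:
            responders.add(rec["src"])
    return {
        "targets": {host: sorted(srcs) for host, srcs in targets.items()},
        "responders": sorted(responders),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host, srcs in sorted(report["targets"].items()):
        print(f"RMCP requests to {host} from {', '.join(srcs)}")
    print("hosts answering from an RMCP port:", report["responders"])
    for src, dst, port in report["unexpected"]:
        print(f"UNEXPECTED: {src} -> {dst}:{port}")
```

Run against real flow or firewall logs, the "responders" list is the set of machines that actually have a management controller listening, which is what the ipmiutil discovery run mentioned above is meant to find; the "unexpected" list is what a packet filter on 623 and 664 would have dropped.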
