
Aging Security Vulnerability Still Allows PC Takeover

Zonk posted more than 6 years ago | from the there-are-issues-here-and-perhaps-they-should-be-investigated dept.


Jackson writes "Adam Boileau, a security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password. By connecting a Linux machine to a Firewire port on the target machine, the tool can then modify Windows' password protection code and render it ineffective. Boileau said he did not release the tool publicly in 2006 because 'Microsoft was a little cagey about exactly whether Firewire memory access was a real security issue or not and we didn't want to cause any real trouble'. But now that a couple of years have passed and the issue has not resolved, Boileau decided to release the tool on his website."


Again (5, Informative)

monkeydluffy09 (1248486) | more than 6 years ago | (#22634708)

There is also another security researcher who found an efficient way to gain privileges through the hibernation file. Slashdot news: http://slashdot.org/firehose.pl?op=view&id=551924 [slashdot.org]

Yes, yes, another anti-windows story (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22634802)

So if these guys are so smart, why aren't they rich ?

Re:Yes, yes, another anti-windows story (0)

Anonymous Coward | more than 6 years ago | (#22634996)

How do you know they're not?

Re:Yes, yes, another anti-windows story (3, Funny)

Oktober Sunset (838224) | more than 6 years ago | (#22635476)

maybe they aren't smart, maybe they are dumb, that means even a dumb ass can crack windows security.

The hard part is... (3, Insightful)

lpangelrob (714473) | more than 6 years ago | (#22634712)

...finding a PC with a firewire port.

(The only ones at my workplace are the two I put firewire cards in. Don't ask, it's complicated.)

Re:The hard part is... (4, Insightful)

Anonymous Coward | more than 6 years ago | (#22634756)

Try looking at a modern laptop. They're far more common there than on desktops.

Hmmm... what a coincidence, laptops are also exposed to strangers carrying computers of their own, too. I wonder if this might have implications regarding the severity of this particular weakness...

Re:The hard part is... (5, Insightful)

MPAB (1074440) | more than 6 years ago | (#22634758)

Many laptops have Firewire ports, and most modern desktop mainboards do also thanks to the growing popularity of digital video cameras.

Re:The hard part is... (1)

Goffee71 (628501) | more than 6 years ago | (#22634794)

Sorry, I haven't seen a FireWire port on a PC (lappy or desktop) in about five years.

Re:The hard part is... (3, Informative)

Penguin Follower (576525) | more than 6 years ago | (#22634932)

> Sorry, I haven't seen a FireWire port on a PC (lappy or desktop) in about five years.

It could be due to the environment you work in, but there are at least 6 laptops in this office that I can think of that have firewire on them. One is a Toshiba, and the others are a mix of Dell and Lenovos. If I think harder about it, I'm pretty sure the laptops that were sent out to our regional managers (all over the U.S.) had firewire as well. It is worth mentioning that all of these laptops are less than 2 years old, as we went through a refresh not that long ago.

The Dell laptop I use for work (1)

porkchop_d_clown (39923) | more than 6 years ago | (#22635056)

certainly has one. They're quite common.

Re:The hard part is... (1)

barzok (26681) | more than 6 years ago | (#22635184)

My wife's 4 year old eMachines laptop has an FW800 port on it, as does my year-old Lenovo R60.

Re:The hard part is... (2, Informative)

_Shad0w_ (127912) | more than 6 years ago | (#22635494)

My laptop has one, my workstation at home has one and all the PCs at work have them. They're all Windows PCs. Firewire isn't rare; it's possibly just rare for people to use it. Partly, I expect, because USB2 is faster (at least on paper).

Re:The hard part is... (1)

dreamchaser (49529) | more than 6 years ago | (#22634866)

Two of my desktops and all of my laptops have Firewire ports. However, the physical security at my home is pretty good. I highly doubt someone is going to be able to break in and have the time to jack into one of my boxes before the police arrive.

Re:The hard part is... (2, Funny)

TripMaster Monkey (862126) | more than 6 years ago | (#22634906)

That sounds like a challenge...

Re:The hard part is... (1)

dreamchaser (49529) | more than 6 years ago | (#22635028)

Come and get it :) My security system is very non standard and has redundant features of my own design as well as a commercial system. Hint: cutting my phone line will not help you, it will just hasten your arrest ;)

Re:The hard part is... (0)

Anonymous Coward | more than 6 years ago | (#22635116)

Macaulay Culkin, is that you?

Re:The hard part is... (1, Funny)

bleh-of-the-huns (17740) | more than 6 years ago | (#22635246)

My security system is even better... it's a vicious dalmatian that attacks anyone who comes into the house..

And while yes it's a great security feature.. it gets annoying when he attacks the same neighbour over and over and over again.. who comes and goes in my house 2 or 3 times a week....

Re:The hard part is... (5, Funny)

clickclickdrone (964164) | more than 6 years ago | (#22634966)

>have the time to jack into one of my boxes
You must have one sexy PC!

Re:The hard part is... (1)

dreamchaser (49529) | more than 6 years ago | (#22635172)

I would mod you funny if I hadn't posted in this discussion already. Thanks for the laugh, I needed it!

Re:The hard part is... (3, Insightful)

gnick (1211984) | more than 6 years ago | (#22635450)

> the physical security at my home is pretty good
That's the gotcha here. Anyone with physical access to a machine owns that box. The only difference with this technique is that it sounds like it's quicker and possibly more subtle than my typical method of rebooting onto a live Linux CD and "repairing" the Windows accounts.

Re:The hard part is... (1)

Lumpy (12016) | more than 6 years ago | (#22634898)

Not really, most better laptops come with them now. Even the low end Dell laptops we bought for customer gifts last November had them.

After checking the office PCs around me, 50% have a firewire port on them. Dell and Lenovo mix is what we have here.

Granted we might be weird here in our buying habits, but we never spec for having firewire on them.

Re:The hard part is... (1)

jimbolauski (882977) | more than 6 years ago | (#22634942)

My external HD is connected through firewire because the real world speeds are faster than USB.

Re:The hard part is... (1)

stg (43177) | more than 6 years ago | (#22634960)

Really? Both of my latest desktops (and one is 4 years old!) and my notebook have firewire ports.

Perhaps that is because I always buy the best (reasonably-priced) Asus motherboard available...

Re:The hard part is... (1)

Quarters (18322) | more than 6 years ago | (#22634968)

How much more complicated than "shut down computer, open case, install card, close case, reboot computer, install drivers" was it?

Re:The hard part is... (1)

somersault (912633) | more than 6 years ago | (#22635074)

I was thinking the same kind of thing, but then realised that he meant something like "don't ask why I needed to install firewire into these machines". At least I hope he meant that.

Re:The hard part is... (2, Informative)

elrous0 (869638) | more than 6 years ago | (#22635012)

As someone who edits digital video, I wouldn't buy a machine without one. Mini-DV is still the best consumer/prosumer video format for SD video and Firewire is absolutely the best way to interface a Mini-DV camera with a computer. Not sure about HD video, but Firewire would probably be useful for that too (since most agree that it's faster than USB 2.0).

Re:The hard part is... (1)

binaryspiral (784263) | more than 6 years ago | (#22635266)

Every thinkpad I've used for the last three years has had a firewire port.

As I don't use it on a daily basis - it's disabled for such reasons. Fewer active ports - fewer points of entry.

Re:The hard part is... (1)

bleh-of-the-huns (17740) | more than 6 years ago | (#22635316)

In my days as a technician.. way back in the dot bomb days, I would have to say that a lot, I figure about 75% of the systems I looked at had FW headers on the motherboard, but only a few of them were actually connected (most of them were Sony based), so while you may not have the connector, you probably do have the headers.

Re:The hard part is... (0)

Anonymous Coward | more than 6 years ago | (#22635388)

Oh ho! Yes! Is funny because Firewire is Apple's brand name for IEEE 1394, and can not be on PC!

Breathtaking Arrogance or Stupidity? (-1, Troll)

allcar (1111567) | more than 6 years ago | (#22634716)

For Microsoft to have failed to patch an issue such as this must be indicative of either breathtaking arrogance or utter stupidity... or perhaps both. Which is it?

Re:Breathtaking Arrogance or Stupidity? (4, Insightful)

91degrees (207121) | more than 6 years ago | (#22634764)

This does require physical access to a machine. If you want to access the machine, you can reboot using a USB stick and access the hard disk that way, or even just open the machine and take the drive, then modify the contents to your heart's content before putting it back.

Re:Breathtaking Arrogance or Stupidity? (4, Insightful)

liquidpele (663430) | more than 6 years ago | (#22634788)

Maybe. I can't tell if this hack requires rebooting or not. I'll guess no.
If it doesn't require rebooting, then it's a step above everything else because you don't have to mess with bios boot passwords and hard disk passwords (which my work requires you use).

Re:Breathtaking Arrogance or Stupidity? (2, Informative)

TripMaster Monkey (862126) | more than 6 years ago | (#22634856)

With this hack [storm.net.nz] , you can spawn a command prompt with admin rights directly from the login screen. No reboot required.

Re:Breathtaking Arrogance or Stupidity? (0)

Anonymous Coward | more than 6 years ago | (#22635112)

Parent was answering GP's question, mods. How is this 'redundant'?

Re:Breathtaking Arrogance or Stupidity? (2, Informative)

Anonymous Coward | more than 6 years ago | (#22635432)

Because he linked to the main story. It's the same link in the summary. That's redundant.

Re:Breathtaking Arrogance or Stupidity? (5, Insightful)

goddidit (988396) | more than 6 years ago | (#22634804)

But this works with crypted drives.

Re:Breathtaking Arrogance or Stupidity? (1, Informative)

Xuranova (160813) | more than 6 years ago | (#22634816)

+1 for the above poster. As far as windows machines, aren't there numerous floppy disk/cd tricks that allow you to change the windows password/make it blank IF YOU HAVE ACCESS TO THE DRIVE? How is this news other than it's anti-MS?

Re:Breathtaking Arrogance or Stupidity? (5, Insightful)

LingNoi (1066278) | more than 6 years ago | (#22634820)

That's not exactly the same.. Take my library for example: all machines are set to boot correctly and the cases are physically locked to their location. Also looks a lot less suspicious when you're not ripping the guts out of a machine that it's obvious you don't own in public..

Re:Breathtaking Arrogance or Stupidity? (4, Insightful)

Albanach (527650) | more than 6 years ago | (#22634824)

This though appears to have the advantage of not requiring a reboot, so rendering BIOS passwords ineffective.

It's all very well to say if someone has physical access all security is compromised. That doesn't mean you need to make it as easy and quick as possible. Now if you lock your computer and pop to the bathroom, a visitor could be in and out of your PC before you get back.

Re:Breathtaking Arrogance or Stupidity? (1)

rubycodez (864176) | more than 6 years ago | (#22635332)

you've not heard of the Beethoven solution, keeping a chamber pot under your workstation?

Re:Breathtaking Arrogance or Stupidity? (1)

K. S. Kyosuke (729550) | more than 6 years ago | (#22634850)

Except that the owner of the machine might easily notice the reboot ("Where are my started applications?"), while with this, it's possible to, e.g., steal files from a running machine without anyone noticing, or at least in a much more inconspicuous way. At least, the possibility is there.

Re:Breathtaking Arrogance or Stupidity? (1)

Tridus (79566) | more than 6 years ago | (#22634776)

Maybe they decided potential compatibility problems a fix would cause (TFA says that memory access is a feature) weren't worth it?

Not saying it's good reasoning, but we don't know just how badly other things would break if they fixed this.

Re:Breathtaking Arrogance or Stupidity? (1)

Bert64 (520050) | more than 6 years ago | (#22635052)

Perhaps on 64bit systems, you could limit firewire to a 32bit virtual address space... And only map things into it that you actually need the firewire devices to access. I'm not sure if firewire even supports a 64bit address space anyway.

Re:Breathtaking Arrogance or Stupidity? (1)

uss (1151577) | more than 6 years ago | (#22634778)

You are either for Bill Gates or against Bill Gates.

Which is it?

Re:Breathtaking Arrogance or Stupidity? (4, Funny)

deblau (68023) | more than 6 years ago | (#22634928)

You are either for false dichotomies or against them.

Which is it?

Re:Breathtaking Arrogance or Stupidity? (4, Insightful)

sm62704 (957197) | more than 6 years ago | (#22634822)

> For Microsoft to have failed to patch an issue such as this must be indicative of either breathtaking arrogance or utter stupidity... or perhaps both

How about apathy? They'll wake up when and if they ever lose market share because of their shoddy product. I mean come on, if I can sell a Yugo at Escalade prices, why should I produce a quality product? That would be stupid. And if I could sell Yugos at Escalade prices I think my arrogance would be understandable and forgivable.

They've been selling an insecure OS for as long as PCs have been networked, why should they secure it now?

Re:Breathtaking Arrogance or Stupidity? (0, Troll)

mumblestheclown (569987) | more than 6 years ago | (#22634826)

What, expecting to be modded up for such "wisdom"?

Re:Breathtaking Arrogance or Stupidity? (4, Interesting)

TheRaven64 (641858) | more than 6 years ago | (#22635062)

It's not Microsoft's fault, it's a hardware problem. FireWire is a peer-to-peer protocol with commands for using the DMA controller. Any device plugged in via a FireWire port can issue DMA requests. It can dump the entire contents of (physical) memory and write data at arbitrary locations. A FireWire controller ought to only permit DMA to and from regions the driver allowed it to, but most don't. The only work around for this is to either disable FireWire or use something like the Device Exclusion Vector on modern AMD chips to block the device's access to memory.

Re:Breathtaking Arrogance or Stupidity? (5, Insightful)

Anonymous Coward | more than 6 years ago | (#22635282)

Doesn't that also mean that Linux is also vulnerable to Apple's firewire design faults?

Re:Breathtaking Arrogance or Stupidity? (3, Insightful)

xtieburn (906792) | more than 6 years ago | (#22635342)

Or perhaps slashdot on another uneducated baseless diatribe directed towards that little known company MS.

Did you read the article or did you just check the headline and decide to try to get cheap mod points? I'll point out why you don't deserve them.

'Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.'

Now maybe this was just excuses but the fact it came from a third party with no particular connection to MS should have made you pause for thought. Even if you don't know much about firewire it would take you moments to do a quick search and actually realise this is a 'feature' of the actual specification itself. As in _every_ O/S had the same problem. Linux, OSX even BSD were using this exploit even before MS were cracked. There are still reports of new OSX and Linux systems being hacked by firewire right in to 2008. (Though admittedly I've not heard much from BSD, probably because their admins tend to actually have a clue.)

This is a universal flaw in security stemming from naivety with regard to externally connected hardware. You want secure firewire, disable it when you are not using it yourself. That goes for any system, any O/S, any person. End of story.

Re:Breathtaking Arrogance or Stupidity? (1)

LO0G (606364) | more than 6 years ago | (#22635400)

As I understand the vulnerability, MSFT can't fix this - the problem is that the 1394 hardware specification allows a device plugged into a 1394 port to read or write to arbitrary locations in memory. The OS isn't involved.

As such, this is a hardware vulnerability - every OS in the world is affected.

host memory! (5, Insightful)

Spazmania (174582) | more than 6 years ago | (#22634726)

So why exactly is it a desirable feature for a firewire node to be able to access another node's memory unsolicited?

Re:host memory! (1)

DamageLabs (980310) | more than 6 years ago | (#22634774)

Software development and debugging.
Now for unsolicited... Ask Microsoft.

faster (1)

CaptainNerdCave (982411) | more than 6 years ago | (#22634796)

I would assume that it requires less "overhead" and allows for swifter transfer.

Re:host memory! (1)

mblumber (267394) | more than 6 years ago | (#22634806)

Don't you remember the old saying, "one man's feature is another man's security hole"?

Re:host memory! (3, Interesting)

iangoldby (552781) | more than 6 years ago | (#22634842)

Because it is not USB.

Actually, what do I know? But I do believe that Firewire doesn't have the concept of host and slave nodes. All nodes on a Firewire network are equivalent AFAIK.

If it were necessary to explicitly allow direct memory access on a node whenever it was requested, you would not be able to plug a Firewire cable into a control-less box (for example) and do things with it, without first accessing the control-less box through a non-Firewire method to enable Firewire DMA.

Anyway, that's my ignorance on the subject. And as Adam Boileau says, it is a Feature, not a Bug. It is intended behaviour, so there must be a good reason (even if it is not the above).

Re:host memory! (3, Insightful)

TheRaven64 (641858) | more than 6 years ago | (#22635088)

It's a design flaw. The peer-to-peer nature shouldn't come into it. What ought to happen is that one peer requests DMA rights to a memory location in another peer, and the driver then returns yes or no before the controller decides whether to permit the DMA request. In simple devices, like hard drives, the driver would always return true (allow). In multitasking systems the driver would only return yes for pointers to pages it owns.
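TheRaven64's two comments (the earlier one on the Device Exclusion Vector and this one on a driver answering yes or no per page) describe a design, not code. What follows is an added illustration, not code from the thread or from any real 1394 driver or controller: a toy model of flat host memory with two bus controllers, one that forwards every DMA request (the behaviour the thread complains about) and one that permits a request only when every page it touches was granted to that device by the host driver, which is the IOMMU/DEV-style check described above. The class names, the device identifier `node-1`, the 4 KiB page size and the memory contents are this example's own constructed assumptions.

```python
"""Toy model of the DMA access-control gap discussed in the thread.

Added example (not from the thread or any real driver). Two controllers
share one flat physical memory: UnrestrictedBus forwards every request,
PageCheckedBus permits a request only if every page it touches was
granted to that device by the host driver, as an IOMMU or DEV would.
"""

PAGE_SIZE = 4096  # assumed page size for the model


class DmaDenied(Exception):
    """Raised when a checked controller rejects a device's DMA request."""


def pages_spanned(addr, length):
    """Page frame numbers touched by an [addr, addr+length) transfer.

    A transfer that ends one byte into the next page touches that page too,
    so the permission check must cover every frame, not just the first.
    """
    if length <= 0:
        return []
    first = addr // PAGE_SIZE
    last = (addr + length - 1) // PAGE_SIZE
    return list(range(first, last + 1))


class HostMemory:
    """Flat physical memory of num_pages pages (constructed, zero-filled)."""

    def __init__(self, num_pages):
        self.data = bytearray(PAGE_SIZE * num_pages)

    def write(self, addr, payload):
        self.data[addr:addr + len(payload)] = payload

    def read(self, addr, length):
        if addr < 0 or addr + length > len(self.data):
            raise DmaDenied("address outside physical memory")
        return bytes(self.data[addr:addr + length])


class UnrestrictedBus:
    """Legacy behaviour: any attached node may read any physical address."""

    def __init__(self, memory):
        self.memory = memory

    def read(self, device, addr, length):
        return self.memory.read(addr, length)


class PageCheckedBus:
    """Controller that consults the host driver's per-device page grants."""

    def __init__(self, memory):
        self.memory = memory
        self.grants = {}  # device id -> set of granted page frame numbers

    def grant(self, device, pfn):
        self.grants.setdefault(device, set()).add(pfn)

    def revoke(self, device, pfn):
        self.grants.get(device, set()).discard(pfn)

    def allowed(self, device, addr, length):
        """True only if every page the transfer touches has been granted."""
        granted = self.grants.get(device, set())
        return all(pfn in granted for pfn in pages_spanned(addr, length))

    def read(self, device, addr, length):
        if not self.allowed(device, addr, length):
            raise DmaDenied(f"{device}: DMA to {addr:#x}+{length} not granted")
        return self.memory.read(addr, length)


def demo():
    """Compare the two controllers on constructed memory contents."""
    mem = HostMemory(num_pages=4)
    mem.write(3 * PAGE_SIZE, b"constructed-secret")  # page the device must not see
    mem.write(1 * PAGE_SIZE, b"dma-buffer")          # the device's own buffer

    legacy = UnrestrictedBus(mem)
    checked = PageCheckedBus(mem)
    checked.grant("node-1", 1)  # the driver grants only page 1 to this device

    return {
        "legacy_reads_secret": legacy.read("node-1", 3 * PAGE_SIZE, 18),
        "checked_reads_own_buffer": checked.read("node-1", PAGE_SIZE, 10),
        "checked_allows_secret": checked.allowed("node-1", 3 * PAGE_SIZE, 18),
        # a transfer running one page past the grant is denied as a whole
        "checked_allows_straddle": checked.allowed("node-1", 2 * PAGE_SIZE - 4, 8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the model makes is the one the comment makes: the check belongs in the controller, keyed on pages the driver has explicitly handed to that device, and it has to evaluate every page a transfer crosses, since a request that starts in a granted buffer and runs into the next page is exactly the case an allowlist keyed on the start address would miss.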

Re:host memory! (4, Interesting)

Jah-Wren Ryel (80510) | more than 6 years ago | (#22635138)

> So why exactly is it a desirable feature for a firewire node to be able to access another node's memory unsolicited?
Well, for one thing, it should make cracking any of these "untrusted computing" DRM schemes pretty trivial.

2 Year bug report.. (1, Insightful)

LingNoi (1066278) | more than 6 years ago | (#22634772)

This isn't the first guy to get frustrated with Microsoft's lack of commitment in the security vulnerability area and just release his nasty onto the world.. It probably won't be the last either.

Re:2 Year bug report.. (1)

obergfellja (947995) | more than 6 years ago | (#22634818)

Report in from Microsoft: "Security, Who cares?"

wow...amazing....*yawn* (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22634782)

And what stops someone from doing the same thing against Linux? Nothing. OMG linucks developers haven't fixed this critical issue in years. Stop the presses! These awful arrogant linucks developers. I 3 stories by idiots who don't know what they're talking about.

Re:wow...amazing....*yawn* (1, Informative)

TripMaster Monkey (862126) | more than 6 years ago | (#22634828)

> And what stops someone from doing the same thing against Linux?

See my previous post [slashdot.org] on that subject.

Re:wow...amazing....*yawn* (0)

Anonymous Coward | more than 6 years ago | (#22635458)

I don't think you understand the meaning of a hypothetical question. I don't come to slashdot to learn.

Physical access (3, Insightful)

nickv111 (1026562) | more than 6 years ago | (#22634786)

Not to say that Microsoft shouldn't have patched this, for it is certainly a design flaw to allow computers hooked up to a machine to access its memory, but if you're plugging something into the Firewire port of a computer, then you're sitting at that computer, aren't you? It's true of all hardware that if you have physical access, then you can do whatever you want with it anyway.

-Nick

Up to a point. (2, Interesting)

SmallFurryCreature (593017) | more than 6 years ago | (#22634924)

A lot of workplaces will have physically secured machines but nonetheless with ports open. People might notice if you remove a server from a rack to access its insides, but just plugging in a cable?

Yes, of course, not that many machines have firewire and servers are even rarer (although my pc has a port) but still, there is a major difference between the access needed to open a PC and get its HD and just plugging in a cable.

See it as the difference between having to steal secret documents and being able to copy them at the spot.

If this tool indeed works in seconds then that is a lot faster than opening up a PC, taking out its HD, installing it in another machine, breaking its security, reading the contents you want (which at this point would give you only the contents on the HD, not the network), re-installing it and closing the cover and removing every trace of your access.

A lot of security is about inconvenience. Safes ain't rated for being unbreakable, but how long it takes to open them. ANY safe can be opened, the trick is making the process take so long that it can not be done without being found out. Thanks to MS, breaking its security has just become a lot more convenient.

Re:Physical access (1)

Anonymous Coward | more than 6 years ago | (#22634934)

Yeah but per Microsoft's security assurances, I also expect that if proper security is set up and I'm logged out it will be difficult for someone to just sit down at my machine and start rifling through my mail/files. Now I know it's pretty easy.

Re:Physical access (1)

Locklin (1074657) | more than 6 years ago | (#22634944)

As mentioned before, this potentially allows access to mounted encrypted disks, passwords in memory, and bypasses physical locks on machines and bios passwords.

Armed with this on a PDA-like device I could walk through a room of computers and discreetly compromise one after another - provided they have firewire ports, which are probably rare in public and corporate computers.

Re:Physical access (2, Insightful)

Chops (168851) | more than 6 years ago | (#22635014)

> It's true of all hardware that if you have physical access, then you can do whatever you want with it anyway.

That's certainly not true. To use one of a huge multitude of examples, students at my school had physical access to the machines in the computer lab, but it would definitely be a problem if they installed a keylogger to sniff other students' passwords.

Re:Physical access (2, Insightful)

gad_zuki! (70830) | more than 6 years ago | (#22635314)

Yeah, if I'm sitting at it I can boot from USB, wipe the administrator password, reboot and log in. No need for a firewire card, cable, etc. I can do the same with OSX but I have to use the install disc instead of the USB keychain in my pocket.

Yes this is all very "shocking." This is the slashdot equivalent of CNN playing that lock-pick video over and over again.

Re:Physical access (4, Interesting)

SharpFang (651121) | more than 6 years ago | (#22635466)

Depends on the length of the (fire)wire. ;)

In the case of most hardware with mid-to-high physical security you need some 15 minutes of totally unsupervised access; it involves removing the case (to reset the BIOS password), rebooting the system (sometimes by power cycling) and generally implies a very dirty and easy to detect hack - you do gain the access but you're not stealthy at it.

You plug the inconspicuous cable in the side/back of the PC, stash the laptop under the desk, and walk away whistling quietly. Then you sit down, access your laptop from another one through wi-fi then proceed to download contents of the compromised box, over the firewire cable.

Done previously (5, Informative)

TripMaster Monkey (862126) | more than 6 years ago | (#22634790)

Maximillian Dornseif demonstrated [matasano.com] this same Firewire vulnerability against Linux and OS X machines in 2005. Adam Boileau just gets more press because he performed the hack against Windows PCs.

Re:Done previously (2)

EvilRyry (1025309) | more than 6 years ago | (#22634868)

Any word if Linux and/or OS X have a fix for this issue. Yes, I've read TFA and it doesn't mention it.

Re:Done previously (2, Informative)

ockegheim (808089) | more than 6 years ago | (#22635036)

If you're concerned about it, there was another post above which suggested disabling the firewire interface when you're not using it. An applescript that ran a shell command to enable, disable or toggle the firewire interface could just sit on your desktop. Alas, I'm not Unix-literate enough to write the shell script bit though.

How to filter Mac and Linux. (1)

LingNoi (1066278) | more than 6 years ago | (#22635144)

This PDF [hudora.de] shows how you can filter Linux and Mac firewire.. No idea if this has been integrated into the distros..

Page 37 for Linux, 38 for Mac

Re:Done previously (2, Interesting)

cobaltnova (1188515) | more than 6 years ago | (#22635478)

As for Debian, it looks like unstable firewire stack implementation (JuJu) handles the security issues. [nabble.com] However, that same article suggests that Lenny (the next version of Debian) will probably be released with the vulnerable, stable stack because it has more compatibility.

Re:Done previously (1)

Maniac-X (825402) | more than 6 years ago | (#22634976)

Mod parent up. It's definitely worth mentioning to put all this into perspective.

Interesting, but (1)

mrbah (844007) | more than 6 years ago | (#22634814)

Or you could just, you know, use any old livecd to steal the SAM file and crack it in a few minutes. That way your adversary doesn't know they've been compromised.

Re:Interesting, but (0)

Anonymous Coward | more than 6 years ago | (#22634892)

Yea. Try that with a boot password, hard drive password, and encrypted disk dumbass. You're not smart because you know what ophcrack is.

Re:Interesting, but (1)

ilovegeorgebush (923173) | more than 6 years ago | (#22634912)

You can only use a Live-CD if the PC is turned off or at least not logged-on. Kinda pisses on your fireworks if it's locked and in-use, just not attended to at that moment in time. The hack referenced in the article can be used when it's locked. From the article:

> "unlock locked Windows machines or login without a password ... merely by plugging in your Firewire cable and running a command"

A little contradictory I think. How can you run a command if the PC's locked?

Re:Interesting, but (2, Insightful)

betterunixthanunix (980855) | more than 6 years ago | (#22634958)

The command is run on a second system that is connected via firewire.

Here's the thing though: this requires physical access. That makes it a low-salience attack, because gaining that kind of access is only an iota easier than pointing a gun at someone's head and demanding their password.

Re:Interesting, but (1)

ilovegeorgebush (923173) | more than 6 years ago | (#22635066)

Assuming you have a gun :D

Re:Interesting, but (3, Informative)

liquidpele (663430) | more than 6 years ago | (#22635068)

I disagree. It gives the attacker admin privileges. That means you can go to the library or kinkos, and install whatever you want to steal credit card numbers or website passwords from the people using those public machines. Sure you could probably do that other ways, but this makes it *really* easy.

Plus, if you were to break into an office you could steal all kinds of stuff from the computers without the owner knowing it had been done. Things that come to mind are architecture drawings, patents, and reading all the CEO's emails.

Re:Interesting, but (1)

mrbah (844007) | more than 6 years ago | (#22635436)

Those kinds of machines (especially in businesses) don't generally have 1394 ports, so you're not going to be able to use this attack.

Re:Interesting, but (0)

Anonymous Coward | more than 6 years ago | (#22635082)

Hardly. Similar to that guy who was stealing laptops from computers, but even easier. You stroll in with your PDA or your laptop and pretend to look like an IT guy. Hell, if average joe asks what you're doing, say you're the new IT guy just checking something or taking inventory. (something menial sounding).

Plug. run a little script or so. Put your software on their PC. you've got yourself a host. If you can convince average joe that you ARE the IT guy. Why not do his whole department?

Sounds like something that in the end will fall on Corporate IT, to disable all firewire ports.

Also affects OS X and linux (5, Informative)

mooglez (795643) | more than 6 years ago | (#22634884)

This same vulnerability also affects OS X as reported here: http://blog.juhonkoti.net/2008/02/29/automated-os-x-macintosh-password-retrieval-via-firewire [juhonkoti.net]

As well, as Linux, as reported in an earlier 2005 report about this firewire feature: http://www.matasano.com/log/695/windows-remote-memory-access-though-firewire/ [matasano.com]

Re:Also affects OS X and linux (2, Interesting)

JasterBobaMereel (1102861) | more than 6 years ago | (#22635106)

It sounds like it is a problem with firewire and therefore any system which uses it?

Not to say it should not be patched in all systems, but surely this would have had to be written into the driver deliberately for it to work, so the real question is why firewire requires direct access to the system memory (and potentially passes this onto the external device) when USB does not?

Probably for lower overhead (4, Interesting)

Sycraft-fu (314770) | more than 6 years ago | (#22635348)

One of the things I always hear in the USB vs Firewire debates is how much lower overhead Firewire is. In informal testing, this certainly seems to be the case. Well, one of the reasons it might be is if it has DMA. You'll find that's how a lot of PCI hardware works. It can read and write directly to memory, it doesn't have to do things through the processor. Keeps system load much lower, it'd quickly peg the CPU if it had to deal with shuffling around all data on the system. However, it also can lead to problems, of course.

Well, if Firewire has the same capability, it would explain why it is much lower overhead than USB, but it would also allow for things like this.

In general, DMA is probably something that needs to be looked at being cleaned up/reworked. It is a non-trivial cause of system instability: hardware goes nuts (or maybe the driver orders the hardware to do something stupid), craps on memory it shouldn't, and the system goes down. However anything like that is going to take a back seat to performance, at least in regular PCs. As nice as it would be to have the CPU fully in charge of everything, people aren't going to put up with it if it means a 10x drop in performance.
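The mechanism Sycraft-fu describes, as an added toy model for this thread (not code from Boileau's tool, from any driver, or from anyone quoted on the page): a bus-mastering device reads and writes host RAM by physical address with no CPU involvement, scans it for a byte pattern and overwrites it; the same device put behind an IOMMU that only maps the device's own buffer page gets a fault instead of the patch. The memory image, the two-instruction "compare and branch" stand-in, its address and the window layout are all constructed for the demo; the page does not say what the real tool patches, and the fragment here is not a claim about it. The IOMMU half goes past the comment: DMA remapping is the hardware fix for "hardware craps on memory it shouldn't", and it is not mentioned anywhere in the thread.

```python
"""Toy model of a DMA-capable bus master and of an IOMMU that confines it.

Added illustration for this thread, not code from the tool or drivers discussed
on the page.  The memory image, the 'password check' fragment, its address and
the IOMMU window are all constructed for the demo.
"""

PAGE = 0x1000
RAM_SIZE = 16 * PAGE

# Constructed stand-in for a compare-and-branch in a logon routine:
#   39 d8    cmp eax, ebx   ; supplied == stored ?
#   75 07    jne +7         ; mismatch -> failure path; fall-through = success
CHECK_SIG = bytes.fromhex("39d87507")
CHECK_PATCH = bytes.fromhex("39d89090")   # jne -> nop nop: every password 'matches'
CHECK_ADDR = 0x2A10                        # where the fragment sits in the toy image


class DmaFault(Exception):
    """Raised when a device touches an address it is not allowed to reach."""


class PhysicalMemory:
    """Host RAM as the bus sees it: a flat byte array with no access control."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def read(self, addr, n):
        if addr < 0 or addr + n > len(self.buf):
            raise DmaFault(f"read outside RAM at {addr:#x}")
        return bytes(self.buf[addr:addr + n])

    def write(self, addr, data):
        if addr < 0 or addr + len(data) > len(self.buf):
            raise DmaFault(f"write outside RAM at {addr:#x}")
        self.buf[addr:addr + len(data)] = data


class Iommu:
    """Translation unit in front of RAM: the device may only touch the
    half-open (start, end) windows the OS mapped for it."""

    def __init__(self, mem, windows):
        self.mem = mem
        self.windows = windows

    def _check(self, addr, n):
        if not any(s <= addr and addr + n <= e for s, e in self.windows):
            raise DmaFault(f"DMA to {addr:#x}+{n:#x} is not mapped for this device")

    def read(self, addr, n):
        self._check(addr, n)
        return self.mem.read(addr, n)

    def write(self, addr, data):
        self._check(addr, len(data))
        self.mem.write(addr, data)


class BusMasterDevice:
    """A device on the bus (the attacker's controller in the thread): it issues
    reads and writes by physical address, and the host CPU never runs a thing."""

    def __init__(self, bus, ram_size):
        self.bus = bus            # PhysicalMemory (no IOMMU) or Iommu
        self.ram_size = ram_size

    def find(self, signature):
        """Scan RAM a page at a time for a byte pattern; return its address or None.
        A few bytes of the previous page are carried over so a pattern that
        straddles a page boundary is still found."""
        overlap = len(signature) - 1
        prev = b""
        for addr in range(0, self.ram_size, PAGE):
            chunk = self.bus.read(addr, min(PAGE, self.ram_size - addr))
            hit = (prev + chunk).find(signature)
            if hit != -1:
                return addr - len(prev) + hit
            prev = chunk[-overlap:] if overlap else b""
        return None

    def patch(self, signature, replacement):
        """Locate the pattern and overwrite it in place; return the address patched."""
        addr = self.find(signature)
        if addr is not None:
            self.bus.write(addr, replacement)
        return addr


def build_image():
    """Constructed RAM: zeros, a page of 0xCC padding, and the check fragment."""
    mem = PhysicalMemory(RAM_SIZE)
    mem.write(0x2000, b"\xcc" * PAGE)
    mem.write(CHECK_ADDR, CHECK_SIG + b"\xc3")   # ret after the fragment
    return mem


def run_check(mem, addr, supplied, stored):
    """Tiny interpreter for the fragment: what the CPU does when the logon
    code executes from (possibly patched) memory.  True means 'logon OK'."""
    code = mem.read(addr, 4)
    if code[:2] != b"\x39\xd8":
        raise ValueError("unexpected code at check address")
    zf = supplied == stored
    op = code[2]
    if op == 0x75:          # jne: taken on mismatch -> failure
        return zf
    if op == 0x90:          # nop: the branch is gone, always fall through
        return True
    raise ValueError(f"unknown opcode {op:#x}")


def demo_unrestricted():
    """Device sits directly on RAM: (result before, address patched, result after)."""
    mem = build_image()
    dev = BusMasterDevice(mem, RAM_SIZE)
    before = run_check(mem, CHECK_ADDR, supplied=1, stored=2)
    addr = dev.patch(CHECK_SIG, CHECK_PATCH)
    after = run_check(mem, CHECK_ADDR, supplied=1, stored=2)
    return before, addr, after


def demo_with_iommu():
    """Same device behind an IOMMU that maps only its own buffer page."""
    mem = build_image()
    dev = BusMasterDevice(Iommu(mem, [(0x1000, 0x2000)]), RAM_SIZE)
    try:
        dev.patch(CHECK_SIG, CHECK_PATCH)
        outcome = "patched"
    except DmaFault:
        outcome = "faulted"
    return outcome, run_check(mem, CHECK_ADDR, supplied=1, stored=2)


if __name__ == "__main__":
    print("no IOMMU :", demo_unrestricted())
    print("IOMMU    :", demo_with_iommu())
```

The scan is the whole attack: there is no privilege check between the bus and RAM, so the device only needs to know what bytes to look for. The IOMMU version fails on the very first page read, because the scan starts at address 0 and the only thing mapped for the device is its own page at 0x1000.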

So? And? (1)

Monty Worm (7264) | more than 6 years ago | (#22635196)

Having worked with (possibly alongside is closer) Adam in the past, that's not the point. In all probability, this hasn't occurred to him. It would still be interesting to test, but let's face it, isn't bashing Windows the main point here? Whether such and such getting_more_obscure_hardware breaks is one thing, but it breaks in Windows! And in truth, if your security is compromised to the point where people can plug things in, it's essentially useless anyway.

Mod parent down (1, Informative)

LingNoi (1066278) | more than 6 years ago | (#22635334)

There also happens to be a fix for Mac and Linux [slashdot.org] too.. What's your point?

Re:Also affects OS X and linux (1)

t35t0r (751958) | more than 6 years ago | (#22635384)

Anyone know if this affects all Linux kernels?

"If someone does plug into your port unexpectedly" (3, Insightful)

Chops (168851) | more than 6 years ago | (#22634954)

My favorite part of the article:

Paul Ducklin, head of technology for security firm Sophos, said the security hole found by Boileau was not a vulnerability or bug in the traditional sense, because the ability to use the Firewire port to access a computer's memory was actually a feature of Firewire.

"If you have a Firewire port, disable it when you aren't using it," Ducklin said.

"That way, if someone does plug into your port unexpectedly, your side of the Firewire link is dead, so they can't interact with your PC, legitimately or otherwise."

"You see, this serious security problem was designed in from the start, so therefore... it's not a problem! Ta-da!"
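The Linux counterpart of Ducklin's "disable it when you aren't using it", as an added example for this thread (not code from Sophos, from Boileau's tool, or from any distribution): a controller the kernel never initialises does not serve remote memory requests, so keeping the FireWire modules from loading kills your side of the link the same way unplugging does. The module names are the real Linux ones for the old ieee1394 stack (ohci1394, sbp2, ieee1394) and the newer firewire stack (firewire-ohci, firewire-sbp2, firewire-core); the /proc/modules sample is constructed, and audit_host() and the /etc/modprobe.d path assume a stock modprobe layout.

```python
"""Check whether a Linux host still loads the FireWire stack, and emit the
modprobe.d file that keeps it out.

Added example for this thread, not code from Sophos, from Boileau's tool or
from any distribution.  Module names are the real Linux ones; the
SAMPLE_PROC_MODULES text is constructed, and the paths used by audit_host()
assume a stock modprobe layout.
"""
import glob
import re

# Old ieee1394 stack and newer firewire stack.  The OHCI driver is the one
# that actually programs the controller; the others ride along with it.
FIREWIRE_MODULES = {
    "ohci1394", "sbp2", "ieee1394",
    "firewire-ohci", "firewire-sbp2", "firewire-core",
}

# Constructed /proc/modules excerpt (name size refcount deps state address).
SAMPLE_PROC_MODULES = """\
firewire_sbp2 20480 0 - Live 0xffffffffc0a1b000
firewire_ohci 45056 0 - Live 0xffffffffc0a0c000
firewire_core 73728 2 firewire_sbp2,firewire_ohci, Live 0xffffffffc09f0000
usbhid 57344 0 - Live 0xffffffffc09d8000
"""

_BLACKLIST = re.compile(r"^blacklist\s+(\S+)")
_INSTALL_NOOP = re.compile(r"^install\s+(\S+)\s+/bin/(?:false|true)\b")


def _canon(name):
    # /proc/modules spells underscores; modprobe takes either, so compare on dashes.
    return name.replace("_", "-")


def loaded_firewire_modules(proc_modules_text):
    """FireWire modules present in /proc/modules-style text, sorted."""
    found = set()
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and _canon(fields[0]) in FIREWIRE_MODULES:
            found.add(_canon(fields[0]))
    return sorted(found)


def blocked_modules(conf_text):
    """Modules a modprobe.d file refuses to load.  'blacklist' only stops
    alias-driven autoload; 'install X /bin/false' also defeats an explicit
    modprobe X, so the generated config below uses both."""
    blocked = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _BLACKLIST.match(line) or _INSTALL_NOOP.match(line)
        if m:
            blocked.add(_canon(m.group(1)))
    return blocked


def blacklist_config(modules=frozenset(FIREWIRE_MODULES)):
    """Contents for /etc/modprobe.d/blacklist-firewire.conf (assumed path)."""
    lines = ["# FireWire/IEEE 1394: a plugged-in device can DMA into RAM; keep the stack unloaded."]
    for mod in sorted(modules):
        lines.append(f"blacklist {mod}")
        lines.append(f"install {mod} /bin/false")
    return "\n".join(lines) + "\n"


def audit(proc_modules_text, conf_texts):
    """What is loaded right now, and what is still allowed to load later."""
    blocked = set().union(*(blocked_modules(t) for t in conf_texts))
    return {
        "loaded": loaded_firewire_modules(proc_modules_text),
        "still_loadable": sorted(FIREWIRE_MODULES - blocked),
    }


def audit_host():
    """Same check against the live system (Linux only; paths are assumptions)."""
    with open("/proc/modules") as f:
        proc = f.read()
    confs = []
    for path in glob.glob("/etc/modprobe.d/*.conf"):
        with open(path) as f:
            confs.append(f.read())
    return audit(proc, confs)


if __name__ == "__main__":
    print("before:", audit(SAMPLE_PROC_MODULES, []))
    print("after :", audit(SAMPLE_PROC_MODULES, [blacklist_config()]))
```

The blacklist only affects future loads: on a host where the audit shows modules already loaded, they still have to be unloaded (modprobe -r firewire-ohci, or the ohci1394 equivalent) or the box rebooted before the port is actually dead.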

Hosted on his personal webpage... (2, Funny)

ProdigySim (817093) | more than 6 years ago | (#22634972)

Not anymore! Microsoft probably submitted this article.

Most laptops have firewire. (1)

hilather (1079603) | more than 6 years ago | (#22635030)

Most of the people in my computer class lock their laptops and take off while on break. If this does indeed work, I'm going to have some fun with it.

Re:Most laptops have firewire. (0, Redundant)

Shados (741919) | more than 6 years ago | (#22635396)

Most laptops have Firewire? Err? I mean, maybe where you are, as anecdotal evidence... but aside from seeing them advertised in stores or something, I've personally never seen anyone who owned one. USB2? Yes. Firewire? Nope.

Physical Security (4, Insightful)

Chysn (898420) | more than 6 years ago | (#22635076)

Once your machine's physical security is compromised, just about anything can happen. If someone is in your data center or office unattended and hooking up equipment to your PC, you're sort of in a world of hurt anyway.

In related news... (4, Funny)

muffen (321442) | more than 6 years ago | (#22635078)

... it turns out, his site is vulnerable to the slashdot effect :)

Who cares? (0, Offtopic)

Tatsh (893946) | more than 6 years ago | (#22635276)

Once again, on Slashdot, I say, 'who cares?' This is a Windows vulnerability and I thought Slashdot was an open source outlet for news and for some stories that people so-called 'care about', not Windows vulnerabilities. Yeah sure, every time a Windows Vista (which is always negative, in fact every Microsoft story is negative) story comes out and we can bash all we want and everything, and same for a story similar to this, but this is getting old. It has gotten old. I do not feel the need to bash Microsoft any more, they're going whatever which way they are, bad or not.

I know the poster of this story certainly feels like 'this'll definitely get them started', or whatever. Not me. I could go on and on all day about the mistakes that I feel Microsoft is making right now and past mistakes that are causing all these issues of now, but nothing is going to change substantially until we stop bashing and start pushing open source software usage, if that is what we care about. I am not going to waste much time bashing Microsoft.

I need not go any further than 'Windows + security = joke'. We already know that. That makes this news old. I do not care about this news because I, like most other 'power computer users', know how to use Windows 'properly' enough to not run into these vulnerabilities. Besides, don't we use Linux most of the time anyway? (I know I do.)

All I'm saying is, Slashdot has no need to post these stories about vulnerabilities in Windows or Mac. If stories are going to be related at all to Windows or Mac, then it should have to do with open source. Apple praise/Microsoft bashing is old. Soon enough, if Apple takes over the market, it will become Apple bashing. We all know this. Apple is easily able to be just as anti-open-source as Microsoft.

We want open source OS's (Linux, FreeBSD, Syllable, etc) to be the most-used, don't we? Well, posting stories like this just to point and laugh at Microsoft makes the open source community look very pretentious, like looking at a 'Windows admin' and laughing at them because they do not know basic UNIX commands. How about this: teach, do not laugh. It is the only way to get those people on our side.

Nothing to see here... (0)

Anonymous Coward | more than 6 years ago | (#22635284)

Who gives a damn?!

I mean you need PHYSICAL access to the PC to carry out this attack, and secondly, a PC with a Firewire port.

I have yet to come across a single PC anywhere which has firewire.

A matter of seconds? (0)

Anonymous Coward | more than 6 years ago | (#22635320)

Adam Boileau, a security consultant based in New Zealand has released a tool that can unlock Windows computers in seconds without the need for a password.
You know, a value such as 30 hours can be expressed in seconds...