Firewire vulnerability applicable on FreeBSD?

Ben Kaduk minimarmot at gmail.com
Sun Mar 23 06:30:27 UTC 2008


Hi Jeremie,

On 3/22/08, Jeremie Le Hen <jeremie at le-hen.org> wrote:
> Hi there,
>
>  I've stumbled on this article.  I wonder if this is applicable to
>  FreeBSD.  Would it still be possible to exploit it without a firewire
>  driver?
>
>  http://www.dailytech.com/Lock+Your+Workstations+Or+Not+New+Tool+Bypasses+Windows+Logon/article10972.htm
>

``That's not a bug, it's a feature''.

That is, the firewire spec requires that it has full read/write access to all
physical memory, in the same way that the PCI bus has full read/write
access to physical memory.

Thus, with direct access to a firewire port, a malicious person can
grub around kernel memory and frob whatever they want (yet
another reason why physical security is important).

It seems that the windows vulnerability was due to storing credentials
information in a consistent place from system to system; that is
certainly the case for a GENERIC kernel, but if you have a custom
kernel there is no longer a _trivial_ ``exploit'' -- an attacker must
do some work to find where things are (and be able to hot-patch
machine language, but I know several people that could do that,
even one that's basing his thesis project on it).

Basically, once an attacker has physical access to your machine,
you've lost; this is just one possible route that such an attacker
could take.

We can use this feature as a true feature, as well, though -- it
allows dcons to be used instead of a serial port for kernel
debugging when you've totally confused your kernel.

-Ben Kaduk
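The point Ben makes is that the exposure lives in the hardware bus rather than in a software bug, so the defensive options are to keep untrusted hands off the port, to not load the driver, or to stop the driver from honouring physical DMA requests. The following audit helper is an added example and is not from the thread or from FreeBSD itself; it assumes (not stated above) that the firewire(4) driver shows up in kldstat(8) output as `firewire.ko` and that the sysctl `hw.firewire.phydma_enable` controls whether the bus may DMA into host memory. A driver compiled into the kernel never appears in kldstat, so the script also treats a present sysctl as evidence the driver is there. The kldstat listing used for the self-check is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit a FreeBSD host for
# the FireWire physical-DMA exposure discussed above.
# Assumptions: the driver module is named firewire.ko and the sysctl
# hw.firewire.phydma_enable (1 = allow physical DMA, 0 = refuse) exists.

# is_firewire_listed LISTING -> exit 0 if a kldstat(8) listing names firewire.ko
is_firewire_listed() {
    printf '%s\n' "$1" | grep -q '[[:space:]]firewire\.ko$'
}

# verdict DRIVER PHYDMA -> prints one of: absent, mitigated, exposed
#   DRIVER is "present" or "absent"; PHYDMA is the sysctl value, or "" if unset.
#   An unset value is treated as exposed, since the driver's default allows DMA.
verdict() {
    case "$1" in
        present)
            case "$2" in
                0) echo mitigated ;;
                *) echo exposed ;;
            esac ;;
        *) echo absent ;;
    esac
}

# audit_host -> verdict for the machine this runs on. On systems without
# kldstat/sysctl (e.g. Linux) it prints "unknown" rather than guessing.
audit_host() {
    if ! command -v kldstat >/dev/null 2>&1 || ! command -v sysctl >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    phydma=$(sysctl -n hw.firewire.phydma_enable 2>/dev/null || true)
    driver=absent
    # loaded as a module, or compiled in (sysctl present but no module line)
    if is_firewire_listed "$(kldstat)" || [ -n "$phydma" ]; then
        driver=present
    fi
    verdict "$driver" "$phydma"
}

# Constructed kldstat(8) output for the self-check (not from a real host).
SAMPLE_LISTING='Id Refs Address    Size     Name
 1   12 0xc0400000 8f4c20   kernel
 2    1 0xc0cf5000 2a3d8    firewire.ko
 3    1 0xc0d20000 6d4c     sbp.ko'

main() {
    if is_firewire_listed "$SAMPLE_LISTING"; then
        echo "sample listing: driver present, phydma=1 -> $(verdict present 1)"
        echo "sample listing: driver present, phydma=0 -> $(verdict present 0)"
    fi
    echo "this host: $(audit_host)"
}

main
```

On a host that reports `exposed`, the two remedies the thread's own reasoning points at are to stop loading the driver (leave it out of the kernel config or do not load the module) or, under the assumption above, to set `hw.firewire.phydma_enable=0` via sysctl(8) or loader.conf(5); the latter keeps dcons usable only if the debugging side does not rely on physical DMA, so check that trade-off before relying on it for a debug box.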

