[ale] Fwd: Recent developments in FireWire Attacks

Greg Freemyer greg.freemyer at gmail.com
Wed Sep 8 17:38:21 EDT 2010


Might be of interest to ALErs....discusses the 2.6.22 and newer kernel
being subject to firewire attacks.

-Greg

Begin forwarded message:

From: Freddie Witherden <freddie at witherden.org>
Date: September 7, 2010 11:14:03 AM CDT
To: bugtraq at securityfocus.com
Subject: Recent developments in FireWire Attacks

Hello,

The security vulnerabilities associated with open FireWire ports are
nothing new, having been covered extensively by Maximilian Dornseif
(2004 and 2005) and more recently by Adam Boileau (2006 and 2008).
Unfortunately the tools released as part of these disclosures (pyfw,
pythonraw1394 and winlockpwn) have all started to succumb to bit rot. In
addition, there has been a comparative lack of research on the
vulnerabilities of Mac OS X against FireWire attacks.

Therefore I would like to share my updated research in the field. This
includes an open source cross-platform (GNU/Linux and Mac OS X) library,
libforensic1394, for performing memory forensics/attacks over FireWire
and a paper on the subject. (Although written from a forensics
standpoint the security implications associated with the interface are
discussed at great length.)

The paper can be found here:

 https://freddie.witherden.org/pages/ieee-1394-forensics.pdf

with the associated pages for it and libforensic1394 being

 https://freddie.witherden.org/pages/ieee-1394-forensics/
 https://freddie.witherden.org/tools/libforensic1394/

Included in the paper is:
- A comprehensive discussion on obtaining memory access over the interface.
- Coverage of the new "Juju" FireWire stack, introduced in the 2.6.22
Linux kernel. (Its features, susceptibility to memory access attacks, etc.)
- Limitations of existing libraries and how libforensic1394 represents
an improvement over them.
- User-space code samples showing how responses to read/write requests
can be spoofed by a malicious application on the target system.
- Updated attack signatures for 32- and 64-bit versions of Windows to
bypass logon passwords.
- Similar signatures for Mac OS X 10.6 along with a discussion of how
the user logon password can be extracted from a (locked) system. This,
from a security standpoint, is particularly concerning.
- Mitigation for Windows, Mac OS X and GNU/Linux.
- Source code for all sample programs.

Polemically yours, Freddie.


_______________________________________________
Cce2 mailing list
Cce2 at certified-computer-examiner.com
http://lists.certified-computer-examiner.com/mailman/listinfo/cce2




-- 
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
