IPOD - Firewire memory dump

In a few of the posts below I talked about the wonderful world of physical attacks on machines and RAM memory dumps.

I always complain about how often my head misfires, but from the series "the brain never stops working", after a computation time of 17 days, here is the result:
Firewire port == owned.

I read about Max Dornseif's work on doing memory forensics (and bad things) using the physical-memory-DMA feature of Firewire earlier this year. Being curious, I implemented my own stack of tools to try it out against my Linux laptop (before I knew that Max's OSX python-firewire bindings had been ported to Linux!). It worked just like Max said, and of course, because physical-memory-DMA-busmastering is the Fire in Firewire.

However, despite working fine against Linux, Macs and BSD boxen, it didn't work against Windows. My colleague Tmasky set to it, and soon enough had found the miracle ingredient.

Skip forward a few months, and it's now a big deal for reasons I'm not wholly sure about. I presented "Hit By A Bus: Physical Access Attacks With Firewire" at Ruxcon 2006, and hopefully if you came along, you were entertained.

At Ruxcon I released my firewire libraries (high level python bindings for libraw1394), the tool for fooling windows into giving you DMA (romtool), and a forensic memory imager (1394memimage). I demoed some of the malicious uses (like unlocking a locked Win XPSP2 workstation, and spawning an admin shell), but I'm not going to release that code (uh, unless you've got a compelling reason, I suppose). The talk and the tools are available just below.

[Via www.storm.net.nz Projects]

Persistence pays off.

* Yes, you can read and write main memory over firewire on windows.
* Yes, this means you can completely own any box whose firewire port you can plug into in seconds.
* Yes, it requires physical access. People with physical access win in lots of ways. Sure, this is fast and easy, but it's just one of many.
* Yes, it's a FEATURE, not a bug. It's the Fire in Firewire. Yes, I know this, Microsoft know this. The OHCI-1394 spec knows this. People with firewire ports generally don't.
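As an added illustration (not the 1394memimage code released at Ruxcon, nor anything else from storm.net.nz), here is the shape of a chunked physical-memory imager of the kind described above, in Python since the released tools were Python bindings over libraw1394. The bus read is abstracted as a `read_phys(addr, size)` callback so the imaging logic runs offline; the block size, the `DMAReadError` name, the fake target memory with a marker string and one unreadable page, and the search helper are all constructed for this example. On real hardware the callback would wrap a libraw1394 asynchronous read against the target node, which is the assumption stated in the comments.

```python
"""
Chunked physical-memory imaging over a Firewire-style DMA read path.

Added example, not the 1394memimage tool from storm.net.nz.  The bus
access is a callback `read_phys(addr, size) -> bytes`; on a real bus it
would wrap libraw1394's raw1394_read() against the target node (assumed
wiring, not shown here).  The rest is the imaging logic every such tool
needs: walk physical memory in bus-sized blocks, tolerate blocks the
target refuses to serve, record the holes, hash the result, and search it.
"""
import hashlib
from dataclasses import dataclass

MAX_BLOCK = 0x400   # assumption: one async read request per 1 KiB block
PAGE = 0x1000


class DMAReadError(Exception):
    """Raised when the target answers a read with a bus error (constructed name)."""


@dataclass
class ImageResult:
    image: bytearray          # physical-memory image, holes zero-filled
    unreadable: list          # (addr, size) blocks that could not be read
    sha1: str                 # hash of the image as written


def image_memory(read_phys, size, block=MAX_BLOCK):
    """Image `size` bytes of physical memory starting at 0, `block` bytes at a time."""
    image = bytearray(size)
    unreadable = []
    for off in range(0, size, block):
        n = min(block, size - off)
        try:
            data = read_phys(off, n)
            if len(data) != n:
                raise DMAReadError(f"short read at {off:#x}: {len(data)} of {n} bytes")
            image[off:off + n] = data
        except DMAReadError:
            # Do not abort: a forensic image with a documented hole is worth
            # far more than no image.  Zero-fill and record the range.
            unreadable.append((off, n))
    return ImageResult(image, unreadable, hashlib.sha1(image).hexdigest())


def find_pattern(image, pattern):
    """Every physical offset at which `pattern` occurs in the image."""
    hits = []
    i = image.find(pattern)
    while i != -1:
        hits.append(i)
        i = image.find(pattern, i + 1)
    return hits


# Constructed fake target: 16 KiB of "physical RAM" with a known marker at a
# known address, and one page that faults on read (think device MMIO rather
# than RAM).  None of this is a real machine.
FAKE_RAM = bytearray(4 * PAGE)
MARKER = b"FIREWIRE_OWNED"
FAKE_RAM[0x2340:0x2340 + len(MARKER)] = MARKER
HOLE_START, HOLE_SIZE = PAGE, PAGE      # second page is unreadable


def fake_read_phys(addr, size):
    """Stand-in for the bus read: fails for any block overlapping the hole."""
    if addr < HOLE_START + HOLE_SIZE and addr + size > HOLE_START:
        raise DMAReadError(f"bus error reading {size:#x} bytes at {addr:#x}")
    return bytes(FAKE_RAM[addr:addr + size])


def demo():
    """Image the fake target; returns the ImageResult for inspection."""
    return image_memory(fake_read_phys, len(FAKE_RAM))


if __name__ == "__main__":
    r = demo()
    print(f"imaged {len(r.image)} bytes, {len(r.unreadable)} unreadable blocks, sha1 {r.sha1}")
    for addr, n in r.unreadable:
        print(f"  hole: {addr:#06x} +{n:#x}")
    print("marker at", [hex(h) for h in find_pattern(r.image, MARKER)])
```

Two practitioner notes on the design: the per-block error handling is the important part, because on a real target the ranges that fail are not random; addresses backed by device registers instead of RAM can return errors or, worse, wedge the target, so an imager should be able to skip ranges it has been told about as well as ones it discovers. And the hash is taken over the zero-filled image with the hole list kept alongside it, so the image can be verified later without pretending the holes were readable.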
