Ram dump over Firewire

[Image: firewirememdump_20080304.jpg]

Unlike USB2, the Firewire spec allows devices to have full DMA access. By impersonating the appropriate device, a PC can essentially obtain full read/write access to another machine's RAM, just by connecting the two machines with a Firewire cable. Adding to the recent discussion about the insecurities of physical access and Princeton's cold-boot RAM dump demonstration, Adam Boileau released a Linux Firewire utility that will give you immediate Administrator access to an XP machine:

It's two years later, and I think anyone who was going to get the message about Firewire has already got it, and anyone who was going to be upset about it has got over it. Besides, according to Microsoft's definition, it never was a Security Vulnerability anyway - screensavers and login prompts are - as Bruce says - about the Feeling of Security. Anyway, today's release day for Winlockpwn, the tool I demoed at Ruxcon for bypassing windows auth, or popping an admin shell at the login window.

...

  • Yes, you can read and write main memory over firewire on windows.
  • Yes, this means you can completely own any box whose firewire port you can plug into in seconds.
  • Yes, it requires physical access. People with physical access win in lots of ways. Sure, this is fast and easy, but it's just one of many.
  • Yes, it's a FEATURE, not a bug. It's the Fire in Firewire. Yes, I know this, Microsoft know this. The OHCI-1394 spec knows this. People with firewire ports generally don't.

Adam's tools include a few Python apps that can copy and impersonate Firewire device signatures, dump RAM on a remote machine, bypass Windows authentication, and extract BIOS passwords. It's not exactly comforting, but I've got a new appreciation for Firewire now. This is the sort of access that used to only be possible by creating hardware that physically connects to the PCI bus. Now all you need is a cable and a laptop.

Firewire, DMA & Windows - direct memory access over Firewire - [via] Link

Posted by Jason Striegel | Mar 4, 2008 07:08 PM
Cryptography, Data, Linux, Network Security, Windows

Comments

Posted by: anonymous on March 4, 2008 at 8:39 PM

A few years ago I remember someone making an iPod Linux application for Firewire iPods that did the same thing.

I'm sure the page is still out there if you feel like googling for it.


Posted by: Paul on March 5, 2008 at 6:36 AM

Surely though this is not just Windows, but any OS that automatically mounts a device?


Posted by: TheBlunderbuss on March 5, 2008 at 8:57 PM

Paul: The Firewire standard seems to be at fault, since the guy can attack the big 3 OSes.
Check the link.


Posted by: TheBlunderbuss on March 6, 2008 at 11:05 AM

Also, I wonder if this whole thing can be prevented by turning off the FireWire port (via kernel module removal, or the hardware manager) on the victim PC.
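
One way to answer that question on a Linux host, as an added example that is not part of this thread or of the tools the post links to: a POSIX shell audit that reports loaded 1394 driver modules and OHCI-1394 controllers, and prints a modprobe fragment that keeps the drivers from loading, so a hot-plugged device never gets an initialised controller to issue DMA through. The module names and the sysfs layout are assumptions about a typical Linux host, covering both the older ieee1394 stack and the newer firewire-* stack.

```shell
#!/bin/sh
# Added example, not from the original post or the tools it links to.
# Audits a Linux host for an active IEEE 1394 (FireWire) stack and prints a
# modprobe fragment that keeps the drivers from loading, so a hot-plugged
# device never gets a live OHCI controller to issue DMA through.
# Assumptions: /proc/modules and sysfs exist; the module names below cover the
# old ieee1394 stack and the newer firewire-* stack.

# 1394 driver modules as they appear in /proc/modules (underscores, not hyphens).
FW_MODULES="firewire_core firewire_ohci firewire_sbp2 firewire_net ohci1394 raw1394 sbp2 ieee1394 eth1394 video1394 dv1394"

# Read a /proc/modules-style listing on stdin and print the 1394 modules in it.
loaded_fw_modules() {
    awk -v list="$FW_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }'
}

# Print the PCI addresses of FireWire controllers under a sysfs PCI device tree.
# PCI class 0x0c00xx is base class 0x0c (serial bus), subclass 0x00 (IEEE 1394);
# prog-if 0x10 is OHCI, which is what the DMA-capable host controllers report.
fw_controllers() {
    dir="${1:-/sys/bus/pci/devices}"
    for d in "$dir"/*; do
        [ -r "$d/class" ] || continue
        case "$(cat "$d/class")" in
            0x0c00*) basename "$d" ;;
        esac
    done
}

# Emit modprobe configuration: "blacklist" stops autoloading by alias, and the
# "install" override stops explicit loads too (save as /etc/modprobe.d/no-firewire.conf).
fw_blacklist() {
    for m in $FW_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/true\n' "$m" "$m"
    done
}

# Full audit of the running host; run as: sh this_script.sh audit
audit() {
    echo "Loaded 1394 modules:"; loaded_fw_modules < /proc/modules
    echo "1394 controllers present:"; fw_controllers
    echo "Suggested modprobe config:"; fw_blacklist
}

if [ "${1-}" = "audit" ]; then
    audit
fi
```

Unloading the modules with rmmod after writing the fragment closes the window for the running session; a controller with no driver bound is never brought up on the bus.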


Posted by: nemo on July 19, 2008 at 4:44 PM

msramdmp: McGrew Security RAM Dumper

Check this tool out: "msramdmp: McGrew Security RAM Dumper"

//--------------------------------------
Information Security Comments
http://cryptoexperts.blogspot.com
//--------------------------------------
