Weekly Edition
Return to the Security page
| |||||||||||||
Attacking network cardsWhen considering the vulnerabilities of a system, the hardware is usually ignored. Software certainly presents the biggest target—fairly easily exploited as we have seen—but a new class of attacks goes directly at the hardware, specifically network cards. The results can range from a permanent denial-of-service to a complete compromise of the card's function. One researcher has overly cutely dubbed this kind of attack "phlashing" because it attacks the firmware on the card, which is typically stored in flash. The basic idea is that an attacker will rewrite the firmware using an image under their control. That image could do any number of fairly nasty things to the card. Two separate researchers have recently reported on their explorations into this type of attack. Arrigo Triulzi's posting to the, evidently private, Robust Open Source mailing list was reported on Ben Laurie's weblog. Rich Smith of HP also gave a talk on his PhlashDance fuzzing tool at the EuSecWest conference. In both cases, network devices were compromised via insecure remote firmware update capabilities. Smith's research focuses on causing permanent denial-of-service through overwriting the firmware, presumably with garbage. At that point, the card will no longer function and may, in fact, no longer be able to be updated—remotely or locally—which turns it into a paperweight. More importantly, no network traffic can use the device, so if it is situated in a critical router, for example, it could affect a large number of systems. A more insidious attack is described by Triulzi. He replaces the firmware with new code, effectively reprogramming the device to do whatever he wants. One of the attacks goes like this:
[...] I've reached my goal of writing a totally transparent firewall bypass
engine for those firewalls which are PC-based: you simply overwrite the
firmware in both NICs and then perform PCI-to-PCI transfers between the two
cards for suitably formatted IP packets (modern NICs have IP "offload
engines" in hardware and therefore can trigger on incoming and outgoing
packets). The resulting "Jedi Packet Trick" (sorry, couldn't resist) fools,
amongst others, CheckPoint FW-1, Linux-based Strongwall, etc. This is of
course obvious as none of them check PCI-to-PCI transfers.
An additional trick, noted by Laurie and others is to use those same techniques to read or write the main memory of the host computer. This could certainly allow sensitive information to leak—or the host itself to be compromised. As Laurie says: "You might even be able to read disk, too, depending on the disk controller." This is truly frightening stuff that is flying under the radar of most network administrators. There are no known attacks in the wild, but it would seem only a matter of time before that happens. This is definitely something to keep an eye on. Other than avoiding vulnerable network hardware—lists of which do not seem to be available from either researcher—there doesn't seem to be much that can be done to deal with phlashing attacks. A properly programmed I/O memory management unit (IOMMU) might alleviate some of the worst cases by disallowing DMA outside of approved ranges, but card vendors need to make updates more difficult. It might be more convenient for an administrator of a large network to update multiple cards across the wire, but the price paid for that convenience seems too high. (Log in to post comments)
Attacking network cards Posted May 29, 2008 4:53 UTC (Thu) by ikm (subscriber, #493) [Link] > you simply overwrite the firmware in both NICs No, really, how is that -- you simply overwrite it? Which cards allow this and how do they check for the firmware's authenticity?
Attacking network cards Posted May 29, 2008 7:45 UTC (Thu) by jengelh (subscriber, #33263) [Link] RealTek cards with an EEPROM (does not work with EPROMs :-)) allow to be reprogrammed with a DOS tool, so the answer to your first question is: inb and outb. Of course, that requires that someone has access to the box itself first. As for remote updatesas the article mentionsyou probably just upload the new firmware through telnet, tftp or a webinterface. If you are lucky, it may be SSL'ed. Authenticity? What authenticity? Only a checksum on the file to make sure it was not corrupted during the transfer but other than that, perhaps a username/password for login, but otherwise, nope.
Attacking network cards Posted May 29, 2008 14:55 UTC (Thu) by ikm (subscriber, #493) [Link] What article mentions is some sort of remote firmware upgrade mechanism evidently provided by the card itself, without any sort of OS required to assist. No network card by itself would really provide any high-level interface, such as telnet or tftp, for that. It would probably rather be raw ethernet frames. The article seems scarce on these kind of exact details, though, that's why I was asking.
Attacking network cards Posted May 30, 2008 20:21 UTC (Fri) by drag (subscriber, #31333) [Link] I presumed that if faulty firmware can be 'fuzzed' to produce exploits then one of those exploits could be overwriting the firmware on the card itself. I don't see how big of a difference it would be to find a exploitable hole in a OS driver or firmware for a network card and then write new firmware as long as that it is possible for the OS or card itself to write new firmware. (Kinda interesting because that 'open' firmware code is something that RMS and his fan club has been clamoring for if the card itself is writable. Open firmware could be required to produce effective defenses against these sort of attacks) And it's common for wireless drivers to have loadable firmware anyways (more sophisticated wired ethernet cards shouldn't be too far behind), so if you get system access then you could hack the card's firmware (either in a file on Linux or embedded in the driver binary for windows) to do all sorts of nasty stuff. That way, depending on your goal, (say you want network access, but you don't care about 'owning' the access point) you could stealthily introduce a firmware hack that would allow you to get WPA keys, sniff traffic, or something like that if you send a specially crafted packet.
Attacking network cards Posted May 29, 2008 18:18 UTC (Thu) by smoogen (subscriber, #97) [Link] Many cards allow for this these days.. Most of it comes from using FPGA and similar things to go faster than other chips allow and needing to send out updates because your code has a bug in it somewhere. When most cards have programmable chips on them.. then you have multiple computers that may or may not be under your control.
Attacking network cards Posted May 29, 2008 20:48 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link] many cards allow for updates from the system they are plugged into, not from remote systems. if a hacker takes over your machine and becomes root (which is nessasary to modify the card from your machine) there are lots of nooks and crannies in the system he can hide stuff, this is just one more of them (including modifying the BIOS of most modern motherboards) the network cards are not special unless they have some bug in them that allows for modification remotely. for many cards, they don't store the firmware on the card itself, it's downloaded from the OS at boot time, so if the hacker can modify your kernel they can modify the firmware on the card next time you boot (but they can also modify anything else in your kernel, so why would they go to the trouble of targeting a specific piece of hardware when they can do it all from the common x86 compatible cpu)
Attacking network cards Posted May 29, 2008 23:09 UTC (Thu) by ikm (subscriber, #493) [Link] This all is of course, it's just that the parent article mentioned something about updating cards "across the wire". Presumably meaning remotely, and, well, probably not just over SSH, or else what's the point of mentioning it? If you've got root already then of course you can ruin the system.
Attacking network cards Posted May 30, 2008 8:06 UTC (Fri) by ebirdie (subscriber, #512) [Link] dlang: "they can also modify anything else in your kernel, so why would they go to the trouble of targeting a specific piece of hardware when they can do it all from the common x86 compatible cpu" To make malware resistant to software reinstall on hardware with some reprogrammable memory. If firmware malware works badly, it makes normal administrator to trash the hardware. If firmware malware works fine, it sits there for long and being resistant to many current and common schemes to prevent and detect malware. Not many of us do reflash hardware, which have worked fine. At least it goes quite far away from current threat models. I think the scope of target doesn't have to be limited to specific hardware, but to cracking software, which can be run once on a compromised system. The software could know more hardware.
Attacking network cards Posted May 29, 2008 8:31 UTC (Thu) by plundra (subscriber, #51099) [Link] It sounds like this is possible on an already booted machine, remotely, without any software on the host-machnine? If that's really the case... Let's buy som fast GPIO-interfaces and bit-bang everything from software within our control :) On a similar matter, a friend of mines X31 a few years back was set (from factory) by default to accept remote bios upgrades. That seemed a bit spooky back then, but maybe it's still the case on business-targeted hardware just to aid easy rollouts in large environments?
"network cards" ? Posted May 29, 2008 8:36 UTC (Thu) by tialaramex (subscriber, #21167) [Link] Jake, when I look at Rich Smith's work, what I see is someone attacking embedded software /via/ the network card, but only in the same sense that someone connects to your SSH daemon /via/ the network card. So Rich Smith's scenario is at most a timely reminder that if you buy a black box and plug it into your network it's still a black box and might do (or fail to do) anything depending on what goofs the designer made. Since he's from HP I'd guess he was interested in this from the point of view of either their office router products (if sending nonsense to a router not only crashes it, but permanently disables it, that's a pretty serious flaw) or their printers (there's a good "protection money" option there, once you demo it on one printer that's vulnerable the victim has no way to know how many more you could hit, so they might pay even if actually you can only take out a few of the more expensive ones). The Arrigo Triulzi thing is a third hand report, it could be anything. I'm not ruling out the idea that some fancy network cards might incorporate a remote firmware feature per se, but the idea that cards which have flash storage updated over the network are "typical" requires a lot more than a hand-waving claim as made in the second paragraph. That's an expensive feature to silently include in millions of $5-10 products and never bother to mention in the manual. Right now it's a bit like walking out of a James Bond movie and declaring "Well, all cars have a missile launcher of course, but the movie doesn't really show exactly how to operate it so I guess that part will remain a mystery".
What is exactly new in this? Posted May 29, 2008 9:54 UTC (Thu) by ebirdie (subscriber, #512) [Link] With first passing read of the article I couldn't get clear picture, what is exactly new here? There have already been Windows viruses writing to BIOS flash and causing obvious havoc. A year or two ago there was the issue with an wireless adapter firmware cracked to allow access onto an OS X desktop. Is the news here that there is new methods to inject trojan firmware into a running system through remote update mechanisms? Is the increased activity and knowledge in cracking closed source binary blobs (from Windows to firmwares) causing this kind of security vulnerability as a real thread to be taken more into account? Or is it that there quite often plenty space in flash to add unwanted binary and one could only need few hooks into the real firmware code to make it as a trojan firmware?
Network reflash Posted Jun 5, 2008 11:51 UTC (Thu) by ringerc (subscriber, #3071) [Link] It appears that some NICs can be reflashed over the network with no interaction by the host OS required. The creation of malicious firmware images for such devices is what's new. The very idea is stupid anyway. If you want to flash a bunch of NICs in bulk the right way to do that is to have management software running at the OS level that can properly authenticate the request and then program the flash locally. Just imagine the "fun" involved if someone attacked an iSCSI SAN with this.
Attacking network cards Posted May 29, 2008 11:31 UTC (Thu) by NRArnot (subscriber, #3033) [Link] A long time ago, firmware used to have a write-enable jumper. Time to reinstate it? To avoid the inconvenience of having to take the covers off a system and rummage in its innards, it would be an improvement to design the write-protect for each card (motherboard BIOS, ethernet, RAID controller ...) to have a standard header capable of connection in parallel with all the others. Then, a system builder could connect them all together and have a single firmware-write-enable switch on the outside of the system. Arguments over whether the jumper should be shipped enabled or disabled are much preferable to not having a disable at all!
|
|||||||||||||