Attacking network cards

Posted May 29, 2008 4:53 UTC (Thu) by ikm (subscriber, #493)
Parent article: Attacking network cards

> you simply overwrite the firmware in both NICs

No, really, how is that -- you simply overwrite it? Which cards allow this and how do they
check for the firmware's authenticity?


Attacking network cards

Posted May 29, 2008 7:45 UTC (Thu) by jengelh (subscriber, #33263)

RealTek cards with an EEPROM (does not work with EPROMs :-)) can be reprogrammed with a
DOS tool, so the answer to your first question is: inb and outb.
Of course, that requires that someone has access to the box itself first. As for remote
updates (as the article mentions), you probably just upload the new firmware through telnet, tftp
or a web interface. If you are lucky, it may be SSL'ed.
Authenticity? What authenticity? Only a checksum on the file to make sure it was not corrupted
during the transfer, but other than that, perhaps a username/password for login, but otherwise,
nope.
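The distinction jengelh draws above, that a checksum catches transfer corruption but says nothing about who produced the image, as an added example (not code from this thread or from any vendor's update tool). The image layout and the vendor key are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature a real vendor would use.

```python
"""Checksum vs. authenticity check on a firmware image (added example).

Constructed layout: 8-byte magic, 4-byte LE payload length, payload, 4-byte
CRC32 trailer. HMAC stands in for a real vendor's asymmetric signature.
"""
import hashlib
import hmac
import struct
import zlib

MAGIC = b"FWIMG001"                        # constructed header marker
VENDOR_KEY = b"constructed-vendor-secret"  # stand-in for the vendor's signing key


def build_image(payload: bytes) -> bytes:
    """Produce an image whose only integrity check is the CRC32 trailer."""
    body = MAGIC + struct.pack("<I", len(payload)) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def crc_ok(image: bytes) -> bool:
    """The transfer-corruption check: recompute CRC32 over all but the trailer."""
    body, trailer = image[:-4], image[-4:]
    return struct.unpack("<I", trailer)[0] == zlib.crc32(body)


def sign_image(image: bytes) -> bytes:
    """Vendor side: append a 32-byte HMAC-SHA256 tag over the whole image."""
    return image + hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def signature_ok(signed: bytes) -> bool:
    """Device side: recompute the tag and compare in constant time."""
    image, tag = signed[:-32], signed[-32:]
    expected = hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    """Compare what each check says about a genuine and an altered image."""
    genuine = build_image(b"genuine firmware payload")
    signed = sign_image(genuine)
    # Anyone can rebuild the image with a different payload and a fresh CRC,
    # but cannot produce a valid tag without VENDOR_KEY; reusing the old tag fails.
    altered = build_image(b"modified firmware payload")
    forged = altered + signed[-32:]
    return {
        "genuine_crc": crc_ok(genuine),       # True
        "altered_crc": crc_ok(altered),       # True: the CRC cannot tell the difference
        "genuine_sig": signature_ok(signed),  # True
        "forged_sig": signature_ok(forged),   # False: tag does not cover the altered image
    }
```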

Attacking network cards

Posted May 29, 2008 14:55 UTC (Thu) by ikm (subscriber, #493)

What the article mentions is some sort of remote firmware upgrade mechanism evidently provided by
the card itself, without any sort of OS required to assist. No network card by itself would
really provide any high-level interface, such as telnet or tftp, for that. It would probably
rather be raw ethernet frames.

The article seems scarce on this kind of exact detail, though, which is why I was asking.

Attacking network cards

Posted May 30, 2008 20:21 UTC (Fri) by drag (subscriber, #31333)

I presumed that if faulty firmware can be 'fuzzed' to produce exploits then one of those
exploits could be overwriting the firmware on the card itself.

I don't see how big of a difference it would be to find an exploitable hole in an OS driver or
firmware for a network card and then write new firmware, as long as it is possible for the
OS or card itself to write new firmware.

(Kinda interesting because that 'open' firmware code is something that RMS and his fan club
have been clamoring for if the card itself is writable. Open firmware could be required to
produce effective defenses against these sorts of attacks.)

And it's common for wireless drivers to have loadable firmware anyway (more sophisticated
wired ethernet cards shouldn't be too far behind), so if you get system access then you could
hack the card's firmware (either in a file on Linux or embedded in the driver binary for
Windows) to do all sorts of nasty stuff. That way, depending on your goal (say you want
network access, but you don't care about 'owning' the access point), you could stealthily
introduce a firmware hack that would allow you to get WPA keys, sniff traffic, or something
like that if you send a specially crafted packet.

Attacking network cards

Posted May 29, 2008 18:18 UTC (Thu) by smoogen (subscriber, #97)

Many cards allow for this these days. Most of it comes from using FPGAs and similar things to
go faster than other chips allow and needing to send out updates because your code has a bug
in it somewhere. When most cards have programmable chips on them, then you have multiple
computers that may or may not be under your control.

Attacking network cards

Posted May 29, 2008 20:48 UTC (Thu) by dlang (✭ supporter ✭, #313)

Many cards allow for updates from the system they are plugged into, not from remote systems.

If a hacker takes over your machine and becomes root (which is necessary to modify the card
from your machine) there are lots of nooks and crannies in the system he can hide stuff in; this
is just one more of them (including modifying the BIOS of most modern motherboards).

The network cards are not special unless they have some bug in them that allows for
modification remotely.

For many cards, they don't store the firmware on the card itself; it's downloaded from the OS
at boot time, so if the hacker can modify your kernel they can modify the firmware on the card
next time you boot (but they can also modify anything else in your kernel, so why would they
go to the trouble of targeting a specific piece of hardware when they can do it all from the
common x86 compatible CPU).

Attacking network cards

Posted May 29, 2008 23:09 UTC (Thu) by ikm (subscriber, #493)

This is all true, of course; it's just that the parent article mentioned something about updating
cards "across the wire". Presumably meaning remotely, and, well, probably not just over SSH,
or else what's the point of mentioning it? If you've got root already then of course you can
ruin the system.

Attacking network cards

Posted May 30, 2008 8:06 UTC (Fri) by ebirdie (subscriber, #512)

dlang: "they can also modify anything else in your kernel, so why would they
go to the trouble of targeting a specific piece of hardware when they can do it all from the
common x86 compatible cpu"

To make malware resistant to software reinstall on hardware with some reprogrammable memory.
If firmware malware works badly, it makes a normal administrator trash the hardware. If
firmware malware works fine, it sits there for a long time and is resistant to many current and
common schemes to prevent and detect malware. Not many of us reflash hardware that has
worked fine. At least it goes quite far beyond current threat models.

I think the scope of the target doesn't have to be limited to specific hardware, but to cracking
software, which can be run once on a compromised system. The software could know about more
hardware.

Copyright © 2013, Eklektix, Inc.