By Jake Edge
January 9, 2013
When using whole-disk encryption, it's sometimes tempting to be less
concerned about attacks requiring physical presence. After all, putting
a laptop to sleep is quite convenient, even though attacks like "Evil Maid" or "Cold Boot" are
possible. A more recent attack just adds another worry to that list.
Inception is a
tool released in 2011 that uses Firewire direct memory access
(DMA) to access the memory of a sleeping (or simply powered-on, but locked)
system. While it is an older tool, Inception recently got a notoriety boost from Cory
Doctorow at Boing Boing, which is where I came across it. It is a
rather interesting attack, and one that isn't really exploiting a bug.
In order to facilitate high-speed transfers, Firewire (aka IEEE 1394)
requires the availability of a DMA mode. DMA allows the Firewire
controller to directly access system memory, bypassing the CPU. While
removing the potential bottleneck of the CPU does make transfers faster, it
also opens up the contents of memory for any Firewire device to inspect or
modify.
This is the same memory that contains various things of interest, including
the code to check passwords.
It is the password-checking code that Inception targets. When the
incept program is run, it will patch the
Linux, Windows, or Mac OS X code running on the system
such that any password can be used to log in. After that, one can
log in as root (or Administrator) without need for the password—the
system is fully compromised. Since the patching is in memory only, though,
the change disappears at the next reboot, which may make it more difficult
to detect.
Inception doesn't require a Firewire interface on the targeted system, just
some way to add one (e.g. PCMCIA, ExpressCard). Typically, the system will
detect the Firewire device being added and helpfully install the drivers
needed. The attacker's machine, which is attached to the victim over the
Firewire interface, then sends commands to enable DMA mode. From there,
the program looks for signatures of password authentication modules and
patches any it finds.
There are, of course, other things one can do with access to the memory,
including dumping its contents for use later on. The system memory may well
contain information of interest, for example
credentials of various sorts. Patching other parts of the operating system
is possible as well, and the incept program has support for
using custom signatures and patches. Inception is useful for more than
just attacks, as it can be used to help analyze any running
system—one that has been compromised for example.
The attack code runs on Linux or OS X systems. It requires Python 3
and libforensic1394.
Unsurprisingly, there are some caveats. Targets with more
than 4G of RAM may not be attacked reliably because DMA is limited to the
low 4G and the code of interest might be loaded higher up. In addition,
certain OS X targets may repel the attack by disabling DMA under
certain circumstances (like sleeping).
One obvious mitigation for Linux is to disable the Firewire drivers for
systems that aren't using them. One could, instead, disable Firewire DMA
when the drivers are loaded, but if Firewire is actually being used, that
will clearly impact performance.
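A defender-side check for the Linux mitigation just described, added here as an example (it is not from the article or from the Inception project): it reads lsmod or /proc/modules style input, reports any loaded Firewire driver modules, and prints a modprobe.d blacklist that also blocks explicit module loads. The module names are the usual Linux ones (an assumption) and the lsmod output is constructed.

```shell
#!/bin/sh
# Added example (not from the LWN article or the Inception project): audit a
# Linux host for loaded IEEE 1394 (Firewire) driver modules and emit a modprobe
# blacklist so that a hot-plugged Firewire card no longer gets a driver, which
# is the "disable the Firewire drivers" mitigation described in the article.

# Module names of the current "firewire" stack and the older ieee1394 stack.
# (Assumed list of the usual Linux module names; adjust for your kernel.)
FIREWIRE_MODULES="firewire_ohci firewire_core firewire_sbp2 firewire_net ohci1394 ieee1394 sbp2 raw1394"

# Read lsmod or /proc/modules style lines from stdin and print every Firewire
# module found, one per line. Exit status 0 if any was found, 1 otherwise.
loaded_firewire_modules() {
    found=1
    while read -r name _rest; do
        for m in $FIREWIRE_MODULES; do
            if [ "$name" = "$m" ]; then
                printf '%s\n' "$name"
                found=0
            fi
        done
    done
    return $found
}

# Print the contents of an /etc/modprobe.d/blacklist-firewire.conf.
# "blacklist" only stops autoloading on device detection; the "install ...
# /bin/false" line also makes an explicit modprobe fail, so neither the
# hot-plug path nor a later request can bring the driver back.
firewire_blacklist_conf() {
    for m in $FIREWIRE_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Constructed sample of lsmod output from a laptop with a Firewire controller.
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          40960  0
firewire_core          65536  1 firewire_ohci
e1000e                245760  0'

# Demonstration on the sample; for a real audit feed it /proc/modules instead.
if printf '%s\n' "$SAMPLE_LSMOD" | loaded_firewire_modules >/dev/null; then
    echo "Firewire drivers loaded; suggested /etc/modprobe.d/blacklist-firewire.conf:"
    firewire_blacklist_conf
fi
```

Blacklisting only removes the driver; a system that genuinely needs Firewire has to accept the DMA exposure or the performance cost of turning DMA off, as the article notes.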
Inception serves as a nice reminder that a powered-on system is
vulnerable to many "physically present" kinds of attacks—even if the disk is encrypted.
Brief items
DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.
-- Ed Felten makes predictions for 2013
At a recent conference on the security of connected devices, [Columbia PhD candidate Ang] Cui demonstrated how they can easily insert malicious code into a Cisco VoIP phone (any of the 14 Cisco Unified IP Phone models) and start eavesdropping on private conversations -- not just on the phone but also in the phone's surroundings -- from anywhere in the world.
"It's not just Cisco phones that are at risk. All VoIP phones are particularly problematic since they are everywhere and reveal our private communications," says [Columbia professor Salvatore] Stolfo. "It's relatively easy to penetrate any corporate phone system, any government phone system, any home with Cisco VoIP phones -- they are not secure."
-- Science Daily
Two new vulnerabilities (CVE-2013-0156, CVE-2013-0155) have been reported in the Ruby on Rails web framework. CVE-2013-0156 is considered a critical vulnerability that should be patched or worked around immediately ("allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application"), while CVE-2013-0155 can alter some SQL queries when JSON parameter parsing is used. They are different from the SQL injection we reported on January 3. More information on -0156 can be found in this analysis.
New vulnerabilities
cups: unauthorized access to administration interface
| Package(s): | cups |
| CVE #(s): | CVE-2012-6094 |
| Created: | January 7, 2013 |
| Updated: | April 5, 2013 |
| Description: | From the Mageia advisory: |
During the process of CUPS socket activation code refactoring in favor of systemd capability, a security flaw was found in the way the CUPS service honored the Listen localhost:631 cupsd.conf configuration option. The setting was recognized properly for IPv4-enabled systems, but failed to be correctly applied for IPv6-enabled systems. As a result, a remote attacker could use this flaw to obtain (unauthorized) access to the CUPS web-based administration interface.
dovecot: denial of service
| Package(s): | dovecot |
| CVE #(s): | CVE-2012-5620 |
| Created: | January 7, 2013 |
| Updated: | January 9, 2013 |
| Description: | From the Red Hat bugzilla: |
Dovecot 2.1.11 was released and includes a fix for a crash condition when the IMAP server was issued a SEARCH command with multiple KEYWORD parameters. An authenticated remote user could use this flaw to crash Dovecot.
freeciv: denial of service
| Package(s): | freeciv |
| CVE #(s): | CVE-2012-5645 |
| Created: | January 7, 2013 |
| Updated: | January 15, 2013 |
| Description: | From the Red Hat bugzilla: |
A denial of service flaw was found in the way the server component of Freeciv, a turn-based, multi-player, X based strategy game, processed certain packets (invalid packets with whole packet length lower than packet header size, or syntactically valid packets whose processing would lead to an infinite loop). A remote attacker could send a specially-crafted packet that, when processed, would lead the freeciv server to terminate (due to memory exhaustion) or become unresponsive (due to excessive CPU use).
inkscape: denial of service
| Package(s): | inkscape |
| CVE #(s): | CVE-2012-5656 |
| Created: | January 7, 2013 |
| Updated: | February 14, 2013 |
| Description: | From the Red Hat bugzilla: |
An XML eXternal Entity (XXE) flaw was found in the way Inkscape, a vector-based drawing program using SVG as its native file format, performed rasterization of certain SVG images. A remote attacker could provide a specially-crafted SVG image that, when opened in inkscape, would lead to arbitrary local file disclosure or denial of service.
mozilla: multiple vulnerabilities
| Package(s): | firefox thunderbird |
| CVE #(s): | CVE-2013-0749, CVE-2013-0770, CVE-2013-0760, CVE-2013-0761, CVE-2013-0763, CVE-2013-0771, CVE-2012-5829, CVE-2013-0768, CVE-2013-0764, CVE-2013-0745, CVE-2013-0747, CVE-2013-0752, CVE-2013-0757, CVE-2013-0755, CVE-2013-0756, CVE-2013-0743 |
| Created: | January 9, 2013 |
| Updated: | February 18, 2013 |
| Description: | From the Ubuntu advisory: |
Christoph Diehl, Christian Holler, Mats Palmgren, Chiaki Ishikawa, Bill Gianopoulos, Benoit Jacob, Gary Kwong, Robert O'Callahan, Jesse Ruderman, and Julian Seward discovered multiple memory safety issues affecting Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2013-0769, CVE-2013-0749, CVE-2013-0770)
Abhishek Arya discovered several use-after-free and buffer overflows in Firefox. An attacker could exploit these to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2013-0760, CVE-2013-0761, CVE-2013-0762, CVE-2013-0763, CVE-2013-0766, CVE-2013-0767, CVE-2013-0771, CVE-2012-5829)
A stack buffer was discovered in Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2013-0768)
Jerry Baker discovered that Firefox did not always properly handle threading when performing downloads over SSL connections. An attacker could exploit this to cause a denial of service via application crash. (CVE-2013-0764)
Olli Pettay and Boris Zbarsky discovered flaws in the JavaScript engine of Firefox. An attacker could cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2013-0745, CVE-2013-0746)
Jesse Ruderman discovered a flaw in the way Firefox handled plugins. If a user were tricked into opening a specially crafted page, a remote attacker could exploit this to bypass security protections to conduct clickjacking attacks. (CVE-2013-0747)
Sviatoslav Chagaev discovered that Firefox did not properly handle XBL files with multiple XML bindings with SVG content. An attacker could cause a denial of service via application crash, or potentially execute code with the privileges of the user invoking Firefox. (CVE-2013-0752)
Mariusz Mlynski discovered two flaws to gain access to privileged chrome functions. An attacker could possibly exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2013-0757, CVE-2013-0758)
Several use-after-free issues were discovered in Firefox. If the user were tricked into opening a specially crafted page, an attacker could possibly exploit this to execute code with the privileges of the user invoking Firefox. (CVE-2013-0753, CVE-2013-0754, CVE-2013-0755, CVE-2013-0756)
Two intermediate CA certificates were mis-issued by the TURKTRUST certificate authority. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2013-0743)
mozilla: multiple vulnerabilities
| Package(s): | firefox thunderbird xulrunner seamonkey |
| CVE #(s): | CVE-2013-0744, CVE-2013-0746, CVE-2013-0748, CVE-2013-0750, CVE-2013-0753, CVE-2013-0754, CVE-2013-0758, CVE-2013-0759, CVE-2013-0762, CVE-2013-0766, CVE-2013-0767, CVE-2013-0769 |
| Created: | January 9, 2013 |
| Updated: | February 18, 2013 |
| Description: | From the Red Hat advisory: |
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2013-0744, CVE-2013-0746, CVE-2013-0750, CVE-2013-0753, CVE-2013-0754, CVE-2013-0762, CVE-2013-0766, CVE-2013-0767, CVE-2013-0769)
A flaw was found in the way Chrome Object Wrappers were implemented. Malicious content could be used to cause Firefox to execute arbitrary code via plug-ins installed in Firefox. (CVE-2013-0758)
A flaw in the way Firefox displayed URL values in the address bar could allow a malicious site or user to perform a phishing attack. (CVE-2013-0759)
An information disclosure flaw was found in the way certain JavaScript functions were implemented in Firefox. An attacker could use this flaw to bypass Address Space Layout Randomization (ASLR) and other security restrictions. (CVE-2013-0748)
openshift-origin-node-util: multiple vulnerabilities
| Package(s): | openshift-origin-node-util |
| CVE #(s): | CVE-2012-5646, CVE-2012-5647 |
| Created: | January 9, 2013 |
| Updated: | January 9, 2013 |
| Description: | From the Red Hat advisory: |
A flaw was found in the way the administrative web interface for restoring applications (restorer.php) processed options passed to it. A remote attacker could send a specially-crafted request to restorer.php that would result in the query string being parsed as command line options and arguments. This could lead to arbitrary code execution with the privileges of an arbitrary application. (CVE-2012-5646)
An open redirect flaw was found in restorer.php. A remote attacker able to trick a victim into opening the restorer.php page using a specially-crafted link could redirect the victim to an arbitrary page. (CVE-2012-5647)
php-pear-CAS: missing CN validation of CAS server certificate
| Package(s): | php-pear-CAS |
| CVE #(s): | CVE-2012-5583 |
| Created: | January 9, 2013 |
| Updated: | January 9, 2013 |
| Description: | From the Fedora advisory: |
* CVE-2012-5583 Missing CN validation of CAS server certificate [#58] (Joachim Fritschi)
rails: input validation error
| Package(s): | rails |
| CVE #(s): | CVE-2012-5664 |
| Created: | January 7, 2013 |
| Updated: | January 9, 2013 |
| Description: | From the Debian advisory: |
joernchen of Phenoelit discovered that rails, an MVC ruby based framework geared for web application development, is not properly treating user-supplied input to "find_by_*" methods. Depending on how the ruby on rails application is using these methods, this allows an attacker to perform SQL injection attacks, e.g., to bypass authentication if Authlogic is used and the session secret token is known.
See this advisory for more information, patches, and workarounds.
Page editor: Jake Edge