Attacking network cards
When considering the vulnerabilities of a system, the hardware is usually ignored. Software certainly presents the biggest target—fairly easily exploited as we have seen—but a new class of attacks goes directly at the hardware, specifically network cards. The results can range from a permanent denial-of-service to a complete compromise of the card's function.
One researcher has overly cutely dubbed this kind of attack "phlashing" because it attacks the firmware on the card, which is typically stored in flash. The basic idea is that an attacker will rewrite the firmware using an image under their control. That image could do any number of fairly nasty things to the card.
Two separate researchers have recently reported on their explorations into this type of attack. Arrigo Triulzi's posting to the, evidently private, Robust Open Source mailing list was reported on Ben Laurie's weblog. Rich Smith of HP also gave a talk on his PhlashDance fuzzing tool at the EuSecWest conference. In both cases, network devices were compromised via insecure remote firmware update capabilities.
Smith's research focuses on causing permanent denial-of-service through overwriting the firmware, presumably with garbage. At that point, the card will no longer function and may, in fact, no longer be able to be updated—remotely or locally—which turns it into a paperweight. More importantly, no network traffic can use the device, so if it is situated in a critical router, for example, it could affect a large number of systems.
A more insidious attack is described by Triulzi. He replaces the firmware with new code, effectively reprogramming the device to do whatever he wants. One of the attacks goes like this:
An additional trick, noted by Laurie and others, is to use those same techniques to read or write the main memory of the host computer. This could certainly allow sensitive information to leak—or the host itself to be compromised. As Laurie says: "You might even be able to read disk, too, depending on the disk controller."
This is truly frightening stuff that is flying under the radar of most network administrators. There are no known attacks in the wild, but it would seem only a matter of time before that happens. This is definitely something to keep an eye on.
Other than avoiding vulnerable network hardware—lists of which do not seem to be available from either researcher—there doesn't seem to be much that can be done to deal with phlashing attacks. A properly programmed I/O memory management unit (IOMMU) might alleviate some of the worst cases by disallowing DMA outside of approved ranges, but card vendors need to make updates more difficult. It might be more convenient for an administrator of a large network to update multiple cards across the wire, but the price paid for that convenience seems too high.
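A worked illustration of the distinction the article draws between updates guarded only against corruption and updates that must prove their origin. This is an added example, not code from the article or from either researcher's tooling; the image layout, the `NICF` magic and the update key are constructed for the demo, and an HMAC stands in for the public-key signature a real card design would use.

```python
import hmac, hashlib, struct, zlib

# Constructed image layout (hypothetical, not any vendor's format):
#   magic(4) | version(u32) | payload_len(u32) | crc32(u32) | payload | tag(32)
MAGIC = b"NICF"
# Hypothetical device-held update key, constructed for this demo. A real design
# would use a public-key signature so no secret needs to live on the card.
UPDATE_KEY = b"constructed-demo-key-not-for-real-use"

def build_image(version, payload, key=UPDATE_KEY):
    header = MAGIC + struct.pack("<III", version, len(payload), zlib.crc32(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify_checksum_only(image):
    """Checksum-style acceptance: a CRC detects transfer corruption, nothing more."""
    if len(image) < 16 or image[:4] != MAGIC:
        return False, "bad header"
    _version, length, crc = struct.unpack("<III", image[4:16])
    payload = image[16:16 + length]
    if len(payload) != length or zlib.crc32(payload) != crc:
        return False, "crc mismatch"
    return True, "accepted"

def verify_authenticated(image, installed_version, key=UPDATE_KEY):
    """Hardened acceptance: structure and CRC, then origin tag, then anti-rollback."""
    ok, why = verify_checksum_only(image)
    if not ok:
        return False, why
    version, length, _ = struct.unpack("<III", image[4:16])
    body, tag = image[:16 + length], image[16 + length:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(tag) != 32 or not hmac.compare_digest(tag, expected):
        return False, "authentication failed"
    if version <= installed_version:
        return False, "rollback refused"
    return True, "accepted"

def rewritten_in_transit(image, new_payload):
    """What a checksum cannot catch: a substituted payload with its CRC recomputed."""
    version = struct.unpack("<I", image[4:8])[0]
    header = MAGIC + struct.pack("<III", version, len(new_payload), zlib.crc32(new_payload))
    return header + new_payload + image[-32:]
```

The checksum-only verifier accepts the rewritten image as readily as the genuine one; only the authenticated verifier refuses it, and it also refuses a genuine but older image.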
Attacking network cards
Posted May 29, 2008 4:53 UTC (Thu) by ikm (guest, #493)
> you simply overwrite the firmware in both NICs
No, really, how is that -- you simply overwrite it? Which cards allow this and how do they check for the firmware's authenticity?
Attacking network cards
Posted May 29, 2008 7:45 UTC (Thu) by jengelh (guest, #33263)
RealTek cards with an EEPROM (does not work with EPROMs :-)) can be reprogrammed with a DOS tool, so the answer to your first question is: inb and outb.
Of course, that requires that someone has access to the box itself first. As for remote updates, as the article mentions, you probably just upload the new firmware through telnet, tftp or a web interface. If you are lucky, it may be SSL'ed.
Authenticity? What authenticity? Only a checksum on the file to make sure it was not corrupted during the transfer, but other than that, perhaps a username/password for login, but otherwise, nope.
Attacking network cards
Posted May 29, 2008 14:55 UTC (Thu) by ikm (guest, #493)
What the article mentions is some sort of remote firmware upgrade mechanism evidently provided by the card itself, without any sort of OS required to assist. No network card by itself would really provide any high-level interface, such as telnet or tftp, for that. It would probably rather be raw ethernet frames.
The article seems scarce on these kinds of exact details, though; that's why I was asking.
Attacking network cards
Posted May 30, 2008 20:21 UTC (Fri) by drag (guest, #31333)
I presumed that if faulty firmware can be 'fuzzed' to produce exploits, then one of those exploits could be overwriting the firmware on the card itself.
I don't see how big of a difference it would be to find an exploitable hole in an OS driver or firmware for a network card and then write new firmware, as long as it is possible for the OS or card itself to write new firmware.
(Kinda interesting because that 'open' firmware code is something that RMS and his fan club have been clamoring for, if the card itself is writable. Open firmware could be required to produce effective defenses against these sorts of attacks.)
And it's common for wireless drivers to have loadable firmware anyway (more sophisticated wired ethernet cards shouldn't be too far behind), so if you get system access then you could hack the card's firmware (either in a file on Linux or embedded in the driver binary for Windows) to do all sorts of nasty stuff. That way, depending on your goal (say you want network access, but you don't care about 'owning' the access point), you could stealthily introduce a firmware hack that would allow you to get WPA keys, sniff traffic, or something like that if you send a specially crafted packet.
Attacking network cards
Posted May 29, 2008 18:18 UTC (Thu) by smoogen (subscriber, #97)
Many cards allow for this these days. Most of it comes from using FPGAs and similar things to go faster than other chips allow and needing to send out updates because your code has a bug in it somewhere. When most cards have programmable chips on them, then you have multiple computers that may or may not be under your control.
Attacking network cards
Posted May 29, 2008 20:48 UTC (Thu) by dlang (guest, #313)
Many cards allow for updates from the system they are plugged into, not from remote systems.
If a hacker takes over your machine and becomes root (which is necessary to modify the card from your machine) there are lots of nooks and crannies in the system he can hide stuff in; this is just one more of them (including modifying the BIOS of most modern motherboards).
The network cards are not special unless they have some bug in them that allows for modification remotely.
For many cards, they don't store the firmware on the card itself; it's downloaded from the OS at boot time, so if the hacker can modify your kernel they can modify the firmware on the card next time you boot (but they can also modify anything else in your kernel, so why would they go to the trouble of targeting a specific piece of hardware when they can do it all from the common x86 compatible CPU?)
Attacking network cards
Posted May 29, 2008 23:09 UTC (Thu) by ikm (guest, #493)
All of this is true, of course; it's just that the parent article mentioned something about updating cards "across the wire", presumably meaning remotely, and, well, probably not just over SSH, or else what's the point of mentioning it? If you've got root already then of course you can ruin the system.
Attacking network cards
Posted May 30, 2008 8:06 UTC (Fri) by ebirdie (guest, #512)
dlang: "they can also modify anything else in your kernel, so why would they go to the trouble of targeting a specific piece of hardware when they can do it all from the common x86 compatible cpu"
To make malware resistant to a software reinstall on hardware with some reprogrammable memory. If firmware malware works badly, it makes a normal administrator trash the hardware. If firmware malware works fine, it sits there for a long time and is resistant to many current and common schemes to prevent and detect malware. Not many of us reflash hardware which has worked fine. At least it goes quite far away from current threat models.
I think the scope of target doesn't have to be limited to specific hardware, but to cracking software, which can be run once on a compromised system. The software could know more hardware.
Attacking network cards
Posted May 29, 2008 8:31 UTC (Thu) by plundra (guest, #51099)
It sounds like this is possible on an already booted machine, remotely, without any software on the host machine? If that's really the case... Let's buy some fast GPIO interfaces and bit-bang everything from software within our control :)
On a similar matter, a friend of mine's X31 a few years back was set (from the factory) by default to accept remote BIOS upgrades. That seemed a bit spooky back then, but maybe it's still the case on business-targeted hardware just to aid easy rollouts in large environments?
"network cards"?
Posted May 29, 2008 8:36 UTC (Thu) by tialaramex (subscriber, #21167)
Jake, when I look at Rich Smith's work, what I see is someone attacking embedded software /via/ the network card, but only in the same sense that someone connects to your SSH daemon /via/ the network card. So Rich Smith's scenario is at most a timely reminder that if you buy a black box and plug it into your network it's still a black box and might do (or fail to do) anything depending on what goofs the designer made. Since he's from HP I'd guess he was interested in this from the point of view of either their office router products (if sending nonsense to a router not only crashes it, but permanently disables it, that's a pretty serious flaw) or their printers (there's a good "protection money" option there: once you demo it on one printer that's vulnerable the victim has no way to know how many more you could hit, so they might pay even if actually you can only take out a few of the more expensive ones).
The Arrigo Triulzi thing is a third-hand report; it could be anything.
I'm not ruling out the idea that some fancy network cards might incorporate a remote firmware feature per se, but the idea that cards which have flash storage updated over the network are "typical" requires a lot more than the hand-waving claim made in the second paragraph. That's an expensive feature to silently include in millions of $5-10 products and never bother to mention in the manual. Right now it's a bit like walking out of a James Bond movie and declaring "Well, all cars have a missile launcher of course, but the movie doesn't really show exactly how to operate it so I guess that part will remain a mystery".
What is exactly new in this?
Posted May 29, 2008 9:54 UTC (Thu) by ebirdie (guest, #512)
On a first passing read of the article I couldn't get a clear picture: what exactly is new here? There have already been Windows viruses writing to BIOS flash and causing obvious havoc. A year or two ago there was the issue with a wireless adapter firmware cracked to allow access onto an OS X desktop.
Is the news here that there are new methods to inject trojan firmware into a running system through remote update mechanisms? Is the increased activity and knowledge in cracking closed source binary blobs (from Windows to firmwares) causing this kind of security vulnerability to be taken more into account as a real threat? Or is it that there is quite often plenty of space in flash to add unwanted binary and one would only need a few hooks into the real firmware code to make it a trojan firmware?
Network reflash
Posted Jun 5, 2008 11:51 UTC (Thu) by ringerc (subscriber, #3071)
It appears that some NICs can be reflashed over the network with no interaction by the host OS required. The creation of malicious firmware images for such devices is what's new.
The very idea is stupid anyway. If you want to flash a bunch of NICs in bulk, the right way to do that is to have management software running at the OS level that can properly authenticate the request and then program the flash locally.
Just imagine the "fun" involved if someone attacked an iSCSI SAN with this.
Attacking network cards
Posted May 29, 2008 11:31 UTC (Thu) by NRArnot (subscriber, #3033)
A long time ago, firmware used to have a write-enable jumper. Time to reinstate it?
To avoid the inconvenience of having to take the covers off a system and rummage in its innards, it would be an improvement to design the write-protect for each card (motherboard BIOS, ethernet, RAID controller ...) to have a standard header capable of connection in parallel with all the others. Then a system builder could connect them all together and have a single firmware-write-enable switch on the outside of the system.
Arguments over whether the jumper should be shipped enabled or disabled are much preferable to not having a disable at all!