
Attacking network cards

Attacking network cards

Posted May 29, 2008 7:45 UTC (Thu) by jengelh (subscriber, #33263)
In reply to: Attacking network cards by ikm
Parent article: Attacking network cards

RealTek cards with an EEPROM (it does not work with EPROMs :-)) can be reprogrammed with a
DOS tool, so the answer to your first question is: inb and outb.
Of course, that requires that someone has access to the box itself first. As for remote
updates—as the article mentions—you probably just upload the new firmware through telnet, tftp
or a web interface. If you are lucky, it may be SSL'ed.
Authenticity? What authenticity? Only a checksum on the file to make sure it was not corrupted
during the transfer, but other than that, perhaps a username/password for login, but otherwise,

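The point in the comment above, that a checksum on the uploaded file protects against transfer corruption and nothing else, is easy to show concretely. The following is an added example written for this page; it is not code from the thread, from RealTek or from any update tool. It constructs a made-up firmware image that carries a CRC-32 trailer (standing in for the "checksum on the file"), has the attacker patch the image and then append four bytes computed so the CRC still matches, and contrasts that with an authenticity check. The image contents, the patched string and the update key are all constructed for the example, and the HMAC stands in for the public-key signature a real design would use.

```python
"""Added example: a checksum on a firmware image is integrity, not authenticity.

Constructed data throughout; the HMAC is a stand-in for a real signature.
"""
import hashlib
import hmac
import zlib

MASK = 0xFFFFFFFF
POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses

# Byte-wise CRC table and its inverse keyed by the top byte. The top bytes of
# the 256 entries are a permutation of 0..255, which is what makes forging
# a 4-byte suffix possible.
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256  # the permutation property the forging step relies on


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target."""
    reg = zlib.crc32(data) ^ MASK   # zlib's internal register after `data`
    want = target ^ MASK            # register value that finalises to `target`
    # Walk backwards from the wanted register to recover the four table
    # indices; at each step only the top byte is needed to pick the index.
    idx = [0] * 4
    back = want
    for k in range(3, -1, -1):
        idx[k] = REV[back >> 24]
        back = ((back ^ TABLE[idx[k]]) << 8) & MASK
    # Walk forwards from the real register, turning each index into the
    # input byte that selects it (table index = low byte of reg ^ byte).
    out = bytearray()
    for k in range(4):
        out.append((reg ^ idx[k]) & 0xFF)
        reg = TABLE[idx[k]] ^ (reg >> 8)
    return bytes(out)


# Constructed firmware image: a header string followed by filler "code".
FIRMWARE = b"RTL fw 1.0 boot=dhcp\x00" + bytes(range(64))
FIRMWARE_CRC = zlib.crc32(FIRMWARE)        # the trailer the card would check
UPDATE_KEY = b"per-device-key (assumed)"   # hypothetical shared key for the example
FIRMWARE_TAG = hmac.new(UPDATE_KEY, FIRMWARE, hashlib.sha256).digest()


def checksum_ok(image: bytes, expected_crc: int) -> bool:
    """The integrity-only check the comment describes."""
    return zlib.crc32(image) == expected_crc


def authentic_ok(image: bytes, tag: bytes, key: bytes = UPDATE_KEY) -> bool:
    """An authenticity check: the tag cannot be recomputed without the key."""
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def tamper(image: bytes, expected_crc: int) -> bytes:
    """Attacker's side: change the image, then append 4 bytes so the CRC still matches."""
    patched = image.replace(b"boot=dhcp", b"boot=evil")
    return patched + forge_crc32_suffix(patched, expected_crc)


if __name__ == "__main__":
    evil = tamper(FIRMWARE, FIRMWARE_CRC)
    print("tampered image passes checksum:", checksum_ok(evil, FIRMWARE_CRC))
    print("tampered image passes HMAC:    ", authentic_ok(evil, FIRMWARE_TAG))
```

The forging step is the general CRC-32 suffix construction, not something specific to this image: any 32-bit CRC can be steered to any value with four free bytes, so a CRC (or any other plain checksum) says nothing about who produced the file. The HMAC version fails on the tampered image because the tag depends on a key the attacker does not hold; a deployed update path would use a public-key signature so that the verifying key stored on the card need not be secret.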

Attacking network cards

Posted May 29, 2008 14:55 UTC (Thu) by ikm (subscriber, #493) [Link]

What the article mentions is some sort of remote firmware upgrade mechanism evidently provided by
the card itself, without any sort of OS required to assist. No network card by itself would
really provide any high-level interface, such as telnet or tftp, for that. It would probably
rather be raw ethernet frames.

The article seems scarce on these kinds of exact details, though, that's why I was asking.

Attacking network cards

Posted May 30, 2008 20:21 UTC (Fri) by drag (subscriber, #31333) [Link]

I presumed that if faulty firmware can be 'fuzzed' to produce exploits then one of those
exploits could be overwriting the firmware on the card itself.

I don't see how big of a difference it would be to find an exploitable hole in an OS driver or
firmware for a network card and then write new firmware, as long as it is possible for the
OS or card itself to write new firmware.

(Kinda interesting because that 'open' firmware code is something that RMS and his fan club
have been clamoring for if the card itself is writable. Open firmware could be required to
produce effective defenses against these sorts of attacks)

And it's common for wireless drivers to have loadable firmware anyway (more sophisticated
wired ethernet cards shouldn't be too far behind), so if you get system access then you could
hack the card's firmware (either in a file on Linux or embedded in the driver binary for
Windows) to do all sorts of nasty stuff. That way, depending on your goal (say you want
network access, but you don't care about 'owning' the access point), you could stealthily
introduce a firmware hack that would allow you to get WPA keys, sniff traffic, or something
like that if you send a specially crafted packet.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds