We at the Laboratory for Dependable Distributed Systems at RWTH Aachen University, Germany came across FireWire through a piece of software called FireStarter. As described by its author: “FireStarter is a hack that overwrites the screen memory of a victim Mac just by connecting it to the Mac running FireStarter with a FireWire cable. You don’t need to run any software on the target Mac. FireStarter won the Best Hack Contest at MacHack 2002.”
This got us thinking. Writing to screen memory just by connecting a FireWire cable? Uh? Only screen memory? Is reading also possible?
Getting FireStarter to work took us some time. It turned out that it doesn’t work with arbitrary Macs but uses hard-coded IDs, screen memory addresses and screen sizes. It also didn’t compile as we expected on our machines. But once we got it working, the results were impressive.
A lot of inspiration we drew from the announcement of FreeBSD’s FireWire driver in a post named “FireWire for kernel hackers” by Hidetoshi Shimokawa. The discussion that followed already outlined the security issues and possible solutions. Kerneltrap spread the word further and drew some comments. The real killer feature in FreeBSD is remote debugging via FireWire. At that time we had no FireWire-equipped FreeBSD machines, so we played around with other stuff in the meantime.
We then wrote some real FireWire code ourselves, which was somewhat of a pain. With hand-driven code we were able not only to read and write screen memory but also to patch process memory and process structures to get root access. We submitted our findings to PacSec core04 and got accepted. The organizers put out an advisory which spread widely and led to some discussion (bugtraq, the forensics mailing list, full disclosure, securiteam, zone-h, hack in the box and a somewhat mixed-up account of the advisory on some German Mac news site).
In one of the comments we were pointed to a page by Matt Johnston which suggests that by setting an OpenFirmware security-mode other than “none”, all physical memory access via FireWire is disabled. So far we haven’t verified this because we are reluctant to mess with OpenFirmware on our production machines.
This is the script of the demonstrations I created, mainly to help with the real-time translation at PacSec:
This describes the scenarios which will be shown in the demo of the
“0wned by an iPod – Hacking by FireWire” talk at PacSec 2004. The talk
will be given by Maximillian Dornseif. See http://pacsec.jp/ for more
The target is a FreeBSD 5.3 machine connected via FireWire to the
attacker machine. The attacker has only user-level access to the target. The
target is just booted up. On TTY1, X Windows is started via
./startx for user md. md is logged in via TTY2 at the console. The
attacker machine is a Mac OS X.3 Powerbook.
1. Demo – Screen dump via FireWire
The target is just booted up. The TTY is switched to TTY2. md is
logged in and displays the file secret.txt. We run
% python demo_textscreenread.py
and display the screen contents of the target machine on the attacker’s machine.
2. Demo – Screen blanking via FireWire
The target is switched to X Windows. X shows the Firefox web browser default
screen. We run
% python demo_screenblank.py
and part of the screen is blanked, showing that we can write arbitrary
values to screen (and other) memory.
3. Demo – Screen reading via FireWire
X stays as above, but we take steps to restore screen
memory (reload in Firefox). We call
% python demo_readscreen.py
% convert -depth 8 -size 1024x768 rgb:screen.raw screen.png
% open screen.png
An image of the target’s screen is displayed on the attacker’s machine.
4. Demo – Getting root
X is left and a shell on the console/TTY2 is open. Via the ‘id’ command the low
process credentials we have are shown. It is shown that /etc/master.passwd
cannot be read:
% cat /etc/master.passwd
On the attacker’s machine we start the process to get root:
% python demo_getroot.py
Back on the target it is shown that the process now runs as root /
Administrator and the protected file /etc/master.passwd can be viewed:
% cat /etc/master.passwd
Presentation finishes here.
The whole issue has now been assigned CAN-2004-1038.