Full Disclosure mailing list archives
Re: Firewire Attack on Windows Vista
From: "Eric Rachner" <eric () rachner us>
Date: Wed, 12 Mar 2008 22:33:52 -0700
Re. where you said, "yes, if the system is off and you can turn it on (e.g. no bios or hdd encryption passwords) you can bypass the logon screen. this is because the tool searches for the function "MsvpPasswordValidate" in memory and patches it to allow any password."

That's correct, but not entirely. Yes, you can patch Winlogon to allow any password, but that does not necessarily mean you can access the user's data.

#1, you will not be able to access any resources which are encrypted using Windows protected storage. This includes all EFS-protected files, as well as stored passwords for IE, Outlook, etc. All of these secrets are protected using keys which are derived from the user's credentials. Obviously if the system is unable to reconstruct these keys, then the protected data will be out of reach. (This would be true regardless of whether or not the logged-on account belongs to a domain.)

#2, you will not be able to access network resources as the user. Again, this is because when the machine authenticates to remote resources, it does so by providing a proof which is calculated from the user's credentials. And again, without access to the user's credentials, the system won't be able to perform network authentication on the user's behalf.

In a real-world scenario, as the attacker, I would prefer to install a Trojan in order to capture the user's credentials the next time they log on.

- Eric

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of FD
Sent: Monday, March 10, 2008 11:50 AM
To: Larry Seltzer
Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: Re: [Full-disclosure] Firewire Attack on Windows Vista
How much should the average user worry about this? Not very much. Most notebooks from average users don't even have Firewire on them and you would have an easier time cracking them with a dictionary attack on the password and other such things, which means that this attack makes you no more vulnerable to compromise if you've already granted physical access than you were before.
you don't need a firewire port on your laptop, a pcmcia slot is enough where an attacker inserts a firewire card. but still.. it's a physical access attack..

regarding your other email:
OK, I guess I misunderstood the original paper (http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf). It now looks to me like they are claiming they can disable password authentication *even while the system is not logged on* - do I have that right?
yes, if the system is off and you can turn it on (e.g. no bios or hdd encryption passwords) you can bypass the logon screen. this is because the tool searches for the function "MsvpPasswordValidate" in memory and patches it to allow any password.

FD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
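The distinction drawn in the message above, between a logon check that only answers yes or no and secrets protected with keys derived from the user's credentials, as an added example that is not part of the original thread. It is a toy model, not Windows protected storage's actual algorithm: the PBKDF2 parameters, the HMAC-based stand-in cipher, the sample password and every function name are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_keys(password, salt):
    """Derive an encryption key and a MAC key from the user's password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]

def _keystream(key, nonce, length):
    # Toy HMAC-based counter-mode keystream; a stand-in for a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def protect(password, secret):
    """Encrypt and authenticate a secret under keys derived from the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unprotect(password, blob):
    """Recover the secret; fails if the password does not rebuild the keys."""
    enc_key, mac_key = derive_keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong key: protected data cannot be recovered")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def logon(typed, validate):
    """The logon gate yields only a yes/no answer; it never produces a key."""
    return bool(validate(typed))

def session_can_read(typed, validate, blob):
    """True only if logon succeeds AND the typed password unlocks the blob."""
    if not logon(typed, validate):
        return False
    try:
        unprotect(typed, blob)
        return True
    except ValueError:
        return False

REAL_PASSWORD = "correct horse"  # constructed sample value
BLOB = protect(REAL_PASSWORD, b"stored mail password")
honest_check = lambda typed: hmac.compare_digest(typed.encode(), REAL_PASSWORD.encode())
patched_check = lambda typed: True  # models a validator altered to accept anything
```

With `patched_check` the logon gate opens for any input, yet `session_can_read` stays false because the typed password never reproduces the keys.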