hack.lu Part #9

Back from the coffee break, let’s play with hardware now. Philippe Teuwen talked about smart cards and how they are protected. The first attack is performed via the power line, but recent smart cards are quite well protected. Flash attacks and electromagnetic attacks are other possibilities. Philippe’s slides were based on nice pictures, but that made the topic difficult to follow for people without deep smart card knowledge, like me…

OK, back to software with a presentation on Windows memory management by Damien Aumaître. Do you remember the FireWire attack against Windows memory? Damien recalled some basic facts about memory (physical vs. virtual memory). It’s always good to refresh some basic OS features in our minds! One of the major problems with physical memory: there are many ways to access it and create security breaches! Examples: FireWire, PCMCIA, PCI, VMware, Sandman/hibernation files, cold boot attacks or forensics tools. The FireWire way was discussed in more depth. Even if FireWire is disabled by default on Windows, some storage devices may access it (like an iPod). It’s very easy to change a FireWire device ID and, as an example, fake an iPod with a Linux laptop. All operations (Read / Write / Execute) can be used against physical memory. A read access on the memory reveals a lot of critical information: processes, threads, open files, shared libraries, data (for example, forensic research).

Damien made a demo of his own tools to read a VMware guest’s memory. The next demo was made in a read/write context: how to unlock a locked Windows desktop by changing two (!!!) bytes in memory! (The two bytes simply marked the account as passwordless.) Funny! A third demo showed process privilege escalation: a simple cmd.exe process running as a standard user was escalated to full administrative rights. Finally, the “execute” access was demonstrated by installing some hooks: Damien owned a Windows XP PC without logging in (spawned a cmd.exe and started an explorer). The conclusion was very simple: “physical access == root”. Cool presentation with some “show”!

Let’s have lunch and come back soon with the last presentations…
