Direct Memory Access is evil!

Hello,

Everybody should know that DMA is evil since the first Firewire Exploit was released arround 2003. The problem is that besides fast memory access for peripheral equipment it allows everybody, who gets physical access to a computer with a DMA capable port (FireWire, Thunderbolt, ExpressCard, PC Card, PCI/PCIe Interfaces), to alter or even dump the entire memory.

The two first attacks that come to mind are:

  • Circumvent Login (especially for full disk encrypted machines)
  • Dump the entire memory for offline analysis (also handy for forensic analysis of abused/compromised machines)

After stumbling over Inception (http://www.breaknenter.org/projects/inception/) I got curious about DMA Exploitation and bought myself an Apple Firewire to Thunderbolt adapter and some cables and adapters to be able to connect to every Firewire port:

IMG_4640 - Arbeitskopie 2

The installation of Inception on OSX 10.8.2 was a bit bumpy (dependencies to be specific)  So I will give a detailed Installation instruction for simple people like myself:

1. Map out and install the dependencies:

The inception README.cmd file lists the following dependencies:

### Dependencies

* Python 3 (http://www.python.org)
* git (http://git-scm.com)
* gcc (incl. g++) (http://gcc.gnu.org)
* cmake (http://www.cmake.org)
* libforensic1394 (http://freddie.witherden.org/tools/libforensic1394/)

* Python 3 is an easy one: go to http://www.python.org/download/ and download the right installer for your OSX.

* git, gcc and cmake are a bit more tricky: As far as I know they do not come with a default OSX installation. I use MacPorts which in my simple terms is a great tool which provides you with a huge collection of linux command line tools ported to OSX.

To get MacPorts running just follow the detailed instructions on their homepage: http://www.macports.org/install.php

After MacPorts is installed you can use it in an aptitude fashioned syntax:

sudo port install git gcc cmake

* gcc alternatively can be installed via xcode (run xcode -> preferences -> downloads -> install command line tools)

* libforensic1394 can then be installed as explained in the README.cmd instructions:

git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install

2. Install inception

This is also quite easy, just git clone the inception git repository and run the setup.py script:

git clone git://github.com/carmaa/inception.git
cd inception
sudo setup.py install

3. Usage

Warning: Inception can crash the attacker machine when reaching 4GB memory limit! So don’t run it on important machines/beside important tasks!

The inception binary is called “incept” and will be placed under /usr/local/bin/ and thus will be available in path.

Inception will need to run with root rights in default setup.

The inception homepage gives detailed examples of the usage and the –help output is also nicely detailed:

inception help

Limitations

As mentioned on the Inception homepage you can only dump the first 4GB of memory of the target machine. I have not yet read up on the actual technical limitations leading to this but I guess something like that the Firewire protocol can only address 4GB of RAM because the memory address is limited to 32bit or something simple like that.

Who knows maybe there are already tools for Thunderbolt-2-Thunderbolt connections that can dump all available memory of a 64bit machine.

Also my OSX keeps crashing when it reaches 3,79GB. But I guess thats a flaw in OSX (or even my setup) and could be fixed by some troubleshooting or switching to linux (preferably backtrack) on the attacker machine.

Further thoughts:

So patching the windows logon routine to log into machines with full disk encryption (with no pre boot authentication) is one of the main goals of inception.

But the ability to dump the entire memory (first 4GB anyways) is even more interesting in my opinion. If an attacker finds an unguarded machine with a firewire port, he can quickly dump the memory by just plugging in the firewire cable and issuing one command. The resulting memory dump can then be searched for interesting information without pressure and even parallel by a number of people.

Restroom breaks in where one leaves a notebook unattended or cleaning staff with unrestricted access to, often continuously running, desktop computers come to my mind when thinking about this.

Also think about mini keyloggers powered via usb with the ability to constantly dump memory for analysis and the possibility to inject malware/trojan-code into the memory via firewire at runtime. Combined with a bluetooth/wifi/gsm chip such a keylogger/memory dumper could be used for some serious spying operation!

If the raspberry pi would have firewire or thunderbolt this could even be built at home for under 100$/€!

Memory Investigation

If you think the content of your memory is not valuable outside of your machine where you can patch logon routines and running programs think about this: nearly everything your computer processes runs through your memory.

  • Passwords get hashed/compared in memory
  • Entire documents are stored in memory for editing
  • Every running program keeps its runtime data stored in memory
  • Operating Systems do not necessarily free up memory after closing programs right away. The data can sometimes stay in memory for minutes up to hours in the memory.
  • Closed laptops that stay into suspension can provide attacker with your data without you ever knowing about it.

To see what you can find in a memory dump for yourself dump the memory of your own computer. It does not matter if osx, linux, windows or just straight external via Firewire from another machine using inception.

You can even grab vmem files from virtual machines or hibernation and pagefiles from windows!

After you acquired a memory dump just run it through the linux command strings:

strings memory.dump

You will see a lot of gibberish but a lot of times you will see readable stuff and if you have dumped a machine that you worked on for some time you will find a lot of residual data like emails, websites and so on in there.

Try run your memory dump through strings and grep for interesting stuff like your passwords, your username, document classification tags and so on.

Volatility

volatility is a python based tool designed to analyze memory dumps easy and structured. It is available at https://www.volatilesystems.com 

Describing it thoroughly is worth another full blogpost so I will only scratch its surfe for the end of this post.

With volatility you can analyze (mostly windows) memory dumps and do stuff like recreating the list of running processes, network connections, internet explorer history and much much much much (much….) more!

It is as easy to set up as Inception and the usage is also quite easy for the basic commands. It however is capable of letting you dive into a memory dump very deeply and you quickly get lost if you don’t know what you are doing/looking for.

It gets explained a bit in the book Malware Analysts Cookbook (a pretty good read!) from the same author as the tool itself and is described in the context of, surprise, malware analysis there.

Interesting Links to presentations on the topic

———————-
Linux Arbeitsspeicheranalyse – german (http://www.dfn-cert.de/dokumente/workshop/2012/Folien_Schreck.pdf)
Physical Memory forensics (http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf)
Manipulating Memory for Fun & Profit (http://www.exploit-db.com/wp-content/themes/exploit/docs/24482.pdf)
———————-

Also make sure to read the Inception website as it contains further informations and make sure to give them props for this great tool!

So this will conclude this post for now. If you have questions or find errors in the above descriptions please dont hesitate to leave a comment!

Regards
Sebastian

Advertisements

About SebastianB

read it in my blog
This entry was posted in miscellaneous and tagged , , , , , , , , , , . Bookmark the permalink.

2 Responses to Direct Memory Access is evil!

  1. V says:

    Hello Sebastian, I would like to ask about the specific wires that you used. I have the Apple Thunderbolt to FireWire converter, but I am lost as to what wires to use next I looked for any variants in the shops in my areas, and found none, so I would like to know what you used so that I order them through Amazon.

    Thanks!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s