Re: Exploiting PCI-based DMA in OpenBSD

2015-04-04 Thread Yonas Yanfa

On 15-04-04 02:24 PM, Joel Rees wrote:

On Apr 4, 2015 8:50 PM, Артур Истомин art.is...@yandex.ru wrote:

https://github.com/carmaa/inception/blob/master/README.md

I am not accessing that because, right now, I don't have a stable device
with which to access arbitrary stuff on the web.



Here's the text:



INCEPTION
=========

Inception is a physical memory manipulation and hacking tool exploiting
PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC
Card and any other PCI/PCIe HW interfaces.

Inception aims to provide a *relatively* quick, stable and easy way of performing
intrusive and non-intrusive memory hacks against live computers using DMA.

### How it works

Inception’s modules work as follows: By presenting a Serial Bus Protocol 2
(SBP-2) unit directory to the victim machine over the IEEE1394 FireWire
interface, the victim operating system thinks that a SBP-2 device has connected
to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA)
for fast, large bulk data transfers (e.g., FireWire hard drives and digital
camcorders), the victim lowers its shields and enables DMA for the device. The
tool now has full read/write access to the lower 4GB of RAM on the victim.

Once DMA is granted, the tool proceeds to search through available memory pages
for signatures at certain offsets in the operating system’s code. Once found,
the tool manipulates this code. For instance, in the unlock module, the tool
short circuits the operating system’s password authentication module that is
triggered if an incorrect password is entered.

*After running that module you should be able to log into the victim machine
using any password.*

An analogy for this operation is planting an idea into the memory of the
machine; the idea that every password is correct. In other words, the
equivalent of a [memory inception] [1].


### Awesome! But why?

The world's forensics experts, governments and three-letter acronym agencies
are using [similar tools] [2] already, so why not? Inception is free, as in
beer. A professional equivalent tool will set you back thousands of USD.


### Caveats

[OS X  10.7.2] [6] and [Windows  8.1] [7] disable FireWire DMA when the user has locked
the OS and thus prevents inception. The tool will still work while a user is
logged on. However, this is a less probable attack scenario IRL.

In addition, [OS X Mavericks  10.8.2 on Ivy Bridge (= 2012 Macs)] [8] have enabled
VT-D, effectively blocking DMA requests and thwarting all inception modules.

Look for `vtd[0] fault` entries in your log/console.


Key data
 * License: GPL
 * Author:  Carsten Maartmann-Moe (cars...@carmaa.com) AKA ntropy
 * Twitter: @breaknenter
 * Site:    http://www.breaknenter.org/projects/inception
 * Source:  https://github.com/carmaa/inception

The tool makes use of the `libforensic1394` library courtesy of Freddie
Witherden under a LGPL license.


Requirements


Inception requires:

 * Hardware:
   * Attacker machine: Linux or Mac OS X (host / attacker machine) with a
     FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port.
     Linux is currently recommended due to buggy firewire interfaces on OS X
   * Victim machine: A FireWire or Thunderbolt interface, or an
     ExpressCard/PCMCIA expansion port
 * Software:
   * Python 3
   * git
   * gcc (incl. g++)
   * cmake
   * pip (for automatic resolution of dependencies)
   * [libforensic1394] [3]
   * msgpack


Installation


On Debian-based distributions the installation command lines can be summarized
as:

sudo apt-get install git cmake g++ python3 python3-pip

On OS X, you can install the tool requirements with [homebrew] [4]:

brew install git cmake python3

After installing the requirements, download and install libforensic1394:

git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install

### Download and install Inception

git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install

The setup script should be able to install dependencies if you have `pip`
installed.


General usage
-------------

 1. Connect the attacker machine (host) and the victim (target) with a FireWire
    cable
 2. Run Inception

Simply type:

incept [module name]

For a more complete and up-to-date description, please run:

incept -h

or see the [tool home page] [5].


Modules

modules, and their functionality is described below.

For detailed options on usage, run:

incept [module name] -h


### Unlock

The `unlock` module can unlock (any password accepted) and escalate privileges
to Administrator/root on almost* any powered on machine you have physical
access to. The module is primarily intended to do its magic against
computers that utilize full disk encryption such as BitLocker, FileVault,
TrueCrypt or

Re: relayd crashes often

2015-03-26 Thread Yonas Yanfa

On 15-03-26 07:26 AM, Felipe Scarel wrote:

On Thu, Mar 26, 2015 at 12:37 AM, Yonas Yanfa yo...@fizk.net wrote:

On 15-03-24 03:26 AM, Claudio Jeker wrote:

On Mon, Mar 23, 2015 at 11:54:41PM -0400, Yonas Yanfa wrote:

Hi,

I'm running relayd/OpenBSD 5.6-stable on a KVM virtual machine. relayd
always crashes within a few hours of restarting it, but works properly
before that.


I guess you are talking about reloading relayd (as in relayctl reload)...



Killing all relayd processes and then running relayd.



When relayd stops working, sometimes the relayd process is up but `relayctl
show summary` says that /var/run/relayd.sock doesn't exist. Other times none
of the relayd processes are running.



I hit similar issues and came up with the following diff against -current.
It may apply to 5.6 but did not test that at all. I'm not 100% sure about
the ca.c change since OpenSSL is a black box.



Thanks for the patches.

Before I try to apply the patches, I think the issue might be caused by
having too many CLOSE_WAIT connections. I seem to have 2,236 CLOSE_WAIT
connections:


$ netstat -n|grep CLOSE_WAIT|wc -l
 2236

And relayd seems to have 501 active connections:

relay www, session 1806 (501 active), 0, xxx.xxx.xxx.xxx - :0, hard timeout


How can I get relayd to close these connections?


Cheers,
Yonas



I can confirm this has also been observed on my end, using relayd as a
forward ssl-inspecting proxy on amd64 hardware. Runs without issue for
a few hours, next time I look all the (ca|hfe|pfe) processes are gone,
only relays and the parent process remains. Killing all of them and
restarting the daemon solves the problem.




From what I understand, relayd is supposed to send an ACK packet when
the connection is in the CLOSE_WAIT state. There must be a bug in relayd
that prevents this from happening.

If this happened, the connection would be in LAST_ACK instead of
CLOSE_WAIT. The connection could also be closed if it received the
following ACK.



Yonas



Re: relayd crashes often

2015-03-25 Thread Yonas Yanfa

On 15-03-24 03:26 AM, Claudio Jeker wrote:
 On Mon, Mar 23, 2015 at 11:54:41PM -0400, Yonas Yanfa wrote:
 Hi,

 I'm running relayd/OpenBSD 5.6-stable on a KVM virtual machine. relayd
 always crashes within a few hours of restarting it, but works properly
 before that.

 I guess you are talking about reloading relayd (as in relayctl reload)...


Killing all relayd processes and then running relayd.


 When relayd stops working, sometimes the relayd process is up but `relayctl
 show summary` says that /var/run/relayd.sock doesn't exist. Other times none
 of the relayd processes are running.


 I hit similar issues and came up with the following diff against -current.
 It may apply to 5.6 but did not test that at all. I'm not 100% sure about
 the ca.c change since OpenSSL is a black box.


Thanks for the patches.

Before I try to apply the patches, I think the issue might be caused by 
having too many CLOSE_WAIT connections. I seem to have 2,236 CLOSE_WAIT 
connections:



$ netstat -n|grep CLOSE_WAIT|wc -l
2236

And relayd seems to have 501 active connections:

relay www, session 1806 (501 active), 0, xxx.xxx.xxx.xxx - :0, hard timeout


How can I get relayd to close these connections?


Cheers,
Yonas



relayd crashes often

2015-03-23 Thread Yonas Yanfa

Hi,

I'm running relayd/OpenBSD 5.6-stable on a KVM virtual machine. relayd 
always crashes within a few hours of restarting it, but works properly 
before that.


When relayd stops working, sometimes the relayd process is up but 
`relayctl show summary` says that /var/run/relayd.sock doesn't exist. 
Other times none of the relayd processes are running.


Here's some info:

$ uname -a
OpenBSD 5.6 GENERIC.MP#333 amd64


$ relayctl show summary
relayctl: connect: /var/run/relayd.sock: No such file or directory


$ ps aux|grep relay
_relayd  16788  0.0  0.3  1624  3156 ??  S  3:02AM 0:15.65 relayd: pfe (relayd)
_relayd  12960  0.0  0.9  6620  9356 ??  S  3:02AM 0:19.04 relayd: relay (relayd)
_relayd   9157  0.0  0.3  1556  3188 ??  I  3:02AM 0:00.02 relayd: ca (relayd)
_relayd  26941  0.0  0.3  1560  3184 ??  I  3:02AM 0:00.03 relayd: ca (relayd)
_relayd   1633  0.0  0.3  1548  3164 ??  I  3:02AM 0:00.02 relayd: ca (relayd)
_relayd  10017  0.0  0.3  1548  3088 ??  I  3:02AM 0:00.01 relayd: ca (relayd)
_relayd  23462  0.0  0.3  1552  3152 ??  I  3:02AM 0:00.02 relayd: ca (relayd)
_relayd  21549  0.0  0.3  1268  2820 ??  S  3:02AM 0:30.23 relayd: hce (relayd)
_relayd  30665  0.0  0.9  6572  9384 ??  S  3:02AM 0:18.71 relayd: relay (relayd)
_relayd   5491  0.0  0.9  6676  9500 ??  S  3:02AM 0:18.86 relayd: relay (relayd)
_relayd  20565  0.0  0.9  6648  9452 ??  S  3:02AM 0:19.12 relayd: relay (relayd)
_relayd  29017  0.0  0.9  6664  9492 ??  S  3:02AM 0:19.40 relayd: relay (relayd)



$ tail /var/log/daemon
Mar 23 23:23:41 obsd relayd[20565]: relay www, session 1329 (501 active), 0,xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET
Mar 23 23:23:41 obsd relayd[20565]: relay www, session 1330 (501 active), 0, xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET
Mar 23 23:24:39 obsd relayd[12960]: relay www, session 1351 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:26:38 obsd relayd[5491]: relay www, session 1335 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:30:39 obsd relayd[30665]: relay www, session 1320 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:31:39 obsd relayd[29017]: relay www, session 1340 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:31:40 obsd relayd[29017]: relay www, session 1341 (501 active), 0, xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET
Mar 23 23:31:40 obsd relayd[29017]: relay www, session 1342 (501 active), 0,xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET
Mar 23 23:34:39 obsd relayd[20565]: relay www, session 1331 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:34:40 obsd relayd[12960]: relay www, session 1352 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:34:40 obsd relayd[20565]: relay www, session 1332 (501 active), 0,xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET
Mar 23 23:34:40 obsd relayd[12960]: relay www, session 1353 (501 active), 0,xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET
Mar 23 23:37:38 obsd relayd[5491]: relay www, session 1336 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:37:39 obsd relayd[5491]: relay www, session 1337 (501 active), 0,xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET



$ cat /etc/relayd.conf
#
#  Relayd
#

interval 10
timeout 1000
prefork 5
log updates

ext_addr=xxx.xxx.xxx.xxx
ext_if=em0
server1=10.8.0.2

table webhosts { $server1 }

http protocol www {
match header append X-Forwarded-For value $REMOTE_ADDR
match header append X-Forwarded-By value $SERVER_ADDR:$SERVER_PORT

}

relay www {
listen on $ext_addr port http
protocol www

#forward to webhosts check http / code 200
forward to webhosts check tcp
}

http protocol httpssl {
match header append X-Forwarded-For value $REMOTE_ADDR
match header append X-Forwarded-By value $SERVER_ADDR:$SERVER_PORT

match header set Connection value close

# Various TCP performance options
tcp { nodelay, sack, socket buffer 65536, backlog 128 }

ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }
ssl session cache disable
}

relay wwwssl {
# Provide SSL termination
listen on $ext_addr port 443 ssl
protocol httpssl

# Forward to hosts in the webhosts table
forward to webhosts port http check tcp
}


$ top
load averages:  0.80,  0.90,  0.58
50 processes: 49 idle, 1 on processor
CPU0 states:  0.0% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.8% idle
CPU1 states:  0.2% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.8% idle

Memory: Real: 70M/331M act/tot Free: 650M Cache: 196M Swap: 0K/1264M



Cheers,
Yonas
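Sockets in CLOSE_WAIT are ones the peer has already finished with but the local process has not yet closed, so the useful thing to watch in the daemon log above is a relay process parked at the same "active" figure that only sheds sessions by hard timeout. The script below is an added example, not code from the thread or from relayd: it parses session lines of the layout shown in the post (the sample lines are constructed, with placeholder addresses) and flags such processes; the 500-session ceiling and the "only hard timeouts" rule are assumptions for the heuristic, not relayd behaviour.

```python
import re
from collections import Counter

# Constructed sample in the layout relayd writes to /var/log/daemon (same
# shape as the lines quoted in the post; the xxx addresses are placeholders).
SAMPLE_LOG = """\
Mar 23 23:23:41 obsd relayd[20565]: relay www, session 1329 (501 active), 0,xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET
Mar 23 23:24:39 obsd relayd[12960]: relay www, session 1351 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:26:38 obsd relayd[5491]: relay www, session 1335 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:31:40 obsd relayd[29017]: relay www, session 1342 (501 active), 0, xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET
Mar 23 23:34:39 obsd relayd[20565]: relay www, session 1331 (501 active), 0,xxx.xxx.xxx.xxx - :0, hard timeout
Mar 23 23:34:40 obsd relayd[12960]: relay www, session 1353 (501 active), 0,xxx.xxx.xxx.xxx - 10.8.0.2:80, last write (done), GET
"""

# One session line: pid, relay name, session id, active count, addresses, outcome.
LINE_RE = re.compile(
    r"relayd\[(?P<pid>\d+)\]: relay (?P<relay>\S+), session (?P<sid>\d+) "
    r"\((?P<active>\d+) active\), \d+, ?(?P<src>\S+) - (?P<dst>\S*), (?P<how>.*)$"
)

def parse_session_lines(text):
    """Yield one dict per relayd session line; lines of any other shape are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["pid"], d["sid"], d["active"] = (int(d[k]) for k in ("pid", "sid", "active"))
        # A session that never completed against the backend is logged with
        # ':0' as its destination and ends by 'hard timeout', not a finished write.
        d["timed_out"] = d["how"].startswith("hard timeout")
        yield d

def summarize(text):
    """Per relay process: the last reported 'active' figure and how its sessions ended."""
    out = {}
    for s in parse_session_lines(text):
        entry = out.setdefault(s["pid"], {"active": 0, "ended": Counter()})
        entry["active"] = s["active"]
        entry["ended"]["hard timeout" if s["timed_out"] else "done"] += 1
    return out

def pinned_processes(summary, ceiling):
    """Heuristic (an assumption, not a relayd rule): processes at or above
    'ceiling' active sessions whose sessions ended only by hard timeout."""
    return sorted(pid for pid, e in summary.items()
                  if e["active"] >= ceiling and e["ended"]["done"] == 0)
```

On the sample, `pinned_processes(summarize(SAMPLE_LOG), 500)` flags PID 5491 only; the other relays also sit at 501 active but still complete some requests.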