Windows login bypass tool released
Security expert Adam Boileau has released the winlockpwn tool, which makes it possible to bypass the Windows login via a FireWire port without knowing a Windows password. The program uses direct memory access (DMA), which a FireWire connection makes possible, to manipulate the login routines in the memory of a running system. So far, the tool supports Windows XP with SP2 as the target system. Neither the tool nor the attack is new: Boileau demonstrated both two years ago.
"People with physical access to a system can win in a number of ways," Boileau writes on his website, but with winlockpwn it is "quick and easy". The New Zealander gave a presentation about the FireWire vulnerability at the Ruxcon security conference in 2006. In the presentation he also explained the trick necessary to gain access: Using a copied FireWire ID, the software tricks the targeted OS into thinking it is a device like an iPod that needs DMA.
Microsoft does not view FireWire DMA as a security problem, since it is part of the IEEE-1394 specification. According to Boileau, this is the reason why Redmond is not considering a fix. Direct memory access is essentially independent of the operating system used, so Linux and Mac OS X are also susceptible. To protect systems where security is critical, unused FireWire ports should be deactivated as a rule.
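One way to check the mitigation above on a Linux host, as an added example that is not from the article or from Boileau: the script reports FireWire kernel drivers that are loaded or still loadable. The function names are hypothetical, the sample input is constructed, and a Linux system with modprobe-style configuration is assumed.

```shell
#!/bin/sh
# Added example: audit a Linux host for FireWire (IEEE 1394) DMA exposure.
# Names cover the legacy (ieee1394) and current (firewire) kernel driver stacks.
FW_MODULES="firewire_ohci firewire_sbp2 firewire_core ohci1394 sbp2 ieee1394"

# loaded_fw_modules FILE
# Print FireWire modules present in a /proc/modules-style listing.
loaded_fw_modules() {
    for m in $FW_MODULES; do
        awk -v m="$m" '$1 == m { print $1 }' "$1"
    done
}

# unblocked_fw_modules DIR
# Print FireWire modules that no DIR/*.conf file blacklists or neutralises.
# modprobe treats "-" and "_" in module names as equivalent, so normalise.
unblocked_fw_modules() {
    for m in $FW_MODULES; do
        cat "$1"/*.conf 2>/dev/null | awk -v m="$m" '
            { gsub(/-/, "_", $2) }
            $1 == "blacklist" && $2 == m { ok = 1 }
            $1 == "install" && $2 == m && $3 ~ /^\/bin\/(false|true)$/ { ok = 1 }
            END { exit (ok ? 0 : 1) }' || echo "$m"
    done
}

# firewire_audit PROC_MODULES MODPROBE_DIR
# Returns 0 when nothing is loaded and every module is blocked, 1 otherwise.
firewire_audit() {
    loaded=$(loaded_fw_modules "$1")
    open=$(unblocked_fw_modules "$2")
    [ -n "$loaded" ] && echo "LOADED:" $loaded
    [ -n "$open" ] && echo "NOT BLOCKED:" $open
    [ -z "$loaded" ] && [ -z "$open" ]
}

# Constructed sample input; on a real host use /proc/modules and /etc/modprobe.d.
demo=$(mktemp -d)
printf '%s\n' 'firewire_ohci 40960 0 - Live 0x0' \
    'firewire_core 65536 1 firewire_ohci, Live 0x0' \
    'ext4 737280 1 - Live 0x0' > "$demo/modules"
printf '%s\n' '# constructed' 'blacklist firewire-ohci' \
    'install firewire_sbp2 /bin/false' > "$demo/fw.conf"
firewire_audit "$demo/modules" "$demo" || echo "result: FireWire DMA surface present"
rm -rf "$demo"
```

A `blacklist` line only stops automatic loading; an `install <module> /bin/false` line also blocks explicit loading with modprobe.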
See also:
- Firewire, DMA & Windows, Project page by Adam Boileau
- Hit By A Bus: Physical Access Attacks with Firewire, Presentation by Adam Boileau at Ruxcon 2006
(mba)