
Physical Security Attacks on Windows Vista - SEC Consult Unternehmensberatung GmbH

PHYSICAL SECURITY ATTACKS ON WINDOWS VISTA

Peter Panholzer
SEC Consult Vulnerability Lab, Vienna

There are several attacks known today which leverage physical access to fully patched systems to read or patch system memory. One of them is the Cold Boot Attack, which allows copying the system memory after the system has been powered off and extracting the keys of encrypted harddisks from it. Another technique, known for years now, is the copying and manipulation of memory using firewire, which among other things can also be used to retrieve encryption keys.

Several papers describe the technical background of the firewire attack. In a nutshell, it is possible to access the system memory of other nodes on a firewire bus via DMA and firewire's addressing scheme. This works for reading as well as for writing. The only requirement on the target is a firewire interface, which most laptops and a lot of workstations have built in. Laptops without a firewire interface can be provided by an attacker with a PC Card (PCMCIA) card, which is automatically installed even if the screen is locked. This means that even laptop computers without a firewire interface are vulnerable. It has been proven that Linux, Mac OS X and Windows XP are vulnerable to this attack. In March, Adam Boileau released a tool called winlockpwn which implements several attacks against Windows XP SP.

A while ago, SEC Consult implemented its own proof of concepts for most versions of Windows. This includes workstations running Windows Vista. The Vista PoC disables password authentication in the default login routine, making it possible to log in to the workstation with an arbitrary password. What follows is a high-level overview of our Vista unlock tool.


In Windows Vista, NTLM authentication is performed by the NTLM security support provider Msv1_0.dll, which is used to authenticate against the SAM database. During our tests its code segment was always found in physical memory, making it possible to perform a patch at any time.

Adapting the unlock hack to Vista basically boils down to finding the correct code location for applying the patch. In Vista, the actual password comparison is done with a call to RtlCompareMemory() in the function MsvpPasswordValidate() of Msv1_0.dll (see figure). By patching the subsequent conditional jump with NOP instructions, the memory comparison is effectively disabled.

Due to SEC Consult's disclosure policy we are not allowed to release the tool itself.

FIGURE: PASSWORD VERIFICATION

In short, our Vista unlock tool uses signature matching to find the respective binary code in the target node's memory; the same method is used in winlockpwn. The process of searching the pattern and manipulating the DLL code in memory takes a few seconds up to a few minutes. After the patch has been applied, any username and password can be specified at the login prompt for a successful login.

The manipulation of the authentication process is just one of many possibilities. Insertion of malware or opening a shell would be others. It is also possible to do a full memory dump and search for harddisk encryption keys, just like the Cold Boot Attack but without having to reboot the system. These attacks too work on Windows Vista targets.

There is no security update provided by Microsoft, and possibly never will be, as these attacks are not based on a vulnerability but are merely possible because of the designs and protocols. The only known effective way of protecting against the firewire attack is to deactivate all firewire and PC Card ports in the device manager. The device manager of Windows Vista can be accessed via Start > Control Panel > System and Maintenance > System > Device Manager. Right-click on all firewire and PC Card (PCMCIA) ports and choose "deactivate". There is no known countermeasure against the cold boot attack at the moment but restricting physical access to your systems.
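The Device Manager step above can also be scripted on a fleet. The following PowerShell is an added example, not code from the SEC Consult paper or tool; it assumes Windows 8 / Server 2012 or later (where the PnpDevice cmdlets Get-PnpDevice and Disable-PnpDevice exist) and an elevated shell. It inventories every present IEEE 1394 (firewire) and PCMCIA controller and, when run with -Disable, deactivates them exactly as the manual right-click does.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the paper): inventory and optionally disable the
# DMA-capable ports the paper names, IEEE 1394 host controllers and PCMCIA
# bridges, which a physically present attacker can use to read or patch RAM.
param(
    [switch]$Disable   # without -Disable the script only reports
)

# Windows device setup classes for firewire controllers and PC Card bridges.
$dmaClasses = @('1394', 'PCMCIA')

$ports = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $dmaClasses -contains $_.Class }

if (-not $ports) {
    Write-Output 'No firewire or PC Card controllers present on this machine.'
    return
}

foreach ($dev in $ports) {
    # A disabled device reports a non-OK status; an attack surface is only
    # open while the controller is enabled (Status 'OK').
    $state = if ($dev.Status -eq 'OK') { 'ENABLED' } else { $dev.Status }
    Write-Output ('{0,-8} {1,-9} {2}' -f $dev.Class, $state, $dev.FriendlyName)

    if ($Disable -and $dev.Status -eq 'OK') {
        # Same effect as Device Manager -> right-click -> Disable.
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        Write-Output ('         disabled {0}' -f $dev.InstanceId)
    }
}
```

Run it without -Disable first as an audit; any controller reported as ENABLED is a port the paper's countermeasure says should be deactivated.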
About the Vulnerability Lab

Members of the SEC Consult Vulnerability Lab perform security research in various topics of technical information security. Projects include vulnerability research and the development of cutting-edge security tools and methodologies, and are supported by partners like the Technical University of Vienna. The lab has published security vulnerabilities in many high-profile software products, and selected work has been presented at top security conferences like Blackhat and DeepSec.

For more information see http://www.sec-consult.com
REFERENCES

Halderman, J. Alex, et al. Lest We Remember: Cold Boot Attacks on Encryption Keys. [Online] February. [Cited: February.] http://citp.princeton.edu.nyud.net/pub/coldboot.pdf

Boileau, Adam. Hit by a Bus: Physical Access Attacks with Firewire. [Online] [Cited: February.] http://storm.net.nz/static/files/ab_firewire_rux2k6-final.pdf

Becher, Michael, Dornseif, Maximillian and Klein, Christian N. FireWire: all your memory are belong to us. [Online] [Cited: February.] http://md.hudora.de/presentations/firewire/firewire-cansecwest.pdf

Winlockpwn tool. http://storm.net.nz/static/files/winlockpwn
