More ways to gain access to systems you have physical access to
In a previous article I discussed several ways to reset, recover or circumvent a root password. While the article was written to assist people who have lost or forgotten a root password, it was also a statement about security. As I was reading up on the subject I noticed there are some things I didn't know about, as my knowledge of the subject has aged a bit.
Security
While the article was not meant to be about security, it certainly touched on its surface. When it comes to security there's a lot more to say.
First of all, there's another way of circumventing the kernel's access control. It's called a DMA attack; it is based on a hardware flaw, and if your system has a FireWire port there is a good chance it is vulnerable to this.
DMA
The DMA attack is based on a "feature" of FireWire which gives it direct read/write access to memory.
DMA, as most of you probably know, is a feature used to speed up access to memory by bypassing the processor; it is needed, for instance, by graphics cards, which do their own processing on data in memory. It's a great enhancement that allows speedy input/output of data where the main processor is not needed. The FireWire protocol allows external devices to directly access memory for read/write operations. This makes it easy to change data in system memory using an external device (like a modified iPod, for example).
root access
This can give you root access to a running Linux system as long as it has a working FireWire port.
You can read more about this specific security flaw, as well as methods of mitigating it, here (the part about Windows is especially amusing).
Implications
The implications of this particular attack are very big, as it even seems to allow reading the real-mode BIOS keyboard buffer (which can contain disk encryption passwords) and therefore allows circumventing disk encryption. Read this article (and read the comments). While this security flaw is already pretty dated, it seems it is also still pretty valid.
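A small audit helper, added here as an example (it is not from the original post or the linked article), that checks the most common Linux mitigation for this: whether the FireWire host-controller driver is currently loaded and whether it is blacklisted from auto-loading on hot-plug. It assumes the standard Linux module names (firewire_ohci/firewire_core and the older ohci1394/ieee1394 stack); the lsmod and modprobe.d text it runs on is constructed inline.

```shell
#!/bin/sh
# Added audit helper (not from the original post): classify a Linux host's
# FireWire DMA exposure from lsmod output and modprobe.d configuration.
# Module names are real Linux driver names; sample inputs are constructed.
# Drivers of the current (firewire_*) and legacy (ieee1394) stacks, as lsmod lists them.
FIREWIRE_MODULES="firewire_ohci firewire_core firewire_sbp2 ohci1394 ieee1394 sbp2"

# firewire_loaded LSMOD_TEXT: prints the FireWire modules found; exit 0 if any.
firewire_loaded() {
    found=""
    for mod in $FIREWIRE_MODULES; do
        if printf '%s\n' "$1" | awk '{ print $1 }' | grep -qx "$mod"; then
            found="$found $mod"
        fi
    done
    found=${found# }
    printf '%s\n' "$found"
    [ -n "$found" ]
}

# firewire_blacklisted MODPROBE_TEXT: exit 0 if the host-controller driver is
# blacklisted or overridden with "install ... /bin/true" (modprobe accepts - or _).
firewire_blacklisted() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*(blacklist|install)[[:space:]]+(firewire[-_]ohci|ohci1394)([[:space:]]|$)'
}

# firewire_risk LSMOD_TEXT MODPROBE_TEXT
#   EXPOSED     a FireWire driver is loaded, so external DMA is possible right now
#   BLACKLISTED not loaded and auto-loading is disabled
#   NOT_LOADED  not loaded, but a hot-plugged controller would auto-load the driver
firewire_risk() {
    if firewire_loaded "$1" >/dev/null; then
        echo EXPOSED
    elif firewire_blacklisted "$2"; then
        echo BLACKLISTED
    else
        echo NOT_LOADED
    fi
}

# Constructed samples, not output from any real machine.
SAMPLE_LSMOD_EXPOSED="Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          69632  1 firewire_ohci"
SAMPLE_LSMOD_CLEAN="Module                  Size  Used by
ext4                  778240  1"
SAMPLE_BLACKLIST="blacklist firewire-ohci
install firewire-ohci /bin/true"

# Live check against this machine: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    firewire_risk "$(lsmod)" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
fi
```

Blacklisting only stops automatic loading; a root user can still modprobe the driver by hand, which is why the "install ... /bin/true" form is also accepted.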
Cold boot
The next thing I learned about is the cold boot attack. While I used to think memory would be empty as soon as power was taken off the system, it seems this is not entirely true.
Here's a Wikipedia article about that. The data in memory remains readable for seconds up to minutes after shutdown, and this can be prolonged to hours by freezing the memory modules. If you have the possibility to take out the memory module or boot the system from USB, you can save the contents of memory and analyze it for cryptographic keys and the like.
Of course, if you can boot a system from USB you are in already, but this also allows for circumventing encrypted disk systems.
Is there more I need to know? Do you know more ways of gaining access that I (and others) should know about in order to protect my systems? Please leave a comment. It can take a while before comments get published (other time zone).