
Albert Spruyt & Rory Breuk (Students, University of Amsterdam)

SIGINT TITLE:  Integrating DMA Attacks in Metasploit

SIGINT ABSTRACT:

Several years ago, DMA (Direct Memory Access) based FireWire attacks on computers were demonstrated. These attacks rely on arbitrary reading and writing of a computer's memory, which opens the possibility of runtime patching of the operating system and code injection. The demonstrated attacks bypassed various login screens and opened command prompts.

DMA attacks via FireWire are currently possible on all popular operating systems, and with the introduction of the new DMA-enabled Thunderbolt interface, adversaries have a bright future. Although the demonstrated attacks showed great potential, DMA attacks are not widely abused, and widespread awareness is consequently lacking. If this class of attacks were integrated into an existing exploitation framework, attacks could be performed more easily, in a shorter time frame and with greater flexibility. We hope that this will alert users and cause OS and hardware developers to take action, as the impact remains the same: full system compromise with only very limited possibilities for countermeasures.

To illustrate the possibilities of DMA attacks, we present a scenario of a sophisticated multi-phase attack. In the first phase the attacker, who has physical access to the target laptop, plugs in a FireWire cable and uses Metasploit to insert the payload into memory. This is a drive-by attack: once the payload is in place, the attacker disconnects and leaves. In the second phase, the payload is executed by the target and creates a reverse shell connection over the network interface to a remote computer controlled by the attacker. In the third phase, the remote attacker uses the reverse shell to perform the usual post-exploitation actions, e.g. remote control, information gathering and pivoting.

METASPLOIT INTEGRATION 

In our research we present a first step towards integrating DMA attacks into exploitation frameworks: a proof of concept that integrates FireWire attacks into Metasploit. The proof of concept demonstrates that we are able to inject basic payloads, such as a reverse TCP shell, via the FireWire interface. We enhanced the basic exploit with fork capabilities to prevent the patched process from "hanging". This allows an attacker to compromise a computer with a FireWire interface and retain control of the system via the network. We also discuss further improvements related to multi-stage payloads. The flexibility of DMA could allow for greater refinement of attacks, in particular in the areas of anti-forensics and control over the exploited process. Marrying these possibilities with advanced payloads could create a formidable penetration tool and illustrate the need for a proper defense against these types of attacks.

PATCHING PROCESS

Writing a payload to an arbitrary memory location and hoping for the best has a low probability of success, so a process to patch must be selected deliberately. On Ubuntu 11.10 we selected LightDM: it runs with root privileges and can be interacted with without being logged in. Within that process we locate a place on the execution path of a login attempt, identify it by a signature of the code found there, and inject the payload at that location. When someone tries to log in, the injected code is executed instead of the original.

IMPROVING THE ATTACK 

In our initial design, a user returning to her computer would immediately realise that something was amiss: since the process is now running our payload instead of its own code, it appears to hang. The patch could also be detected by a file integrity checker such as Tripwire. The physical page the patched code executes from is the same page cache page that backs the executable on disk, so reading the file through the kernel returns the patched version (the file on disk itself is untouched, as the DMA write does not mark the page dirty). We therefore present a way to reverse the modifications while keeping both the payload and the host process running.

We introduce a FireWire stager with two functions. First, it forks, so that the original process can continue executing. Second, it allocates a memory page. The attacker locates this page over FireWire, writes the real payload into it and has it executed. After this, the patched process is restored by writing the original code back over the stager.
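The patching process and the stager-and-restore step above, as an added example that is not part of the talk or of Metasploit: a Ruby simulation of the attacker's side. The DmaMemory class stands in for the FireWire DMA channel, and the signature, stager bytes, page marker and payload are constructed placeholders rather than bytes taken from LightDM. It shows the parts a module has to get right: page-granular scanning that still catches a signature crossing a page boundary, refusing to patch on an ambiguous match, and saving the overwritten bytes so the host process can be restored once the forked stager has handed over to the real payload.

```ruby
PAGE_SIZE = 4096

# Stand-in for the DMA channel: the target's RAM is read in whole physical
# pages and written at arbitrary addresses, as a FireWire link exposes it.
# The "memory" is a constructed byte string, not a real target.
class DmaMemory
  def initialize(image); @image = image.b; end
  def size; @image.bytesize; end
  def page_count; (size + PAGE_SIZE - 1) / PAGE_SIZE; end
  def read_page(page_no); @image.byteslice(page_no * PAGE_SIZE, PAGE_SIZE); end

  def read(addr, len)
    check_range(addr, len)
    @image.byteslice(addr, len)
  end

  def write(addr, bytes)
    bytes = bytes.b
    check_range(addr, bytes.bytesize)
    @image[addr, bytes.bytesize] = bytes
  end

  private

  def check_range(addr, len)
    raise RangeError, "0x#{addr.to_s(16)}+#{len} is outside memory" if addr < 0 || addr + len > size
  end
end

# Scan page by page, prepending the last (sig.size - 1) bytes of the previous
# page so a signature straddling a page boundary is found exactly once.
def find_signature(mem, sig)
  sig = sig.b
  raise ArgumentError, "empty signature" if sig.empty?
  hits = []
  carry = "".b
  mem.page_count.times do |p|
    buf = carry + mem.read_page(p)
    base = p * PAGE_SIZE - carry.bytesize
    pos = 0
    while (i = buf.index(sig, pos))
      hits << base + i
      pos = i + 1
    end
    keep = sig.bytesize - 1
    carry = buf.bytesize > keep ? buf.byteslice(buf.bytesize - keep, keep) : buf
  end
  hits
end

# Overwrite code at addr, remembering what it replaced so the host process
# can be put back once the stager has forked and is no longer needed there.
class Patch
  attr_reader :addr, :original

  def initialize(mem, addr, new_bytes)
    @mem, @addr = mem, addr
    @original = mem.read(addr, new_bytes.bytesize)
    mem.write(addr, new_bytes)
  end

  def restore; @mem.write(@addr, @original); end
end

# Patch only on an unambiguous hit: zero or several matches is the
# "write somewhere and hope for the best" case the text warns about.
def patch_unique(mem, sig, new_bytes)
  hits = find_signature(mem, sig)
  raise "signature not found" if hits.empty?
  raise "ambiguous signature: #{hits.size} hits" if hits.size > 1
  Patch.new(mem, hits.first, new_bytes)
end

# Constructed bytes; none of these come from LightDM or Metasploit.
SIGNATURE    = "\x55\x48\x89\xe5\x41\x57\x41\x56".b   # code on the login path chosen for patching
STAGER       = ("\x90" * 14 + "\xeb\xfe").b            # placeholder stager: nop sled + jmp $ (hangs)
STAGE_MARKER = "DMA-STAGE-PAGE\x00\x00".b              # header the forked stager puts in its new page
PAYLOAD      = ("\xcc" * 32).b                         # placeholder for the real payload

def build_target_memory
  ramp = (0..255).to_a.pack("C*")
  image = (ramp * (3 * PAGE_SIZE / 256)).b              # 3 pages of a byte ramp: no accidental hits
  image[100, 7] = SIGNATURE.byteslice(0, 7)             # 7-byte near miss that must not match
  image[2 * PAGE_SIZE - 3, SIGNATURE.bytesize] = SIGNATURE  # real hit, straddling pages 1 and 2
  DmaMemory.new(image)
end

def run_attack
  mem = build_target_memory
  hits = find_signature(mem, SIGNATURE)
  patch = patch_unique(mem, SIGNATURE, STAGER)          # plant the stager over the chosen code
  mem.write(PAGE_SIZE, STAGE_MARKER)                    # simulated: login runs it, it forks, child allocates a page
  stage = find_signature(mem, STAGE_MARKER).fetch(0)   # find that page over DMA by its marker
  mem.write(stage + STAGE_MARKER.bytesize, PAYLOAD)     # drop the real payload behind the marker
  patch.restore                                         # put the original code back over the stager
  {
    hits: hits,
    stage_page: stage / PAGE_SIZE,
    payload_in_place: mem.read(stage + STAGE_MARKER.bytesize, PAYLOAD.bytesize) == PAYLOAD,
    restored: mem.read(patch.addr, STAGER.bytesize) == patch.original,
    stager_gone: find_signature(mem, STAGER).empty?,
  }
end

puts run_attack.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the result hash: a single hit at 0x1ffd (the boundary-straddling copy, not the near miss), the stage page found at page 1, the payload in place, and the host process's original bytes restored so a scan for the stager bytes finds nothing.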

DEMO

A laptop with a default Ubuntu 11.10 install is shown at the LightDM login screen; LightDM is Ubuntu's default display manager. A second laptop is connected to it via FireWire and Ethernet (UTP), with a Metasploit console running. We run our exploit, which searches the victim's memory for the signature of the code we want to patch and injects Meterpreter into the victim process. When a login is attempted on the victim laptop, a Meterpreter session with the attacker's laptop is established.

ABOUT ALBERT SPRUYT

Albert Spruyt is currently a master's student at the University of Amsterdam, where he studies System and Network Engineering. He has an interest in all things related to security, in particular reverse engineering and cryptography. In his non-existent free time he enjoys playing around with embedded systems.

ABOUT RORY BREUK

Rory Breuk is a Dutch student at the UvA. After getting his bachelor’s degree in Artificial Intelligence he started doing something more fun: studying System and Network Engineering. Rory is especially interested in (anti)forensics and security. Besides working behind his computer, he enjoys playing the drums in his band, the Awkward Silence, kite surfing and scuba diving.

Okura Hotel Amsterdam
Ferdinand Bolstraat 333, 1072 LH Amsterdam,
The Netherlands

1-Day Intensive Training Sessions – 21st of May / 0900 – 1800

SPECIAL OPS 1 – WIRELESS SECURITY KUNGF00
SPECIAL OPS 2 – THE ART OF EXPLOITING SQL INJECTION FLAWS
SPECIAL OPS 3 – MOBILE APPLICATION HACKING – ATTACK & DEFENSE

2-Day Hands-on Training Sessions – 22nd – 23rd of May / 0900 – 1800

TECH TRAINING 1 – HUNTING WEB ATTACKERS
TECH TRAINING 2 – ADVANCED LINUX EXPLOITATION METHODS
TECH TRAINING 3 – ADVANCED APPLICATION HACKING – ATTACKS, EXPLOITS & DEFENSE

3-Day Hands-on Training Sessions – 21st, 22nd & 23rd of May / 0900 – 1800

TECH TRAINING 4 – THE EXPLOIT LABORATORY: ADVANCED EDITION

QUAD TRACK CONFERENCE – 24th & 25th of May / 0900 – 1800

Featuring keynotes by BRUCE SCHNEIER and ANDY ELLIS



Copyright © 2012 Hack In The Box | http://www.hackinthebox.org
