While Black Hat and Defcon have both concluded, we’re going to post a few more talks that we think deserve attention. [Sherri Sparks] and [Shawn Embleton] from Clear Hat presented Deeper Door, exploiting the NIC chipset. Windows machines use NDIS, the Network Driver Interface Specification, to communicate between the OS and the actual NIC. NDIS is an API that lets programmers talk to network hardware in a general fashion. Most firewalls and intrusion detection systems monitor packets at the NDIS level. The team took a novel approach to bypassing host security by hooking the network card directly, below the NDIS level.
The team targeted the Intel 8255x chipset because of its open documentation and the availability of compatible cards like the Intel PRO/100B. They found that sending data was very easy: write a UDP packet to a specific memory address, check to make sure the card is idle, and then tell it to send. The receive side was slightly more difficult, because you have to intercept all inbound traffic and filter the replies you want out of the legitimate packets. Even though they were writing low-level, chipset-specific code, they said it was much easier to implement than writing an NDIS driver. While certainly a clever way to implement a covert channel, it will only bypass an IDS or firewall on the same host, not one on the network.
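The closing point, that a below-NDIS channel only evades monitoring on the same host, suggests the defender's check: compare what the host's NDIS-level logging reports with what a network tap sees for that host. The following is an added example written for this post; it is not code from the Deeper Door talk or from the Hackaday write-up. The log format, the `Flow`, `parse_line` and `find_unreported` names, the addresses and every log line are constructed for the illustration.

```python
"""
Added example (not part of the original post or the Deeper Door talk).

Cross-check a host's NDIS-level packet log against a network-tap capture of
the same host. Packets the wire shows but the host's NDIS layer never
reported indicate something talking to the NIC below NDIS, which is exactly
the traffic a host-only firewall or IDS misses. All log lines, addresses and
the line format are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a conversation, as seen in a packet log."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_line(line: str):
    """Parse one constructed log line of the form
       "<ts> <PROTO> <src>:<sport> > <dst>:<dport> len=<bytes>"
    and return (timestamp, Flow, length)."""
    ts, proto, src_ep, _arrow, dst_ep, length_field = line.split()
    src, sport = src_ep.rsplit(":", 1)
    dst, dport = dst_ep.rsplit(":", 1)
    length = int(length_field.split("=", 1)[1])
    return float(ts), Flow(src, int(sport), dst, int(dport), proto.upper()), length


def flow_counts(log_text: str, host_ip: str) -> Counter:
    """Count packets per flow, keeping only flows that involve host_ip."""
    counts = Counter()
    for raw in log_text.strip().splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        _ts, flow, _length = parse_line(raw)
        if host_ip in (flow.src, flow.dst):
            counts[flow] += 1
    return counts


def find_unreported(host_log: str, wire_log: str, host_ip: str):
    """Flows the tap saw more often than the host's NDIS layer reported.
    Returns a list of (flow, wire_count, host_count), largest gap first."""
    host = flow_counts(host_log, host_ip)
    wire = flow_counts(wire_log, host_ip)
    gaps = [(flow, wire[flow], host.get(flow, 0))
            for flow in wire if wire[flow] > host.get(flow, 0)]
    gaps.sort(key=lambda g: g[1] - g[2], reverse=True)
    return gaps


def missing_packet_total(gaps) -> int:
    """Total number of packets seen on the wire but not at the NDIS layer."""
    return sum(w - h for _flow, w, h in gaps)


# Constructed sample: what the host's NDIS-level logger recorded for 10.0.0.5.
HOST_LOG = """
1.000 UDP 10.0.0.5:53412 > 10.0.0.1:53 len=61
1.010 UDP 10.0.0.1:53 > 10.0.0.5:53412 len=120
2.000 TCP 10.0.0.5:44120 > 10.0.0.20:80 len=74
"""

# Constructed sample: what a tap on the same segment recorded. The three
# extra UDP packets to/from 203.0.113.9 never appeared in the host's log.
WIRE_LOG = """
1.000 UDP 10.0.0.5:53412 > 10.0.0.1:53 len=61
1.010 UDP 10.0.0.1:53 > 10.0.0.5:53412 len=120
1.500 UDP 10.0.0.5:40000 > 203.0.113.9:4444 len=90
1.700 UDP 203.0.113.9:4444 > 10.0.0.5:40000 len=90
1.900 UDP 10.0.0.5:40000 > 203.0.113.9:4444 len=90
2.000 TCP 10.0.0.5:44120 > 10.0.0.20:80 len=74
"""

if __name__ == "__main__":
    gaps = find_unreported(HOST_LOG, WIRE_LOG, "10.0.0.5")
    for flow, seen_on_wire, seen_by_host in gaps:
        print(f"{flow.proto} {flow.src}:{flow.sport} > {flow.dst}:{flow.dport}: "
              f"wire={seen_on_wire} host={seen_by_host}")
    print("packets unaccounted for at NDIS layer:", missing_packet_total(gaps))
```

The comparison is deliberately count-based per flow rather than packet-by-packet, so ordinary capture jitter between the two vantage points does not produce false hits; a real deployment would feed it parsed pcap records instead of this constructed line format and would add a tolerance for packets the tap drops.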
[photo: Big Fat Rat]
… just another supporting reason for the physical security of your infrastructure!
Not a hack. If someone is soldering things to my network card….
Now if they could remotely rewrite the ROM (joke intended), that’s a hack!
This is not a hack. It’s just direct hardware access. You’re simply skirting the system. I’d also consider this obvious.
Tapping an Ethernet cable and injecting/sniffing data in transit is also not hacking; it’s just like anything else.
This is not a hack. Changing the MAC address on the fly is more practical.
Were they tapping hardware or writing drivers?
Where does it say they required physical access?
They are writing drivers, which are run on the PC… all this can be done remotely.
@Casey Banner: ^^
I just find it amusing that they said it was easier to code directly for the hardware than to use the API Microsoft probably spent hundreds of thousands of dollars to develop.
“Not a hack”?
This is one of the most important parts once you are post-root (meaning you have root by physical access or SSH etc.). Having a rootkit on a machine is insurance that you will not get noticed. It doesn’t matter how you get one on.