Hardware hack grants remote persistent password bypassing


Modified disks can throw errors to prevent wholesale data copying.

Attackers could gain persistent access to machines by hacking hard disk controllers, a researcher has found.


The technical attack, to be presented at the Breakpoint conference in Melbourne tomorrow, focused on "mysterious" hard disk controllers, which hardware hacker Jeroen Domburg (@SpritesMods) reverse-engineered in order to alter the firmware that ran on their processors.

In a demonstration on a previously compromised web server at the OMH2013 conference in the US, Domburg was able to remotely set an authentication password and flush a cached shadow file.

"A hypothetical attacker could own a box by using an exploit to gain root access on it, then reading the firmware from the hard disk, modifying it and writing it back again," Domburg said. 

If the victim then reinstalled a clean operating system and patched any vulnerabilities, they could still be compromised from the hardware.

"The attacker has just modified the hard disk firmware and the hardware is looking for a specific magic string [which] when written to the hard disk enables a bit of code," he said.

"If [the target] is a web server, [an attacker] can request a URL with the trigger string in it which eventually ends up in the webserver's log files and is then written to the hard disk ... it will then activate the bit of code and every time it sees etc/shadow (which keeps tabs on user passwords) the hardware will modify it to something the attacker has set earlier."

The machine, Domburg said, was then "completely reowned".

But disks with such modified firmware could also be used for harmless purposes, including creating storage that cannot be copied in a linear fashion -- which would grant access to an operating system but not to users attempting to harvest files -- or serving as a universal SATA client.

Domburg runs hardware hacking site Spritesmods. Last year he produced a pocket-sized arcade machine that ran the MAME gaming platform.


Copyright © SC Magazine, Australia
