xboxscene.org forums

Author Topic: Scary Thought From A Hackaday

atomheartmother

Scary Thought From A Hackaday
« on: November 11, 2005, 12:52:00 PM »

I wasn’t able to see David Maynor’s “You are the Trojan” (pdf) talk at Toorcon, but it’s a really interesting subject. With such a large emphasis being placed on tightening perimeter security with firewalls and IDS systems how do attacks keep getting through? The user: bringing laptops on site, connecting home systems through a VPN, or just sacrificing security for speed.

Peripherals can also be a major threat. USB and other computer components use Direct Memory Access (DMA) to bypass the processor. This allows for high performance data transfers. The CPU is completely oblivious to the DMA activity. There is a lot of trust involved in this situation. Here’s how this could be exploited: Like a diligent individual you’ve locked your Windows session. Someone walks in with their hacked USB key and plugs it into your computer. The USB key uses its DMA to kill the process locking your session. Voila! Your terminal is now wide open and all they had to do was plug in their USB key, PSP, iPod… With the XBox 360’s eagerness to work with your iPod, I’m guessing it is probably just as vulnerable to this attack as anything else.

Has anyone done this? Maximillian Dornseif presented 0wn3d by an iPod at CanSecWest. The firewire protocol allows direct memory access and doesn’t require a host, which makes this attack even easier. He’s got presentation materials and code for iPod Linux on his site. There are legitimate uses. If you were doing forensics you could copy the live memory contents of the machine with minimal effects.
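As an added defender-side example (not code from the thread or from Dornseif's materials): a small POSIX shell check that classifies a Linux host's exposure to the hot-plug FireWire DMA scenario described above, by asking whether a FireWire host-controller driver is loaded and whether the kernel reports an active IOMMU to restrict device DMA. It assumes the kernel-log and module-list formats of `dmesg` and `lsmod`, and the sample inputs below are constructed.

```shell
#!/bin/sh
# Added example: assess whether hot-plugged FireWire devices could DMA into
# arbitrary memory on a Linux host. Inputs are passed as text so the same
# functions run on a live box (dmesg, lsmod) or on constructed samples.

# iommu_active LOG -> success if the kernel log reports an IOMMU enabled.
# The message patterns are assumed from Intel (DMAR) and AMD (AMD-Vi) drivers.
iommu_active() {
    printf '%s\n' "$1" | grep -Eq 'DMAR: IOMMU enabled|AMD-Vi: .*IOMMU'
}

# firewire_loaded MODLIST -> success if a FireWire host-controller or
# SBP-2 storage driver (old or new module names) is loaded.
firewire_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(firewire_ohci|ohci1394|sbp2)[[:space:]]'
}

# dma_exposure LOG MODLIST -> prints one of: no-firewire | protected | exposed
dma_exposure() {
    if ! firewire_loaded "$2"; then
        echo no-firewire           # no FireWire controller driver present
    elif iommu_active "$1"; then
        echo protected             # IOMMU can fence device DMA
    else
        echo exposed               # FireWire present, no IOMMU reported
    fi
}

# Constructed sample input (not captured from a real machine).
SAMPLE_LOG='[    0.052417] DMAR: IOMMU enabled
[    0.312000] firewire_ohci 0000:03:00.0: added OHCI v1.10 device'
SAMPLE_MODS='Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          69632  1 firewire_ohci'

main() {
    if [ "$1" = "--live" ]; then
        dma_exposure "$(dmesg 2>/dev/null)" "$(lsmod)"
    else
        dma_exposure "$SAMPLE_LOG" "$SAMPLE_MODS"
    fi
}

case "${0##*/}" in dma_exposure.sh) main "$@" ;; esac
```

Run it as `dma_exposure.sh --live` on a host to see the live verdict; without the flag it evaluates the constructed sample and prints `protected`.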

thax

Scary Thought From A Hackaday
« Reply #1 on: November 11, 2005, 03:49:00 PM »

QUOTE(atomheartmother @ Nov 11 2005, 08:59 PM)
The USB key uses its DMA to kill the process locking your session. Voila! your terminal is now wide open and all they had to do was plug in their USB key, PSP, iPod… With the XBox 360’s eagerness to work with your iPod, I’m guessing it is probably just vulnerable to this attack as anything else.

If the DMA is automatically established by the hardware, and the hardware gives full access to the entire scope of memory, then there is a bug or flaw in the hardware design. The hardware DMA channel should only give access to a buffer region in memory which can't execute on the x360.
The other vulnerability which is exploited in Windows is the support of autorun of code off the USB key; this is the example used as described above. Unfortunately this isn't using "the DMA" to kill the process, it is using software running off of the key. We all know that the x360 doesn't trust any of the storage media connected to it, so it would not execute any code off a USB key, let alone autorun it.

The odds of this exploit working with the x360 would be very low.