March 14th, 2008, 10:07 PM
#15
That will only really work with Windows 9x boxes (and maybe Me, but don't quote me on that). The old Windows boxes used to store the password in a .pwl file, which could be copied just like any other file on the system from a bootable floppy; obviously NT now uses the SAM and SYSKEY instead.
(Still worth keeping though; I quite often run into 98 boxes in the corner of offices etc.)
I notice that you say "locked machine". That makes me curious as to what point this vulnerability occurs at. For example if I have a system that:
1. Is powered down.
2. Has a BIOS password.
3. Has a hard drive password.
4. Has an operating system/user ID & password.
5. Has a totally encrypted hard drive.
Would this attack still work?
1) If the system is powered down, guess what... Windows is not even loaded... so, ermm, I'd go out on a limb and say that no, it won't work.
2) Why would a BIOS password prevent accessing memory via FireWire's DMA usage?
3) Why would a hard drive password prevent accessing memory via FireWire's DMA usage?
4) Don't understand what you mean.
5) Why would an encrypted hard drive prevent accessing memory via FireWire's DMA usage?
As most have said, the FireWire 'hack' has been around for a while; it is not a typical vulnerability in the strictest sense of the word, as it is making use of the way 1394 works, i.e. DMA.
It is not as difficult to do as it initially appears either: all you need is a laptop, a Python script and a few libraries, and a FireWire cable, and obviously a laptop/PC that is POWERED ON and locked.
I've recently come across security consultants advising that disabling the FireWire port on a laptop prevents this attack and ensures you are safe... this is not true. Windows will install new hardware even if the screen is locked, so, as I demonstrated to a customer last week, all you need is a PCMCIA FireWire card: plug it in and Windows will very kindly install it for you. Then hook your laptop up, plug the FireWire cable in and run the Python script(s), enter any user name and password you desire, and voilà, you're now logged in.
Just to be clear though, this is not 100% a Microsoft fault: FireWire is an IEEE standard and has been for some time, and DMA has been around for as long as I can remember.
MS's responsibility lies in the RtlCompareMemory() function in MSV1_0.dll constantly being available in memory. If you couple this with the fact that FireWire has DMA (Direct Memory Access), then you can change certain files that are running in memory, i.e. in this case it is possible to patch the DLL binary loaded in memory and then log on to the system with any user name and password. (Currently, in my office it's not safe to simply lock your laptop and go make a coffee anymore; you have to either take it with you or turn it off completely.)
This is just the tip of the iceberg though, as technically it is possible to do anything you want when you have direct access to the memory: install malware, rootkits, etc. etc. etc.
Last edited by Nokia; March 19th, 2008 at 12:20 PM.
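The post above points out that disabling the FireWire port is not enough, because Windows installs a hot-plugged PCMCIA controller even while the desktop is locked. The defender-side control that closes that particular gap is to refuse to install the controller class at all. The PowerShell script below is an added example, not code from the post or from the forum. It uses the Windows device installation restriction policy (the registry keys behind the Group Policy setting "Prevent installation of devices using drivers that match these device setup classes") to deny the IEEE 1394 host controller setup class, disables any 1394 controller that is already present, and reports the resulting state. It assumes an elevated session on Windows 8 / Server 2012 or later (for the PnpDevice cmdlets) and that the class GUID shown is the 1394 host controller setup class; it is a mitigation for this one hot-plug path, not a substitute for powering the machine off as the post recommends.

```powershell
# Added example (not from the forum post): reduce exposure to 1394/FireWire DMA by
# (1) denying installation of any IEEE 1394 host controller, including one that is
# hot-plugged later, and (2) disabling controllers that are already installed.
# Requires an elevated PowerShell on Windows 8 / Server 2012 or later.
# Assumption: the GUID below is the device setup class for IEEE 1394 host controllers.

$Ieee1394ClassGuid = '{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}'
$PolicyKey         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DenyClassesKey    = Join-Path $PolicyKey 'DenyDeviceClasses'

function Set-Ieee1394InstallDeny {
    # Same effect as the Group Policy "Prevent installation of devices using drivers
    # that match these device setup classes" with the 1394 class listed.
    New-Item -Path $DenyClassesKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'DenyDeviceClasses' -Type DWord -Value 1
    # Also apply the restriction to devices installed before the policy existed.
    Set-ItemProperty -Path $PolicyKey -Name 'DenyDeviceClassesRetroactive' -Type DWord -Value 1

    # Class entries are numbered string values ("1", "2", ...); add ours if missing.
    $existing = (Get-ItemProperty -Path $DenyClassesKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' }
    if (-not ($existing | Where-Object { $_.Value -eq $Ieee1394ClassGuid })) {
        $max  = [int](($existing | ForEach-Object { [int]$_.Name } |
                       Measure-Object -Maximum).Maximum)
        $next = [string]($max + 1)
        Set-ItemProperty -Path $DenyClassesKey -Name $next -Type String -Value $Ieee1394ClassGuid
    }
}

function Disable-PresentIeee1394Controllers {
    # Disable every 1394 host controller that is currently installed and enabled.
    Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'OK' } |
        ForEach-Object {
            Write-Output "Disabling $($_.FriendlyName) [$($_.InstanceId)]"
            Disable-PnpDevice -InstanceId $_.InstanceId -Confirm:$false
        }
}

function Get-Ieee1394Exposure {
    # Report how many 1394 controllers are present and whether the deny policy is set.
    $policy = Get-ItemProperty -Path $PolicyKey -Name 'DenyDeviceClasses' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ControllersPresent = @(Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue).Count
        DenyPolicySet      = ($policy.DenyDeviceClasses -eq 1)
    }
}

Set-Ieee1394InstallDeny
Disable-PresentIeee1394Controllers
Get-Ieee1394Exposure
```

Run it once as Administrator; Get-Ieee1394Exposure can be called again after a reboot or after a card has been inserted to confirm that the controller count stays at zero and the policy is still in place. The retroactive flag matters for the scenario in the post: without it, a controller that was installed before the policy was set would keep working, which is why the script also disables anything already present.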