Exploiting Network Cards

Now this is a scary (and pretty cool) potential abuse of network card firmware and PCI bus architecture to bypass firewalls described by Arrigo Triulzi (quoted on Ben Laurie’s blog):

3) from 1 & 2 above, after about two years, I’ve reached my goal of writing a totally transparent firewall bypass engine for those firewalls which are PC-based: you simply overwrite the firmware in both NICs and then perform PCI-to-PCI transfers between the two cards for suitably formatted IP packets (modern NICs have IP “offload engines” in hardware and therefore can trigger on incoming and outgoing packets). The resulting “Jedi Packet Trick” (sorry, couldn’t resist) fools, amongst others, CheckPoint FW-1, Linux-based Strongwall, etc. This is of course obvious as none of them check PCI-to-PCI transfers,

Ben reckons it’s possible to do even more:

IMO: because of the nature of the PCI bus, you can use the same technique on any machine with a vulnerable NIC to read all of RAM.

Of course the attacker would need to compromise the card first, either by cracking the box or supplying malicious hardware.

Leave a Reply

Your email address will not be published. Required fields are marked *