Ben Laurie blathering

Exploiting Network Cards

A friend of mine, Arrigo Triulzi (no web page that he wants to admit to), has just posted this fantastically scary missive to the Robust Open Source mailing list (no public archive, so I will quote it in its entirety):

I’ve been working on firmware for the past two and a bit years, in particular in the field of firmware viruses.

Without needlessly boring everyone with the various steps, allow me to share an interesting observation: drivers often assume the hardware is misbehaved but never malicious. It is fascinating to discover what can be done by making the hardware malicious.

Summarising briefly my work, as yet unpublished except the obligatory notices to the affected vendors (in what follows please read NIC as strictly wired, no wireless cards):

1) there are remarkably naive “protection” methods to prevent malicious users from overwriting NIC firmware with something of their choice,

2) as an extension to 1) above it is amazing to discover how simply firmware can be updated over the wire on specific NICs,

3) from 1 & 2 above, after about two years, I’ve reached my goal of writing a totally transparent firewall bypass engine for those firewalls which are PC-based: you simply overwrite the firmware in both NICs and then perform PCI-to-PCI transfers between the two cards for suitably formatted IP packets (modern NICs have IP “offload engines” in hardware and therefore can trigger on incoming and outgoing packets). The resulting “Jedi Packet Trick” (sorry, couldn’t resist) fools, amongst others, CheckPoint FW-1, Linux-based Strongwall, etc. This is of course obvious as none of them check PCI-to-PCI transfers,

4) I have extended the technique to provide VM escape support: one writes packets from a bridged guest into the network which initiates the NIC firmware update, updates the firmware and then the NIC firmware is used to inject code into the underlying VM host. The requirement to write to the network is then dropped as all that is required is the pivoting in the NIC firmware.

This scares the crap out of me, just as it stands. But he’s missed a trick, IMO: because of the nature of the PCI bus, you can use the same technique on any machine with a vulnerable NIC to read all of RAM. You might even be able to read disk, too, depending on the disk controller.

Oh boy, this is going to be a can of worms once exploits start appearing (if they haven’t already, that is).


  1. These have existed for a while. I’ve seen one example use this to establish a zero-footprint rootkit i.e. one which leaves no trace on disk.

    Comment by Charles Darke — 15 May 2008 @ 17:14

  2. A list of tested NICs would be great.
    And is there any protection for this kind of attack except changing to a better NIC?

    Comment by Aurimas — 15 May 2008 @ 20:10

  3. “it is amazing to discover how simply firmware can be updated over the wire on specific NICs”

    Does this mean you can remotely update the firmware of a NIC? That alone is pretty scary, considering that most PCs lack an IOMMU and are thus pretty much vulnerable to any bad hardware that uses DMA…

    Comment by tsuraan — 15 May 2008 @ 20:22

  4. [...] I am curious about the details of this matter. An interesting idea for remotely modifying the firmware on a network card, and using it [...]

    Pingback by Śmierć przyjdzie przez kabel « Ice tea junkie — 15 May 2008 @ 21:38

  5. I believe Charles is referring to John Heasman’s work on PCI and ACPI: absolutely true, that exists already, not to mention work on in-memory rootkits for SCADA systems which I am not certain has been openly published although I am definitely aware of it. To be perfectly honest I think the real issue is that eventually the whole debate on trusting hardware will have to be opened again and this will have to include tainted terms such as “trusted computing”. Will we be able to disassociate DRM from security this time?

    Regarding a list of tested NICs, as I work alone and in my own spare time I can hardly have tested many. It will have to suffice to say that the cheaper the worse (no surprise there?).

    With respect to IOMMU: yes, that is a good fix assuming it is appropriately programmed so this window will slowly close.

    Comment by arrigo — 16 May 2008 @ 5:12

  6. [...] Ben Laurie: Bypass the firewall by bypassing everything but the PCI bus. This entry was written by Rich and posted on May 16, 2008 at 2:16 pm and filed under computers, [...]

    Pingback by rich text » Exploiting NIC firmware — 16 May 2008 @ 19:17

  7. I wasn’t aware of Heasman’s work – I’ve actually not been actively involved in security since around 2001, but still keep in touch with former colleagues and try to keep abreast of developments. I became aware of over the wire NIC exploits at least 2-3 years ago. As you probably know, a lot of interesting stuff never makes it into the public domain.

    Comment by Charles Darke — 16 May 2008 @ 21:59

  8. [...] Links » Exploiting Network Cards Interesting thoughts on exploiting network cards. This is something I’m bookmarking to take a closer look at later. [...]

    Pingback by McGrew Security Blog » Blog Archive » links for 2008-05-16 — 16 May 2008 @ 23:32

  9. Curious… what is the Robust Open Source list?

    Comment by James Morris — 21 May 2008 @ 15:03

  10. I thought this more general paper on malicious hardware was interesting:

    Comment by Pádraig Brady — 27 May 2008 @ 12:54

  11. Could you elaborate on the procedure for flashing firmware on a NIC card remotely? The only stuff I can find on Google so far seems to imply that you’re netbooting and upgrading the firmware through the netbooted OS. This seems like an obvious and trivial hole but is well known and easy to stop (via BIOS config or a layer 3 hop between the NIC and the untrusted domain).

    I hunger for more information about this, particularly as it pertains to PC firewalls and routers.

    Comment by Deez — 27 May 2008 @ 22:31

  12. [...] this is a scary (and pretty cool) potential abuse of network card firmware and PCI bus architecture to bypass firewalls described by Arrigo Triulzi (quoted on Ben Laurie’s blog): 3) from 1 & 2 above, after [...]

    Pingback by The Musings of Chris Samuel » Blog Archive » Exploiting Network Cards — 1 Jun 2008 @ 3:07
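
An added example, not part of the original post or its comments: a Linux check for the IOMMU mitigation raised in comments 3 and 5. For each PCI network controller it reports whether the card sits in an IOMMU group and, where the kernel exposes the group's `type` attribute, whether that group uses identity (passthrough) mapping, which does not confine the card's DMA. The function names are this example's own, and the sample tree with its PCI addresses is constructed.

```python
import os
import tempfile

PCI_CLASS_NETWORK = 0x02  # PCI base class code for network controllers

def audit_nic_iommu(sysfs_root="/sys"):
    """Map each network-class PCI device to 'no-iommu', 'unknown', or the
    IOMMU group's default domain type ('DMA', 'DMA-FQ', 'identity', ...)."""
    results = {}
    dev_dir = os.path.join(sysfs_root, "bus", "pci", "devices")
    for addr in sorted(os.listdir(dev_dir)):
        dev = os.path.join(dev_dir, addr)
        with open(os.path.join(dev, "class")) as f:
            if int(f.read().strip(), 16) >> 16 != PCI_CLASS_NETWORK:
                continue
        group = os.path.join(dev, "iommu_group")  # a symlink on a real host
        if not os.path.isdir(group):
            results[addr] = "no-iommu"  # DMA from this card is unrestricted
            continue
        try:
            with open(os.path.join(group, "type")) as f:
                results[addr] = f.read().strip()
        except FileNotFoundError:
            results[addr] = "unknown"  # older kernel: no 'type' attribute
    return results

def exposed(results):
    """Devices whose DMA is not confined: no IOMMU, or identity mapping."""
    return [a for a, s in results.items() if s in ("no-iommu", "identity")]

def build_sample_tree(root):
    """Constructed sysfs-like tree for offline runs (not real host data)."""
    samples = {
        "0000:00:1f.2": ("0x010601", None),        # SATA controller, skipped
        "0000:02:00.0": ("0x020000", None),        # NIC outside any group
        "0000:03:00.0": ("0x020000", "identity"),  # NIC in passthrough mode
        "0000:04:00.0": ("0x020000", "DMA"),       # NIC with translated DMA
    }
    for addr, (pci_class, domain) in samples.items():
        dev = os.path.join(root, "bus", "pci", "devices", addr)
        os.makedirs(dev)
        with open(os.path.join(dev, "class"), "w") as f:
            f.write(pci_class + "\n")
        if domain is not None:
            os.makedirs(os.path.join(dev, "iommu_group"))
            with open(os.path.join(dev, "iommu_group", "type"), "w") as f:
                f.write(domain + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_nic_iommu(tmp), exposed(audit_nic_iommu(tmp)))
```

Called with no argument, `audit_nic_iommu()` reads the live `/sys` tree instead of the sample.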
