Exploiting Hardware Vulnerabilities


Hardware vulnerabilities are generally caused by the exploitation of features that have been put into the hardware to differentiate it from the competition or to aid in the support and maintenance of the hardware. Some features that have been exploited include terminals with memory that can be reread by the computer, and downloadable configuration and password protection of all types of devices, including printers. It is the hacker's creative misuse of these features that can turn a feature into a vulnerability.

Smart Terminals

A smart terminal is a terminal that has some local processing capability that is generally used to off-load the processing from the host system.

Some terminals have memory and the ability to access that memory via escape sequences. A hacker may be able to send an escape sequence to the terminal that makes the terminal send him the information that is in the terminal's memory. It may also be possible to send a command string to the terminal and force the terminal to pass it to the program that is running on the terminal. The program has no way to tell that the command was not typed at the terminal. This can be extremely valuable to a hacker if root leaves a session unattended. If the hacker is desperate, he might try to do these "screen gymnastics" right in front of the root user while he is logged on. This feature can also be used to send letter bombs. A hacker can send e-mail that contains the escape sequences for the terminal; then, when the letter is read, the "commands" are run on the terminal. He may be able to reconfigure the terminal and possibly password protect the terminal's configuration.

First, you must educate the users on the importance of never leaving a terminal session unattended. A hacker can gain your privileges by accessing your unattended terminal, either physically or from the computer. Secondly, whenever anyone logs on, he or she should set messages off. Each user's start-up script should include the command

 mesg n # Turn off messages 

This command will keep other users from sending data to your terminal.

The log-off process should clear all of the terminal's memory, not just the visible screen memory, so that this type of program will not get any useful information.

Graphics Display Systems

An X terminal is a graphics terminal that runs the X protocol. Originally, all the X programs ran on another computer system; now many of the standard X clients are available to run on the X terminal itself. As X terminals continue to become more powerful, with X clients running locally and with attached peripherals, they become a more inviting target of subversion.

Many of the X terminals that allow local clients will allow you to execute the clients via a remote shell or other protocol and route the output to any X terminal. So a hacker can run terminal software on another person's X terminal. He may also be able to get remote access to the peripherals that are attached to another X terminal. These may include floppies, CD-ROMs, or scanners. If the remote access is not properly restricted, this opens a security issue.

System Start-up

Every time a computer system is started, whether it is a server system or a workstation, the boot ROM has to search for a device from which to boot the system. This boot ROM is also programmed so that a system manager or support engineer can interrupt the standard boot sequence and alter the boot path. This may be required due to hardware failure or a change in configuration. It may be as simple as inserting a support disk or tape so the system will boot from it, or the boot ROM may provide an interactive interface so that the system support personnel can enter the information directly into the boot ROM. In either case, if physical access to a system is permitted, the standard boot process can be interrupted with an alternate boot.

Any system can be compromised if physical access is allowed. Even those vendors who advertise a secure boot process must have a way to override this in the case that the secure option is set and there is no useful boot device available. Physical security is a must.

Hackers may be able to override the boot process by introducing a removable disk or tape into the system and rebooting the system. Most boot ROMs have the ability to disable booting from removable media. This feature should be enabled. Boot ROM passwords should be set to prevent the system's boot parameters from being changed. Boot ROM passwords must be strong passwords, since there are password cracking tools for boot ROM passwords.

On PA-RISC systems, the ability to interrupt the boot ROM can be disabled by setting security on at the ISL prompt of the boot ROM. The following ISL command disables the ability to interrupt the boot process:

 Secure ON 

Even with these precautions, a system can be compromised if physical access is allowed. Disconnecting all drives from the system will make it fail the boot process and return it to the ISL prompt.

The Linux Loader (LILO) is the primary mechanism for booting Linux. This loader can be password protected by editing /etc/lilo.conf and adding the following lines after the "prompt" line:

 password = lilo-password 
 restricted 

where lilo-password is the password in clear text. Since the password is in clear text in this file, the permissions should be 600 for this file. To make this change take effect, execute the command:

 /sbin/lilo 
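The following audit script is an added example, not part of the book, that checks a lilo.conf for the three points just described: a password line, the restricted keyword, and mode 600 on the file. The check_lilo_conf function and the two sample configuration files it runs against are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical audit helper (not from the book): verify that a lilo.conf
# carries the hardening described above. Prints one line per check and
# returns 0 only when every check passes.
check_lilo_conf() {
    conf="$1"
    rc=0
    # 1. A global "password = ..." line must be present.
    if grep -q '^[[:space:]]*password[[:space:]]*=' "$conf"; then
        echo "ok   $conf: password line present"
    else
        echo "FAIL $conf: no password line"
        rc=1
    fi
    # 2. "restricted" limits the prompt to boots that pass extra options.
    if grep -q '^[[:space:]]*restricted[[:space:]]*$' "$conf"; then
        echo "ok   $conf: restricted present"
    else
        echo "FAIL $conf: restricted missing"
        rc=1
    fi
    # 3. The password is clear text, so the file must be mode 600
    #    (GNU stat first, BSD stat as a fallback).
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    if [ "$mode" = "600" ]; then
        echo "ok   $conf: mode 600"
    else
        echo "FAIL $conf: mode is $mode, expected 600"
        rc=1
    fi
    return $rc
}

# Constructed sample files (not real system configuration) for a demonstration.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
printf 'boot=/dev/hda\nprompt\npassword = example-only\nrestricted\nimage=/boot/vmlinuz\n\tlabel=linux\n' > "$GOOD_CONF"
printf 'boot=/dev/hda\nprompt\nimage=/boot/vmlinuz\n\tlabel=linux\n' > "$BAD_CONF"
chmod 600 "$GOOD_CONF"
chmod 644 "$BAD_CONF"

check_lilo_conf "$GOOD_CONF"                                   # all three checks pass
check_lilo_conf "$BAD_CONF" || echo "audit failed, as expected"  # no password, no restricted, mode 644
```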

Red Hat 7.2 has introduced a new boot loader, GNU GRUB (the GRand Unified Bootloader). It requests a password during install. The GRUB configuration information is located in /boot/grub/grub.conf.

Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210