Two hackers, Loic Duflot and Yves-Alexis Perez, have just presented how they exploited a buffer overflow vulnerability in a particular NIC at Hack.lu 2010, this year's annual conference for hackers in Luxembourg. Here's the summary of their presentation from the hack.lu web site:
Closer to metal: reverse-engineering the Broadcom NetExtreme's firmware
French researchers Loic Duflot and Yves-Alexis Perez discovered a major security flaw in the firmware of Broadcom network cards. The vulnerability is a buffer overflow leading to remote code execution on the device, which can then lead to OS corruption through DMA accesses. This raises the following question: how much can you trust your hardware when you don't even know how it operates behind your back, nor what the firmware code is actually doing? Given the lack of will from manufacturers to give details about their device internals, the best thing we can do is to retrieve this information by ourselves using reverse engineering techniques. Fortunately, Broadcom released part of their Ethernet card specifications. Nevertheless some details are still obscure, and firmware source code is not available… This presentation will focus on the reverse engineering case study of the Broadcom Ethernet NetExtreme family firmware. Firstly, I detail a simplified view of the device architecture needed for further understanding: the embedded MIPS CPU, registers, internal memory layout, and the firmware bootstrap sequence. Developing our own Linux kernel module then allows us to quickly communicate with the device through PCI transactions, and offers read/write primitives on the device memory to userland processes. On top of that are built two home-made firmware debuggers:
– InVitroDbg, a Qemu-based firmware emulator, dynamically interacting with device internal memory.
– InVivoDbg, a complete MIPS code debugger, making use of dedicated device debug registers.
InVivoDbg is strongly integrated with Metasm, the assembly manipulation suite, and has been extended to perform advanced code analysis: tracing the execution flow, call-graph visualization, playing and recording of memory accesses, and so forth. The firmware code can be executed and debugged in real-time in the Metasm IDA-like graphical interface.
Using this robust instrumentation toolset, we were able to easily observe the firmware's behavior in its natural environment.
There's more information about this work available here, and the full presentation from Hack.lu 2010 is available here. Compromising a NIC gives an attacker capabilities that are much harder to detect than typical attacks on an OS or its applications. Maybe we'll be seeing more attacks like this in the future.