Software Requirements

• Processor: Pentium class or equivalent processor
• RAM: 64MB RAM recommended
• Hard Disk: 14kb free hard disk space
• Supported Operating System: Windows 98/ME/NT/2000/2003/XP/Vista/Win7 *32bit only!

We are offering this for only Only $4.99!! All proceeds go to supporting this site!

]]> http://www.whatsmypass.com/getkey-3-0/feed 4 http://www.whatsmypass.com/apple-keyboard-firmware-hack-demonstrated http://www.whatsmypass.com/apple-keyboard-firmware-hack-demonstrated#comments Sun, 02 Aug 2009 15:59:17 +0000 Dev Team http://www.whatsmypass.com/?p=725 APPLE KEYBOARDS ARE vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now that the presentation and code is out there, the bad guys will surely be exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple, a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working ram. For the intelligent, this is more than enough space to have a field day.

The machine and keyboard in the demo

K. Chen demonstrated the hack to S|A at Defcon today and it worked quite well. You start out by running GDB, and set a breakpoint in Apple’s HIDFirmwareUpdaterTool. This tool is meant to update the firmware in human interface devices, hence the name. The tool is run, a breakpoint set, and then you simply cut and paste the new code into the firmware image in memory. That’s it.

The breakpoint, code and presentation

Nothing is encrypted, decrypted, and the process is simple. You then resume HIDFirmwareUpdaterTool, and in a few seconds, your keyboard is compromised. Formatting the OS won’t do you any good, the code is in keyboard flash. There are no batteries to pull, no nothing, the keyboard is simply compromised.

While you can re-flash a keyboard, that is fairly hard to do if you don’t have a keyboard. Apple internal keyboards are USB devices, as are the external ones, so the same hack works for them too. Think about that when you count the dwindling number of external USB ports on modern Macs.

The new firmware can do anything you want it to. K. Chen demo’d code that you put in a password, and when you hit return, it starts playing back the last five characters typed in, FIFO. It is a rudimentary keylogger, a proof of concept more than anything else. Since there is about 1K of flash free in the keyboard itself, you can log quite a few keystrokes totally transparently. If you want the code, it is on page 170 of the PDF presentation linked above.

This exploit is simple and does things by the rules. K. Chen is very careful not to do anything in an illegal way, and you have to do all the steps manually. It can’t easily be done remotely. That said, bad guys intent on stealing your data probably won’t have the same high moral standards, and it probably wouldn’t take much to exploit the same vulnerability remotely, silently, with code from a compromised web page.

Apple needs to patch this problem ASAP. It is completely remotely exploitable, and almost impossible to remove, especially if you don’t know it is there. This huge hole that Apple has in it’s hardware turns any remote exploit, Apple is full of them, into a huge security problem.

We would have called Apple to let them know about this, but the last few times we did, they would not so much as return our phone calls. Until Apple releases a way to detect the validity of keyboard firmware and patches this huge hole in their system, anyone using Apple hardware, regardless of the OS running, is vulnerable. Don’t believe them when they try to spin this as minor, owning a keyboard gives you ownership of a system.

VIA:semiaccurate.com

Trillian Password Recovery Software easily recovers and exposes all lost or forgotten AIM saved passwords. Easily retrieves password information instantly regardless of the password length and complexity with full support to all Trillian versions. Trillian Recover is written in pure assembly language.

More information on how the password is stored ::here::

Software Requirements

• Processor: Pentium class or equivalent processor
• RAM: 64MB RAM recommended
• Hard Disk: 5kb free hard disk space
• Supported Operating System: Windows 98/ ME/ NT/ 2000/ 2003/ XP/ Vista /Win7

Trial and registration

Evaluation version is available for FREE download. This unregistered (demo) software recovers only the first 3 characters in password (rest is shown as ‘*’).

Download Trillian Recover Demo

196 downloads

In order to display full Password you should register for licensed Software.
Only $4.99!! All proceeds go to supporting this site!

AOL Instant Messenger Password Recovery Software easily recovers and exposes all lost or forgotten AIM saved passwords. Easily retrieves password information instantly regardless of the password length and complexity with full support to all AIM 6.x versions. AIM Recover is written in pure assembly language.

AIM 6.x (6.5 & beta 6.8) uses 2 algorithms to encrypt your AIM password. First the Blowfish algorithm is used to encrypt the AIM password using a 448 bit keyword.
The encrypted string is then encoded using base64 and stored in the registry at:
\\HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords

Software Requirements

• Processor: Pentium class or equivalent processor
• RAM: 64MB RAM recommended
• Hard Disk: 15kb free hard disk space
• Supported Operating System: Windows 98/ ME/ NT/ 2000/ 2003/ XP/ Vista /Win7

Trial and registration

Evaluation version is available for FREE download. This unregistered (demo) software recovers only the first 3 characters in password (rest is shown as ‘*’).

Download Aim Recover Demo

258 downloads

In order to display full Password you should register for licensed Software.
Only $4.99!! All proceeds go to supporting this site!

The password checking routine of DriveCrypt fails to sanitize the BIOS keyboard buffer before AND after reading passwords.

Affected Software

Secu Star’s DriveCrypt Plus Pack v3.9 (possibly other versions also)

Technical Description

DriveCrypt’s pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0×40:0×1e. It is also possible for a root user to reboot the computer by instrumenting the BIOS keyboard buffer in spite of the full disk encryption.

Impact

1) Plain text password disclosure. Required privileges to perform this operation are OS dependant, from unprivileged users under Windows (any), to root under most Unix. 2) A privileged attacker able to write to the MBR and knowing the password (for instance thanks to 1), is able to reboot the computer in spite of the password prompted at boot time (and in spite of disk encryption) by initializing the BIOS keybaord buffer with the correct password (using an intermediary bootloader that will in turn run DriveCrypt).

Full Technical Whitepaper

http://www.ivizsecurity.com/security-advisory-iviz-sr-0807.html

Immune Systems:
* SafeBoot Device Encryption version 4 Build 4760 and above
* SafeBoot Device Encryption version 5.x

SafeBoot’s pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0×40:0×1e.
http://www.ivizsecurity.com/security-advisory-iviz-sr-08010.html