Automated OS X Macintosh password retrieval via FireWire

I’ve successfully created a Python script which can extract the username and login password from a Mac running OS X Tiger (going to test with Leopard asap) via FireWire using a Linux laptop, based on the great paper Hit By A Bus: Physical Access Attacks with Firewire by Adam Boileau. Once the attacker's Linux laptop is connected to the target machine via FireWire, the password can be automatically extracted from memory in about 10 seconds.

This hack exploits the fact that OS X keeps the username and password in memory, even after a MacBook is resumed from hibernation. Using this technique a cracker can open the screen of a suspended MacBook, wait until the unlock screen is displayed, plug the Linux laptop used for the attack into the FireWire bus and run the password download script, which extracts the password in under ten seconds.

The username and password are located in a memory page which can be identified by multiple static byte sequences. One of these sequences is the string dsAttrTypeStandard:UserShell, which is located 1448 bytes from the start of the memory page. The attacker can simply iterate over every memory page and check whether this string exists 1448 bytes from the start of the page being examined. Once this memory page has been identified and downloaded, the script searches for the string username inside this page. The actual username is a null-terminated string which starts at starting_offset_of_username_string + 12 bytes. The password can be found by searching for the string password and retrieving the actual password at starting_offset_of_password_string + 12 bytes.
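An added example (not the author's script): a defender-side audit of a memory image that has already been captured to a file. It applies the page signature described above and reports only where the fields sit and how long the values are, never the values themselves. The 4096-byte page size, the function names and the sample image are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterator, Optional

PAGE_SIZE = 4096                         # assumption: 4 KiB memory pages
MARKER = b"dsAttrTypeStandard:UserShell"
MARKER_OFFSET = 1448                     # marker position stated in the text
VALUE_SKIP = 12                          # value starts 12 bytes after the label start


@dataclass
class Finding:
    page_offset: int                     # byte offset of the page in the image
    username_len: Optional[int]          # None when the label is absent
    password_len: Optional[int]


def _value_len(page: bytes, label: bytes) -> Optional[int]:
    """Length of the NUL-terminated value that follows `label`, redacted."""
    pos = page.find(label)
    if pos < 0 or pos + VALUE_SKIP >= len(page):
        return None
    start = pos + VALUE_SKIP
    end = page.find(b"\x00", start)
    return (len(page) if end < 0 else end) - start


def scan_image(image: bytes) -> Iterator[Finding]:
    """Yield one Finding per page carrying the marker at the fixed offset."""
    for off in range(0, len(image) - PAGE_SIZE + 1, PAGE_SIZE):
        page = image[off:off + PAGE_SIZE]
        if page[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] != MARKER:
            continue
        yield Finding(off, _value_len(page, b"username"),
                      _value_len(page, b"password"))


def build_sample_image() -> bytes:
    """Constructed three-page image; only the middle page mimics the layout."""
    page = bytearray(PAGE_SIZE)
    page[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    page[200:208] = b"username"
    page[212:217] = b"alice"             # constructed value at label + 12
    page[300:308] = b"password"
    page[312:324] = b"not-a-secret"      # constructed value at label + 12
    decoy = bytearray(PAGE_SIZE)
    decoy[100:100 + len(MARKER)] = MARKER  # marker at the wrong offset
    return bytes(PAGE_SIZE) + bytes(page) + bytes(decoy)


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        print(f"cleartext credential page at 0x{f.page_offset:x}: {f}")
```

A non-empty result on an image taken from a locked or resumed machine means the cleartext login credentials are still resident in RAM on that build.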

This attack is very dangerous because it allows the attacker to gain access to a Mac which has been put into hibernation or suspend-to-disk mode. As Maximillian Dornseif presented in his keynote 0wned by an iPod, the attacker can install Linux on a normal iPod and set up the programs needed to implement a FireWire memory attack. This means that the attacker just needs to carry an iPod with him, which is much less likely to attract the attention of security-aware personnel. Just wait for a good moment, insert an iPod from your pocket into the target Mac and log in within a few seconds with the password you just extracted from the target machine's memory.

EDIT: Some people have asked if similar attacks work on other operating systems. The answer is yes. I can also bypass a Windows XP SP2 login screen, just as an example. This was already proven by Adam Boileau last year (check out the link in the first paragraph).

WPG2 patch to display random images from a specified album

I recently installed WPG2 and Gallery2 on my blog to manage the photos and images which are related to my blog entries and generally to store the photos taken by me. I found WPG2 quite good, but it lacked a feature I missed: displaying random images from an album which is related to a specified blog entry. What I mean is that I take a bunch of photos, import them into my Gallery2 installation and then write a blog entry about them. This patch allows adding a “related-gallery” custom field to the blog article, which the Sidebar Grid Block then picks up to display random images from that album.

Usage instructions:

  1. Install WPG2 (I’m using 3.0.2)
  2. Apply the patch: WPG2 patch against WPG to add support for Related Gallery to Sidebar Grid Block
  3. Add the Sidebar Grid Block to your layout from Presentation -> Widgets
  4. Configure the Sidebar Grid Block from WPG2 -> Sidebar Grid Block
  5. Upload some photos to your Gallery2 installation
  6. Obtain the album id where you uploaded your images. The album id can be found in the URL of the album. This is an example from my album: “”. In this URL the album id is 37. Obtain this numeric id.
  7. Write a blog entry and add a custom field at the bottom: the key is related-gallery and the value is the id you just obtained in step 6.
  8. All done, go and see the results.

Known problems and limitations:

  • Currently you need to obtain the album id manually by looking at the Gallery2 URLs. This could be made easier by some kind of wizard.
  • You need to use the Custom Fields feature.

I’ve asked Ozgreg, the founder/programmer of the WPG2 project, if he could add my patch to the main trunk of WPG2. Let’s hear if he likes this :)