6

I have a few questions about DVD drives.

  1. Are DVD drives and SATA interfaces vulnerable to issues like BadUSB, caused by being able to reprogram the firmware of the drive or disc, or even spreading to other hardware such as the NIC, RAM, CPU or BIOS once infected?

  2. Do DVDs have any sector like an MBR or GPT that can be programmed to give commands or get access to the kernel or core file system, which could be exploited the instant the disc is loaded?

  3. Would a strong anti-virus/firewall protect against any hardware-based live attacks, such as BadUSB, or, if a disc is inserted, can the DVD drive be hacked?

  4. Would it be possible for a DVD/CD to have a TDSS-like stealth hidden file system? Do blank CDs/DVDs from reputable companies like Sony, Verbatim or Moser Baer have encrypted firmware?

forest
Aoi. T_015
    I consider this question as too broad. These are lots of questions packed into one: attacking the DVD drive, attacks possible using corrupted DVDs (not the drive), protections offered by AV products, the possibility of hiding files inside a DVD, vendor-specific questions ... – Steffen Ullrich Dec 10 '17 at 17:34

2 Answers

10

You have quite a few different questions in here. Let's try to answer them.

Are DVD drives & SATA infrastructure vulnerable like badusb

The SATA protocol is used exclusively for storage, not any other class like a keyboard.

"BadUSB" is a class of frankly overhyped attacks that involve a USB device acting as a Human Interface Device (HID) like a mouse or keyboard and interacting with the computer. This is possible because the USB protocol is designed to be, well, universal. It's up to the USB slave to provide its purpose to the host, called the class. As such, a flash drive will expose itself as a mass storage device, whereas a keyboard will expose itself as a HID. The problem stems from the fact that a flash drive, if reprogrammed or designed maliciously, can tell the host it is a HID and the host will happily accept keystrokes from it. This is not an issue with SATA because it is designed exclusively for data transfer. A SATA device cannot tell the host that it is a keyboard.

or even spreading to other hardware such as NIC, RAM, CPU, BIOS once infected?

DVD/CD goes over SATA, which does not have (arbitrary) DMA capabilities.

This would require a DMA attack, which requires a feature on the PCI bus called bus master, a PCI configuration bit, set through privileged software on the host and stored in registers on the device. A hardware driver can enable the bus master bit for a given PCI device, allowing it to access any system memory it wants, and that is the case with the SATA hub. However, a DVD player does not control the SATA hub directly, but rather communicates with it. The limitations of the SATA protocol affect how dangerous such a drive can be, and since SATA requires driver support for performing arbitrary DMA on behalf of the client, a malicious DVD drive cannot write to arbitrary memory without it being allowed by the driver. What happens is, the SATA client (the DVD drive) communicates over the link to the SATA hub (built into the ICH on modern systems), giving it the data the host requested. The hub, which is a virtual PCI device, then uses DMA (usually called UDMA for mass storage devices) to write the data to the host. The client usually cannot tell the hub where it wants the data written, only what data to write.

Note that it may be possible in some circumstances for a client SATA device to DMA directly onto the host, according to section 10.3.7 of the SATA standard. Whether or not a given driver allows this, your system's IOMMU should, with proper DMAR tables in your BIOS, isolate this DMA.

Do DVDs have any sector like MBR or GPT that can be programmed to give commands, have access to the kernel, core file system which could be exploited to hack within the instant the disc is loaded?

Any partition can contain a MBR/GPT, but you have to boot from it for it to do anything.

MBR and GPT are features of any bootable partition, regardless of medium. MBR is just a bit of data (a flat executable and the partition table) that fits on the first 512 byte sector of a bootable partition and nothing more. If you were to use a DVD with a bootable partition, it could have an MBR that behaves like this, but this is not present on the average DVD and you would have to boot from it for it to have any effect anyway. Disable booting from the DVD drive in your BIOS to be sure!

Also, would a strong anti-virus/ firewall protect against any hardware-based live attacks, such as badusb, or if an inserted a disk, DVD drive can be hacked?

Antivirus programs only scan files, not hardware. Firewalls only restrict the network.

No. Antivirus is designed for scanning malicious files, and it has two modes of operation. First, it can do signature-based detection where it looks for known strings in files that are unique to malware. This is very fast and tends not to have false positives, but it is easy to defeat (just modify the malware slightly) and requires foreknowledge of the malicious software. The second technique is heuristic detection, where a set of "sketchy" actions by an executable are flagged. For example, if an executable uses internal encryption, and immediately after being opened it downloads another executable from the internet and sets the hidden flag on that file, those red flags all add up and antivirus software will block the action. This is slower and tends to result in false positives, but it can detect (at least a fraction of) unknown malware. While it is more effective at detecting new malware than signature-based detection, it can be evaded. Antivirus does not even consider hardware attacks as part of its threat model. As for a firewall, they are just for restricting network access, not detecting malware. Firewalls are a completely different technology.

Would it be possible for DVD/CD to have TDSS-like stealth hidden file-system?

A DVD does not have any filesystem. It is up to the OS to format it with a filesystem.

A DVD/CD is just a blank medium. In theory, a specially designed DVD drive and a specially designed DVD could store a secondary, hidden filesystem, but this does not happen in practice. When using a regular DVD drive, it's up to the OS to format the disc with whatever filesystem provides the necessary features. The normal format for storage DVDs is usually iso9660 or UDF, and they do not support hidden filesystems.

Do blank CDs/DVDs from reputable companies like Sony, Verbatim, Moser Baer have encrypted firmware?

The actual discs are just a dumb medium for data storage with no firmware.

DVDs themselves do not contain firmware any more than the physical platters in a hard drive contain firmware. They are just "dumb" discs with a special design that allows one or more layers of a substance to change reflectivity when hit with a strong enough beam. DVD drives have firmware, however, and it can only be updated using special privileged commands on the host. I am not aware of any DVD drives which allow firmware updates directly from discs (though they might exist). Whether or not it is encrypted, I don't know, but I would guess that it is not and is instead obfuscated/encoded. It most likely uses something simple like Huffman encoding, which can be broken with enough time and effort. The reverse engineering would be the real challenge, though.

I should note that a malicious DVD drive may be able to do some nasty things, such as modifying data before giving it to you. If you execute a file off a DVD and the drive is malicious, it can give you a malicious file, same way a router could if you downloaded an executable from the network. A SATA device is nothing more than a small computer with huge storage serving requests over a high-bandwidth, low-latency network. Treat it as such.

forest
  • I see, thank you very much for the informative answer. If my DVD drive does get infected by a hardware-level nasty rootkit (like ZeroAccess), could it be able to infect discs: officially produced media like bought games, movies, music discs if inserted, or data-burned discs that are finalized and don't allow any further rewrites? – Aoi. T_015 Dec 11 '17 at 05:26
  • 3
    Officially produced media will be DVD-ROMs, which cannot be written to without an _immensely_ powerful burner. Your little DVD burner can't even come close to modifying it. A read-only disc like DVD-R/DVD+R would be very difficult to write to (or at least, to write to without corrupting it). A DVD-RW/DVD+RW can obviously be modified, though. There was a great answer which explained why it's so hard to modify DVD-R/DVD+R after it's been fixated. If I find it I'll edit my answer to reference it. – forest Dec 11 '17 at 05:38
  • by powerful burner, do you mean like spinning speed, like 48x, 16x? – Aoi. T_015 Dec 11 '17 at 08:39
  • 2
    No, like a dedicated device used in factories to either burn physical pits into the medium, or press them using a plastics-molding stamper. A DVD you might buy at the store with a movie or a video game on it is not a regular recordable that's already been burnt. It's an entirely different technology. See [this forum post](https://forum.videohelp.com/threads/134397-Whats-the-difference-between-a-Pressed-DVD-and-a-burned-DVD). – forest Dec 11 '17 at 08:46
  • What about UDF or any burned data discs that haven't been finalized yet? If a rootkit has access to the kernel, could it perform low-level activities on the disc, such as spreading worms to files or trying to put an exploit kit on it? – Aoi. T_015 Dec 11 '17 at 08:48
  • 1
    If it hasn't been finalized, then it would be possible to add extra sectors at the end, though not modify existing data. Any DVD that's in use though will likely be finalized, and if it's specifically a rewritable DVD, then it should naturally be at risk of being modified. – forest Dec 11 '17 at 08:50
  • If I burn a new disc with data and tick finalize, using a third-party burner from a possibly infected PC, would it be possible for the disc to be infected at a low level? – Aoi. T_015 Dec 11 '17 at 08:55
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/70030/discussion-between-aoi-t-015-and-forest). – Aoi. T_015 Dec 11 '17 at 08:55
  • Sorry for bumping the old thread, but IIRC I remember reading that the NSA delivered malware (Flame/Equation Group?) early in the previous decade to some Mexican scientists/researchers using an official software (Java?) CD sent by parcel/courier, but intercepted and MITM'ed instead before the recipients received said disc, to deliver their malware in an official software CD. Is that/how is it theoretically possible? – Aoi. T_015 Jun 13 '18 at 12:41
  • @Aoi.T_015 Most likely by replacing the official disc with one they created. – forest Apr 29 '21 at 08:15
  • 1
    It is possible to have multiple sessions on a DVD with files from previous sessions hidden instead of merged. However, this is not very interesting for infection purposes. Old versions of some operating systems will autorun specially crafted files on DVDs -- this is a (mis)feature that has been disabled on most current operating systems. Some systems, when opening discs, will autoscan them and display contents, possibly with thumbnails. It is possible to trigger buffer overruns in the scanner and thumbnailer, but this is not easy. That's about the extent of exploits with a DVD. – user10489 May 16 '21 at 13:06
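The accepted answer's point about MBRs and ISO 9660 can be checked directly on a disc image before anything is booted from it. The following Python is an added example, not code from the answer or from any of the posters: it parses the first 512 bytes as an MBR (boot signature at offset 510 and the four 16-byte partition entries at offset 446) and walks the ISO 9660 volume descriptor set that starts at sector 16, reporting the volume identifier from the Primary Volume Descriptor and whether an El Torito boot record is present, which is the mechanism a BIOS actually uses to boot from optical media. Both disc images it inspects are constructed in memory and are not real discs; the identifiers `DATA_DISC` and `BOOT_DISC` and all helper names are the example's own.

```python
import struct

SECTOR = 2048            # ISO 9660 / UDF logical sector size
MBR_SIZE = 512           # an MBR lives in the first 512 bytes of a medium
BOOT_SIGNATURE = b"\x55\xAA"
EL_TORITO_ID = b"EL TORITO SPECIFICATION"


def parse_mbr(image: bytes) -> dict:
    """Read the first 512 bytes as an MBR: boot signature plus the four partition entries."""
    if len(image) < MBR_SIZE:
        return {"has_signature": False, "partitions": []}
    sector = image[:MBR_SIZE]
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:                      # type 0 means the slot is unused
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"has_signature": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def scan_volume_descriptors(image: bytes) -> dict:
    """Walk the ISO 9660 volume descriptor set starting at sector 16 until the terminator."""
    info = {"iso9660": False, "volume_id": None, "el_torito": False}
    sector = 16
    while (sector + 1) * SECTOR <= len(image):
        d = image[sector * SECTOR:(sector + 1) * SECTOR]
        if d[1:6] != b"CD001":              # not an ISO 9660 descriptor: stop
            break
        info["iso9660"] = True
        if d[0] == 255:                     # volume descriptor set terminator
            break
        if d[0] == 1:                       # primary volume descriptor
            info["volume_id"] = d[40:72].decode("ascii", "replace").strip()
        elif d[0] == 0 and d[7:7 + len(EL_TORITO_ID)] == EL_TORITO_ID:
            info["el_torito"] = True        # boot record: a BIOS can boot this disc
        sector += 1
    return info


def classify(image: bytes) -> dict:
    """Summarise what firmware would find if asked to boot from this image."""
    mbr = parse_mbr(image)
    vd = scan_volume_descriptors(image)
    return {
        "iso9660": vd["iso9660"],
        "volume_id": vd["volume_id"],
        "el_torito_bootable": vd["el_torito"],
        "mbr_signature": mbr["has_signature"],
        "active_partitions": [p["index"] for p in mbr["partitions"] if p["active"]],
    }


# --- constructed sample images (not real discs) -------------------------------

def _descriptor(vtype: int, payload: dict) -> bytes:
    """One 2048-byte volume descriptor: type byte, 'CD001', version 1, then payload fields."""
    d = bytearray(SECTOR)
    d[0], d[1:6], d[6] = vtype, b"CD001", 1
    for offset, value in payload.items():
        d[offset:offset + len(value)] = value
    return bytes(d)


def _mbr_with_active_partition() -> bytes:
    s = bytearray(MBR_SIZE)                 # 446 bytes of (here empty) boot code
    s[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 4096)
    s[510:512] = BOOT_SIGNATURE
    return bytes(s)


def build_image(system_area_start: bytes, descriptors: list) -> bytes:
    system_area = bytearray(16 * SECTOR)    # sectors 0-15: unused by ISO 9660 itself
    system_area[:len(system_area_start)] = system_area_start
    return bytes(system_area) + b"".join(descriptors)


PLAIN_DATA_IMAGE = build_image(b"", [
    _descriptor(1, {40: b"DATA_DISC".ljust(32)}),
    _descriptor(255, {}),
])

HYBRID_BOOT_IMAGE = build_image(_mbr_with_active_partition(), [
    _descriptor(1, {40: b"BOOT_DISC".ljust(32)}),
    _descriptor(0, {7: EL_TORITO_ID.ljust(32, b"\0")}),
    _descriptor(255, {}),
])

if __name__ == "__main__":
    for name, img in (("plain data disc", PLAIN_DATA_IMAGE), ("hybrid boot disc", HYBRID_BOOT_IMAGE)):
        print(name, classify(img))
```

The plain data image reports an ISO 9660 volume with no MBR signature and no boot record, which is what the answer describes as the average DVD; the hybrid image reports both an El Torito boot record and an MBR with an active partition, the layout used by many installer discs so that the same image boots from optical media and from USB. Either way, the check only tells you what the medium would do if booted; disabling optical boot in firmware, as the answer recommends, is what actually prevents it.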
-1

A DVD drive has flashable firmware like any other modern device. Typically, the ability to send the commands needed to flash firmware is restricted to admin/root, so if an attacker could get such access on a system then yes, a DVD drive could be hacked.

AV software can mitigate the risk by trying to stop the software that would flash the firmware from executing, but it will not detect malicious firmware.

Swashbuckler
  • 1
    Any malware that is sophisticated enough to actually contain a payload for a DVD drive is exceedingly unlikely to be detected by _any_ AV vendor. If anything, at that level of sophistication, it's more likely that AV will be a privilege escalation vector than a mitigation. – forest Dec 20 '17 at 07:37