USB Devices Can Crack Windows
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: USB Devices Can Crack Windows

  1. #1
    Junior Member
    Join Date
    Jul 2005
    Posts
    26

    USB Devices Can Crack Windows

    USB Devices Can Crack Windows By Paul F. Roberts

    Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device, according to an executive from SPI Dynamics, which discovered the security hole.

    The buffer-overflow vulnerabilities could enable an attacker to circumvent Windows security and gain administrative access to a user's machine.

    This is just the latest example of a growing danger posed by peripheral devices that use USB (Universal Serial Bus), FireWire and wireless networking connections, which are often overlooked in the search for remotely exploitable security holes, experts say.

    The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics.

    SPI is still testing the hole, and hasn't informed Microsoft Corp. about the problem. The company will be demonstrating the vulnerability at this week's Black Hat Briefings hacker conference in Las Vegas, but will not release details of the security hole, Sima said.

    A spokesperson for Microsoft's Security Response Center confirmed that the company has not received a vulnerability report from SPI. The company strongly encouraged any researcher to contact the MSRC if they have a vulnerability to report.

    Rest Of the Story is Here:

    http://testing.onlytherightanswers.c...=article&sid=7

    Where Black, Gray and White Hats Unite to help protect YOU from current and future Exploits http://testing.OnlyTheRightAnswers.com

  2. #2
    Member
    Join Date
    Oct 2004
    Posts
    92
    mmmm... thats interesting, USB (Universal Serial Bus) is obviously alot more universal than planned, I wonder if this exploit will work with LINUX if the following is true "Microsoft feels that this is a hardware issue and doesn't see it as a problem"
    I\'m Dying To Find Out The Hard Way

  3. #3
    Junior Member
    Join Date
    Jul 2005
    Posts
    26
    Originally posted here by c0br4
    mmmm... thats interesting, USB (Universal Serial Bus) is obviously alot more universal than planned, I wonder if this exploit will work with LINUX, probably not though.
    Once a weakness like this is announced ("Without Giving anyone time to patch") it allows people to create proof-of-concepts and maybe even for Linux as well.





    __________________
    Where Black, Gray and White Hats Unite to help protect YOU from current and future Exploits http://testing.OnlyTheRightAnswers.com
    Where Black, Gray and White Hats Unite to help protect YOU from current and future Exploits http://testing.OnlyTheRightAnswers.com

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    There are a couple of points to consider.

    In windows, when you insert a USB device, windows tries to load a device driver. So while Microsoft says it is a hardware problem, if it's a problem arising from how USB was designed, it is functioning normally and installing a driver. So we go back to Windows and security policy. If you have an account actively logged in (say, with a locked screen) and you install a USB device with an 'exploit' driver...


    #1 where did the driver come from? Do these 'exploitable' drivers come standard with Windows installations?

    #2 does the user have a priviledged account?

    #3 why is Windows loading drivers without asking the users permission?


    Now I know #3 is default behavior (I think...), but *WHY* is that? #2 is default behavior most places although it shouldn't be. And as for #1, if it's a default driver with Windows distros, then Microsoft DOES have a problem. If it does not, but it is installed after the fact (by disk, download, etc.) then you have a policy problem in your organization, allowing that driver.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    P.S. I am pretty dissapointed in SPI Dynamics for getting themselves some PR attention via this supposed exploit without first having reported it to MS. That is not the best behavior, for a responsible company. I like those guys, they do good work and are decent folk (yes, I've met some of them), but that seems like pretty irresponsible behavior.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    FYI, also saw a related thing with firewire...the drivers/implementations allowed direct memory access (in some cases write as well as read)...there were some rather amusing presentations at CanSecWest, one of which was 'Owned by an I-pod'). Not really an overflow, but rather taking advantage of the ability to directly read/write to memory, nonetheless, was interesting.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Originally posted here by zencoder
    [B]#1 where did the driver come from? Do these 'exploitable' drivers come standard with Windows installations?
    As far as I have read the 'stock' drivers (Win2000 and up)..

    #2 does the user have a priviledged account?
    Once the drivers are installed that doesn't seem to matter..

    #3 why is Windows loading drivers without asking the users permission?
    Plug and Play baby


    Btw, the link in first post of this thread seems to be a rip from http://www.eweek.com/article2/0,1895,1840131,00.asp
    (they even copied the link texts, not the links)
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  8. #8
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by the_JinX
    As far as I have read the 'stock' drivers (Win2000 and up)..

    Once the drivers are installed that doesn't seem to matter..

    Plug and Play baby


    Btw, the link in first post of this thread seems to be a rip from http://www.eweek.com/article2/0,1895,1840131,00.asp
    (they even copied the link texts, not the links)
    RE: Drivers loading and Plug and Play...

    Yeah, I get all that...was posting in the form of rhetorical questions. Sorry, guess my 'tone' didn't come across too well. The point was, MS may claim it is not their problem, but if the defined behavior allows priviledged access, then it's poorly designed and/or implemented. I don't give a rat's ass if it's their code, an IEEE problem, or some dorkwad engineer who can't write a driver; it's an exploit, on their platform, and they need to address it.

    </rant>
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  9. #9
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by c0br4
    mmmm... thats interesting, USB (Universal Serial Bus) is obviously alot more universal than planned, I wonder if this exploit will work with LINUX if the following is true "Microsoft feels that this is a hardware issue and doesn't see it as a problem"
    Well, as I have implied above, it can only be a hardware issue in the sense that it's probably a lack of security in the specification of how/when a driver loads, when a USB swappable device is detected by system. If MS is following the standard provided (sidenote: is USB an IEEE standard? One would think so...) by the developers of USB, then any failures based on that standard can be said to be 'hardware problems'. I don't really think this is fair or accurate, but it could easily be their approach.

    For this exploit to MAYBE work in Linux, you'd have to have a driver that could work with Linux memory functions and the kernel, and have a system that dynamically loads drivers when USB devices are added (i.e. hotplugging.) Hotplugging is standard in kernel 2.6, and has been available since at least 2.4 I believe (jinX, correct me if I'm mistaken.) So while the possibility is there, it will probably take longer...if at all, since any closed source solution will be poo-poo'ed upon by the community, and an alternative project will spring up at sourceforge within minutes.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  10. #10
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    On linux the hotplug system is active in most modern distributions (both 2.4 and 2.6)..
    The hotplug itself is a series of shell scripts mostly.

    In linux the vulnerability would have to be in either the usb drivers (ohci, uhci or ehci) or some device driver like the usb-storage module, since theř'll all get loaded.

    I don't know about any vulnerabilitys in either though..
    And since they are all in the kernel itselve a fix will be readilly available for all distributions as soon as one is found..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •