[ale] usb hack gives kernel level access in win, upnp hack update

David Tomaschik david at systemoverlord.com
Sat Mar 16 18:32:03 EDT 2013


On Sat, Mar 16, 2013 at 11:08 AM, Ron Frazier (ALE) <
atllinuxenthinfo at techstarship.com> wrote:

> Hi all,
>
> They shared some interesting and scary info in the latest Security Now
> episode I thought I'd pass along.
>
> MS just patched a really nasty potential attack vector via USB.  I haven't
> heard of this applying to Linux, but something like it theoretically could.
>
>
> http://news.cnet.com/8301-10805_3-57573972-75/microsofts-latest-patches-address-new-usb-hack/
>
> It does require physical access to the pc, but basically, you put a
> malicious USB stick into the machine, and you own the machine.  This
> happens as long as the machine is powered on - PERIOD.  It doesn't have to
> be logged on.  It doesn't matter if autorun / autoplay is on.  And your
> malicious code runs at the KERNEL level.  It happens during the enumeration
> process for usb, before files or programs even come into play.
>
> So, if you deal with windows, of any type, patch it.  Of course, we all
> know that many machines get patched only infrequently or never.
>
The TL;DR of the attack is that they weren't properly checking untrusted
input.  It's not clear from anything I've seen what the specific
vulnerability is, but I'm guessing it's a buffer overflow if the descriptor
is too long and/or lies about its length.  Alternatively, it's possible
they use some sort of offsets in the descriptor and specifying a
large/negative/whatever offset allows you to cause the device enumeration
code to jump outside of the device descriptor.


> I would think that, at least conceptually, this type of attack might be
> possible in Linux unless the usb drivers are specifically hardened against
> it.
>
This "type of attack" is possible in any software that is written without
properly checking untrusted input.  "specifically hardened" means checking
buffer lengths, which is something you should always do.  This
vulnerability, while serious, isn't particularly unusual.  There's been
exploitation of device drivers before, and there will be exploitation of
device drivers again.


> Steve gave an update on the UPNP hack that could make your router
> vulnerable to having its ports manipulated without your knowledge from the
> outside.  His port scanner application on his GRC server has now detected
> over 3000 routers of people who've tested their systems to be vulnerable to
> this attack.  One listener had a trojan that had been installed in his
> router and one had ALL its external ports open.  If you haven't tested
> your external facing router, you may want to do so by going to the
> ShieldsUp service at grc.com.
>
> Sincerely,
>
> Ron
>
>
>
> --
>
> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
> Please excuse my potential brevity if I'm typing on the touch screen.
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new email messages very
> quickly.)
>
> Ron Frazier
> 770-205-9422 (O)   Leave a message.
> linuxdude AT techstarship.com
>
>



-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
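As an added illustration, not code from this thread or from any vendor's driver, here is the kind of "check buffer lengths" hardening David describes: a bounds-checked walk over a USB descriptor chain that refuses to trust the device-supplied bLength field. The descriptor bytes are constructed for the example; the minimum sizes are the fixed-layout sizes of the configuration, interface and endpoint descriptors.

```c
/* Bounds-checked walk over a USB descriptor chain (added example).
 * Each descriptor starts with bLength and bDescriptorType, both supplied by
 * the (untrusted) device. The parser must never advance or read based on a
 * bLength that is shorter than the descriptor layout or longer than what
 * remains in the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

/* Returns the number of well-formed descriptors walked, or -1 as soon as a
 * descriptor lies about its length (too short, zero, or past the buffer). */
int walk_descriptors(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 2)                 /* two-byte header does not fit */
            return -1;
        uint8_t blen = buf[off];
        uint8_t type = buf[off + 1];
        if (blen < 2 || blen > len - off)  /* zero/short header or overrun */
            return -1;
        /* Fixed-layout sizes: a smaller bLength would let a field read
         * reach past the descriptor into whatever follows it. */
        size_t min_len = (type == USB_DT_CONFIG)    ? 9 :
                         (type == USB_DT_INTERFACE) ? 9 :
                         (type == USB_DT_ENDPOINT)  ? 7 : 2;
        if (blen < min_len)
            return -1;
        off += blen;                       /* advance by the validated length only */
        count++;
    }
    return count;
}

/* Constructed sample chains: config (9) + interface (9) + endpoint (7). */
const uint8_t good_chain[25] = {
    0x09,0x02,0x19,0x00,0x01,0x01,0x00,0x80,0x32,   /* configuration */
    0x09,0x04,0x00,0x00,0x01,0x03,0x00,0x00,0x00,   /* interface */
    0x07,0x05,0x81,0x03,0x08,0x00,0x0a };           /* endpoint */
const uint8_t overrun_chain[25] = {                 /* endpoint claims 64 bytes */
    0x09,0x02,0x19,0x00,0x01,0x01,0x00,0x80,0x32,
    0x09,0x04,0x00,0x00,0x01,0x03,0x00,0x00,0x00,
    0x40,0x05,0x81,0x03,0x08,0x00,0x0a };
const uint8_t zero_len_chain[9] = {                 /* bLength 0: would spin forever */
    0x00,0x02,0x19,0x00,0x01,0x01,0x00,0x80,0x32 };

int main(void)
{
    printf("good: %d\n",    walk_descriptors(good_chain, sizeof good_chain));
    printf("overrun: %d\n", walk_descriptors(overrun_chain, sizeof overrun_chain));
    printf("zero: %d\n",    walk_descriptors(zero_len_chain, sizeof zero_len_chain));
    return 0;
}
```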