System Exploitable With USB 310
Anonymous Coward writes "Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device." From the article: "The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics."
Tonight at 11: (Score:5, Insightful)
And at 11:30... (Score:3, Funny)
Re:Tonight at 11: (Score:3, Insightful)
Yep. Got boot? You've got root.
That said, however, the Operating System should at least try to protect sensitive data - make it so the attacker is going to have to pull that hard drive out of the box & mount it from another machine to try & brute-force the password file (or whatever).
There is no need to make it as easy as plugging in a USB device....
Re:Tonight at 11: (Score:2)
There, boot but no root.
One should ensure that all cables cannot be removed. In fact, one should ensure that all cables go from one flush surface to another, in plain view of the user, so there is no way any sniffers can be added. And make sure that the comput
Re:Tonight at 11: (Score:2, Insightful)
Re:Tonight at 11: (Score:2, Informative)
Not impossible, but it'd be easier to take the HDD out (unless of course it is also encrypted with the TCPA chip)
Re:Tonight at 11: (Score:4, Funny)
What's physical access? (Score:5, Insightful)
For many situations, a computer with a locked case in a room that is staffed is considered "physically secure", as it's not likely that you'll break the physical security (lock on the case) without attracting the attention of the staff. Hell, even a computer in a staffed room in a case that has screws on it is fairly physically secure. The USB problem circumvents the physical security.
Security is all about deterrent. My apartment has a dead bolt lock on the door. Does this mean it's impossible to break into my apartment? Of course not - it just makes it harder.
Being able to break security on a locked computer with a USB drive is like leaving the key to your apartment under your door mat.
Re:What's physical access? (Score:5, Informative)
Actually, security in this case is about doing a calculation of the worth of what it is you're protecting against the cost (be it a cost in terms of cash for access controls, or a cost in terms of user convenience and system functionality) of the security. I've seen financial institutions who had all their workstations in a central computer room and just ran KVM terminals to each desk. The server room looked more like a vault. It was important to them to keep the workstations secure. On the other hand if you're a library and you're only trying to keep them secure so that you don't have to reinstall every week because some 12 yr old types cat
It's just like insurance really, you sit down and calculate how much your information is worth. After you do that, you put into place access controls equal or greater than the value.
Min
Mitigating physical access (Score:2)
Reinstall every week? Better to reinstall for every user, like Laptop Lane [wayport.net] does. After each rental user logs off, the machine is reimaged from a hidden location (probably an image on a local server, though it happens after the renter leaves the cubicle, so I couldn'
Re:What's physical access? (Score:2, Insightful)
Being able to break security on a locked computer with a USB drive is like leaving the key to your apartment under your door mat.
Taking the analogy further it's actually more like buying an apartment with a deadlock from a disreputable source (No, not just Microsoft) who always leave a key under the mat without telling you. 1 savvy burglar and the whole buildi
Re:What's physical access? (Score:2)
Temporary solution: Disable the USB ports.
Re:What's physical access? (Score:2)
You have to place that key under the mat. You're actively thwarting your security for convenience. If you feel that security needs tightening, you'll have the option of removing that key and not providing the convenience anymore.
Some labs that care about USB security don't hook up the USB ports to the motherboard. That's a good simple solution, until you require a USB device. It used to be that you could get along without USB devices very easily, but with the (thank goodn
Re:Tonight at 11: (Score:3, Insightful)
Re:Tonight at 11: (Score:2, Insightful)
The interesting scenario is a running machine with everything mounted. All you need then is a few seconds to plug in your USB device. Buffer overflow in a driver will get you kernel level access.
Re:Tonight at 11: (Score:2)
Such a system is resistant to physical attacks since most of those require shutting down the computer - which causes loss of the decryption key stored in RAM.
This attack would allow you to unlock the computer while it is running, and therefore while the OS still has the drives unlocked. You could possibly just store the key that i
Re:Tonight at 11: (Score:3, Insightful)
You can have tripwire installed, but if I've rooted the kernel I control access to the filesystem so any files I've installed don't show up to your 'normal' access to the system.
Even rebooting won't help because I've modded
Re:Tonight at 11: (Score:3, Interesting)
And I actually had mod points... (Score:2)
Use a very long passphrase and you've got pretty good security, but with time it is crackable.
How many millions of years do you have?
Re:Tonight at 11: (Score:2)
Read the OP. "So a hacker just boots the damn thing, jacks USB pen drive in, and gets data."
Now, if we're talking about a machine that's already up and running with a user logged in, and it's simply "locked", this kind of attack will work. But that's not what the OP said.
Re:Tonight at 11: (Score:2)
I'm not sure what point you're making here; ROC (Republic of China) is Taiwan; I suspect you meant the 'People's Republic of China', which is either labelled "Made in China" or "Made in PRC".
Do you think there's a conspiracy by the Chinese government to exploit security holes in Western computers by sneaking code into little USB keys? Or is the fact that they're made in the PRC, ROC, North Korea or the Moon irrelevant to the story anyway?
Similar problems... (Score:4, Informative)
Re:Similar problems... (Score:2, Interesting)
> precisely which Windows versions it was, 95 and earlier I suspect. It was
> possible to write a program that would autorun from an inserted CD and copy
> the screen saver password file to a floppy from where it could be later
> cracked at leisure.
If you're physically at the computer, you can reboot it and hit escape at the login prompt (or any number of other possibilities). Windows XP makes this rather harder than it was
Re:Similar problems... (Score:2)
Re:Similar problems... (Score:4, Insightful)
> being rebooted... oh *wait*
Exactly. They might notice, but nobody's going to bat an eye. Frankly, most folks wouldn't bat an eye if they saw WinXP being rebooted either, not because it's necessary nearly as often but because people do it constantly anyway, because they've been conditioned that way. About half the population instinctively reboots at the first sign of abnormality, e.g., if the website they're trying to visit doesn't resolve because they mistyped the URI. It's likely to take a very long time for this expectation to change.
Misleading first few paragraphs? (Score:5, Informative)
From the summary and the article:
Vulnerabilities in USB drivers for Windows...The buffer-overflow flaw is in device drivers that Windows loads...running Windows 32-bit operating systems, including Windows XP and Windows 2000...
The article then goes on to say:
However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI.
Re:Misleading first few paragraphs? (Score:3, Informative)
If you RTFA you will see they say the problem is in the drivers. Drivers often do not verify data correctly and always run with system level privileges, meaning you just need to find one driver that is installed by default (or auto installed) to attack the system.
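The check that comment is asking drivers to perform, as an added example that is not from the article or from any Windows driver: a USB string-descriptor parser that treats the device-supplied bLength as hostile and refuses to copy until every length claim has been checked against what actually arrived and against the driver's own buffer. The buffer size and sample descriptors are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A USB string descriptor is: bLength, bDescriptorType (0x03), then UTF-16LE text.
 * Every one of those bytes comes from the device and must be treated as hostile. */
#define USB_DT_STRING    0x03
#define MAX_STRING_BYTES 64   /* hypothetical fixed buffer a driver might keep */

typedef struct {
    uint8_t bytes[MAX_STRING_BYTES];
    size_t  len;
} usb_string_t;

/* Parse a string descriptor from `received` bytes that actually arrived on the wire.
 * Returns 0 on success, or a negative code naming the check that rejected it.
 * An unchecked driver would memcpy (bLength - 2) bytes straight into bytes[],
 * trusting the device's own length claim; that is the overflow class discussed above. */
int parse_string_descriptor(const uint8_t *buf, size_t received, usb_string_t *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (received < 2)                return -2;   /* not even a complete header */
    uint8_t bLength = buf[0];
    uint8_t bType   = buf[1];
    if (bType != USB_DT_STRING)      return -3;   /* wrong descriptor type */
    if (bLength < 2)                 return -4;   /* claimed length cannot cover header */
    if (bLength > received)          return -5;   /* device claims more than it sent */
    size_t payload = bLength - 2;
    if (payload % 2 != 0)            return -6;   /* UTF-16LE payload must be even */
    if (payload > MAX_STRING_BYTES)  return -7;   /* would overrun the fixed buffer */
    memcpy(out->bytes, buf + 2, payload);         /* only now is the copy bounded */
    out->len = payload;
    return 0;
}

/* Constructed sample 1: well-formed descriptor for the string "AB".
 * Returns the parsed payload length (4) on success, else the rejection code. */
int demo_wellformed(void)
{
    const uint8_t d[] = { 0x06, USB_DT_STRING, 'A', 0x00, 'B', 0x00 };
    usb_string_t s;
    int rc = parse_string_descriptor(d, sizeof d, &s);
    return rc == 0 ? (int)s.len : rc;
}

/* Constructed sample 2: bLength claims 255 bytes but only 6 arrived. */
int demo_short_read(void)
{
    const uint8_t d[] = { 0xFF, USB_DT_STRING, 'A', 0x00, 'B', 0x00 };
    usb_string_t s;
    return parse_string_descriptor(d, sizeof d, &s);
}

/* Constructed sample 3: the device really sends 254 bytes, consistent with bLength,
 * so the wire-length check passes; only the fixed-buffer check stops the overrun. */
int demo_oversized(void)
{
    uint8_t d[254];
    memset(d, 'X', sizeof d);
    d[0] = 0xFE;
    d[1] = USB_DT_STRING;
    usb_string_t s;
    return parse_string_descriptor(d, sizeof d, &s);
}

int main(void)
{
    printf("well-formed: %d\n", demo_wellformed());   /* 4  */
    printf("short read:  %d\n", demo_short_read());   /* -5 */
    printf("oversized:   %d\n", demo_oversized());    /* -7 */
    return 0;
}
```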
Re:Misleading first few paragraphs? (Score:5, Insightful)
Re:Misleading first few paragraphs? (Score:4, Insightful)
In a way, I hope the identical problem is present in all of Win/Lin/OSX, as it would give us a very nice way to compare how good and quick the fixes are. I'm not too worried that Microsoft have a headstart on a fix
Re:Misleading first few paragraphs? (Score:5, Interesting)
Best of all, for attackers, the device drivers run with System-level privileges, giving an attacker full control of the host system once the exploit has been triggered. SPI tested attacks on Windows systems, but any operating system that is USB-compliant is probably vulnerable, he said.
Re:Misleading first few paragraphs? (Score:5, Insightful)
If it's a buffer overflow, then it's a software bug, not a problem with USB per se.
If it's a vulnerability in a driver, then it doesn't matter if Microsoft didn't write the driver, if they ship it with Windows, they are responsible for it. There's no useful distinction between "Windows" and the drivers that ship as part of Windows.
Semantic gaming (Score:2)
Re:Misleading first few paragraphs? (Score:2)
Re:Misleading first few paragraphs? (Score:4, Insightful)
cannot be USB (Score:2)
Blaming USB for a privilege escalation is like blaming Ethernet for someone 0wning your box.
Overflows are fun! (Score:2, Insightful)
Re:Overflows are fun! (Score:2)
But of course a locked-down system won't boot from CD.
Locked down how? (Score:2)
Re:Locked down how? (Score:2)
Usually the problem is not that someone can get access to the system. You only want to protect against doing that without being detected.
Re:Overflows are fun! (Score:3, Funny)
Grump
Re:Overflows are fun! (Score:2)
Re:Overflows are fun! (Score:2)
However, if the system partition is actually encrypted, there is very little you can do without NSA-grade bruteforcing.
Re:Overflows are fun! (Score:3, Insightful)
Assume I have a system with one 40GB HD, containing one 40GB NTFS partition that is encrypted. I have no usernames nor passwords on hand.
How do I get (local) admin, assuming I have physical access to the computer? How about if I can't just pluck out the HDD and move it to another computer?
I know many tools to crack open admin access to an unencrypted Windows installation, but I have no idea how to do the same to an encrypted disk.
Re:Overflows are fun! (Score:3, Interesting)
Re:Overflows are fun! (Score:2)
The easy way to do this is to download Knoppix, Burn the iso, Insert the CD, Reboot. If Windows doesn't load as the operating system, there will be n
Re:Overflows are fun! (Score:5, Insightful)
How about this: I lend my usb key to you so that you can transfer a file. While connected to your system the usb device cracks the security on your windows box and grabs the information I was looking for.
I don't need access to your system for that to work. I don't even have to know where it is. I have a usb key/mp3 player device which will let me reflash the firmware, so perhaps I could put the exploit in that way.
You don't have to LEND (Score:2)
eWeek Sensationalism (Score:3, Insightful)
Surprise, it's just a little more sensationalism at eWeek. If this weren't somehow related to Microsoft Windows, then it might not have been given a front page reference here at Slashdot. Corporate espionage and cyberterrorism, oh my!
Perhaps it's intended to evoke an image of a man standing at a workstation and inserting a USB device that automatically captures all of t
Re:Overflows are fun! (Score:2)
Plugging in a USB device isn't unrestricted physical access. With USB memory sticks basically replacing floppy disks, this is a serious threat. Especially in places like universities that have fairly restricted workstations, messing around with a computer's case, or plugging into ethernet would be immediately obvious. Plugging in a USB device, getting administrator righ
Re:Overflows are fun! (Score:2)
You'd slip it in, take it out, and wait for it to "phone home"-- or have it collect data silently until you attached a USB collection device.
What are the vulnerabilities?
A) public computers: not just university computer labs and libraries, but kiosks in shopping malls, airports, you name it. Look
Re:Overflows are fun! (Score:2)
We do?
Circumvents the encryption? Dear Lord, and how would that be done? Without a recovery key the data remains encrypted.
does anyone else think Slashdot should have a special section for buffer overflows?
No, but a section for grossly uninformed comments would seem in order.
Re:Overflows are fun! (Score:2)
That's true, but what about if someone has *restricted* physical access. So they can bring their own data to work on but other than that only run the programs that you set with the privileges that you set. For starters, these USB drivers should be moved to user space. Indeed FUSE should help here for Linux.
Now this is what i call (Score:4, Funny)
Be Careful! (Score:4, Funny)
Re:Be Careful! (Score:2)
Hehe, Ab Fab meets /.
Not new idea (Score:5, Interesting)
It is not about "Windows" (Score:5, Insightful)
Sadly enough it is not at all surprising that Slashdot immediately goes for the anti-Windows slant rather than actually reading and comprehending the article and exploit in question. Too few actual exploits in Windows as of late to get up to the required quota perhaps?
In a more direct comment about the "exploit" I don't consider it terribly important, hardware access leads to a lot of trivial exploits. This one can be made more user-friendly than most with appropriate hardware, but it is not really worse than just inserting a boot CD that copies the relevant data to a secure server or so. It can also of course easily be fixed by disallowing loading of USB drivers without confirmation from the user.
Re:It is not about "Windows" (Score:2)
As to the lack of actual exploits in Windows, perhaps you should read the news [google.com]. There's been *many* exploits that slashdot has simply ignored.
For your third paragraph, you're full of shit and don't understand the exploit in question.
This is all about Windows (Score:3, Interesting)
There are many specifications (IPV4 springs to mind) that weren't designed with security in mind. It's the responsibility of the OS writers to design their OS to handle such insecurities. There's nothing in the USB specs that says that the OS must run the USB driver at ring 0.
It is in no way about Windows, but actually about any operating system that implements USB
Scary. (Score:5, Insightful)
USB flash drives are already quite highly accepted amongst non-technical users; both my parents have bought pendrives, as have many of my friends. They're quite comfortable with just popping in the drive, waiting for the OS to see it, and grabbing files off it.
So, what if someone handed them a pendrive and asked them to grab some files from it, and it turns out that this pendrive would cause an attack like this? One could be switched by a black-hat, or planted, or mailed... put simply, the attacker wouldn't need physical access, just access to someone who does.
Re:Scary. (Score:2)
Re:Scary. (Score:2)
Re:Scary. (Score:2)
Re:Scary. (Score:2)
Re:Scary. (Score:4, Insightful)
The letter says - dear information computing professional, MS would like you to test-drive our latest (insert name of fancy software package here). The enclosed demo will not interfere with any of your existing software, and as a thank-you for trying out our newest offering you can keep this handy 128MB USB drive. Feel free to pass along to your colleagues as well.
At work we get demo CDs all the time for various expensive software applications. If you want to do some real industrial espionage send google a USB drive with the latest open source code-profiling tool, or Pfizer a flashy-looking clinical data analysis tool, or whatever.
Do the whole thing in flash so that it looks like something as high-tech as what you'd see in star trek (it isn't like you actually have to write the algorithm - just an animation). It will get passed all over the place to countless managers. And in most companies you can't give a worker-bee access to a system without giving it to their manager, so you have countless management drones with access to systems they never even look at, but your newly-introduced worm can poke around freely...
Re:Scary. (Score:2)
In response to actual article title... (Score:2)
Firewire and Linux (Score:5, Informative)
Buffer Overflows (Score:2, Interesting)
BIos option (Score:2, Interesting)
A lot of systems do not have the option.
Re:BIos option (Score:2)
And to just disable the 'front panel' easy access USBs, just yank the cables out of the motherboard.
Re:BIos option (Score:2)
Problem is with USB? (Score:2, Interesting)
Trojan Flash (Score:3, Interesting)
Or leave a few lying around at Starbucks (like the exploding toy-like objects the Soviets dropped on Afghanistan).
Seems Fishy... (Score:4, Interesting)
They haven't explained what the problem really is, to us, or even filed a report with Microsoft.
They also claim that any OS is vulnerable, though it's only been tested with Windows drivers.
The whole thing just stinks of someone wanting publicity or setting up to try to sell some protection software.
Nothing new... (Score:2, Interesting)
Backdoor/Virus distributed by hardware (Score:2)
This is not just a Windows problem (Score:2)
The article does make an excellent point: any hot-pluggable device (USB, Firewire, PCMCIA, etc) is a potential attack vector if it is possible for a malicious device to exploit vulnerabilities in the host operating system's drivers. An attacker could exploit this weakness to extract data from a locked workstation without leaving any obvious evidence.
That said, any buffer-overflow vulnerabilities in the USB/Firewire/PCMCIA/whatever drivers are problems with the operating system itself.
I can't wait to see a
Re:This is not just a Windows problem (Score:3, Informative)
Re:This is not just a Windows problem (Score:3, Informative)
Attacks are not, but exploits can be, and this one is very creative.
I'm 41 and I've been in the software industry for 23 years, so I'm hardly a kid.
DUH. (Score:2)
Hell, I have a linux laptop and a usb-IDE cable. I'll simply pry open the case, pop the cable off your drive, put it on the USB device and then dump the data off to my laptop if all other attacks fail.
The ONLY way to protect your data is to have it encrypted on the drive. Those encryption sleds for hard drives are a good sta
ummm. (Score:3, Informative)
Re:ummm. (Score:2)
So, how would you boot from CD now?
This is NOT true (Score:2)
excellent (Score:2)
me: "yes honey....just plug this device over here.....yup..u just hacked the system...congrats"
she: "this is l33t"
So how do _we_ deal with this? (Score:2, Interesting)
Of course 1. is to make sure that all drivers in our trees have no overflow bugs. Or any others, of course. This takes work, but we now know that it is needed. You cannot trust any info that a USB device gives us. Shoulda known.
Of course, s
Go Figure (Score:2)
Article:Device Drivers filled with flaws (Score:2)
http://www.theregister.co.uk/2005/05/27/device_driver_flaws/ [theregister.co.uk] Device drivers filled with flaws
By Robert Lemos, SecurityFocus (tips at securityfocus.com)
Published Friday 27th May 2005 13:48 GMT
The uneven skills of driver programmers have left a legion of holes in software that ships with Windows and Linux, security experts say.
Operating system vendors and hardware makers should commit more resources toward systematically auditing Windows and Linux device-driver code for flaws, security
This is setting off my BS detector. (Score:2, Interesting)
"I was really looking to them to address this issue, but Microsoft feels that this is a hardware issue and doesn't see it as a problem," he said.
Which one is it, you told them or you didn't?
Then he goes really REALLY far out of his way not to mention which driver is supposedly exploitable... is it a driver HE wrote?!
I'm giving this 95% that it's a driver HE wrote and installed to exploit ring 0 access, not an exp
PR article (Score:2)
USB BSOD (Score:2)
I couldn't believe it, just like that, BANG reset. Found it was a "known problem", so I followed the instructions on the M-Audio website, to the letter. Tried it again, still BSOD'd. To this day I can't use my USB MIDI controller in Windows 2000. Fortunately I use it mostly in Linux, where it works just fine.
(For the record, it does work under Windows XP)
Root kit delivery system (Score:2)
Missing the point (Score:2)
However, this USB exploit lets anybody defeat all that with just plugging in a USB device. This should be fixed. It is serious IN SOME CIRCUMSTANCES.
Re:Every time I bag out Microsoft (Score:5, Insightful)
From TFA:
So how can it be in all usb drivers?
Re:Every time I bag out Microsoft (Score:3, Insightful)
On the other hand, I would be quite mad if I had to confirm that my new keyboard and mouse should, in fact, be used. (Catch 22, hey?) Only allow plug-and-pray of anything but a very limited set of devices (user configurable?) from anything but Administrator. That would solve mos
Re:Every time I bag out Microsoft (Score:4, Insightful)
First of all there is only one USB subsystem driver for Windows. That's not actually technically correct since there are drivers for the various USB control architectures (such as UHCI, OHCI, EHCI), but they are a small part of a larger unified USB subsystem driver.
I suspect you mistakenly thought the article was talking about the individual usb device drivers (for things like gamepads, cameras, printers, etc).
This is not what's happening at all. This is a Windows vulnerability, and actually has absolutely nothing to do with USB, other than it affects the USB subsystem of the Windows (and only Windows) operating system.
There's a buffer overflow in the USB system, which allows any properly designed device to be plugged into a locked Windows computer, and execute arbitrary code (i.e. unlock the machine, etc).
You may think this isn't a big deal, but this is a huge deal. You can pick up USB dev kits for a couple hundred bucks that come with an FPGA, flash rom, and more. Basically for the price of one of these devices you could theoretically walk into any place where you can gain physical access to a Windows machine, and pwn it.
Re:Every time I bag out Microsoft (Score:3, Informative)
No, you are wrong. Specific USB device drivers are what the article is all about.
They even mention this:
Re:Every time I bag out Microsoft (Score:2)
Re:No big deal-- Physical Access == Compromise (Score:2)
If I walk past your computer in the office I could sit down and rip the drive out or boot up in single mode or whatever...
But that takes time and I risk getting caught.
If I can just insert a usb dongle and then run a quick command I can now be up and going quicker [plus I can logout and leave the box like you left it].
This is just "yet another thing" MSFT got wrong further lending credence to the fact their "reports", er... "press rel
Re:suprised? (Score:5, Informative)
I guess my point is simply that we've tried this isolation you speak of, but it truly offers horrendous performance, especially graphics subsystems. Take a look at some of the research on Mach, why no one uses it (well, except Apple). Check out Jochen Liedtke's research on the L4Ka microkernel, and how they've gotten near monolithic type speed out of a microkernel by caching calls between privilege levels to minimize context switching.
OS Development is fun! It also allows you to look at the common (and not so common) operating systems in a whole new light. And don't get me started on the Linux kernel. Until the 2.4 series, I could have done better with 6 months and an unlimited supply of pizza and Sun Drop (and no, I can't get the good Sun Drop where I live!!)
So in short, every modern operating system (sans OSX) runs drivers in Kernel mode. It's a necessary evil. Maybe one day, the speed decline will be negligible, but as long as context switches take over 1,000 cycles, and as long as you can trigger tens of thousands of context switches relatively easily in user/driver/system interactions, with very few user-level instructions (i.e. libc), we'll always have this problem.