Slashdot Mirror


System Exploitable With USB

Anonymous Coward writes "Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device." From the article: "The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics."

310 comments

  1. Every time I bag out Microsoft by Anonymous Coward · · Score: 0, Troll

    Every time I bag out Microsoft, some git comes to their defence, telling me it's all hype, they're unfairly picked on, that Bill Gates donates lots to charity, so MS is OK.

    And yet more MS insecurities pop up.

    *yawn*. I'm sick of being right.

    1. Re:Every time I bag out Microsoft by Saven+Marek · · Score: 0

      This is not a Microsoft vulnerability, this is a USB vulnerability. It won't matter if it's Windows or Linux or Mac you are using; in the end, it will be vulnerable the same way and only the attack specifics need to change. The attack vector is the same on all operating systems: flaws in USB itself.

    2. Re:Every time I bag out Microsoft by MichaelSmith · · Score: 4, Insightful

      This is not a Microsoft vulnerability, this is a USB vulnerability

      From TFA:

      The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics.

      So how can it be in all USB drivers?

    3. Re:Every time I bag out Microsoft by Anonymous Coward · · Score: 0

      "Vulnerabilities in USB drivers for Windows"

      did you read that?

    4. Re:Every time I bag out Microsoft by Luke-Jr · · Score: 0, Troll

      Bill Gates donates to organisations that murder people.

      --
      Luke-Jr
    5. Re:Every time I bag out Microsoft by Luke-Jr · · Score: 1

      Uh, so USB can act like any other device. Is there a problem with that? I have a feeling it's designed to work that way (for flexibility, you know).
      If you've got a security hole in some random driver and physical access to the system, you can exploit it either via USB or via its native connection.
      Besides, what makes the actual exploitation the "specifics" and the mere tunnel the problem?

      --
      Luke-Jr
    6. Re:Every time I bag out Microsoft by cnettel · · Score: 2, Insightful

      Problem is, if you fake the hardware ID, you just need a single USB device driver (not USB controller driver) with a flaw. It doesn't have to be in all of them. The flaw is to allow devices that only have been plugged in to work at all.

      On the other hand, I would be quite mad if I had to confirm that my new keyboard and mouse should, in fact, be used. (Catch 22, hey?) Only allow plug-and-pray of anything but a very limited set of devices (user configurable?) from anything but Administrator. That would solve most of it.

      I wonder when people will start poking more at Nvidia's and ATI's OpenGL drivers on all platforms. That should prove interesting, especially since the binary drivers may actually contain the same flaws on several platforms.
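
      cnettel's policy above (auto-load only a small allow-list of device types, ask an administrator for anything else), worked through as an added example that is not code from the thread or from any operating system: it parses the standard USB device and configuration descriptors, rejects malformed ones before any driver is chosen, and returns a bind decision based on the declared interface classes. The descriptor bytes are constructed samples; the `bind_decision` function, its three return values and the `admin_allowed` set are illustrative assumptions.

```python
# USB descriptor parsing plus an allow-list driver-bind policy (added example).
# Layouts follow the USB 2.0 spec; sample descriptors at the bottom are constructed.
import struct
from dataclasses import dataclass
from typing import List, Set, Tuple

DT_DEVICE, DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x01, 0x02, 0x04, 0x05
CLASS_HID, CLASS_MASS_STORAGE, CLASS_HUB = 0x03, 0x08, 0x09
Triple = Tuple[int, int, int]  # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)


@dataclass(frozen=True)
class Device:
    vendor_id: int
    product_id: int
    device_class: int
    interfaces: Tuple[Triple, ...]


def parse_device(dev_desc: bytes, cfg_desc: bytes) -> Device:
    """Parse the 18-byte device descriptor and walk the configuration blob.
    Any inconsistency raises ValueError: a descriptor that lies about its own
    lengths is the input a buggy driver would mishandle, so it must never reach one."""
    if len(dev_desc) != 18:
        raise ValueError("device descriptor must be 18 bytes")
    (b_len, b_type, _bcd_usb, dclass, _sub, _proto, mps0, vid, pid,
     _bcd_dev, _i_mfr, _i_prod, _i_ser, n_cfg) = struct.unpack("<BBHBBBBHHHBBBB", dev_desc)
    if b_len != 18 or b_type != DT_DEVICE:
        raise ValueError("not a device descriptor")
    if mps0 not in (8, 16, 32, 64) or n_cfg == 0:
        raise ValueError("implausible bMaxPacketSize0 or bNumConfigurations")
    # Configuration header: bLength=9, bDescriptorType=2, wTotalLength, bNumInterfaces.
    if len(cfg_desc) < 9 or cfg_desc[0] != 9 or cfg_desc[1] != DT_CONFIG:
        raise ValueError("bad configuration descriptor header")
    total_len = struct.unpack_from("<H", cfg_desc, 2)[0]
    if total_len != len(cfg_desc):
        raise ValueError(f"wTotalLength {total_len} != blob length {len(cfg_desc)}")
    declared = cfg_desc[4]
    interfaces: List[Triple] = []
    off = 9
    while off < len(cfg_desc):  # every descriptor starts with bLength, bDescriptorType
        b_len = cfg_desc[off]
        if b_len < 2 or off + b_len > len(cfg_desc):
            raise ValueError(f"descriptor at offset {off} overruns the blob")
        if cfg_desc[off + 1] == DT_INTERFACE:
            if b_len != 9:
                raise ValueError("interface descriptor must be 9 bytes")
            _, _, _num, alt, _n_ep, icls, isub, iproto, _i_if = cfg_desc[off:off + 9]
            if alt == 0:  # alternate settings re-describe the same interface
                interfaces.append((icls, isub, iproto))
        off += b_len
    if len(interfaces) != declared:
        raise ValueError(f"bNumInterfaces={declared} but {len(interfaces)} parsed")
    return Device(vid, pid, dclass, tuple(interfaces))


# Interfaces that bind a driver with no prompt in any session: boot-protocol keyboards
# and mice plus hubs. Class codes are self-reported, so what a short list buys is that
# every other driver stays unreachable from a locked screen or a non-admin session.
AUTO_BIND: Set[Triple] = {(CLASS_HID, 1, 1), (CLASS_HID, 1, 2), (CLASS_HUB, 0, 0)}


def bind_decision(dev_desc: bytes, cfg_desc: bytes, session_is_admin: bool,
                  admin_allowed: Set[Triple]) -> str:
    """Return 'bind', 'prompt' or 'deny'. admin_allowed is the user-configurable
    extension of the list; a composite device binds only if every interface passes."""
    try:
        dev = parse_device(dev_desc, cfg_desc)
    except ValueError:
        return "deny"
    if not dev.interfaces:
        return "deny"
    if all(i in AUTO_BIND or i in admin_allowed for i in dev.interfaces):
        return "bind"
    return "prompt" if session_is_admin else "deny"


def build_device(vid: int, pid: int, dclass: int = 0) -> bytes:
    """Constructed sample device descriptor: bcdUSB 2.00, one configuration."""
    return struct.pack("<BBHBBBBHHHBBBB", 18, DT_DEVICE, 0x0200, dclass, 0, 0, 8,
                       vid, pid, 0x0100, 1, 2, 0, 1)


def build_config(interfaces: List[Triple]) -> bytes:
    """Constructed sample configuration: one interrupt IN endpoint per interface."""
    body = b""
    for n, (c, s, p) in enumerate(interfaces):
        body += struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, n, 0, 1, c, s, p, 0)
        body += struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x81 + n, 0x03, 8, 10)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(interfaces),
                       1, 0, 0xA0, 50) + body


KEYBOARD_DEV, KEYBOARD_CFG = build_device(0x1234, 0x0001), build_config([(CLASS_HID, 1, 1)])
# Composite: a keyboard interface plus a mass-storage one, which is off the default list.
COMPOSITE_DEV = build_device(0x1234, 0x0002)
COMPOSITE_CFG = build_config([(CLASS_HID, 1, 1), (CLASS_MASS_STORAGE, 0x06, 0x50)])
```

      A truncated or length-lying configuration blob is rejected before any class is even looked at, which is the point of validating descriptors in one place rather than trusting each driver to do it.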

    7. Re:Every time I bag out Microsoft by afd8856 · · Score: 1

      OT: did you pay your taxes? I'm sure you must have, one way or another. Step out of the society if you really care about these issues.

      --
      I'll do the stupid thing first and then you shy people follow...
    8. Re:Every time I bag out Microsoft by Luke-Jr · · Score: 1

      I'm not part of US "society"-- tell me how I can cease paying taxes, exactly?

      --
      Luke-Jr
    9. Re:Every time I bag out Microsoft by 2008 · · Score: 1

      Buy a small island (possibly with some libertarian buddies) off some third-world nation, establish it as a country and live there. No taxes.

      --
      I quit!
    10. Re:Every time I bag out Microsoft by flithm · · Score: 3, Insightful

      How did this get modded insightful? Obviously you AND the mods did not read the article and have absolutely no idea what's going on here.

      First of all there is only one USB subsystem driver for Windows. That's not actually technically correct since there are drivers for the various USB control architectures (such as UHCI, OHCI, EHCI), but they are a small part of a larger unified USB subsystem driver.

      I suspect you mistakenly thought the article was talking about the individual USB device drivers (for things like gamepads, cameras, printers, etc).

      This is not what's happening at all. This is a Windows vulnerability, and actually has absolutely nothing to do with USB, other than it affects the USB subsystem of the Windows (and only Windows) operating system.

      There's a buffer overflow in the USB system, which allows any properly designed device to be plugged into a locked Windows computer, and execute arbitrary code (i.e. unlock the machine, etc).

      You may think this isn't a big deal, but this is a huge deal. You can pick up USB dev kits for a couple hundred bucks that come with an FPGA, flash rom, and more. Basically for the price of one of these devices you could theoretically walk into any place where you can gain physical access to a Windows machine, and pwn it.

    11. Re:Every time I bag out Microsoft by gregorio · · Score: 2, Informative

      I suspect you mistakenly thought the article was talking about the individual usb device drivers (for things like gamepads, cameras, printers, etc).

      No, you are wrong. Specific USB device drivers are what the article is all about.

      They even mention this:
      For example, an attacker who knows of a vulnerability in a USB device driver can program one USB device--say a portable memory stick--to pose as the kind of device that uses the vulnerable driver, then plug the device into the host system and trigger the exploit when the host system loads the flawed driver, said Darrin Barrall, another SPI researcher.
    12. Re:Every time I bag out Microsoft by flithm · · Score: 1

      The article is a little misleading. If you know more about the Windows USB subsystem (I've created hardware USB devices, and written Windows drivers for them) you'd know how the architecture works.

      You're right that the article is talking about individual drivers that interact with the host USB subsystem, although this is a greater symptom of the USB subsystem itself. It IS a Windows vulnerability, and actually has nothing to do with the individual drivers themselves. The proper fix for this is not to patch the drivers, but to patch the USB subsystem that the drivers interact with.

      If the underlying Windows USB subsystem wasn't flawed it wouldn't allow buffer overflows in device drivers to compromise the system.

      As someone who's done USB device and driver development I can say that the Windows USB implementation is absolutely terrible. It comes as no surprise to me that a vulnerability was found.

    13. Re:Every time I bag out Microsoft by afd8856 · · Score: 0, Offtopic

      I consider every government a crime against humanity, but I'm just too anarchistic. Of course, beyond the reply of the other poster, what can I do?

      --
      I'll do the stupid thing first and then you shy people follow...
    14. Re:Every time I bag out Microsoft by Deviate_X · · Score: 1

      I believe all operating systems which have device drivers are vulnerable to exploitation if the device drivers are written incorrectly.

      If the underlying Windows USB subsystem wasn't flawed it wouldn't allow buffer overflows in device drivers to compromise the system.

      Please remember that Windows XP SP2/2003 and the x64 and Itanium editions of Windows have built-in protection against buffer overflows in software. It's not 100% perfect, but is there any widely used operating system with guaranteed protection against buffer overflows?

      ... and buffer overflows are not the only way to exploit flaws in software anyhow!!

      As someone who's done USB device and driver development I can say that the Windows USB implementation is absolutely terrible. It comes as no surprise to me that a vulnerability was found.

      I haven't seen any greater problems with the Windows USB implementation as compared to, for example, Linux. From the user's point of view (the user is the point, after all), the USB implementation on Windows is pretty damned seamless. Linux USB, on the other hand, is as well, troublesome...

      BTW - your website's certificates are nearly 6 months out of date...

    15. Re:Every time I bag out Microsoft by Luke-Jr · · Score: 1

      Know of any groups interested in this?

      --
      Luke-Jr
    16. Re:Every time I bag out Microsoft by __aaclcg7560 · · Score: 1

      Every now and then a group of slashdotters would try to do this. Half would die from not getting their porn fix when they realize that the Internet hasn't come to their island. The other half would start religious wars over various topics and wipe each other out. After that, it's game over.

    17. Re:Every time I bag out Microsoft by Luke-Jr · · Score: 1

      One point would be to get away from sexual perversions and abuse of women such as porn.

      --
      Luke-Jr
    18. Re:Every time I bag out Microsoft by sumdumass · · Score: 1

      I would imagine the problem being that USB devices can be reliably connected while the computer is on and the driver loaded without user interaction. Unlike printer ports or serial connections, there really isn't a way of doing this without rebooting the computer or running some program that searches for the devices.

      Also, physical access to the computer might not be much more than a casual walk-by where you drop a pen on the floor and insert your device while picking it up. This is something that wouldn't be as noticeable as if someone had the computer case open or had failed logon attempts logged, which might open more eyes.

      One of the biggest concerns is that Windows comes with a lot of these exploitable drivers preinstalled. That might be the only reason it is of concern to them. Whose fault would it be if I used some USB device to crack into your computer because of a faulty device driver that was preinstalled for some device that you don't even use? Whose fault would it be if I was able to gather all your customers' personal data, including credit card numbers used for payment, maybe even medical records and such, by doing something like this?

      I'm not sure drivers should stop being supplied with Windows, but there should be some more user control over it. USB is great for people who don't know anything about computers and even better for those who do and don't have time to fuck with it.

    19. Re:Every time I bag out Microsoft by Anonymous Coward · · Score: 0

      I bet you run out of EVERY color trying to draw a self portrait don't you fatty?

    20. Re:Every time I bag out Microsoft by __aaclcg7560 · · Score: 1

      Kiss my faq, you fat-loving retard!

    21. Re:Every time I bag out Microsoft by gregorio · · Score: 1

      Nobody is going to fall for your forced and fallacious authority empiricism, forget about it. The article is very clear about specific devices and their drivers.

      And if you really knew anything about development you would have noticed that the specific drivers are the ones responsible for data manipulation (therefore allow buffer overflows), while the USB subsystem is mainly a high-level management system. If this guy were talking about a bug in the whole subsystem, we would not have needed to be specific about device impersonation (meaning: you need to fake a specific device, with its specific device driver).

    22. Re:Every time I bag out Microsoft by silverkniveshotmail. · · Score: 1

      I don't see how it's abuse when it's legal (i.e. not kiddie porn), especially when they're being paid.

  2. suprised? by TheCoop1984 · · Score: 0, Redundant

    Hands up anyone who is suprised. No? Ah well...

    What would be funny is if Vista had this bug when it shipped...

    --
    95% of all computer errors occur between chair and keyboard (TM)
    1. Re:suprised? by Mister+Impressive · · Score: 1

      I believe the key word is when. By that time USB may be obsolete :P

      More realistically though, by the time it's released, USB will probably be taken out of Vista.

      I'm here 'til Thursday, try the veal!

      --
      Let the commencement BEGINULATE!
    2. Re:suprised? by Neticulous · · Score: 1

      "What would be funny is if Vista had this bug when it shipped..."

      Hey there, this is Microsoft. In order for us to not get sued we need you to use "Windows" in conjunction with the word "Vista". So please kindly edit your post; you wouldn't want us to get sued, would you? darling? sweety?

    3. Re:suprised? by insert_username_here · · Score: 1

      It probably will be...

      The flaw isn't within Windows; it's within the device drivers. So it isn't a matter of Microsoft fixing it, it's a matter of every USB driver manufacturer fixing it.

      What's more, this kind of issue will apply to any OS with shoddy drivers.

      This is but one of the many reasons why device drivers should never run in kernel mode - that goes for everyone!

      --
      -- Dramatisation - May Not Have Happened
    4. Re:suprised? by KodeK · · Score: 0

      Edit...post...? Isn't that a feature that's part of Windows Vista?

    5. Re:suprised? by Anonymous Coward · · Score: 0

      I think it was removed.

    6. Re:suprised? by caspper69 · · Score: 4, Informative

      The problem is that we do not have a modern operating system architecture that is fast enough to allow for drivers to run in another privilege level. Seen the wonderful server performance of OSX? That's what happens when you put drivers at a different privilege level than the kernel. The real issue is twofold. Firstly, context switches are extremely slow, even on modern processors. In the IA-32 architecture, which has three privilege levels, most microkernels have put kernel code at ring 0 (most privileged), drivers at ring 1, and user code in ring 2. But what you end up with is every system call going from user -> driver -> kernel -> driver -> user. This greatly slows down the system, especially in a uniprocessor multitasking operating system. Things get even more complicated when you're trying to write a portable operating system (Linux/*BSD/NT Kernel), since most other chip architectures only offer two privilege levels (user & supervisor).

      I guess my point is simply that we've tried this isolation you speak of, but it truly offers horrendous performance, especially graphics subsystems. Take a look at some of the research on Mach, why no one uses it (well, except Apple). Check out Jochen Liedtke's research on the L4Ka microkernel, and how they've gotten near monolithic type speed out of a microkernel by caching calls between privilege levels to minimize context switching.

      OS Development is fun! It also allows you to look at the common (and not so common) operating systems in a whole new light. And don't get me started on the Linux kernel. Until the 2.4 series, I could have done better with 6 months and an unlimited supply of pizza and Sun Drop (and no, I can't get the good Sun Drop where I live!!)

      So in short, every modern operating system (sans OSX) runs drivers in Kernel mode. It's a necessary evil. Maybe one day, the speed decline will be negligible, but as long as context switches take over 1,000 cycles, and as long as you can trigger tens of thousands of context switches relatively easily in user/driver/system interactions, with very few user-level instructions (i.e. libc), we'll always have this problem.

    7. Re:suprised? by 5plicer · · Score: 1

      No, speed does NOT necessitate that drivers run in the kernel. A GOOD microkernel architecture like QNX Neutrino is a perfect example. QNX powers Cisco's CRS-1 Carrier Routing System - a router which Guinness World Records has certified as the highest capacity internet router ever developed. It can handle up to 92 terabits/sec total throughput.

      Also, the Mac OS X kernel, XNU, contains code which is based on Mach, but it isn't Mach - i.e. it's not a true microkernel.

      --
      The bits on the bus go on and off... on and off... on and off...
    8. Re:suprised? by caspper69 · · Score: 1

      I understand that. That's why I pointed out L4Ka. The problem is with early microkernels and the original Mach design in particular. Without specifically taking the context switching into account, performance is terrible. Embedded realtime operating systems such as QNX are not a good example. They are designed in such a way that they can guarantee realtime performance up to a specific system load, which must not be exceeded for the system to function properly. Remember though, that as of yet QNX is not a general purpose operating system. Further, I suggest you check out the recent performance issues of XNU as compared to Linux for common server applications such as Apache, MySQL, etc. Speed is most certainly an issue, and until a general purpose operating system is designed in such a way as to minimize context switching across system calls, it always will be an issue with separating drivers from kernel and user space.

    9. Re:suprised? by Anonymous Coward · · Score: 0

      The problem is that we do not have a modern operating system architecture that is fast enough to allow for drivers to run in another privilege level.

      Linux does. Not by default, but it does if you install Nooks.

    10. Re:suprised? by labratuk · · Score: 1

      And don't get me started on the Linux kernel. Until the 2.4 series, I could have done better with 6 months and an unlimited supply of pizza and Sun Drop.

      But instead you're posting on slashdot.

      --
      Malike Bamiyi wanted my assistance.
    11. Re:suprised? by caspper69 · · Score: 1

      There's only so many hours per day to do kernel development! And where better to discuss actual issues with kernels rather than religious zealotry between Linux and Windows? Oh wait... nevermind. That's what alt.os.development is for...

  3. Tonight at 11: by ZxCv · · Score: 5, Insightful

    Computers with physical access are susceptible to "unintended root-level access".

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
    1. Re:Tonight at 11: by tpgp · · Score: 2, Insightful

      Computers with physical access are susceptible to "unintended root-level access".

      Yep. Got boot? You've got root.

      That said however, the Operating System should at least try to protect sensitive data - make it so the attacker is going to have to pull that hard drive out of the box & mount it from another machine to try & brute-force the password file (or whatever)

      There is no need to make it as easy as plugging in a USB device....

      --
      My pics.
    2. Re:Tonight at 11: by glottis5 · · Score: 4, Funny

      Instead of exploiting this flaw, why not just hit the computer with a hammer or something? This seems rather impractical.

    3. Re:Tonight at 11: by miffo.swe · · Score: 1, Insightful

      Yes, but this perhaps makes encrypting the HD and such very, very worthless? In theory a hacker just boots the darn thing, plugs in the USB stick and has access to the encrypted HD.

      --
      HTTP/1.1 400
    4. Re:Tonight at 11: by torpor · · Score: 1


      boring, not insightful. i mean c'mon. its been a mantra for 20 years in compute-room environments, sure, that physical-access=no security.

      but, in case you haven't been outside lately, PC's are freakin' everywhere man. are you ignoring the fact that not everyone lives in their moms' basement surrounded by beige?

      lets see, in the last 24 hours, i've seen public-access PC's running Windows, with USB keyboards, in about 20 places.

      of course, i live near a large number of rather large cities, not in mom's basement .. but still. this is a huge thing.

      the question begs asking: what other OS's are susceptible to such attacks? suddenly, those bulk-basement discount USB fob's are not just cheap places to stack pr0n, but also a potential network host which must be firewalled .. especially if they've got "Made in the ROC" on them.

      well done Windows, anyway. glad i haven't used microsoft products in earnest for at least 10 years, but i'm still going to try a few of my own attacks on some drivers/usb/*.c sooner or later ..

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    5. Re:Tonight at 11: by Phleg · · Score: 2, Insightful

      Um, where would you get a silly idea like that? The hard drive is encrypted against a key that's unlocked via a password. No USB driver hack is going to magically unlock that key.

      --
      No comment.
    6. Re:Tonight at 11: by Dogtanian · · Score: 1

      especially if they've got "Made in the ROC" on them

      I'm not sure what point you're making here; ROC (Republic of China) is Taiwan; I suspect you meant the 'People's Republic of China', which is either labelled "Made in China" or "Made in PRC".

      Do you think there's a conspiracy by the Chinese government to exploit security holes in Western computers by sneaking code into little USB keys? Or is the fact that they're made in the PRC, ROC, North Korea or the Moon irrelevant to the story anyway?

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    7. Re:Tonight at 11: by alba7 · · Score: 2, Insightful

      The interesting scenario is a running machine with everything mounted. All you need then is a few seconds to plug in your USB device. Buffer overflow in a driver will get you kernel level access.

      --
      Post tenebras lux. Post fenestras tux.
    8. Re:Tonight at 11: by Rich0 · · Score: 1

      Actually, this would provide an attack against a computer which decrypts a hard drive using a key supplied at boot time (perhaps via USB key or just a passphrase that is typed).

      Such a system is resistant to physical attacks since most of those require shutting down the computer - which causes loss of the decryption key stored in RAM.

      This attack would allow you to unlock the computer while it is running, and therefore while the OS still has the drives unlocked. You could possibly just store the key that is in RAM and then shut down the PC and work on the rest of the drive, or you could just copy the whole contents of the drive to remote storage and then work on the rest at home.

      I agree that you couldn't just boot up a powered-off computer with an encrypted hard drive and then apply the attack to it. The computer couldn't be booted without the key, unless it is stored internally. If it is stored internally you don't need this new attack at all.

    9. Re:Tonight at 11: by Anonymous Coward · · Score: 0

      So, you are saying that, while being observed by a guard and only having access to a computer for a couple of minutes (enough to put a USB "upgrade" into the Windows box), it should come as no surprise that the attacker would gain root level access? If that was true, why would Microsoft bother to fix it at all? I think you are just repeating something you read on Slashdot.

    10. Re:Tonight at 11: by torpor · · Score: 1

      the fact that ROC is pumping out millions of chipsets capable of being exploited is the point. its not a political statement; its a reflection on the state of the USB fob market.

      system-on-chip USB firmware is a fresh target for virus writers. there are more USB fobs in the world than PC's ..

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    11. Re:Tonight at 11: by Bloater · · Score: 1

      This is not actually true. Most BIOS' can refuse to be configured without a password, so they go straight to boot loader. Then the bootloader is configured to prevent any choosing of options, etc and goes straight to kernel, which then goes to login.

      There, boot but no root.

      One should ensure that all cables cannot be removed. In fact, one should ensure that all cables go from one flush surface to another, in plain view of the user. so there is no way any sniffers can be added. And make sure that the computer itself is inside a really tough, immovable box attached fast to the underside of the desk so everything is contained. The powercable should go into a locked floorbox. The only way anybody can do anything is by breaking the peripherals or cutting through a live cable. Or exploiting bugs in the software.

      Not sure though if USB hubs are safe. Somebody could attach a sniffer to a hub and I'm not sure if it could see traffic between host and device.

    12. Re:Tonight at 11: by nfarrell · · Score: 1

      so every program running on the OS has to have the decryption key? I think not. Encrypted partitions are usually decrypted at bootup, and don't expect 'unauthorised' access to occur until it's shutdown again. It's about as good a safeguard against this attack vector as RAID is useful to protect data against software-level data corruption.

    13. Re:Tonight at 11: by The+Warlock · · Score: 1

      So you open the case and pull the password jumper or reset the BIOS, allowing you to fuck with the BIOS settings and boot from CD.

      It's not THAT hard.

      --
      I've upped my standards, so up yours.
    14. Re:Tonight at 11: by Waffle+Iron · · Score: 2, Insightful

      Do you really think that somebody who went through all of the paranoid steps that the OP described would neglect to lock the case? Just about every PC case that I've ever seen has been lockable.

    15. Re:Tonight at 11: by twiddlingbits · · Score: 2, Interesting

      You can always encrypt the sensitive files on the encrypted hard drive. Use a very long passphrase and you got pretty good security, but with time it is crackable. I've seen it both ways, where the whole drive is decrypted with the key or where each application has to decrypt. Both have strong and weak points. It all depends on what you consider secure enough!

    16. Re:Tonight at 11: by GeeBee2k · · Score: 2, Informative

      There are also PC's around (eg, some IBM/Lenovo ThinkCentre desktops, Thinkpad Laptops and also some HPaq Notebooks) where this will do no good. Where de-soldering the security chip is about all you can do.

      Not impossible, but it'd be easier to take the HDD out (unless of course it is also encrypted with the TCPA chip)

    17. Re:Tonight at 11: by Phleg · · Score: 1

      Read the OP. "So a hacker just boots the damn thing, jacks USB pen drive in, and gets data."

      Now, if we're talking about a machine that's already up and running with a user logged in, and it's simply "locked", this kind of attack will work. But that's not what the OP said.

      --
      No comment.
    18. Re:Tonight at 11: by Anonymous Coward · · Score: 0

      Exactly. You need console access for USB. If you have console access...there are a million things you can do besides USB hacks.

    19. Re:Tonight at 11: by sigloiv · · Score: 1

      You mentioned a boot loader and a kernel. It sounds like Linux to me unless you use Windows' piece of crap boot loader.

      Ctrl+S? Doesn't matter if the boot loader doesn't allow passing options to the kernel. It'll still work. Mac OS X included (trust me, I've tried it).

      Then again, even if you were talking about Windows XP/2000/NT, most likely there's the Safe Mode trick. You know, Safe Mode, log in as Administrator with no pass? It's pretty simple for any school or office administrator to neglect.

      Then again, you might be talking about Windows 98 or 95. Just hit Cancel at the password screen and BOOM!, you're in.

      Of course, I'm sure there's one for ME (I didn't spend much time with that crappy OS). I do know however that the Cancel "trick" was fixed.

      Also, you talked about BIOS loading orders. Any administrator in their right mind would make a floppy disk the first item to boot to. It's just common sense. If anything happens to the password or the OS install gets corrupted, it's much easier to just boot to a floppy to fix it in DOS (or any other more specialized tool such as Partition Magic). The problem with this is: it's fairly easy to make a floppy that just tells the computer to boot from the CD drive. I've seen them before. Microsoft has a specialized one for XP.

      The point is, while it's not always possible to gain root access remotely, it's pretty much always possible to gain root-access locally. I don't care if your case is made of titanium, I don't care if your case is boarded up with wood and the cables are nailed down.

      Never underestimate your enemy...and remember, just because you're paranoid doesn't mean they're not after you.

      --
      Software is like sex. It's better when it's free. -Linus Torvalds
    20. Re:Tonight at 11: by rthille · · Score: 2, Insightful

      What about I plug in my USB kernel hack, root your box, install a keystroke logger, record your key, decrypt your encrypted HD/files and then either come back later pick up your data or send it out over the net (if one's available and I'm not too worried about the traffic being detected).
      You can have tripwire installed, but if I've rooted the kernel I control access to the filesystem so any files I've installed don't show up to your 'normal' access to the system.
      Even rebooting won't help because I've modded your kernel. The only way you'd be able to detect it is to boot from an alternate media, or have a 'safe' bootloader (one you need to jumper to mod) which checks the kernel (md5 or otherwise) before booting it.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    21. Re:Tonight at 11: by Afrosheen · · Score: 1

      And just about every PC case that's lockable ships with the exact same crappy key as your particle board computer desk does. Pick it in 5 seconds or less with a screwdriver or a paper clip.

      Just face it, any computer which an intruder has physical access to should be considered compromised. It's been proven time and time again at Defcon and other venues.

    22. Re:Tonight at 11: by Bloater · · Score: 1

      > You mentioned a boot loader and a kernel. It sounds like Linux to me unless you use Windows' piece of crap boot loader.

      Windows has a boot loader and a kernel.

      >Ctrl+S? Doesn't matter if the boot loader doesn't allow passing options to the kernel. It'll still work. Mac OS X included (trust me, I've tried it).

      You can disable safe mode in Windows.

      > Then again, even if you were talking about Windows XP/2000/NT,

      Yes, I was. Win9x runs everything as root, so it doesn't matter about securing the boot sequence.

      > You know, Safe Mode, log in as Administrator with no pass? It's pretty simple for any school or office administrator to neglect.

      You don't even need safe mode to log in as administrator, Ctrl-Alt-Del will get you to a login where you can give Administrator as the username. The administrator will set a password on this account before permitting physical access.

      > Also, you talked about BIOS loading orders.

      No I didn't

      > Any administrator in their right mind would make a floppy disk the first item to boot to.

      Only if they don't grant physical access. If they grant physical access, they unlock the big hard box that they locked the computer in and reset the BIOS via jumpers on the mobo.

      > The point is, while it's not always possible to gain root access remotely, it's pretty much always possible to gain root-access locally. I don't care if your case is made of titanium, I don't care if your case is boarded up with wood and the cables are nailed down.

      Yes, but this is not made easier by granting physical access to the computer since the console can be locked down as hard as the network. You can always shoot the security guards and blow a hole in the building wall. I can grant you physical access to the computer and you still have to go through the same hoops as if I had not granted you *any* access.

    23. Re:Tonight at 11: by Doctor_Jest · · Score: 1

      You can put decent locks on the case. Trouble is, it takes a bit more effort to do so.

      The key here is, like a locked car, making it more difficult (not impossible) to get into. Unless this is a case of "movie-of-the-week" intrusion... most of the time people will look for something easier to compromise...

      Or just make the lock on the door to the room the computer is in more secure. Lock it behind two doors. ;) Something that will test the determination of someone wanting to get to that computer.

      Otherwise, what's the point of even locking the screen?

      --
      It's the Stay-Puft Marshmallow Man.
    24. Re:Tonight at 11: by default+luser · · Score: 1

      Then again, you might be talking about Windows 98 or 95. Just hit Cancel at the password screen and BOOM!, you're in.

      If you've ever worked with profiles, you would know that, along with user-based profiles, there is the "no-login" default profile.

      Yes, people can log on, but it is possible to completely cripple the system to the point that they only have the ability to log off. No run, no program execution, no exploit. The only way to override this easily is by using poledit, which the interloper cannot run due to the restrictive policy. Otherwise, you have to reboot to DOS and muck around in policy files.

      **NB:

      Use care when crippling the default login case. You will make Safe Mode unusable in the process (no matter what you login as in Safe Mode in w95/98, you always get the "no login" policy applied), and could make the PC unrecoverable if you encounter a problem that prevents you from booting into normal mode.

      --

      Man is the animal that laughs.
      And occasionally whores for Karma.

    25. Re:Tonight at 11: by ZOverLord · · Score: 2, Informative

      This concept of physical access required is insane at best. Done right, almost any device can be re-flashed; if a buffer-overflow is created by a payload, not only can the drivers be infected but the flash-memory itself can be infected. A good example is this: http://www.geocities.com/mamanzip/Articles/Low_Cost_Embedded_x86_Teaching_Tool.html Note: this was done using the boot-from-lan option for testing; most devices can execute code at boot, no matter what the boot-from option is. As software becomes more patched, I would worry about legacy hardware in the future. This is one of many exploits heading in that direction.

      --
      Black Gray White Hats Unite to protect http://testing.OnlyTheRightAnswers.com
    26. Re:Tonight at 11: by Mike+McCune · · Score: 2, Informative
      --

      In a world that is Free and Open, who needs Windows and Gates?

    27. Re:Tonight at 11: by Aeiri · · Score: 1

      Just face it, any computer which an intruder has physical access to should be considered compromised.

      Why does EVERYONE seem to believe this?

      They may be able to boot to their own OS, but there are ways you can prevent them from getting root access to YOUR OS, and screwing around with YOUR files.

      Encrypt the root filesystem, and have the computer boot from USB. Then, without bruteforcing your encrypted partition, there is no way for them to mess with your stuff.

    28. Re:Tonight at 11: by Lost+Found · · Score: 1

      I remember my high school days when they had computers in the library. Suppose a student pops in one of these USB devices; they've just broken the system's security. Of course, they could have also done so by removing the chassis cover and resetting the BIOS, to get around the configuration password, allowing them to boot off their own media, mount and modify the hard drive. But chances are they might just get noticed.

    29. Re:Tonight at 11: by suitepotato · · Score: 1

      This is the first level. Hard drive is encrypted from the word go.

      This is the second level. Everything on the hard drive from boot onwards is encrypted in software.

      This is the third level. Everything you need to store in encrypted containers you can quite easily. You can also encrypt files and then store them in encrypted containers to add a fourth level.

      Using all of these, no hack will open the system to unauthorized use. You need the physical and software keys and the password. Without them there's no chance of recovery in this lifetime with any computer technology now or foreseen within the next century that will break all of it without the entire resources of the planet being turned to the job for a period slightly in excess of the sun's remaining lifespan.

      You can also get hardware encrypted external drives as well and use multiple layers of software encryption on them.

      To address the main post, like who didn't know the best way to gain access to a system was to physically pwn it? I mean, really...

      (It's just that with prudent countermeasures and the machines not being left on and requiring all authentication for decryption from start to finish, that point is moot.)

      --
      If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
    30. Re:Tonight at 11: by klui · · Score: 1

      Or if you use something like PGP Disk, it has the option of automatically unmounting your encrypted drives after a certain time has elapsed.

    31. Re:Tonight at 11: by hawk · · Score: 1

      >Just about every PC case that I've ever seen has been lockable.

      Things may have changed, but those locks used to do nothing more than disable the keyboard . . .

      hawk

    32. Re:Tonight at 11: by rew · · Score: 1

      It depends on what tools you have, and what the target is.

      I can imagine a bank having a computer under or on the desk where they advise clients (with the mortgage calculation program and things like that). Now wouldn't you feel bad if some crook could come in, and plant a program ON the bank's computer by just inserting something looking like a USB key into the computer for a couple of seconds?

      It's easy to get the bank employee to go and fetch a coffee for a couple of quick seconds; it's difficult to start unscrewing the box. The physical security of the bank employee not being gone for more than 3 minutes at a time is enough to prevent that kind of attack.

    33. Re:Tonight at 11: by Anonymous Coward · · Score: 0

      Encrypt the root filesystem, and have the computer boot from USB. Then, without bruteforcing your encrypted partition, there is no way for them to mess with your stuff.

      What kind of encryption would you use to prevent me from "messing with" your stuff by applying a few whacks with a sledgehammer?

      In most cases, backups are better security than encryption. Backups prevent losing. Encryption only prevents copying and modification.

    34. Re:Tonight at 11: by inc_x · · Score: 1

      If it wasn't for the modified bootloader/kernel that, once you enter the password for your encrypted partition next time you use it, will mail the password to joe@hackersRus.com

    35. Re:Tonight at 11: by Anonymous Coward · · Score: 0

      And just about every PC case that's lockable ships with the exact same crappy key as your particle board computer desk does.

      Dells perhaps. Both the HP on my desk, and the Coolermaster case I used for my home machine have a hole to put a real padlock through. I am sure that the lock is not the weak part of that setup.

      Cutting the piece off that the lock goes through might be too easy though.

    36. Re:Tonight at 11: by Chris+Hodges · · Score: 1
      Things may have changed, but those locks used to do nothing more than disable the keyboard . . .

      I've just chucked 4 (1994-96) old HPs with locks that prevented the cases from being (easily) opened. It took a few minutes with a screwdriver to trash the case enough to get in. Newer machines tend to have some way of fitting a padlock. This can also be used to chain the machine to the desk, but a big pair of cutters would go through the metal easily enough.

    37. Re:Tonight at 11: by Inkieminstrel · · Score: 1

      Why not just put the computer in a locked cabinet under the desk (with proper ventilation) and run cables and external CD-ROM through a hole in the top of the desk? I'd much prefer to lock up a standard Dell in an immovable cabinet than to have an immovable computer on my floor.

    38. Re:Tonight at 11: by Bloater · · Score: 1

      That's exactly what I meant :)

  4. Similar problems... by JamesD_UK · · Score: 3, Informative

    This is similar to an early security flaw in windows though I forget precisely which Windows versions it was, 95 and earlier I suspect. It was possible to write a program that would autorun from an inserted CD and copy the screen saver password file to a floppy from where it could be later cracked at leisure.

    1. Re:Similar problems... by jonadab · · Score: 2, Interesting

      > This is similar to an early security flaw in windows though I forget
      > precisely which Windows versions it was, 95 and earlier I suspect. It was
      > possible to write a program that would autorun from an inserted CD and copy
      > the screen saver password file to a floppy from where it could be later
      > cracked at leisure.

      If you're physically at the computer, you can reboot it and hit escape at the login prompt (or any number of other possibilities). Windows XP makes this rather harder than it was in Win9x, because it has filesystem permissions, so that if you don't log in you may not be able to access various files -- unless you boot from a Knoppix CD or the equivalent, of course, but that can be disabled at the BIOS level. This is why the USB exploit is significant -- there are many situations in which an attacker might have physical access but not totally *unobserved* physical access, and so taking the cover off the case is problematic, but inserting a USB keychain fob is possible. With Windows 95 that wouldn't have even been significant, because there were much easier ways to get at things.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    2. Re:Similar problems... by JamesD_UK · · Score: 1

      Except that someone might have noticed their Windows 95 system being rebooted... oh *wait* :-)

    3. Re:Similar problems... by pronobozo · · Score: 1

      This is similar to an early security flaw in windows though I forget precisely which Windows versions it was, 95 and earlier I suspect. It was possible to write a program that would autorun from an inserted CD and copy the screen saver password file to a floppy from where it could be later cracked at leisure.

      I had that one, but what it did was autorun a program that disabled the screensaver.

      --
      ------
      insert sig here,here, and here
    4. Re:Similar problems... by jonadab · · Score: 4, Insightful

      > Except that someone might have noticed their Windows 95 system
      > being rebooted... oh *wait* :-)

      Exactly. They might notice, but nobody's going to bat an eye. Frankly, most folks wouldn't bat an eye if they saw WinXP being rebooted either, not because it's necessary nearly as often but because people do it constantly anyway, because they've been conditioned that way. About half the population instinctively reboots at the first sign of abnormality, e.g., if the website they're trying to visit doesn't resolve because they mistyped the URI. It's likely to take a very long time for this expectation to change.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    5. Re:Similar problems... by InvisiBill · · Score: 1
      This is similar to an early security flaw in windows though I forget precisely which Windows versions it was, 95 and earlier I suspect. It was possible to write a program that would autorun from an inserted CD and copy the screen saver password file to a floppy from where it could be later cracked at leisure.

      With Win9x, you can actually use autorun to disable the screensaver password in the registry (without removing the password), use a program to simulate mouse movement, then re-enable the password. You bypassed the password without having to crack anything or reset the password.

    6. Re:Similar problems... by Anonymous Coward · · Score: 0

      You can set most BIOSes to require a password on boot, not just on accessing the BIOS settings.

      Of course, requiring an admin every time you need to reboot your windows machine could get old pretty quickly, and it breaks lots of network administration. But that's how I have my home machine set up.

    7. Re:Similar problems... by rapsys · · Score: 1

      If I remember, a simple remove/replug of the CMOS battery is enough to clear the BIOS and be able to access all your computer...

    8. Re:Similar problems... by EndlessNameless · · Score: 1

      :::Windows XP makes this rather harder than it was in Win9x, because it has filesystem permissions, so that if you don't log in you may not be able to access various files:::

      One small detail: USB drivers currently run with system privileges, which is actually a small step up from administrator privileges on a Windows box. Anyone using the exploit described in the article would have no trouble whatsoever with file permissions on the local machine.

      Accessing remote resources would be a different story, of course, although it shouldn't be too difficult to sniff some traffic once you compromised the first box.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    9. Re:Similar problems... by Frogbert · · Score: 1

      Actually the exploit went more like:

      Pop the cd in and have it autorun.

      Autorun installs registry keys that share all the drives with a password of your choosing.

    10. Re:Similar problems... by Anonymous Coward · · Score: 0

      If your hand is small enough to remove the CMOS battery through the USB connector, you should see a doctor.

      No one is going to notice putting a USB key in, unless you're in some kind of military grade security area, but even the guy surfing pr0n in the far corner of the room is likely to notice someone taking the computer apart.

    11. Re:Similar problems... by tinus · · Score: 1

      Actually you can kill the screensaver from the ctrl-alt-del menu in Windows 95. This was fixed in Windows 98 though.

    12. Re:Similar problems... by jonadab · · Score: 1

      > If I remember a simple remove/replug of cmos battery is enough to clear
      > the bios and beeing able to access all your computer...

      Depends on the computer. Frequently what you have to do is set a particular jumper on the motherboard, power up once briefly, then put it back like it was. That requires taking the cover off the case, which in some kiosk-type scenarios is likely to get noticed.

      Of course, some hardware makes this a bit easier, e.g., on certain models of Dell all you have to do is unplug the power cable and hold the power button in for a few seconds. One wouldn't want to rely much on a BIOS password in that kind of scenario. One supposes that if you're setting up systems where untrusted people will have physical access, you'd try to select hardware that makes the BIOS password harder to clear than that.

      And, as noted above, if random people have *unobserved* physical access, then you've got bigger problems, because at that point they can remove the hard drive and walk off with it. You would absolutely not want to have any sensitive or important data on such a system under any circumstances, ever. As a corollary, you wouldn't want to join such a system to a Windows domain.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  5. Yawn.... by Debian+Cabbit · · Score: 0

    Not many people awake yet to read this?

    Maybe their locked workstations have been compromised!

    Uh wait a second, why am I getting popups for warez at http://127.0.0.1/?

  6. Misleading first few paragraphs? by gunpowda · · Score: 5, Informative
    Who's actually to blame?

    From the summary and the article:

    Vulnerabilities in USB drivers for Windows...The buffer-overflow flaw is in device drivers that Windows loads...running Windows 32-bit operating systems, including Windows XP and Windows 2000...

    The article then goes on to say:

    However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI.

    1. Re:Misleading first few paragraphs? by spydir31 · · Score: 2, Informative

      The fault in USB is that the device supplies its own ID (which is reasonable). If you RTFA you will see they say the problem is in the drivers: drivers often do not verify data correctly and always run with system level privileges, meaning you just need to find one driver that is installed by default (or auto installed) to attack the system.

    2. Re:Misleading first few paragraphs? by l3v1 · · Score: 4, Insightful

      Yeah, right, good ol' MS way: it's not the software's fault, it's not Windows's fault, it's USB's fault. We makes ze great softwere, you makes ze bad hardwere.

      --
      I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
    3. Re:Misleading first few paragraphs? by silviuc · · Score: 1

      However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI. Standards developed by the USB Implementers Forum Inc., the nonprofit corporation that governs USB, don't consider security, he said. For example, an attacker who knows of a vulnerability in a USB device driver can program one USB device, say a portable memory stick, to pose as the kind of device that uses the vulnerable driver, then plug the device into the host system and trigger the exploit when the host system loads the flawed driver, said Darrin Barrall, another SPI researcher.

      Yeah, an attacker that knows about a buffer overflow condition in apache can program a way to exploit it. Is this a flaw in apache or in the RFC?

      C'mon, who is this guy trying to fool?

    4. Re:Misleading first few paragraphs? by Andy_R · · Score: 3, Insightful

      Well there's an easy way to find out... try the exploit on OSX and Linux. I think it's quite significant that the article completely fails to mention any OS other than Windows.

      In a way, I hope the identical problem is present in all of Win/Lin/OSX, as it would give us a very nice way to compare how good and quick the fixes are. I'm not too worried that Microsoft have a headstart on a fix :-)

      --
      A pizza of radius z and thickness a has a volume of pi z z a
    5. Re:Misleading first few paragraphs? by Teun · · Score: 4, Interesting
      And a little further into TFA:

      Best of all, for attackers, the device drivers run with System-level privileges, giving an attacker full control of the host system once the exploit has been triggered. SPI tested attacks on Windows systems, but any operating system that is USB-compliant is probably vulnerable, he said.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    6. Re:Misleading first few paragraphs? by DaveCar · · Score: 1

      I'm sure it can be determined by going and reading the source, but what is the pedigree of the USB code in the Linux/*BSD kernels?

      I imagine both are written from scratch, but is there any chance there is any (perfectly legitimately copied, _if_ there is any) reference code in either?

      Is there likely to be any similar exposure? What about OS X?

    7. Re:Misleading first few paragraphs? by Linus+Torvaalds · · Score: 4, Insightful

      If it's a buffer overflow, then it's a software bug, not a problem with USB per se.

      If it's a vulnerability in a driver, then it doesn't matter if Microsoft didn't write the driver, if they ship it with Windows, they are responsible for it. There's no useful distinction between "Windows" and the drivers that ship as part of Windows.

    8. Re:Misleading first few paragraphs? by log2.0 · · Score: 1

      So that means that it DOES run on linux? yay!...err Sorry, had to be done :)

      --
      Can your karma go above being Excellent?
    9. Re:Misleading first few paragraphs? by ocelotbob · · Score: 4, Insightful

      The flaw is with drivers within Windows, not the USB protocol. USB does its job; it says, "hey, I got this device on the server, its name is 8086:3429 and it's a high speed device." Windows says, "okay, yeah, whatever" and starts accepting data. Unfortunately, drivers are an area where secure programming really hasn't caught on as well as it should; after all, their hardware never misbehaves and starts spewing out nonsense, right? ;3

      --

      Marxism is the opiate of dumbasses

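      As an added illustration (not code from the article, from SPI Dynamics, or from any commenter) of the failure class spydir31 and ocelotbob describe above, a driver that trusts the length field a device supplies, here is a bounded walker over a chain of length-prefixed descriptors. The 2-byte header mirrors USB's bLength/bDescriptorType layout; the payload limit, descriptor count, error codes and sample byte strings are constructed for this example and come from no real driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_HDR_LEN 2   /* bLength + bDescriptorType, as in a USB descriptor header */
#define PAYLOAD_MAX  16  /* constructed: the driver's fixed-size copy target */
#define MAX_DESCS    8   /* constructed: how many descriptors we keep per chain */

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED, /* bLength claims more bytes than the device actually sent */
    PARSE_ERR_BAD_LEN,   /* bLength smaller than the header: would loop forever or underflow */
    PARSE_ERR_TOO_BIG,   /* payload larger than the fixed destination buffer */
    PARSE_ERR_TOO_MANY   /* more descriptors than the result array holds */
};

struct descriptor {
    uint8_t type;
    uint8_t payload_len;
    uint8_t payload[PAYLOAD_MAX];
};

struct parse_result {
    enum parse_status status;
    size_t count;
    struct descriptor descs[MAX_DESCS];
};

/* Walk the bytes a device returned and copy each descriptor into a bounded struct.
 * Every length is checked against what was received and against the destination
 * size before it is used to copy or to advance. A naive driver that used the
 * device-supplied bLength directly is the bug class the thread discusses. */
struct parse_result parse_descriptor_chain(const uint8_t *buf, size_t buf_len)
{
    struct parse_result r;
    size_t off = 0;

    memset(&r, 0, sizeof r);
    while (off < buf_len) {
        size_t remaining = buf_len - off;
        if (remaining < DESC_HDR_LEN) { r.status = PARSE_ERR_TRUNCATED; return r; }

        uint8_t blen  = buf[off];      /* device-supplied, untrusted */
        uint8_t btype = buf[off + 1];

        if (blen < DESC_HDR_LEN) { r.status = PARSE_ERR_BAD_LEN;   return r; }
        if (blen > remaining)    { r.status = PARSE_ERR_TRUNCATED; return r; }

        size_t plen = (size_t)blen - DESC_HDR_LEN;
        if (plen > PAYLOAD_MAX)   { r.status = PARSE_ERR_TOO_BIG;  return r; }
        if (r.count >= MAX_DESCS) { r.status = PARSE_ERR_TOO_MANY; return r; }

        struct descriptor *d = &r.descs[r.count++];
        d->type = btype;
        d->payload_len = (uint8_t)plen;
        memcpy(d->payload, buf + off + DESC_HDR_LEN, plen);
        off += blen;  /* safe: blen <= remaining, so off never passes buf_len */
    }
    r.status = PARSE_OK;
    return r;
}

/* Small accessors so results can be checked as scalars. */
enum parse_status chain_status(const uint8_t *buf, size_t buf_len)
{
    return parse_descriptor_chain(buf, buf_len).status;
}

size_t chain_count(const uint8_t *buf, size_t buf_len)
{
    return parse_descriptor_chain(buf, buf_len).count;
}

/* Returns the byte at payload[i] of descriptor n, or -1 if out of range. */
int chain_payload_byte(const uint8_t *buf, size_t buf_len, size_t n, size_t i)
{
    struct parse_result r = parse_descriptor_chain(buf, buf_len);
    if (r.status != PARSE_OK || n >= r.count || i >= r.descs[n].payload_len) return -1;
    return r.descs[n].payload[i];
}

/* Constructed sample byte strings (not captured from any real device). */
const uint8_t sample_ok[]        = { 4, 0x01, 0xAA, 0xBB,   /* type 1, 2 payload bytes */
                                     3, 0x02, 0xCC };       /* type 2, 1 payload byte  */
const uint8_t sample_truncated[] = { 9, 0x03, 0x01, 0x02 }; /* claims 9 bytes, sent 4  */
const uint8_t sample_bad_len[]   = { 0, 0x03, 0x01 };       /* bLength 0               */
const uint8_t sample_too_big[40] = { 40, 0x04 };            /* 38-byte payload > 16    */

int main(void)
{
    printf("ok: status=%d count=%zu\n", chain_status(sample_ok, sizeof sample_ok),
           chain_count(sample_ok, sizeof sample_ok));
    printf("truncated: %d  bad_len: %d  too_big: %d\n",
           chain_status(sample_truncated, sizeof sample_truncated),
           chain_status(sample_bad_len, sizeof sample_bad_len),
           chain_status(sample_too_big, sizeof sample_too_big));
    return 0;
}
```
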
    10. Re:Misleading first few paragraphs? by Anonymous Coward · · Score: 0

      How could any other OS be vulnerable to this flaw? The method of exploit is based on a specific and flawed driver that ships with Windows, not anything else. This so-called researcher is a Microsoft shill.

    11. Re:Misleading first few paragraphs? by Luke-Jr · · Score: 1

      No, USB is a generic bus and supports a wide range of devices. Thus, anything plugged into USB has a large selection of potential drivers to use, possibly with security holes. Wait! That means PCI and ISA have had this problem, too! We need to start building computers without modular components! (or just assume physical access = root)

      --
      Luke-Jr
    12. Re:Misleading first few paragraphs? by Whafro · · Score: 1, Insightful

      okay, linux fans always say stuff about bugs like "they're talking about the distribution, not the kernel! that's not Linux, that's the distribution!"

      So let's come to a consensus. Does Windows/Linux include what's on the CD, or just the kernel and drivers included directly in the kernel?

      I have a feeling that if there were a driver bug that was in a driver NOT included in the main kernel download, but was still shipped on distro CDs, /. readers would rally to say that this is not a Linux problem, but a driver problem.

      Can't have it both ways...

    13. Re:Misleading first few paragraphs? by Whafro · · Score: 1

      Oh, sorry, should I have started that post with "Well, I have karma to burn, so..." or ended it by apologizing with "I use linux, and am typing this from linux, so I'm clearly a supporter of the OS"?

    14. Re:Misleading first few paragraphs? by Dare+nMc · · Score: 1

      > Does Windows/Linux include what's on the CD, or just the kernel and drivers included directly in the kernel?

      Personally I would consider it whatever cannot be removed from the OS by a typical user. So USB default drivers would definitely qualify. Now msft is still responsible for many applications they install.

      Now Linux is just a kernel, not much usefulness if you uninstall down to that, so a majority of non-geeks have associated Linux with all distributions, and all GPL'd software that could be installed on it.

    15. Re:Misleading first few paragraphs? by jurv!s · · Score: 1

      you got a little something there on your post. there- on the lower right. it looks like a winky butt-face. you might want to have a doctor check that out. i hope it's not contagious. ;3 egads!

      --
      sigs are for fools and trolls. no signature is *always* appropriate. you should turn them off in your preferences.
    16. Re:Misleading first few paragraphs? by Junior+J.+Junior+III · · Score: 1

      If so, then we ought to be able to exploit OS X, Linux, and BSD in the same way. Can we? Let's see it.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    17. Re:Misleading first few paragraphs? by Anonymous Coward · · Score: 0

      Driver is a software piece... not hardware. The one to blame here is the driver creator. In my case, the creator is Microsoft, so if my driver has the flaw Microsoft is the one to blame.
      You can view the driver creator in the device controller panel.

    18. Re:Misleading first few paragraphs? by Linus+Torvaalds · · Score: 1

      Does Windows/Linux include what's on the CD, or just the kernel and drivers included directly in the kernel?

      You are conflating two different issues - the responsibility of the distribution maker, and the distinction between the kernel and userspace.

      Issue one: responsibility. If you get a distribution, and it has a bug in it, then it is a bug in that particular distribution. Even if the Linux kernel had an obvious, stupid bug, if that bug is present in the distribution you obtained, then it's the distribution's fault, because it's their job to catch upstream bugs.

      Issue two: kernel vs userspace. If it's not a bug in the kernel, it's not a bug in Linux. Linux is just the kernel.

      Now, if you are obtaining vanilla kernel sources and compiling them yourself, then it makes sense to talk about bugs in Linux. If a bug is found in the vanilla kernel sources that the majority of mainstream distributions didn't catch, then it makes sense to talk about a bug in Linux. Otherwise, it makes no sense to talk about bugs in Linux.

      Does Windows/Linux include what's on the CD, or just the kernel and drivers included directly in the kernel?

      You are comparing apples to oranges. Windows includes what's on the CD, because it's the whole product. Linux doesn't include what's on the CD, because it's just the kernel. It's the distribution that includes what's on the CD.

      I have a feeling that if there were a driver bug that was in a driver NOT included in the main kernel download, but was still shipped on distro CDs, /. readers would rally to say that this is not a Linux problem, but a driver problem.

      No, it would be a distribution problem. It was the distribution that shipped the buggy driver; whether or not they wrote the driver, they are ultimately responsible for it. It wouldn't be a Linux problem, because Linux is the kernel, not whatever drivers distributions add in after they get the vanilla sources.

      The same logic applies to Windows. It doesn't matter if Microsoft didn't write the driver, they are ultimately responsible for it.

      Can't have it both ways...

      You only see a double standard because you think Windows and Linux are comparable entities. They are not. Windows and a distribution are comparable entities.

    19. Re:Misleading first few paragraphs? by xenobyte · · Score: 1

      ...any operating system that is USB-compliant is probably vulnerable...

      Well, my own box is safe because I never bothered to attach the USB cables to the motherboard (no use for USB on it) so the USB ports are completely dead and thus secure... ;)

      So if you have no immediate need for USB on your servers just detach the cables from the motherboard and an intruder will need to physically open the case to gain access. Should you at a later date need to use USB, just reattach the one port you need.

      An attacker will not know that the ports are dead and will probably waste a lot of time trying them one by one, or give up after the first failure.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    20. Re:Misleading first few paragraphs? by prefect42 · · Score: 1

      That would be sound advice, were it not for the fact that just about any motherboard you can buy today has 2 or 4 usb connectors soldered onto the back edge of the board...

      --

      jh

    21. Re:Misleading first few paragraphs? by xenobyte · · Score: 1

      That would be sound advice, were it not for the fact that just about any motherboard you can buy today has 2 or 4 usb connectors soldered onto the back edge of the board...

      Mine didn't, but that doesn't really matter. Most onboard connectors are configurable through BIOS and I'd suggest to simply disable them that way.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  7. Overflows are fun! by mistersooreams · · Score: 2, Insightful

    Really, how serious a threat is this? If someone has unrestricted physical access to your machine then you're already in serious trouble. We all know how breakable the NTFS file encryption is, so if they really want to get at your files, they can just reboot into Fedora from a CD, or run any other tool that circumvents the encryption. If they just want to destroy data then you can put a hammer through the hard drive, and no OS can prevent that... So, I'm not saying that this vulnerability shouldn't be fixed, but maybe they should work on making NTFS a bit stronger first - if that's even possible.

    Also, does anyone else think Slashdot should have a special section for buffer overflows? They seem to spawn more stories than several of the other sections...

    1. Re:Overflows are fun! by pe1chl · · Score: 1

      When the system boots from a CD you don't need such complicated methods.
      But of course a locked-down system won't boot from CD.

    2. Re:Overflows are fun! by ForestGrump · · Score: 2, Funny

      Correction: There is ONE OS that can prevent you from gaining physical access to the machine. This os is HAL.

      Grump

      --
      Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
    3. Re:Overflows are fun! by Sycraft-fu · · Score: 1

      Actually I was under the impression that NTFS encryption was unbroken. I think it uses strong encryption, and stores the keys in your account, encrypted with your password. I could be wrong, but I believe it's quite secure. This hack is about unlocking a workstation, not about breaking the file security.

    4. Re:Overflows are fun! by MichaelSmith · · Score: 4, Insightful
      If someone has unrestricted physical access to your machine then you're already in serious trouble.

      How about this: I lend my usb key to you so that you can transfer a file. While connected to your system the usb device cracks the security on your windows box and grabs the information I was looking for.

      I don't need access to your system for that to work. I don't even have to know where it is. I have a usb key/mp3 player device which will let me reflash the firmware, so perhaps I could put the exploit in that way.

    5. Re:Overflows are fun! by Anonymous Coward · · Score: 0

      I think Dave would have something to say about that...

      Daisy, Daisy, give me your answer true...

    6. Re:Overflows are fun! by Jarnis · · Score: 1

      Correct. If NTFS is unencrypted, the computer is easy to compromise - you can just boot from a tool CD and modify/insert usernames/passwords.

      However, if the system partition is actually encrypted, there is very little you can do without NSA-grade bruteforcing.

    7. Re:Overflows are fun! by wfberg · · Score: 1

      Really, how serious a threat is this? If someone has unrestricted physical access to your machine then you're already in serious trouble.

      Plugging in a USB device isn't unrestricted physical access. With USB memory sticks basically replacing floppy disks, this is a serious threat. Especially in places like universities that have fairly restricted workstations, messing around with a computer's case, or plugging into ethernet, would be immediately obvious. Plugging in a USB device, getting administrator rights and spamming to your heart's content is a lot less obvious.

      --
      SCO employee? Check out the bounty
    8. Re:Overflows are fun! by deafff · · Score: 0

      Incorrect. And please stop passing random bullshit as knowledge.

    9. Re:Overflows are fun! by DingerX · · Score: 1

      Okay, how many of you are thinking of a modified USB device that in a ten-second transaction gains root access and installs some finely tuned malware (a keylogger, a packet sniffer, some "communications" software)?
      You'd slip it in, take it out, and wait for it to "phone home"-- or have it collect data silently until you attached a USB collection device.
      What are the vulnerabilities?
      A) public computers: not just university computer labs and libraries, but kiosks in shopping malls, airports, you name it. Look around -- there are loads of places featuring "secured" installations of windows (or Linux, for that matter).
      Now, think about some of these networks -- are they all going to be wired to keep the "secured, public boxes" away from more sensitive traffic? Is anybody going to be trained to notice a 10-second move as a hacking attempt?
      B) even scarier are places like hospitals. I know I've sat waiting for a doctor to come in a room with a thin client running some flavor of windows on a password-secured system -- they leave you unsupervised for half an hour sometimes. I'd really rather not have someone poking around my medical data.
      C. Industrial Espionage: Physical access doesn't require a hacker. You can have any number of low-paid, unskilled workers do the injection for you. Slip the janitor a USB key and some Franklins and you're in business.

      Okay, I admit, I don't know what I'm talking about. But it's scary stuff, huh?

    10. Re:Overflows are fun! by Jarnis · · Score: 2, Insightful

      Please educate me.

      Assume I have a system with one 40GB HD, containing one 40GB NTFS partition that is encrypted. I have no usernames nor passwords on hand.

      How do I get (local) admin, assuming I have physical access to the computer? How about if I can't just pluck out the HDD and move it to another computer?

      I know many tools to crack open admin access to an unencrypted Windows installation, but I have no idea how to do the same to an encrypted disk.

    11. Re:Overflows are fun! by value_added · · Score: 1

      We all know how breakable the NTFS file encryption is ...

      We do?

      ... so if they really want to get at your files, they can just reboot into Fedora from a CD, or run any other tool that circumvents the encryption ...

      Circumvents the encryption? Dear Lord, and how would that be done? Without a recovery key the data remains encrypted.

      does anyone else think Slashdot should have a special section for buffer overflows?

      No, but a section for grossly-uninformed comments would seem in order.

    12. Re:Overflows are fun! by Bloater · · Score: 1

      > If someone has unrestricted physical access to your machine then you're already in serious trouble.

      That's true, but what about if someone has *restricted* physical access. So they can bring their own data to work on but other than that only run the programs that you set with the privileges that you set. For starters, these USB drivers should be moved to user space. Indeed FUSE should help here for Linux.

    13. Re:Overflows are fun! by ymgve · · Score: 2, Interesting

      Well, if a current user is already logged in (But the workstation is locked), the filesystem is already mounted. You could then with this USB exploit access the whole filesystem easily.

    14. Re:Overflows are fun! by Geekbot · · Score: 1

      If I understand what they are saying they are not necessarily making the point of gaining admin access; they are referring to ability to access files that are encrypted by the Windows file system. When they mention the encrypted disk, they are only referring to files locked by the Windows OS or file system, which are not locked at all if you boot with Knoppix.

      The easy way to do this is to download Knoppix, Burn the iso, Insert the CD, Reboot. If Windows doesn't load as the operating system, there will be nothing preventing Knoppix's file system from viewing the entire contents of the hard drive, including the My Documents folder which may have been (marginally) protected with Windows file encryption.

    15. Re:Overflows are fun! by Psycho+909NL · · Score: 1

      Please educate me too. How on earth is a computer going to boot when all data including root fs (or c: in case of windows) is encrypted? Sounds to me like impossible, since you need the key to boot the OS (considering the fact that all data is encrypted, the key is encrypted too).

    16. Re:Overflows are fun! by Hal_Porter · · Score: 1

      Encrypted NTFS files are encrypted with DESX or 3DES, with the decryption key in the (encrypted) user profile.

      So booting into a different OS wouldn't let you access the unencrypted files, though you could get access to the encrypted data.

      Of course, since the key is stored on the hard disk somewhere, it could in principle be extracted.

      There's a utility called syskey.exe in XP which can move the keys onto a floppy though. In which case the only way to get the files back without the floppy would be to crack 3DES.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    17. Re:Overflows are fun! by deafff · · Score: 0

      Ssshhh...he might actually realize how stupid he is.

    18. Re:Overflows are fun! by Hal_Porter · · Score: 1

      Actually the USB device doesn't get root access.

      Here's what happens.

      You plug in the device, and Windows reads the device class and id. It looks in the registry to see if it has a driver for that class and then the device id in that order. E.g. for a USB mass storage device, it will always find the default windows driver. If it doesn't, the user can provide a driver, but the user needs to have local admin rights to do it.

      Now if they have local admin rights, they can install whatever they want anyway, including a root kit.

      With a sane network admin, people don't have local admin rights unless they are doing something techie like developing, in which case they handle their own problems without calling the support people. And there's a firewall, so root kits will be somewhat limited in what they can do. You can also fire people with admin rights who install malicious software.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    19. Re:Overflows are fun! by deafff · · Score: 0

      > Without a recovery key the data remains encrypted.

      You sir, are Yet Another Fanboi passing random BS as knowledge.

    20. Re:Overflows are fun! by amliebsch · · Score: 1
      they are referring to ability to access files that are encrypted by the Windows file system.

      Then you are talking about "permissions," not "encryption." Permissions can be bypassed simply by using an OS that disregards them. Encryption cannot be. Please do not confuse the terminology.

      --
      If you don't know where you are going, you will wind up somewhere else.
    21. Re:Overflows are fun! by Jarnis · · Score: 1

      You can't run syskey without access.

      I still state that if the filesystem is ENCRYPTED, there is no way to access it. Unencrypted = no problem, plenty of bootable tools off CD that can 0wn the admin password (or insert a few new admins). But if it's encrypted, it's encrypted, and assuming no known users/passwords, even with local access you can't touch the data.

      If you somehow can, please do educate me - I run into this issue at my work every few months (borked un-bootable windows on encrypted drive), and currently my answer in such case is "sucks to be you, learn what 'encrypted' means, and how you securely backup your encryption keys before using it again". And then the user gets to reformat without recovering any files.

    22. Re:Overflows are fun! by Jarnis · · Score: 1

      Well, after some research it looks like one may be able to get into the OS via off-CD hacking tools, but all the encrypted user data is inaccessible.

      "
      * This is a utility to (re)set the password of any user that has a valid (local) account on your Windows NT/2000/XP/2003 system, by modifying the encrypted password in the registry's SAM file.
      * You do not need to know the old password to set a new one.
      * It works offline, that is, you have to shutdown your computer and boot off a floppy disk or CD. The boot-disk includes stuff to access NTFS partitions and scripts to glue the whole thing together.
      * Works with syskey (no need to turn it off, but you can if you have lost the key)
      * Will detect and offer to unlock locked or disabled out user accounts!

      Caution: If used on users that have EFS encrypted files, and the system is XP or later service packs on W2K, all encrypted files for that user will be UNREADABLE! and cannot be recovered unless you remember the old password again!"

      So, in such cases even if you could get some kind of OS up with access to it, the encrypted stuff would still be inaccessible.

    23. Re:Overflows are fun! by Hal_Porter · · Score: 1

      Umm no that's not what I meant.

      I meant Encrypted FS - secure against booting into Knoppix. Data is encrypted on disk, not just locked as the post I was replying to stated.

      However, EFS could be cracked in theory if you had a util that could extract the keys from the profile. I don't know if this has been done, because I don't use it and have never had to get access to encrypted files.

      Syskey is designed to be _more_ secure - the idea is that you move the keys to a floppy and then lock it in a safe. In which case, you can't get the keys off the hard disk - you need the floppy to get access to the files.

      But you can't use syskey to crack an encrypted box because it requires that you can log on. You can't even reset the password with a hacker tool, because that gets hashed into the encryption key. If you reset the password, the data is essentially gone.

      Mind you if you have (local|domain) admin rights and can still boot there are ways around this

      http://www.brienposey.com/kb/working_with_ntfs_encryption.asp
      http://www.experts-exchange.com/Security/Win_Security/Q_21446371.html

      So if you were admin, you could repair the machine, making sure you don't do anything that will damage the user's profile, change their password with the NT tools, which won't cause the encryption keys to get screwed and get access that way.

      What caused the machines to be borked to the point of unbootability BTW. That's some hard core borking.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    24. Re:Overflows are fun! by Psycho+909NL · · Score: 1
      according to http://www.microsoft.com/technet/prodtechnol/winxppro/support/dataprot.mspx

      there is dra administrator or data recovery agent (not in xp sp2)
      which is automatically created so go to ftp://ftp.kernel.org/pub/dist/planb/ and download plan b

      start-off from cd reset admin account to *

      reboot login and there you go

      local admin rights + you can decrypt efs encrypted files (except for admins encrypted files)

      doesn't look that hard to me

    25. Re:Overflows are fun! by Jarnis · · Score: 1

      Situations like damaged HD or total spyware infestation... when the drive is not encrypted, it's usually trivial to rescue most/all of the important data.

      If it's encrypted, things get way more difficult...

    26. Re:Overflows are fun! by Anonymous Coward · · Score: 0

      How about this: I lend my usb key to you so that you can transfer a file. While connected to your system the usb device cracks the security on your windows box and grabs the information I was looking for.

      You didn't need this exploit to do that. Simply creating the appropriate autorun.inf file and having it execute some custom code invisibly to do what you want would have been enough, particularly since most Windows users run as Administrator.

      The only potentially useful new attack vector this allows is the compromise of locked workstations, which while hardly trivial is by no means the herald of a coming apocalypse.

    27. Re:Overflows are fun! by DavidTC · · Score: 1
      Encrypted files on NTFS are encrypted using a 3DES key that's encrypted using the user password. (And the admin password.) When the user logs in, they can get access to their key, and access the files. Until then, they cannot. If their password is reset (Outside of 'legit' Windows methods, which will re-encrypt their in-memory decoded keys.), they cannot ever access the files.

      The 'root fs' is never encrypted.

      You know, this is exactly the kind of stuff that makes us Linux advocates look like idiots. Just because Windows is shitty in general doesn't mean every part of it is. Their encryption is amazingly well thought out.

      And, of course, completely pointless when someone can plug in a USB frob that runs a system level program that grabs the decrypted user keys out of memory.

      Which is why NTFS encryption is so funny. It's an impenetrable vault door bolted to a wooden barn.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    28. Re:Overflows are fun! by DavidTC · · Score: 1
      There are USB drivers with buffer overflows. The device can identify itself in such a way that it gets its own code to execute, without any admin access on the local machine at all.

      Basically, the device says 'I'm device number 4934:2949', and Windows goes, 'Okay, I've got a driver here, let me load it', and the driver says 'Okay, device, what's your status' and the device replies 'OK^^malicious code here', the driver happily sticks that in a four byte buffer, overwriting some code that gets executed later. With system privs.

      No user interaction at all.

      If one of these poorly coded drivers is for a storage device, it would be trivial to write a trojan you can slip onto any system in five seconds. If not, it would be more work, because you couldn't just say 'Run evil.exe off newly inserted device at system privs', but it's certainly doable.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    29. Re:Overflows are fun! by Anonymous Coward · · Score: 0

      Could RockBox with a few modifications (or maybe only the right plug-in) be used for this? :)

    30. Re:Overflows are fun! by Hal_Porter · · Score: 1

      Ok, but you'd need to write a _kernel_mode_ trojan, and flash it into the device, in the code that handles the USB protocol. Most mass storage devices have the USB protocol handler in a masked rom - you can change the device ID and so on in an e2prom, but that's fixed length anyway. So you can do it with something like a CypressUSB board where you can hack the protocol, doing it on a cheap USB flash disk is likely impossible. Also, I think the size of data after an overflow will be quite small.

      E.g. consider

      http://www.beyondlogic.org/usbnutshell/usb4.htm#Control

      Notice that the device is the one to signal the end of the transfer with a short packet.

      Now when the device driver on the host asks for a read, it passes a length, so it should be safe. But the problem is probably that most of this happens in hardware.

      E.g. imagine I'm a device driver, and I want to read 160 bytes from a usb endpoint with fifo size 64. I ask the Windows USB stack to do it, and it programs the host controller to read 160 bytes. The host controller has to split the transfer into 64 byte chunks, so it will read like this on a good device.

      I'm assuming that it knows to stop a transfer if too many bytes are transferred, but it can't stop in the middle of a packet, for the purposes of this example. I don't know if this is a problem with any real USB host controllers, it's just an example.

      Packet 0 - 64 bytes Total=64
      Packet 1 - 64 bytes Total=128
      Packet 2 - 32 bytes Total=160

      On a bad or malicious device, this happens

      Packet 0 - 64 bytes Total=64
      Packet 1 - 64 bytes Total=128
      Packet 2 - 64 bytes Total=192 ( 32 bytes extra ! )
      ****Host controller signals an overrun, USB stack issues a bus reset****

      The fatal problem is that software only gets control after Packet 2 has been transferred, by which time the buffer has been overrun.

      So, if I were designing a malicious device, I'd always send too much data. Somewhere in the USB stack there's probably a place where I'd burst a buffer - the secret in this case is to make sure your buffer has one fifo's worth of unused padding. In fact, that would be a good WHQL test - if the machine with the driver can survive a device that sends too much data. Still at least in the USB case the infrastructure is in place to handle this.

      But the same applies to anything where the device controls the transfer length - e.g. bus master DMA. In general, hardware has de facto 'root access' in this case, as it can always crash the system by writing too much. And most of the time writing drivers this is the sort of hardware bug you spend time working around, so it's not true that "USB drivers are written with very little data validation and security awareness". Security awareness comes naturally if not having it means a blue screen of death.

      Also, if you read the article it seems a bit suspicious. No one has released details or told Microsoft, and yet they are already selling a product to protect people against this vulnerability.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
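      The packet walkthrough in the comment above (a 160-byte read against a 64-byte FIFO, where a misbehaving device lands a third full packet before software gets control) and the fixed four-byte status buffer described in comment 28 both come down to the same defensive rule: size the driver's buffer for what the hardware can physically deliver, then validate the device-supplied length before using the data. The following C program is an added example written for this page, not code from the thread, from Windows, or from any driver; the host controller, the device and its packet lengths are all simulated and constructed, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated device (constructed input): the lengths of the packets it returns
 * for one transfer. A well-behaved device ends with a short packet; a buggy
 * or malicious one keeps returning full packets. */
typedef struct {
    const size_t *pkt_len;
    size_t n_pkts;
} sim_device;

/* Round the requested length up to a whole number of max-packet-size units.
 * The host controller moves whole packets and cannot stop mid-packet, so the
 * buffer needs room for the final packet to arrive full (one FIFO of padding). */
size_t usb_padded_buffer_len(size_t requested, size_t max_packet)
{
    if (max_packet == 0)
        return requested;
    return ((requested + max_packet - 1) / max_packet) * max_packet;
}

enum {
    USB_XFER_MEMORY_CORRUPTED = -2, /* a packet landed past the end of the buffer */
    USB_XFER_OVERRUN = -1           /* device sent more than requested; data discarded */
};

/* Simulated host-controller transfer followed by the driver's check.
 * The controller lands each packet whole; software only runs afterwards.
 * Returns the usable byte count, USB_XFER_OVERRUN if the device delivered
 * more than `requested` (the driver rejects the transfer), or
 * USB_XFER_MEMORY_CORRUPTED if a packet would have been written beyond
 * buf_len, which is what a real controller would silently do to an
 * unpadded buffer. */
int usb_read(const sim_device *dev, size_t max_packet, size_t requested,
             uint8_t *buf, size_t buf_len)
{
    size_t total = 0;
    for (size_t i = 0; i < dev->n_pkts; i++) {
        size_t len = dev->pkt_len[i];
        if (len > max_packet)
            len = max_packet;                /* a FIFO cannot hold more than this */
        if (total + len > buf_len)
            return USB_XFER_MEMORY_CORRUPTED;
        memset(buf + total, 0xA5, len);      /* stand-in for the DMA'd payload */
        total += len;
        if (len < max_packet || total >= requested)
            break;                           /* short packet, or enough data: controller stops */
    }
    if (total > requested)
        return USB_XFER_OVERRUN;             /* checked before any byte is parsed */
    return (int)total;
}

/* The fixed four-byte status field from comment 28, with the bound check the
 * driver must make: a device-supplied length is never trusted to fit. */
#define STATUS_LEN 4
int copy_status_bounded(const uint8_t *reply, size_t reply_len,
                        uint8_t status[STATUS_LEN])
{
    if (reply_len != STATUS_LEN)
        return -1;                           /* reject the reply instead of overflowing */
    memcpy(status, reply, STATUS_LEN);
    return 0;
}

/* The three scenarios from the thread, as named functions. */
int scenario_good_device_exact_buffer(void)
{
    static const size_t pkts[] = {64, 64, 32};   /* constructed: 64 + 64 + 32 = 160 */
    sim_device dev = {pkts, 3};
    uint8_t buf[160];
    return usb_read(&dev, 64, 160, buf, sizeof buf);
}

int scenario_bad_device_exact_buffer(void)
{
    static const size_t pkts[] = {64, 64, 64, 64}; /* constructed: never sends a short packet */
    sim_device dev = {pkts, 4};
    uint8_t buf[160];                              /* sized for the request, not the hardware */
    return usb_read(&dev, 64, 160, buf, sizeof buf);
}

int scenario_bad_device_padded_buffer(void)
{
    static const size_t pkts[] = {64, 64, 64, 64};
    sim_device dev = {pkts, 4};
    uint8_t buf[192];                              /* usb_padded_buffer_len(160, 64) */
    return usb_read(&dev, 64, 160, buf, usb_padded_buffer_len(160, 64));
}

int main(void)
{
    printf("good device, exact buffer:  %d\n", scenario_good_device_exact_buffer());
    printf("bad device, exact buffer:   %d\n", scenario_bad_device_exact_buffer());
    printf("bad device, padded buffer:  %d\n", scenario_bad_device_padded_buffer());
    return 0;
}
```

      Run as-is, the first scenario returns 160, the second reports memory corruption (the third full packet has nowhere to go in a 160-byte buffer), and the third returns an overrun that the driver can reject cleanly because the extra 32 bytes landed in the padding. That last case is the "device that sends too much data" test the comment suggests for WHQL: the machine survives, and the driver discards the transfer rather than parsing it.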
    31. Re:Overflows are fun! by Geekbot · · Score: 1

      My mistake. That's what I get for drinking and posting. Friends don't let friends post drunk.

  8. Now this is what i call by pH03n1X · · Score: 4, Funny

    'plug and play' hacking .....

    1. Re:Now this is what i call by iive · · Score: 1

      Plug and Pray

  9. And at 11:30... by Photo_Nut · · Score: 3, Funny

    Flaws found in device drivers shipped with Windows, Microsoft recommends upgrading to Vista!

  10. Be Careful! by Neticulous · · Score: 4, Funny

    "What would be funny is if Vista had this bug when it shipped..." Hey there, this is microsoft, in order for us to not get sued we need you to use "Windows" in conjunction with the word "Vista". So please kindly edit your post, you wouldn't want us to get sued, would you? darling? sweety?

    1. Re:Be Careful! by Biomechanical · · Score: 1
      you wouldnt want us to get sued, would you? darling? sweety?

      Hehe, Ab Fab meets /.

      --
      His name is Robert Paulsen...
  11. Not new idea by makomk · · Score: 5, Interesting

    Oddly enough, this isn't a particularly new idea. The Xbox Linux project considered the possibility of using a specially-designed USB device to run code on the Xbox, though I don't think they managed to find a suitable vulnerability to exploit (unlike now). I wonder if this works for the Xbox, actually - it's Windows 2000 based IIRC...

    1. Re:Not new idea by Prophetic_Truth · · Score: 1

      Actually, that's kind of what happened. Using a modded save file on a USB save device, the xbox was able to be hacked via a problem with certain games and their load save function. This hack allowed you to flash the xbox bios with a modded bios.

      --
      time is a perception of a being's consciousness
      time is your 6th sense, the weird ones are 7+
    2. Re:Not new idea by assassinator42 · · Score: 1

      Actually, that is different from what the article is talking about. Sure, they both use buffer overflow, but the hacked saves are files, and exploit buffer overflows in file loading. The article is talking about just plugging in a usb device and executing code. That hasn't been done on the xbox.

    3. Re:Not new idea by Prophetic_Truth · · Score: 1

      isn't that what i said? the load/save function of certain games are exploited, it's not a usb driver on the xbox, hence my use of 'kind of'. sorry i didn't make myself clear

      --
      time is a perception of a being's consciousness
      time is your 6th sense, the weird ones are 7+
    4. Re:Not new idea by Anonymous Coward · · Score: 0

      It is NOT based on Windows 2000, you insufferable clod.

    5. Re:Not new idea by Anonymous Coward · · Score: 0

      It is, on the 2K kernel.

    6. Re:Not new idea by Geoffreyerffoeg · · Score: 1

      Just being a buffer overflow that happens to enter via USB doesn't make it the exploit here. Xbox-Linux uses a file on the HD that exploits an overflow in a game's load file - it just so happens that most people bring the file in via a USB stick. What they're talking about here is having the USB device's driver itself be the exploit - when the OS tries to load the device's driver, then the OS buffer (not the game's application buffer) will overflow.

      There are plenty of buffer overflows. Someone could make an overflow of the networking stack - send a bad packet to a System Link game and load Linux over the network. There's a couple of exploits that use an overflow in the Dashboard font files. Actually, unless you use a modchip or figure out the MS private key, I'm pretty sure the only way to run Linux is through a buffer overflow. The point in the article here is that the USB specification may have a buffer overflow, not that buffer overflows are dangerous (which we already knew).

    7. Re:Not new idea by makomk · · Score: 1

      IIRC, Xbox Linux actually did consider using a buffer overflow in the USB stack itself (and this is what I was referring to in my original post). However, they couldn't find one at the time, so they used other approaches. In many ways, this would've been a good solution, but it didn't pan out.

  12. It is not about "Windows" by jiushao · · Score: 5, Insightful
    This is just a report about the general issue that all USB drivers have to be secure or a hardware device can be made to exploit the machine. It is in no way about Windows, but actually about any operating system that implements USB.

    Sadly enough it is not at all surprising that Slashdot immediately goes for the anti-Windows slant rather than actually reading and comprehending the article and exploit in question. Too few actual exploits in Windows as of late to get up to the required quota perhaps?

    In a more direct comment about the "exploit" I don't consider it terribly important, hardware access leads to a lot of trivial exploits. This one can be made more user-friendly than most with appropriate hardware, but it is not really worse than just inserting a boot CD that copies the relevant data to a secure server or so. It can also of course easily be fixed by disallowing loading of USB drivers without confirmation from the user.

    1. Re:It is not about "Windows" by jazzbo54 · · Score: 1, Interesting

      exactly how do you do this?

      > easily be fixed by disallowing loading of USB drivers without confirmation from the user.

    2. Re:It is not about "Windows" by strider44 · · Score: 1

      It is an article about an exploit in the Windows drivers for USB, the article itself is entitled "USB Devices Can Crack Windows". In fact I don't see any anti-windows slant in the slashdot summary other than a statement of the facts and a direct quotation of the article.

      As to the lack of actual exploits in Windows, perhaps you should read the news. There's been *many* exploits that slashdot has simply ignored.

      For your third paragraph, you're full of shit and don't understand the exploit in question. It says that you don't need actual access to the computer just USB access. Even if there's a USB mouse fed through a KVM terminal you could probably take it apart and connect the USB that way. You don't need to reboot the computer, and there's no way to lock it out. This is a serious exploit.

    3. Re:It is not about "Windows" by Anonymous Coward · · Score: 0
      I can see where people would get confused and start bashing windows, what with the article named "USB Devices Can Crack Windows", and then the Windows OS line mentioned a dozen or more times in correlation with the flaw.
      And actually the only mention of other OSes was the "possibility" that they were susceptible, but at this time unconfirmed.

      So unless you have data that says otherwise, get off it already.

    4. Re:It is not about "Windows" by GIL_Dude · · Score: 1

      While I agree with most of your points, there is one way in which accessing the running OS in the way that an exploit based on this vulnerability could is different than the boot CD method you mentioned. For example, my notebook has PointSec installed (full drive encryption). With this, the boot CD is useless (it can format my drive, but can't get the data). However, the USB key vulnerability if properly exploited can get my data since the machine is already booted into the target OS and encryption keys have already been provided.

    5. Re:It is not about "Windows" by Anonymous Coward · · Score: 0

      ...and this was modded insightful?

      In a more direct comment about the "exploit" I don't consider it terribly important, hardware access leads to a lot of trivial exploits.

      USB flash devices are being used to share lotsa things nowadays. I use them routinely as a floppy replacement (since most apps files are just too damned big for a floppy anymore).

      So I do everything right; I run as a limited user, not as Admin, lock my machine down tight and some co worker comes up with a USB drive and says "Here, just grab a copy of the spreadsheet from this..." Pwned!

      Too few actual exploits in Windows as of late to get up to the required quota perhaps?

      No, there is no lack of those! Just take a look!
      http://secunia.com/product/22/

      Parent poster is a moron!

    6. Re:It is not about "Windows" by DavidTC · · Score: 1
      I, personally, am waiting for a USB virus.

      Wasn't there a 'dos directory' virus once, where just looking at a directory listing (under certain DOS versions) would infect you?

      But there appear to be indications that you can't really reprogram a normal USB device to do this.

      However, yes, it's a godsend for spies. It's like TV shows have always depicted!

      --
      If corporations are people, aren't stockholders guilty of slavery?
    7. Re:It is not about "Windows" by Anonymous Coward · · Score: 0

      Here we go! Grandarent poster is still +5 insightful, parent post is 0!

      Idiots! One can only hope that those who are entrusted with safeguarding personal data are more technically astute than moderators on /.

      Morons!

      In the end, it doesn't matter! Idiots will listen to moderation; those who truly consider security will take it as the threat it is!

  13. Scary. by oberondarksoul · · Score: 4, Insightful

    USB flash drives are already quite highly accepted amongst non-technical users; both my parents have bought pendrives, as have many of my friends. They're quite comfortable with just popping in the drive, waiting for the OS to see it, and grabbing files off it.

    So, what if someone handed them a pendrive and asked them to grab some files from it, and it turns out that this pendrive would cause an attack like this? One could be switched by a black-hat, or planted, or mailed... put simply, the attacker wouldn't need physical access, just access to someone who does.

    --
    And tomorrow the stock exchange will be the human race
    1. Re:Scary. by putaro · · Score: 1

      How about if someone just hands them a pen drive and says "Double-click on the Readme.exe file"? Seems like a lot less work to me.

    2. Re:Scary. by moonbender · · Score: 1

      Not that I really disagree (I think this is all somewhat of a non-issue), but seeing how this is an error in system software, exploiting a buffer overflow might lead to a security escalation, i.e. you might "get root". The user can only run an application within the context of his or her own account, barring other exploits anyway.

      --
      Switch back to Slashdot's D1 system.
    3. Re:Scary. by kesuki · · Score: 1

      seems like writing an autorun.inf would be easier to me.. and telling them if it doesn't work to 'double click readme' because you know extensions are turned off by the desktop.ini you wrote for the pendrive..

    4. Re:Scary. by Rich0 · · Score: 3, Insightful

      Better still - nice envelope with a letter on authentic-looking stationery and a USB drive inside.

      The letter says - dear information computing professional, MS would like you to test-drive our latest (insert name of fancy software package here). The enclosed demo will not interfere with any of your existing software, and as a thank-you for trying out our newest offering you can keep this handy 128MB USB drive. Feel free to pass along to your colleagues as well.

      At work we get demo CDs all the time for various expensive software applications. If you want to do some real industrial espionage send google a USB drive with the latest open source code-profiling tool, or Pfizer a flashy-looking clinical data analysis tool, or whatever.

      Do the whole thing in flash so that it looks like something as high-tech as what you'd see in star trek (it isn't like you actually have to write the algorithm - just an animation). It will get passed all over the place to countless managers. And in most companies you can't give a worker-bee access to a system without giving it to their manager, so you have countless management drones with access to systems they never even look at, but your newly-introduced worm can poke around freely...

    5. Re:Scary. by Leebert · · Score: 1
      The letter says - dear information computing professional, MS would like you to test-drive our latest (insert name of fancy software package here). The enclosed demo will not interfere with any of your existing software, and as a thank-you for trying out our newest offering you can keep this handy 128MB USB drive. Feel free to pass along to your colleagues as well.

      ...or you could save yourself a few bucks and ship them a trojanized binary on CD, if they're going to be running your code anyhow.

    6. Re:Scary. by YU+Nicks+NE+Way · · Score: 1

      Not exactly. The "readme.exe" attack can be mitigated by not running as root or Administrator. The USB attack grabs a driver, and so already has full kernel access.

    7. Re:Scary. by pilkul · · Score: 1
      So, what if someone handed them a pendrive and asked them to grab some files from it, and it turns out that this pendrive would cause an attack like this? One could be switched by a black-hat, or planted, or mailed... put simply, the attacker wouldn't need physical access, just access to someone who does.

      So the attacker would lose a 50$ pendrive for this stunt, not to mention the victim has seen his face and can report him to the police. Unless the stakes are really high (corporate espionage, bank robbery) nobody's going to attempt this.

    8. Re:Scary. by Anonymous Coward · · Score: 0

      On the other hand, the USB attack is a lot sneakier, and it works even if the recipient knows not to run random executables on their machine. The attack works even if the recipient of the pen drive is paranoid about never running anything they haven't received from a trusted source...

    9. Re:Scary. by T-Ranger · · Score: 1

      Well, there is that small portion of users who have some kind of virus scanning system in place. Trojaned executables on the CD or USB stick it would pick up... An evil USB stick itself, not so much....

    10. Re:Scary. by Rich0 · · Score: 1

      True, although the USB key would work on a PC with non-admin rights.

    11. Re:Scary. by Anonymous Coward · · Score: 0

      Wow. Scary idea. But please tell me again, why do you need a USB device to do it?

    12. Re:Scary. by DavidTC · · Score: 1
      And you can always provide signed Microsoft binaries. Straight off their website. Good as gold.

      Or, hell, a fricking web page. Or text file.

      Even extremely paranoid people like me wouldn't suspect the drive. We have autorun off, we show extensions, we have a virus scanner and, hell, we'll even run it manually on the drive, and we'll see it's a few perfectly innocent signed demos of MS software.

      And even then we might not trust those binaries, and download them from MS's site.

      But, regardless, we got infected the second we inserted the drive. With autorun off, a lot of us have gotten unparanoid about that, we assume we can look at the files and make sane choices.

      --
      If corporations are people, aren't stockholders guilty of slavery?
    13. Re:Scary. by DavidTC · · Score: 1
      50 dollar? Where the hell have you been? You can get them for like 8 dollars.

      And the point is that no one would ever know. You insert the drive, grab a few files, and you're owned.

      Honestly, people. Pretend you're in a place with public computers with your laptop. Someone walks up and says 'I can't seem to read files off this drive on the machines here, something about permissions, and I really need one of them. Can you read it, and if so, can you copy important.doc to this floppy for me?'. So you stick it in, you grab a perfectly innocent .doc and copy it to the floppy, being careful not to run anything off the drive or even open anything. (And like all sensible people, you have autorun off.)

      And you just got owned. At the system level.

      I not only would have done it before this article, I have done it before.

      --
      If corporations are people, aren't stockholders guilty of slavery?
  14. In response to actual article title... by Punboy · · Score: 1

    Ya, if you throw them hard enough XD

    --
    If you like what I've said here, and want to read more, go to http://www.krillrblog.com
  15. Locked down how? by Sycraft-fu · · Score: 1

    BIOS? No problem, pop the reset jumper on the motherboard, and all the BIOS settings, including password and boot restrictions, are gone. When someone has physical access, they can get root/admin, if given the time. Our UNIX admin always maintains this philosophy, that anyone who has access to our servers can get root on them. So our security is not designed to make that impossible, but to make it hard enough and watched enough that we notice when someone tries it, and can go and confront them.

    1. Re:Locked down how? by pe1chl · · Score: 1

      Same with workstations: when someone opens the case and/or resets the BIOS settings you will get an alert and can go after it.
      Usually the problem is not that someone can get access to the system. You only want to protect against doing that without being detected.

    2. Re:Locked down how? by Anonymous Coward · · Score: 0

      So you get an alert, big deal. That is what the claymores the attacker planted near the doors are for. Remember, there is no security that can't be bypassed with sufficient explosives.

  16. Firewire and Linux by wertarbyte · · Score: 5, Informative

    This reminds me of the vulnerabilities discovered in linux (and other systems) concerning firewire; Since Firewire devices can read and write directly to the computer's memory, you can do some nasty stuff. The issues are documented on the website of the German CCC: http://www.ccc.de/congress/2004/fahrplan/event/14.de.html

    --
    Life is just nature's way of keeping meat fresh.
    1. Re:Firewire and Linux by Anonymous Coward · · Score: 0

      Mod parent up, this is on-topic and very interesting!

  17. Buffer Overflows by Jessta · · Score: 2, Interesting

    How come these things still happen? Lazy programmers? Crappy x86 architecture? These self-created problems should still be around.

    --
    ...and that is all I have to say about that.
    http://jessta.id.au
    1. Re:Buffer Overflows by Jessta · · Score: 1

      *shouldn't still be around. ah, I see the issue.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
    2. Re:Buffer Overflows by KillShill · · Score: 1

      it's a problem with the usb arch.

      and since even apple is switching, that must mean x86 is even more crappy than usual.

      amd64 cpus outperform equivalent g5's by 25% or more but that's because x86 is crappy.

      economies of scale take care of the crappiness by a large margin.

      the early 90's desire your attempt at poor humor not-front.

      --
      Science : Proprietary , Knowledge : Open Source
    3. Re:Buffer Overflows by Anonymous Coward · · Score: 0

      It can be extremely difficult to deal efficiently with an unknown amount of data. I've seen weird things happen. Oh such wonderful weird things from buffer overflows. One must predict the amount of space needed. Regardless of any precautions that prediction will, sooner or later, be exceeded.

      It is inevitable Mr. Anderson.

  18. BIos option by ObitMan · · Score: 2, Interesting

    A bios option to disable USB would be nice. Especially in an environment that doesn't need USB for anything.
    A lot of systems do not have the option.

    --
    Who run Barter Town?
    1. Re:BIos option by Jarnis · · Score: 1

      Actually, every motherboard BIOS I've seen has the option to disable USB.

      And to just disable the 'front panel' easy access USBs, just yank the cables out of the motherboard :)

    2. Re:BIos option by Anonymous Coward · · Score: 1, Informative

      Never forget the manual option. It's easy to disable a USB port by epoxy ;)

    3. Re:BIos option by cnettel · · Score: 1

      In addition to this, I don't see the problem in disabling the whole USB controller from an administrator account. What I wonder is if the Windows group policies for hardware setup could be used to stop this.

    4. Re:BIos option by ObitMan · · Score: 1

      Bah, my post would have made more sense if the "/sarcasm" thingy I did worked when I posted.

      --
      Who run Barter Town?
  19. Q: Will this flaw affect Windows Vista? by Anonymous Coward · · Score: 0, Troll

    A: No. Of course not. Well... okay sorta. If you buy Microsoft DRM [t.m.] Technology Approved USB Devices you'll be just fine. Oh and by the way, Microsoft DRM [t.m.] Technology Approved USB Devices will be required for all USB usage under Windows Vista. It's for the benefit of You, The Customer [t.m.]specifically. Honest. No attempting to lock you out of moving your content elsewhere, no sir.

  20. From TFA by myukew · · Score: 1

    "SPI tested attacks on Windows systems, but any operating system that is USB-compliant is probably vulnerable, he said."
    Luckily I still run DOS. Most secure system evah.

    1. Re:From TFA by Anonymous Coward · · Score: 0

      I heard about a vulnerability in Interlink recently...

  21. What's physical access? by raehl · · Score: 5, Insightful

    Given enough time and resources, I have physical access to anything. If your computer is in a locked case, is that physically secure? In a lab that is always staffed? Behind a locked door? With a guard?

    For many situations, a computer with a locked case in a room that is staffed is considered "physically secure", as it's not likely that you'll break the physical security (lock on the case) without attracting the attention of the staff. Hell, even a computer in a staffed room in a case that has screws on it is fairly physically secure. The USB problem circumvents the physical security.

    Security is all about deterrent. My apartment has a dead bolt lock on the door. Does this mean it's impossible to break into my apartment? Of course not - it just makes it harder.

    Being able to break security on a locked computer with a USB drive is like leaving the key to your apartment under your door mat.

    1. Re:What's physical access? by Minupla · · Score: 4, Informative

      Security is all about deterrent.

      Actually, security in this case is about doing a calculation of the worth of what it is you're protecting against the cost (be it a cost in terms of cash for access controls, or a cost in terms of user convenience and system functionality) of the security. I've seen financial institutions who had all their workstations in a central computer room and just ran KVM terminals to each desk. The server room looked more like a vault. It was important to them to keep the workstations secure. On the other hand if you're a library and you're only trying to keep them secure so that you don't have to reinstall every week because some 12 yr old types cat /dev/random > /dev/hda & well then a locked box is probably all you need.

      It's just like insurance really, you sit down and calculate how much your information is worth. After you do that, you put into place access controls equal to or greater than the value.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    2. Re:What's physical access? by Stocktonian · · Score: 2, Insightful

      My apartment has a dead bolt lock on the door. Does this mean it's impossible to break into my apartment? Of course not - it just makes it harder.
      Being able to break security on a locked computer with a USB drive is like leaving the key to your apartment under your door mat.


      Taking the analogy further it's actually more like buying an apartment with a deadlock from a disreputable source (No, not just Microsoft) who always leave a key under the mat without telling you. 1 savvy burglar and the whole building is at risk.

      --
      XePhi Computers sell really cheap Linux CDs! http://www.xephi.co.uk
    3. Re:What's physical access? by Firethorn · · Score: 1

      Nah, not quite that easy. It'd be more like those bike locks (~$50) that turned out to be openable by a ball point pen.

      Temporary solution: Disable the USB ports.

      --
      I don't read AC A human right
    4. Re:What's physical access? by Anonymous Coward · · Score: 0
      cat /dev/random > /dev/hda

      With the size of modern hard drives, that could literally take centuries to complete. The little punk would be much smarter to use /dev/urandom.

    5. Re:What's physical access? by ebuck · · Score: 1

      No, your analogy doesn't hold.

      You have to place that key under the mat. You're actively thwarting your security for convenience. If you feel that security needs tightening, you'll have the option of removing that key and not providing the convenience anymore.

      Some labs that care about USB security don't hook up the USB ports to the motherboard. That's a good simple solution, until you require a USB device. It used to be that you could get along without USB devices very easily, but with the (thank goodness) removal of legacy ports and protocols, it's getting harder to use this simple-minded solution. For example, my laptop doesn't even come with a PS/2 port, so it's a USB mouse and keyboard for me. Same goes for most printers these days too.

      Now if I hacked my keyboard cable, there's not a method to unlock the system, unless my keyboard is a USB keyboard? That's making the same system less secure, but because of physical security considerations, you're arguing that it doesn't really matter?

    6. Re:What's physical access? by Kagenin · · Score: 1

      I'd say it's more like there being an inherent flaw in the design of the deadbolt itself - it just so happens that anyone can make a special "skeleton" key and unlock this deadbolt with relative ease.

      It wouldn't even take a savvy burglar.

      --
      "All warfare is based on deception."
      Sun Tzu, "The Art of War"
    7. Re:What's physical access? by call+-151 · · Score: 1

      I have seen in internet cafes "locked down" computers in cabinetry with only the USB ports accessible through cutouts. That is a nice convenience at such cafes that don't have Wifi and are nervous about letting me use an Ethernet cable since I can still move outgoing mail from my laptop to a keychain drive and then take two minutes to upload and download mail to catch up on offline. I hope that USB keychain exploits don't result in cafes closing up that last hole...

      --
      It's psychosomatic. You need a lobotomy. I'll get a saw.
    8. Re:What's physical access? by TelJanin · · Score: 1

      Other way around, I think. urandom will block when it runs out of entropy, while random will use a PRNG.

    9. Re:What's physical access? by Anonymous Coward · · Score: 0

      Nope. Look it up: man urandom

    10. Re:What's physical access? by Hurricane78 · · Score: 1

      > If the internet routes around failure, why does "www.microsoft.com" resolve? - me On my local DNS microsoft.*, aol.*, hotmail.* and msn.* directed straight to goatse.cx for as long as it existed. now it directs to a local goatse mirror with even more perverse photos (involving real goats). *grin*

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    11. Re:What's physical access? by Minupla · · Score: 1

      irrelevant really, wipe the partition table and you're probably quicker off to just reghost the thing than try and unrandomize the partition table, I'm sure there's enough entropy left in your average library workstation to do that :)

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  22. Problem is with USB? by Spoukie · · Score: 2, Interesting

    If the problem truly lies in the USB standard, wouldn't other operating systems that implement USB also be affected? "multi platform exploit" ... kinda makes you just wanna drop your other projects and get to coding that proof of concept doesn't it?

    1. Re:Problem is with USB? by Anonymous Coward · · Score: 0

      Well, the article does say that "any operating system that is USB-compliant is probably vulnerable".

      What I don't get is why they say "the flaw is with USB, not Windows" when they then admit it's caused by "flawed drivers". Don't flawed drivers included on the Windows CD count as flaws in Windows, regardless of the origin?

      And surely it's Microsoft's choice to run the drivers with "system-level privileges", it's not something the USB standard forces them to do.

  23. eWeek Sensationalism by Scoria · · Score: 2, Insightful

    Really, how serious a threat is this? If someone has unrestricted physical access to your machine then you're already in serious trouble.

    Surprise, it's just a little more sensationalism at eWeek. If this weren't somehow related to Microsoft Windows, then it might not have been given a front page reference here at Slashdot. Corporate espionage and cyberterrorism, oh my!

    Perhaps it's intended to evoke an image of a man standing at a workstation and inserting a USB device that automatically captures all of the corporate trade secrets. It's only going to frighten those who are uninformed, as you've effectively described the entire problem. Unless the organization in charge has established an extremely secure physical environment, then their sensitive information will always be susceptible to physical espionage.

    If their only layer of protection is provided by a locked Windows workstation, then a network-based attack might prove itself both less expensive and more effective, anyway.

    --
    Do you like German cars?
  24. 2000 and XP? by qurk · · Score: 0, Troll

    I'm pretty sure they only mean XP, considering that Windows 2000 won't be able to use the brand new l33t IE7. With security enhancements that are only possible using the Windows XP operating system! ALSO user of IE 7 may not be able to view half the websites on the internet, but at least they are secure, unless they have a usb device!!! :)

  25. Reminds me of that Win98 blunder by vchoy · · Score: 0, Troll

    See it here:
    In this case:
    TheGeek: I'm going to plug in this USB device.

    TheGeek (taken aback): Woooooaoooooo!!!
    Bill: Urmm..hehee, yes...that's the single sign on feature we have.

    1. Re:Reminds me of that Win98 blunder by Anonymous Coward · · Score: 0

      source code to a webpage ? cos thats all i can see (firefox 1.06)

    2. Re:Reminds me of that Win98 blunder by Anonymous Coward · · Score: 0

      Tell your web server to send "Content-Type: text/html" with HTML files, not "Content-Type: text/plain". Also, the file seems to start with "fff", which makes no sense.

  26. Re:no way! by woah · · Score: 1

    Are you being sarcastic?

  27. That doesn't happen by alewar · · Score: 0, Troll

    in Windows NT!! :)

  28. Trojan Flash by putko · · Score: 2, Interesting

    So you could hack up a USB device (e.g. a flash), send it to a company, and kaboom.

    Or leave a few lying around at Starbucks (like the exploding toy-like objects the Soviets dropped on Afghanistan).

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
    1. Re:Trojan Flash by KillShill · · Score: 1

      or the food ration-like land mines that the US leaves behind in countries populated with brown people.

      --
      Science : Proprietary , Knowledge : Open Source
  29. Seems Fishy... by verbatim_verbose · · Score: 4, Interesting

    I really wouldn't give these guys the publicity at this point.

    They haven't explained what the problem really is, to us, or even filed a report with Microsoft.

    They also claim that any OS is vulnerable, though it's only been tested with Windows drivers.

    The whole thing just stinks of someone wanting publicity or setting up to try to sell some protection software.

    1. Re:Seems Fishy... by Anonymous Coward · · Score: 0

      they don't sell anything related to this issue. this appears to have been a "tangent" research problem.

  30. Nothing new... by Scott+Swezey · · Score: 2, Interesting

    I've known that most any system that can boot from usb was vulnerable for at least a year now. I keep DSL on my thumbdrive and need to get it onto my ipod shuffle now too.

    --
    Scott Swezey
  31. Backdoor/Virus distributed by hardware by scum-e-bag · · Score: 1

    So, in theory, a virus or a backdoor could be installed via hardware? Plug in your new USB mouse and your system is compromised... nice one.

    --
    Does it go on forever?
  32. Re:no way! by wheany · · Score: 1

    You don't sound very sincere.

  33. This is not just a Windows problem by Ann+Elk · · Score: 1

    The article does make an excellent point: any hot-pluggable device (USB, Firewire, PCMCIA, etc) is a potential attack vector if it is possible for a malicious device to exploit vulnerabilities in the host operating system's drivers. An attacker could exploit this weakness to extract data from a locked workstation without leaving any obvious evidence.

    That said, any buffer-overflow vulnerabilities in the USB/Firewire/PCMCIA/whatever drivers are problems with the operating system itself.

    I can't wait to see a demonstration. Sounds kinda cool.

    1. Re:This is not just a Windows problem by cnettel · · Score: 2, Informative

      And, of course, any interface that allows unrestricted DMA (PCI/Cardbus, possibly Firewire) will be impossible to guard against, no matter what OS is in use.

    2. Re:This is not just a Windows problem by KillShill · · Score: 1

      attacks are NEVER cool.

      one person's problem will eventually come back to bite you in the ass too.

      no one lives in a vacuum.

      kids nowadays...

      --
      Science : Proprietary , Knowledge : Open Source
    3. Re:This is not just a Windows problem by Ann+Elk · · Score: 2, Informative
      attacks are NEVER cool.

      Attacks are not, but exploits can be, and this one is very creative.

      kids nowadays...

      I'm 41 and I've been in the software industry for 23 years, so I'm hardly a kid.

  34. DUH. by Lumpy · · Score: 1

    a usb dongle with a knoppix on it, a knoppix CD a linux boot floppy, dude, if I have physical access to your machine I don't care what the OS is doing, the data inside is fracking mine.

    hell I have a linux laptop and a usb-IDE cable. I'll simply pry open the case, pop the cable off your drive, put it on the USB device and then dump the data off to my laptop if all other attacks fail.

    the ONLY way to protect your data is to have it encrypted on the drive. those encryption sleds for hard drives are a good start but nobody uses them, just like encrypted filesystems.

    people do not like to have to enter passphrases after they login to access their data.

    --
    Do not look at laser with remaining good eye.
  35. ummm. by jav1231 · · Score: 2, Informative

    If you get close enough to plug in a USB device, you're close enough to boot it to a crack CD and a) wipe the system b) blank the admin password c) take all the data (and copy it to a USB device.

    1. Re:ummm. by Q2Serpent · · Score: 1

      Unless the system doesn't boot from CD by default (like all the computers where I work) and you need a BIOS password to change the option (like all the computers where I work) and the case is locked so it isn't easy to reset the bios (like all the computers where I work).

      So, how would you boot from CD now?

    2. Re:ummm. by cdcarter · · Score: 1

      What if you need to access data in a proprietary format? Such as some database program that the company uses for sales records that was designed by the IT person there, and saves it in non-text format. You would need the internal program and quite probably the network.

      --
      "Love is like a trampoline, first it's like "SWEET!!" then it's like *BLAMM!*"
    3. Re:ummm. by rthille · · Score: 1

      Not necessarily. If you have a lab you might have the CPU boxes secured and just have the keyboards accessible. Also, being able to exploit a box without a reboot and without doing more than just handling the keyboard to plug in a USB keyfob is a lot more stealthy than ripping the drive out and attaching it to your linux laptop.

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  36. Well which is it? by Anonymous Coward · · Score: 1
    So...
    The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics.
    or
    However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI. Standards developed by the USB Implementers Forum Inc., the nonprofit corporation that governs USB, don't consider security, he said.
    Perhaps you guys want to confer with each other and decide which story you want to go with... we'll wait here for your answer?
    1. Re:Well which is it? by Caleb+Sima · · Score: 1

      The topic of the interview was what our blackhat presentation was going to be. We explained that we are going to demonstrate how a buffer overflow in a usb device driver can cause code to execute even though the workstation is locked. We would also demonstrate how you can spoof any usb device by sending the right identification numbers; this allows a usb drive to imitate itself as a cd-rom or mouse for instance. We are also going to talk about the hardware based device that was created to fuzz USB protocol. We explained that during this research we identified several good areas of attack and are currently researching some overflows in a win32 default driver. We were working on determining if the flaws we have found are exploitable in which case we will be working with microsoft to solve those issues. I also clearly explained that these issues are void because we will not be demonstrating these issues during our talk. David Dewey's quote on the flaw being with USB is based on the issue of being able to imitate any usb device by sending that USB code. That quote had no relevance to the buffer overflow problem. Our goal at this presentation is to present the concept and demonstrate the reality of how easy it is and to just have fun with it. It's a shame that our main points did not seem to come across in the article. Just to note - Our company in no way sells or promotes any USB security product or token. This presentation was done strictly because it was fun :)

  37. This is NOT true by fluor2 · · Score: 1

    This is not true unless you let users install drivers themselves. Any reasonable administrator has already blocked this in their default windows installation!

    1. Re:This is NOT true by AnthonyFielding · · Score: 0

      The drivers are already present in the operating system, they installed with the os :P

  38. excellent by floydman · · Score: 1

    now i can convince my wife she can be a hacker too

    me: "yes honey....just plug this device over here.....yup..u just hacked the system...congrats"
    she: "this is l33t"

    --
    The lunatic is in my head
  39. So how do _we_ deal with this? by robbak · · Score: 2, Interesting

    It seems obvious that this can affect any OS, and is due to the poor design of USB- If a device posts a number, then the system assumes it's such-and-such, and loads the driver. Which probably has bugs. So, how do We (that is Open Source system developers) deal with this?
    Of course 1. is to make sure that all drivers in our trees have no overflow bugs. Or any others, of course. This takes work, but we now know that it is needed. You cannot trust any info that a USB device gives us. Shoulda known.
    Of course, some painful hardware vendors will _insist_ on providing only binary drivers. Am I alone in thinking that running these as root, melding these with no less than the system kernel, is unacceptable? So a fast, secure universal usb interface is needed. I know I have ugen in FreeBSD, and I hope it's secure, but is it fast enough for pedantic hardware vendors? What's the linux situation look like? As you are the ones that have been provided with binary USB drivers, what do these look like?
    And, no, I do not like the idea of running any binary only code. But at least we need to sandbox it off, and reduce its permissions.

    So, what does everyone think can be done?

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
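Caleb Sima's reply in thread 36 and the post above come down to the same point: the identification numbers and length fields a USB device sends are untrusted input to the host driver. As an added example (not code from the thread or from SPI Dynamics), here is a descriptor-walking parser with the checks such a driver needs, run over constructed descriptors, including one whose bLength claims more bytes than remain, which is the shape of bug the thread is about.

```c
/* Added example, not code from the thread or from SPI Dynamics. It walks a USB
 * configuration descriptor the way a host driver must: every length field was
 * written by the device, so each one is checked against the bytes actually
 * received before it is used. All sample descriptors below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define USB_DT_CONFIG   0x02   /* descriptor type codes from the USB spec */
#define USB_DT_ENDPOINT 0x05
#define MAX_ENDPOINTS   4
enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_SHORT,     /* too short to hold a configuration descriptor */
    PARSE_ERR_TOTALLEN,  /* wTotalLength claims more bytes than we received */
    PARSE_ERR_BLENGTH,   /* bLength is zero, truncated, or runs past the end */
    PARSE_ERR_TOO_MANY   /* more endpoints than the fixed table can hold */
};
struct endpoint_info { uint8_t address, attributes; uint16_t max_packet; };
struct config_info {
    uint8_t num_interfaces;
    int num_endpoints;
    struct endpoint_info ep[MAX_ENDPOINTS];
};
/* len is the number of bytes the host really got back from the control
 * transfer; it is the only length the parser trusts. */
enum parse_result parse_config(const uint8_t *buf, size_t len,
                               struct config_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 9 || buf[0] < 9 || buf[1] != USB_DT_CONFIG)
        return PARSE_ERR_SHORT;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (total > len)                 /* device overstates the block size */
        return PARSE_ERR_TOTALLEN;
    out->num_interfaces = buf[4];
    size_t pos = 0;
    while (pos < total) {
        if (total - pos < 2)
            return PARSE_ERR_BLENGTH;          /* no room for bLength/bType */
        uint8_t blen = buf[pos], btype = buf[pos + 1];
        /* bLength 0 would loop forever; an oversize one would read past the
         * buffer (or, in a copy-by-bLength driver, overflow a fixed struct). */
        if (blen < 2 || blen > total - pos)
            return PARSE_ERR_BLENGTH;
        if (btype == USB_DT_ENDPOINT) {
            if (blen < 7)
                return PARSE_ERR_BLENGTH;      /* endpoint descriptor is 7 bytes */
            if (out->num_endpoints >= MAX_ENDPOINTS)
                return PARSE_ERR_TOO_MANY;     /* never index past the table */
            struct endpoint_info *e = &out->ep[out->num_endpoints++];
            e->address    = buf[pos + 2];
            e->attributes = buf[pos + 3];
            e->max_packet = (uint16_t)(buf[pos + 4] | (buf[pos + 5] << 8));
        }
        pos += blen;                           /* other descriptor types: skip */
    }
    return PARSE_OK;
}
/* Constructed: one interface with two 64-byte bulk endpoints, 32 bytes total. */
const uint8_t good_config[] = {
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,  /* config, wTotalLength=32 */
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,  /* interface, 2 endpoints  */
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,              /* EP1 IN,  bulk, 64 bytes */
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,              /* EP2 OUT, bulk, 64 bytes */
};
/* Constructed: first endpoint claims bLength 0x40 (64) with only 14 bytes left. */
const uint8_t bad_blength[] = {
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
    0x40, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,
};
/* Constructed: wTotalLength 0x1000 although only 32 bytes were received. */
const uint8_t bad_total[] = {
    0x09, 0x02, 0x00, 0x10, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,
};
/* Constructed: interface descriptor with bLength 0. */
const uint8_t zero_blength[] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x00, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
};
int main(void)
{
    struct config_info ci;
    enum parse_result r = parse_config(good_config, sizeof good_config, &ci);
    printf("good: %d (endpoints=%d)\n", r, ci.num_endpoints);
    printf("bad bLength: %d\n", parse_config(bad_blength, sizeof bad_blength, &ci));
    printf("bad wTotalLength: %d\n", parse_config(bad_total, sizeof bad_total, &ci));
    printf("zero bLength: %d\n", parse_config(zero_blength, sizeof zero_blength, &ci));
    return 0;
}
```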
    1. Re:So how do _we_ deal with this? by Anonymous Coward · · Score: 0

      Yes, you're alone. You're always alone. It's a curse you have to live with.

    2. Re:So how do _we_ deal with this? by jumpingfred · · Score: 1

      I am not sure what is wrong with USB here? You can't have plug and play without the thing being plugged in telling you what it is.

    3. Re:So how do _we_ deal with this? by Luke-Jr · · Score: 1

      I think sandboxed drivers might be possible with HURD, given its microkernel nature.

      --
      Luke-Jr
  40. Finally! by Trejkaz · · Score: 0

    It's good to see that we FINALLY have a way to autorun from USB. We've only been asking for this feature since Windows 98.

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
  41. umm what about mac? by crashelite · · Score: 1

    wow if you have physical access to the computer there are many ways to get into it... like boot CD's and password changers for windows. Yes i know about bios and you can change that and then lock bios but all you have to do is pop the bios battery or reset the bios what is usually the red jumper and u then are good to go... but if u are on a mac u can plug into another computer boot the computer as a firewire device and it is full access (are they going to inform us all about this now and take credit for it?) but now tell me if you are at the work station that would be more of an issue with you forgetting to lock the damn door more than evil hacker getting into your computer by the wonderful world wide web...

    --
    (yes i know i suck at spelling fell free to correct my grammar and/or spellin i dont care, im still not going to change
    1. Re:umm what about mac? by Mechcozmo · · Score: 1
      You can enable an Open Firmware password which will not allow the computer to start up off of any other drive than the one set when the password was, unless you enter the password.

      It works quite well. A box with a lock symbol appears and you just type the password into the box. Then you are able to enter FireWire target disk mode, choose a boot device, etc.

      http://www.apple.com/support/downloads/openfirmwarepassword.html

  42. USB Driver Exploit by demon_2k · · Score: 1

    Considering an operating system can be exploited using bugs in the operating system, I'm curious what other exploits exist in other drivers. Possibly network interface card or firewire drivers.

  43. Go Figure by nurb432 · · Score: 1

    Lets see... You have physical access to the machine and you can exploit it.. Wow. that's really news. *yawn*

    --
    ---- Booth was a patriot ----
  44. Article:Device Drivers filled with flaws by scupper · · Score: 1

    Original URL:
    http://www.theregister.co.uk/2005/05/27/device_driver_flaws/
    Device drivers filled with flaws
    By Robert Lemos, SecurityFocus (tips at securityfocus.com)
    Published Friday 27th May 2005 13:48 GMT

    The uneven skills of driver programmers have left a legion of holes in software that ships with Windows and Linux, security experts say.

    Operating system vendors and hardware makers should commit more resources toward systematically auditing Windows and Linux device-driver code for flaws, security researchers say.

    While buffer overflows, a type of memory flaw that can lead to serious vulnerabilities, are quickly being eradicated in critical applications, the flaws are still easily found in device drivers, said David Maynor, a research engineer for Internet Security Systems' X-Force vulnerability analysis group.

    "If you look through the device driver code, there are a lot of problems," he said in a recent interview. "The state of the code's security is not strong." During a few hours on a recent plane flight, for example, Maynor found more than a dozen glitches in several Windows XP drivers.

    Windows is not the only operating system at risk. A survey of the Linux 2.6.9 kernel code performed by automated-code-checking software maker Coverity found that, while the overall quality of the code had increased significantly, more than 50 per cent of flaws appeared in device drivers. Many of those flaws may not affect system security, but the ratio is generally indicative of the quality of the code, said Seth Hallem, CEO of Coverity.

    "The people writing the device drivers are not generally the core programmers," he said. "It is not the operating-system implementers themselves - the Linux programmers or Windows developers - it is generally the vendors."

    The warnings come as operating-system developers have placed security higher on their to-do lists. While the Windows and Linux operating systems have both undergone significant audits in the past several years, many device drivers - especially those created by third-party hardware providers - have seemingly escaped rigorous testing.

    Microsoft acknowledged the threat but stated that the company's developers had already started checking drivers that have been shipped with Windows for flaws.

    "Microsoft is aware of a scenario by which an attacker could attack an existing software vulnerability in a device driver (and) could compromise a user's system," the software giant said in a statement to SecurityFocus. "It's important to note that Microsoft's software development processes do cover instances where third party code included with the operating system may be reviewed before the code ships with Windows to help ensure that customers are not at risk from this type of threat."

    Microsoft has also moved forward with development efforts to harden device drivers, according to sources familiar with the initiative. However, the company remained closed-lipped about the details of the effort.

    Device driver flaws can be more dangerous than other application vulnerabilities because device drivers are, in most cases, part of the kernel itself and subverting the critical software gives an attacker direct access to the kernel. Moreover, drivers that have direct memory access (DMA) - such as USB drivers, CardBus drivers, graphics drivers and sound drivers - could be used to overwrite system memory and exploit the system.

    Some security experts argue that such issues are a well-known problem, and one with which device-driver programmers should have already dealt. The problem has been known for a decade or more, said Crispin Cowan, director of software engineering for Novell, which distributes the SuSE Linux distribution. He acknowledged, however, that not everyone may have made auditing driver code a priority.

    "If you can crash your kernel with an application that is

    1. Re:Article:Device Drivers filled with flaws by ArtStone · · Score: 1

      >> ...holes in software that ships with Windows and Linux,...
      [...]
      Windows is not the only operating system at risk. A survey of the Linux 2.6.9 kernel code performed by automated-code-checking software maker Coverity found that, while the overall quality of the code had increased significantly, more than 50 per cent of flaws appeared in device drivers
      [...]
      So much for today's Microsoft bashing...

      Not to worry - Redhat will have patches out for Redhat 7.2 any day now...

      --
      Final 2006 "Proof of Global Warming" US Hurricane Count -> 0
  45. Data Execution Prevention (DEP) feature in SP2 by scupper · · Score: 0, Offtopic

    From Microsoft.......
    A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003
    Article ID: 875352

    Last Review: May 10, 2005
    http://support.microsoft.com/kb/875352

    SUMMARY
    Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

    The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.

  46. Controlling block storage devices on USB buses by scupper · · Score: 0, Offtopic

    from Microsoft.......
    Controlling block storage devices on USB buses
    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx#EDAA

    What does controlling block storage devices on USB buses do?
    This feature provides the ability to set a registry key that will prevent write operations to USB block storage devices, such as memory sticks. When this registry key is enabled, the devices function only as read-only devices. You can implement this setting as part of a security strategy to prevent users from transporting data using these devices.

    Who does this feature apply to?
    Users who do not want data to be written from their computer to a USB storage device. IT professionals who want to implement organization controls over the use of USB block storage devices.

    What settings are added or changed in Windows XP Service Pack 2?
    Setting name: WriteProtect
    Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies
    Default value: DWORD=0
    Possible values: 0 - Disabled, 1 - Enabled

    1. Re:Controlling block storage devices on USB buses by jdp816 · · Score: 0

      About the first thing a USB exploit would do is change this key to R/W. False security.

  47. No big deal-- Physical Access == Compromise by iamatlas · · Score: 1
    If someone has physical access to a computer, the actual exploit used is negligible. Any person dedicated to the task will find a way. It comes down to the fundamental purpose of a computer: To be used. Not to be prevented from use.

    Sort of like escape artists who used to specialize in getting out of safes-- they were never meant to keep something inside from getting out, but to keep someone outside from getting in.

    1. Re:No big deal-- Physical Access == Compromise by tomstdenis · · Score: 1

      Generally yes, but it lowers the cost/risk of an attack significantly.

      If I walk past your computer in the office I could sit down and rip the drive out or boot up in single mode or whatever...

      But that takes time and I risk getting caught.

      If I can just insert a usb dongle and then run a quick command I can now be up and going quicker [plus I can logout and leave the box like you left it].

      This is just "yet another thing" MSFT got wrong further lending credence to the fact their "reports", er... "press releases" are just FUD.

      Tom

      --
      Someday, I'll have a real sig.
    2. Re:No big deal-- Physical Access == Compromise by iamatlas · · Score: 1

      Well, in rebuttal to your reply to my posting, I should inform you that this is actually a Feature for the forgetful who lose/forget passwords. MSFT must make these features known quite often, since shortly after they do so, someone comes along demanding a "patch" that uninstalls the Feature.

  48. This is setting off my BS detector. by Anonymous Coward · · Score: 2, Interesting

    First and foremost, the guy says he has NOT notified Microsoft, but then goes on later to say:

    "I was really looking to them to address this issue, but Microsoft feels that this is a hardware issue and doesn't see it as a problem," he said.

    Which one is it, you told them or you didn't?

    Then he goes really REALLY far out of his way not to mention which driver is supposedly exploitable... is it a driver HE wrote?!

    I'm giving this 95% that it's a driver HE wrote and installed to exploit ring 0 access, not an exploit in the existing usb stack components, which makes the whole article a self serving lie.

    1. Re:This is setting off my BS detector. by jascat · · Score: 1

      Those were two different guys. The one that looked to Microsoft was from Baptist Healthcare.

  49. Ohh yeah...that's why they call it a USB key! by ghislain_leblanc · · Score: 1

    The joke is in the subject so I won't repeat.

  50. PR article by Gyorg_Lavode · · Score: 1

    While there is obviously an issue in that drivers, (particularly automatically loaded ones such as Firewire and USB), have not undergone the security scrutiny that network software has, this is most certainly a PR article. There isn't a link to a technical description of the problem anyway, but the second half of the article is dedicated to vendor solutions. This article was instigated by a PR firm, not by normal media services. I wish I was going to Blackhat though. After SANS I could only get work to pay for DEFCON. Especially since they know what CISSP training will cost.

    --
    I do security
  51. Not true by gr8dude · · Score: 1

    A lot of people use encryption software. See TrueCrypt's forum. Or, for instance, this article http://en.wikipedia.org/wiki/Keydrive, it's a story about USB disks, but there's a section that describes encryption software such as TrueCrypt or Private Disk.

    IMHO this attracts plenty of attention, because everyone thinks wikipedia rocks. A couple of days ago my dad told me to "check this cool site out" (and gave me a link to wikipedia) :-)

    A couple of months ago I was working on a project, and a lot of reading material was needed... I searched through Answers.com and Wikipedia, and then I've read my colleagues' projects -> they were all copy/pasted from either the first or the second site.

    Wikipedia is a trend-setter, if encryption is mentioned there - then people will follow.

    people do not like to have to enter passphrases after they login to access their data.
    Man, have you heard of 'multifactor authentication'? There are point-and-click tools that do that, so even grandmas can use them. Example

  52. USB BSOD by radarsat1 · · Score: 1

    This reminds me of when I bought a new MIDI controller with USB, and plugged it into my Windows 2000 machine and it just simply BSOD'd...

    I couldn't believe it, just like that, BANG reset. Found it was a "known problem", so I followed the instructions on the M-Audio website, to the letter. Tried it again, still BSOD'd. To this day I can't use my USB MIDI controller in Windows 2000. Fortunately I use it mostly in Linux, where it works just fine.

    (For the record, it does work under Windows XP)

    1. Re:USB BSOD by Lehk228 · · Score: 1

      be glad it didn't toast the boot partition, i have seen three windows XP machines eat their own boot partition due to adding or removing USB devices while starting or shutting down, in three different locations, two different counties and three different owners.

      --
      Snowden and Manning are heroes.
  53. cannot be USB by toby · · Score: 1
    However, the flaw is with USB, not Windows,

    Blaming USB for a privilege escalation is like blaming Ethernet for someone 0wning your box.

    --
    you had me at #!
  54. Root kit delivery system by Gary+Destruction · · Score: 1

    This would be even more effective than the jpg exploit. And how many of those vulnerable web cams use USB? Talk about hacking the planet.

  55. As usual, Slashdot leaves out a few facts by TechniMyoko · · Score: 1

    However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI. any operating system that is USB-compliant is probably vulnerable

  56. In Related News... by Anonymous Coward · · Score: 0

    I can insert a floppy disk into the Windows machine, clear the Administrator password, and have full access to the computer in a matter of minutes.

  57. What's worse? by Anonymous Coward · · Score: 0

    ...another press release masquerading as serious journalism from eweek, or another security researcher trying to make big news ahead of a conference?

  58. Somewhat Off-topic Windows Rant by rajafarian · · Score: 1

    1. I had to move my sound card to a different PCI slot because it was causing problems with sharing an IRQ with my video card. Because of different card sizes, I had to rearrange other cards, too.

    a. New sound card found, do you have the drivers? Ah, yes, but... Great, give it the drivers again. Reboot.
    b. New TV card (multimedia device found) do you have the drivers? Why, yes, but they were already installed. No matter... Reboot.

    Two driver reinstallations and two Reboots.

    2. Put my gamepad in a different USB port: Windows has found new hardware but you need to be an admin to install it. WHAT??? At least Windows didn't require me to reboot.

    Linux. No driver reinstallations, no reboots, no need to be admin to use my fricking gamepad in a different port.

    THIS IS RETARTED, BILLY BOY!!!! ze software is not so f888ing great!

    1. Re:Somewhat Off-topic Windows Rant by Anonymous Coward · · Score: 0

      Not that i like OT /. posts but windows does really annoy me sometimes. I have 2 almost identical computers one running Windows and the other Slackware. Slackware has an IMAP server on it so that i can dump some emails out of outlook. Windows has outlook with an IMAP client so that i can copy the files. Which computer do you think is going really slowly and is the bottleneck ? The (windows) client or the (slackware) server ? The windows one of course.

  59. Missing the point by wasabii · · Score: 1

    A lot of you are missing the point. A "locked down" machine may not have physical access. There are circumstances where the machine itself IS locked down, by virtue of security cameras, monitoring equipment, or simply not having the physical box in the vicinity.

    However, this USB exploit lets anybody defeat all that with just plugging in a USB device. This should be fixed. It is serious IN SOME CIRCUMSTANCES.

  60. You don't have to LEND by burbilog · · Score: 1

    Just stick your usb into my infected computer and get your key infected too. This worked fine in pre-internet days with diskettes, so we'll see some new worms with this capability -- quite dangerous, because there are many networks that cannot upgrade their windows for various reasons like running legacy software but firewalled or simply disconnected from the internet.

    1. Re:You don't have to LEND by PurpleFloyd · · Score: 1
      Interesting idea, but it probably wouldn't work - first of all, most of the commodity USB keychain drives have ROM firmware. Try flashing that! Second, even among devices with flashable firmware (mostly flash MP3 players), every device's firmware is different. Considering the massive number of flash MP3 players on the market, and the fact that it would be a large effort to set up even 10 or 15 "infectious" firmwares, it's unlikely we'll see worms spreading this way, just like we don't see worms flashing themselves into a motherboard BIOS.

      That said, this is still a large security hole. After all, even the most locked down public (and private) computers usually have USB ports open; flash drives have almost completely replaced floppies for most users. Either you are forced to severely restrict functionality, or you are opening yourself to attack. This puts sysadmins in a very sticky situation, unless their users are already used to draconian security measures.

      --

      That's it. I'm no longer part of Team Sanity.
  61. Mitigating physical access by 87C751 · · Score: 1
    On the other hand if you're a library and you're only trying to keep them secure so that you don't have to reinstall every week because some 12 yr old types cat /dev/random > /dev/hda & well then a locked box is probably all you need.
    Reinstall every week? Better to reinstall for every user, like Laptop Lane does. After each rental user logs off, the machine is reimaged from a hidden location (probably an image on a local server, though it happens after the renter leaves the cubicle, so I couldn't watch it first-hand). What nefarious activity that isn't handled by the image's lockdown (and they're locked pretty tightly anyway) is confined to a single instance. Plus, it handles persistent cookie problems (cough*t-mobile mail*cough) and streamlines those update rollouts.
    --
    Mail? Put "slashdot" in the subject to pass the spam filters.
  62. Semantic gaming by 87C751 · · Score: 1

    Given Microsoft's track record, they probably consider your office chair as part of Windows. But a driver problem is a driver problem, whether it's part of a monolithic kernel or loaded on demand from a separate medium. The OS problem would be the default inclusion of the buggy driver in a distro. Therefore, there are two problems to consider. Not that that would stop Microsoft from blaming the hardware...

    --
    Mail? Put "slashdot" in the subject to pass the spam filters.
  63. Alone? I'm a solipsist by Anonymous Coward · · Score: 0

    therefore he IS not

  64. And I actually had mod points... by Vryl · · Score: 1

    But I decided to respond...

    Use a very long passphrase and you got pretty good security, but with time it is crackable.

    How many millions of years do you have?

    1. Re:And I actually had mod points... by Anonymous Coward · · Score: 0

      Just as an example... the password to my encrypted partition is a mere 18 digits long.

      26 lower case letters
      26 upper case letters
      10 numbers
      26 punctuation

      88 possible characters (We're assuming that that's all that would be used.)

      88^18 = 1.00158566165018e+35 possible passwords

      Plus you still need the lock file which I keep on my USB flash drive which is with me most of the time...

    2. Re:And I actually had mod points... by twiddlingbits · · Score: 1

      It depends, using Grid computing to run a cracking algorithm and/or some things you may know about the person to get some ideas about the passphrase it could take less than millions of years. Then again, you could always use torture or maybe blackmail ;)

    3. Re:And I actually had mod points... by Vryl · · Score: 1

      The Grid Computing argument is a furphy. As Bruce Schneier says, in Applied Cryptography, p158:

      "One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzman constant. (Stick with me; the physics lesson is almost over.)

      Given that k =1.38*10-16 erg/Kelvin, and that the ambient temperature of the universe is 3.2K, an ideal computer running at 3.2K would consume 4.4*10-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

      Now, the annual energy output of our sun is about 1.21*1041 ergs. This is enough to power about 2.7*1056 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all of its energy for 32 years, without any loss, we could power a computer to count up to 2192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

      But that's just one star, and a measly one at that. A typical supernova releases something like 1051 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

      These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

      [ERRATA; The section on "Thermodynamic Limitations" is not quite correct. It requires kT energy to set or clear a single bit because these are irreversible operations. However, complementing a bit is reversible and hence has no minimum required energy. It turns out that it is theoretically possible to do any computation in a reversible manner except for copying out the answer. At this theoretical level, energy requirements for exhaustive cryptanalysis are therefore linear in the key length, not exponential.]"

      Your idea about getting some ideas about the passphrase is very valid tho, and can cut down the attack time considerably.

      However, a properly constructed passphrase should be uncrackable, assuming the crypto algorithm has no other weaknesses (ie, the best attack is brute force).

    4. Re:And I actually had mod points... by twiddlingbits · · Score: 1

      Not to doubt your math but all the computer and other devices running in the world today must consume a HELL of a lot of energy. Plus all the bits of information that are stored now used energy. Just look at the billions of computers in use today doing things from running the washing machine to the Space Shuttle and flipping those bits all the time, billions of trillions of operations a second using kT energy. While the math and physics seem right, this one does not pass the common sense test. I also assume you are using a brute force attack which no one in their right mind would try unless as a last resort. A 219 bit counter can only count to 2**219 -1 which isn't that big of a number, I'm pretty sure we know prime numbers bigger than that. The Errata section makes more sense.

    5. Re:And I actually had mod points... by Phleg · · Score: 1

      Doubt you'll check back to read this reply, but for some reason he seems to have neglected to use exponentiation signs. I'll rewrite the whole passage using them.

      "One of the consequences of the second law of thermodynamics is that a certain amount of energy is necessary to represent information. To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzman constant. (Stick with me; the physics lesson is almost over.)

      Given that k =1.38*10^(-16) erg/Kelvin, and that the ambient temperature of the universe is 3.2K, an ideal computer running at 3.2K would consume 4.4*10^(-16) ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

      Now, the annual energy output of our sun is about 1.21*10^41 ergs. This is enough to power about 2.7*10^56 single bit changes on our ideal computer; enough state changes to put a 187-bit counter through all its values. If we built a Dyson sphere around the sun and captured all of its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this counter.

      But that's just one star, and a measly one at that. A typical supernova releases something like 10^51 ergs. (About a hundred times as much energy would be released in the form of neutrinos, but let them go for now.) If all of this energy could be channeled into a single orgy of computation, a 219-bit counter could be cycled through all of its states.

      These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

      [ERRATA; The section on "Thermodynamic Limitations" is not quite correct. It requires kT energy to set or clear a single bit because these are irreversible operations. However, complementing a bit is reversible and hence has no minimum required energy. It turns out that it is theoretically possible to do any computation in a reversible manner except for copying out the answer. At this theoretical level, energy requirements for exhaustive cryptanalysis are therefore linear in the key length, not exponential.]"

      Also, you claim we know prime numbers bigger than 2^219 - 1, which is true. However, what you fail to realize is that in none of these cases have we ever counted up to that prime number sequentially. Mersenne primes are studied specifically because they can be represented as 2^n - 1, which takes n bit-flip operations in the worst case scenario to represent. Additionally, the Lucas-Lehmer test is an extraordinarily simple (as far as primality checking is concerned) algorithm for determining whether or not a number of this form is prime.

      Schneier's argument is indeed correct, in that we will likely never surpass the energy requirements to count all the way up to a number near 2^219 - 1. We can certainly represent that number, but we cannot start at zero and eventually reach it.

      --
      No comment.
    6. Re:And I actually had mod points... by twiddlingbits · · Score: 1

      Excellent analysis! I still wonder though if all the information we DO have represented in the form of ones and zeros(anyone have any clue as to that?) what the energy that was used would be?
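    Added example (not from this thread or from Applied Cryptography): a small calculator that reproduces the energy argument quoted above and sets it beside the 88-symbol, 18-character passphrase count from the earlier reply. The constants are the ones quoted in the thread, and the model follows the passage (one kT bit change per counter state), so the sun and Dyson-sphere figures come out as quoted; the supernova figure rounds to 220 bits here, one above the book's 219.

```python
"""Brute-force search budgets from the thermodynamic (kT) argument.

Added example, not part of the Slashdot thread or of Applied Cryptography.
Units are the CGS ones used in the quoted passage (ergs, kelvin).
"""
import math

# Constants exactly as quoted in the thread.
BOLTZMANN_ERG_PER_K = 1.38e-16     # k
COSMIC_BACKGROUND_K = 3.2          # T of the cheapest possible computer
SUN_ANNUAL_OUTPUT_ERG = 1.21e41    # one year of solar output
SUPERNOVA_OUTPUT_ERG = 1e51        # a typical supernova (neutrinos ignored)


def min_energy_per_bit_change(temperature_k=COSMIC_BACKGROUND_K):
    """kT: the least energy needed to irreversibly set or clear one bit."""
    return BOLTZMANN_ERG_PER_K * temperature_k


def bit_changes_affordable(energy_erg, temperature_k=COSMIC_BACKGROUND_K):
    """Number of single-bit state changes that energy_erg can pay for."""
    return energy_erg / min_energy_per_bit_change(temperature_k)


def counter_width_bits(energy_erg, temperature_k=COSMIC_BACKGROUND_K):
    """Width n of the largest counter whose 2**n states the energy can cycle.

    As in the quoted passage, cycling an n-bit counter is charged as 2**n
    bit changes, so n = floor(log2(affordable bit changes)).
    """
    return math.floor(math.log2(bit_changes_affordable(energy_erg, temperature_k)))


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random password over an alphabet."""
    return length * math.log2(alphabet_size)


def energy_to_enumerate_erg(key_bits, temperature_k=COSMIC_BACKGROUND_K):
    """Energy to walk a whole 2**key_bits keyspace under the kT-per-state model."""
    return (2 ** key_bits) * min_energy_per_bit_change(temperature_k)


def brute_force_feasible(key_bits, energy_erg, temperature_k=COSMIC_BACKGROUND_K):
    """True if the energy budget covers a full enumeration of the keyspace."""
    return energy_to_enumerate_erg(key_bits, temperature_k) <= energy_erg


if __name__ == "__main__":
    kt = min_energy_per_bit_change()
    print(f"kT at {COSMIC_BACKGROUND_K} K = {kt:.2e} erg per bit change")
    print(f"sun, 1 year  -> {counter_width_bits(SUN_ANNUAL_OUTPUT_ERG)}-bit counter")
    print(f"sun, 32 years-> {counter_width_bits(32 * SUN_ANNUAL_OUTPUT_ERG)}-bit counter")
    print(f"supernova    -> {counter_width_bits(SUPERNOVA_OUTPUT_ERG)}-bit counter")
    # The 18-character passphrase over 88 symbols from the earlier reply.
    pw_bits = keyspace_bits(88, 18)
    print(f"88^18 passphrase ~ {pw_bits:.1f} bits; "
          f"sun-year budget covers it: {brute_force_feasible(pw_bits, SUN_ANNUAL_OUTPUT_ERG)}")
    print(f"256-bit key vs supernova: "
          f"{brute_force_feasible(256, SUPERNOVA_OUTPUT_ERG)}")
```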

  65. There are many more vulnerabilities by Anonymous Coward · · Score: 0

    Older Logitech mouse drivers could be forced to BSODs with perfectly legal HID function calls.
    Now that Logitech drivers are widespread it allowed a denial of service attack on many computers.

  66. Hey Asshat by Anonymous Coward · · Score: 0

    I don't live in the U.S. and never have.

  67. Fuck you nerds! by Anonymous Coward · · Score: 0

    Go outside for once!

  68. This is all about Windows by jschottm · · Score: 2, Interesting

    This is just a report about the general issue that all USB drivers have to be secure or a hardware device can be made to exploit the machine.

    There are many specifications (IPV4 springs to mind) that weren't designed with security in mind. It's the responsibility of the OS writers to design their OS to handle such insecurities. There's nothing in the USB specs that says that the OS must run the USB driver at ring 0.

    It is in no way about Windows, but actually about any operating system than implements USB.

    The article gives two specific cases:

    1. The ability to unlock locked systems (say, while the user is at lunch). This gives far more than just owning a system physically. You now have access to all of their network privileges and everything else that relies on their single-sign on accounts. This is meaningless to Joe home user or most small businesses, but vastly significant to enterprise level situations. With physical access to my work Windows desktop, you could gain access to some e-mail and word processing. With access to my system logged in as me on the Active Directory, you would have access to my AD OU, networked drives, SSO enabled applications, etc. See the difference?

    2. A USB drive that automagically copies the last used files onto a flash drive. The ability to subtly plug a drive in and retrieve it later opens all kinds of espionage capabilities.

    it is not really worse than just inserting a boot CD that copies the relevant data to a secure server or so.

    Beyond the statements I made above, rebooting a system in a secured environment can easily trigger monitoring systems' alerting capability.

    It can also of course easily be fixed by disallowing loading of USB drivers without confirmation from the user.

    For anyone interested, here's instructions on how to (theoretically) disable USB entirely under Windows. Note that I've not tried the above process described, so it may or may not work. And another one discussing how to disable USB storage devices, although that may not be enough to prevent the exploit in question from working.

  69. 10 Immutable Laws of Security by BobSutan · · Score: 1
    Straight from the horse's mouth:
    If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

    USB devices, bootable CD-ROMs, etc are all means to the same end. This is why physical security is so damned important!

    Microsoft's 10 Immutable Laws of Security
    --
    "On a scale from 1 to 10, people are stupid"
  70. Unlocking terminals by Britersen · · Score: 2, Insightful

    Everyone seems to be forgetting the real big security issue with this.

    Accessing physical data on the system's hdd (whether encrypted or not) is not the major issue - accessing currently running programs is.

    Example - John Q Sysadmin has a few open ssh sessions to some of his favourite boxes - locks his workstation so he can wander off somewhere. Anyone exploiting this to unlock his workstation now has access to his logged-in ssh terminals.

    Yes, there are other ways to achieve this, including keyloggers, trojans, etc, but this makes it stupidly easy to walk past a random workstation, and potentially 10 seconds later have root access on any number of other boxes the user happened to be logged in as.

    Remember guys - better be shutting down your ssh terms before you go to lunch!

  71. Wireless KVM by Fragmented_Datagram · · Score: 1

    Maybe a wireless KVM switch could be used with the computer locked in a safe somewhere. :-)

    Wireless KVM

  72. The Government by exes · · Score: 1

    USB was created by the government to monitor data and to attempt to spy, control, and spy on peoples lives.

  73. pointing out the obvious by Anonymous Coward · · Score: 0

    funny how its always companies with something to gain that point out the massively obvious.

    It didn't take Caleb to find this, any 12 year old can and probably did.

    World shocked USB has exploit that seemingly only world class co spy dynamics can find!

    next thing you know, Symantec will report mutated lab viruses in the wild!.

  74. re by Joh_Fredersen · · Score: 1

    To the people whining about how "this vulnerability exists in Linux, OSX"... etc... clearly. All the article claims is that some bad USB firmware writer makes his device pose as device(x), which on Windows has a known buggy driver. So what ? Windows is buggy. Move along citizen... nothing to see here.

  75. Cool, where can I get one? by Anonymous Coward · · Score: 0

    Everytime I go into my university's engineering computer lab, half of the workstations are locked with nobody sitting at them. I've stayed for hours and nobody has come back to them. Some people are so inconsiderate. If I could plug a little device into the USB port and delete all of their files and send a few nasty emails from their account, maybe this problem would stop.

  76. why is parent offtopic? by Anonymous Coward · · Score: 0

    This is a perfect use for DEP, available on Celeron D (J models), P4 5xx (J models), P4 6xx, Pentium D, Athlon 64 and Sempron (Socket 754 models) CPUs. DEP blocks buffer overflow attacks.

    1. Re:why is parent offtopic? by scupper · · Score: 1

      I'd posted the DEP info above and this SP2 Controlling block storage devices on USB buses (which also got an off-topic mod, probably the same modder) to counter the posts being made that attack M$ as not having addressed USB and driver security at all. MS bashing is always "on topic" here.

    2. Re:why is parent offtopic? by DavidHopwood · · Score: 1

      Both articles are off-topic because those mechanisms cannot prevent the attack being discussed here. DEP is irrelevant to this attack because it only affects user-space code. The StorageDevicePolicies key can also easily be bypassed (or reset) by code running at kernel level.

      (I'm not the modder who originally marked the articles off-topic.)

  77. So? by Fujisawa+Sensei · · Score: 1

    Right and given physical access, it's possible to root most Linux boxes in 4 keystrokes.

    Yes I know people will say, "my server/box is locked down". That's not the point, most, you can also lock down the USB exploit by disabling USB in the bios and using a bios password.

    --
    If someone is passing you on the right, you are an asshole for driving in the wrong lane.
  78. Forget exploiting through USB by dtfinch · · Score: 1

    Just unplug the box and take it home.

  79. it doesn't have, among other things... by Anonymous Coward · · Score: 0

    Virtual memory.

    It has a multitasking kernel. It borrows from other MS kernels. But it's not based upon a kernel used in any shipping MS PC product.

  80. USB Devices Can Crack Windows by VincenzoRomano · · Score: 1

    It depends on how hard you can throw a USB device against a window!

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
  81. Mod parent up (n/t) by ejhuff · · Score: 1

    This should be an update to the article.

  82. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  83. This has happened before by mmxsaro · · Score: 1

    Anyone recall the exploit where you pop in an autorun CD into Windows 9x to circumvent protected screensavers? Yep, it's back!

    1. Re:This has happened before by Anonymous Coward · · Score: 0

      Nope. Autorun is irrelevant.
      I will assimilate you.

      See you Wednesday.

  84. yeah whatever, this is old, TECHNICAL DETAILS HERE by Sean · · Score: 1

    I saw a talk by a guy named David Maynor back in May. Here's the USB vulnerability presentation which includes the details of the vulnerability.

    it's fairly similar to the firewire problem.

  85. Wireless USB devices by HTH+NE1 · · Score: 1

    I'd be more concerned if there was an exploit to inject code into a PC with a wireless USB mouse.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?