System Exploitable With USB
Anonymous Coward writes "Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device." From the article: "The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics."
Computers with physical access are susceptible to "unintended root-level access".
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
This is similar to an early security flaw in Windows, though I forget precisely which Windows versions it was, 95 and earlier I suspect. It was possible to write a program that would autorun from an inserted CD and copy the screen saver password file to a floppy, from where it could be later cracked at leisure.
From the summary and the article:
Vulnerabilities in USB drivers for Windows...The buffer-overflow flaw is in device drivers that Windows loads...running Windows 32-bit operating systems, including Windows XP and Windows 2000...
The article then goes on to say:
However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI.
Really, how serious a threat is this? If someone has unrestricted physical access to your machine then you're already in serious trouble. We all know how breakable the NTFS file encryption is, so if they really want to get at your files, they can just reboot into Fedora from a CD, or run any other tool that circumvents the encryption. If they just want to destroy data then you can put a hammer through the hard drive, and no OS can prevent that... So, I'm not saying that this vulnerability shouldn't be fixed, but maybe they should work on making NTFS a bit stronger first - if that's even possible.
Also, does anyone else think Slashdot should have a special section for buffer overflows? They seem to spawn more stories than several of the other sections...
apterous.org
I believe the key word is when. By that time USB may be obsolete :P
More realistically though, by the time it's released, USB will probably be taken out of Vista.
I'm here 'til Thursday, try the veal!
Let the commencement BEGINULATE!
'plug and play' hacking .....
Flaws found in device drivers shipped with Windows, Microsoft recommends upgrading to Vista!
"What would be funny is if Vista had this bug when it shipped..." Hey there, this is Microsoft, in order for us to not get sued we need you to use "Windows" in conjunction with the word "Vista". So please kindly edit your post, you wouldn't want us to get sued, would you? darling? sweety?
Oddly enough, this isn't a particularly new idea. The Xbox Linux project considered the possibility of using a specially-designed USB device to run code on the Xbox, though I don't think they managed to find a suitable vulnerability to exploit (unlike now). I wonder if this works for the Xbox, actually - it's Windows 2000 based IIRC...
Sadly enough it is not at all surprising that Slashdot immediately goes for the anti-Windows slant rather than actually reading and comprehending the article and exploit in question. Too few actual exploits in Windows as of late to get up to the required quota perhaps?
In a more direct comment about the "exploit": I don't consider it terribly important, hardware access leads to a lot of trivial exploits. This one can be made more user-friendly than most with appropriate hardware, but it is not really worse than just inserting a boot CD that copies the relevant data to a secure server or so. It can also of course easily be fixed by disallowing loading of USB drivers without confirmation from the user.
USB flash drives are already quite highly accepted amongst non-technical users; both my parents have bought pendrives, as have many of my friends. They're quite comfortable with just popping in the drive, waiting for the OS to see it, and grabbing files off it.
So, what if someone handed them a pendrive and asked them to grab some files from it, and it turns out that this pendrive would cause an attack like this? One could be switched by a black-hat, or planted, or mailed... put simply, the attacker wouldn't need physical access, just access to someone who does.
And tomorrow the stock exchange will be the human race
Ya, if you throw them hard enough XD
If you like what I've said here, and want to read more, go to http://www.krillrblog.com
BIOS? No problem, pop the reset jumper on the motherboard, and all the BIOS settings, including password and boot restrictions, are gone. When someone has physical access, they can get root/admin, if given the time. Our UNIX admin always maintains this philosophy, that anyone who has access to our servers can get root on them. So our security is not designed to make that impossible, but to make it hard enough and watched enough that we notice when someone tries it, and can go and confront them.
This reminds me of the vulnerabilities discovered in Linux (and other systems) concerning Firewire; since Firewire devices can read and write directly to the computer's memory, you can do some nasty stuff. The issues are documented on the website of the German CCC: http://www.ccc.de/congress/2004/fahrplan/event/14.de.html
Life is just nature's way of keeping meat fresh.
How come these things still happen? Lazy programmers? Crappy x86 architecture? These self-created problems should still be around.
...and that is all I have to say about that.
http://jessta.id.au
A BIOS option to disable USB would be nice, especially in an environment that doesn't need USB for anything.
A lot of systems do not have the option.
Who run Barter Town?
"SPI tested attacks on Windows systems, but any operating system that is USB-compliant is probably vulnerable, he said."
Luckily I still run DOS. Most secure system evah.
Given enough time and resources, I have physical access to anything. If your computer is in a locked case, is that physically secure? In a lab that is always staffed? Behind a locked door? With a guard?
For many situations, a computer with a locked case in a room that is staffed is considered "physically secure", as it's not likely that you'll break the physical security (lock on the case) without attracting the attention of the staff. Hell, even a computer in a staffed room in a case that has screws on it is fairly physically secure. The USB problem circumvents the physical security.
Security is all about deterrent. My apartment has a dead bolt lock on the door. Does this mean it's impossible to break into my apartment? Of course not - it just makes it harder.
Being able to break security on a locked computer with a USB drive is like leaving the key to your apartment under your door mat.
paintball
If the problem truly lies in the USB standard, wouldn't other operating systems that implement USB also be affected? "multi-platform exploit" ... kinda makes you just wanna drop your other projects and get to coding that proof of concept, doesn't it?
Really, how serious a threat is this? If someone has unrestricted physical access to your machine then you're already in serious trouble.
Surprise, it's just a little more sensationalism at eWeek. If this weren't somehow related to Microsoft Windows, then it might not have been given a front page reference here at Slashdot. Corporate espionage and cyberterrorism, oh my!
Perhaps it's intended to evoke an image of a man standing at a workstation and inserting a USB device that automatically captures all of the corporate trade secrets. It's only going to frighten those who are uninformed, as you've effectively described the entire problem. Unless the organization in charge has established an extremely secure physical environment, then their sensitive information will always be susceptible to physical espionage.
If their only layer of protection is provided by a locked Windows workstation, then a network-based attack might prove itself both less expensive and more effective, anyway.
Do you like German cars?
Are you being sarcastic?
From TFA:
So how can it be in all usb drivers?
http://michaelsmith.id.au
is part of http://www.igd.fhg.de/igd-a8/projects/coseda/index.html
So you could hack up USB device (e.g. a flash), send it to a company, and kaboom.
Or leave a few lying around at Starbucks (like the exploding toy-like objects the Soviets dropped on Afghanistan).
http://www.thebricktestament.com/the_law/when_to_
I really wouldn't give these guys the publicity at this point.
They haven't explained what the problem really is, to us, or even filed a report with Microsoft.
They also claim that any OS is vulnerable, though it's only been tested with Windows drivers.
The whole thing just stinks of someone wanting publicity or setting up to try to sell some protection software.
I've known that most any system that can boot from USB was vulnerable for at least a year now. I keep DSL on my thumbdrive and need to get it onto my iPod shuffle now too.
Scott Swezey
So, in theory, a virus or a backdoor could be installed via hardware? Plug in your new USB mouse and your system is compromised... nice one.
Does it go on forever?
You don't sound very sincere.
The article does make an excellent point: any hot-pluggable device (USB, Firewire, PCMCIA, etc) is a potential attack vector if it is possible for a malicious device to exploit vulnerabilities in the host operating system's drivers. An attacker could exploit this weakness to extract data from a locked workstation without leaving any obvious evidence.
That said, any buffer-overflow vulnerabilities in the USB/Firewire/PCMCIA/whatever drivers are problems with the operating system itself.
I can't wait to see a demonstration. Sounds kinda cool.
a USB dongle with Knoppix on it, a Knoppix CD, a Linux boot floppy, dude, if I have physical access to your machine I don't care what the OS is doing, the data inside is fracking mine.
hell I have a Linux laptop and a USB-IDE cable. I'll simply pry open the case, pop the cable off your drive, put it on the USB device and then dump the data off to my laptop if all other attacks fail.
the ONLY way to protect your data is to have it encrypted on the drive. those encryption sleds for hard drives are a good start but nobody uses them, just like encrypted filesystems.
people do not like to have to enter passphrases after they login to access their data.
Do not look at laser with remaining good eye.
If you get close enough to plug in a USB device, you're close enough to boot it to a crack CD and a) wipe the system b) blank the admin password c) take all the data (and copy it to a USB device).
It probably will be...
The flaw isn't within Windows; it's within the device drivers. So it isn't a matter of Microsoft fixing it, it's a matter of every USB driver manufacturer fixing it.
What's more, this kind of issue will apply to any OS with shoddy drivers.
This is but one of the many reasons why device drivers should never run in kernel mode - that goes for everyone!
-- Dramatisation - May Not Have Happened
This is not true unless you let users install drivers themselves. Any reasonable administrator has already blocked this in their default Windows installation!
now i can convince my wife she can be a hacker too
me: "yes honey....just plug this device over here.....yup..u just hacked the system...congrats"
she: "this is l33t"
The lunatic is in my head
It seems obvious that this can affect any OS, and is due to the poor design of USB: if a device posts a number, then the system assumes it's such-and-such, and loads the driver. Which probably has bugs. So, how do We (that is Open Source system developers) deal with this?
Of course 1. is to make sure that all drivers in our trees have no overflow bugs. Or any others, of course. This takes work, but we now know that it is needed. You cannot trust any info that a USB device gives us. Shoulda known.
Of course, some painful hardware vendors will _insist_ on providing only binary drivers. Am I alone in thinking that running these as root, melding these with no less than the system kernel, is unacceptable? So a fast, secure universal USB interface is needed. I know I have ugen in FreeBSD, and I hope it's secure, but is it fast enough for pedantic hardware vendors? What's the Linux situation look like? As you are the ones that have been provided with binary USB drivers, what do these look like?
And, no, I do not like the idea of running any binary only code. But at least we need to sandbox it off, and reduce its permissions.
So, what does everyone think can be done?
Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
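As an added illustration of the point made above, that nothing a USB device reports can be trusted, here is a bounded descriptor parser in C (example code written for this page, not from the thread or any real USB stack): every bLength, wTotalLength and class field is device-supplied and is checked against the bytes actually received before it is used as an index or a copy size. The descriptors are constructed samples; the field layouts follow chapter 9 of the USB 2.0 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Descriptor types and fixed sizes from the USB 2.0 specification, chapter 9. */
#define USB_DT_CONFIG         0x02
#define USB_DT_STRING         0x03
#define USB_DT_INTERFACE      0x04
#define USB_DT_ENDPOINT       0x05
#define USB_DT_CONFIG_SIZE    9
#define USB_DT_INTERFACE_SIZE 9
#define USB_DT_ENDPOINT_SIZE  7
#define MAX_IFACES            8

enum usb_parse_result { USB_OK = 0, USB_ERR_TRUNCATED, USB_ERR_BAD_LENGTH, USB_ERR_TOO_MANY };
/* bInterfaceClass (e.g. 0x03 = HID) is the "number the device posts" that selects a driver. */
struct usb_iface_summary { uint8_t bInterfaceNumber, bInterfaceClass, num_endpoints; };
struct usb_config_summary {
    uint16_t wTotalLength;
    size_t   n_ifaces;
    struct usb_iface_summary ifaces[MAX_IFACES];
};

/* Walk a configuration descriptor and its interface/endpoint sub-descriptors.
 * Every length and count field was written by the device, so each is checked
 * against the bytes actually received before it is used as an index or copy size. */
enum usb_parse_result usb_parse_config(const uint8_t *buf, size_t len,
                                       struct usb_config_summary *out)
{
    memset(out, 0, sizeof *out);
    if (len < USB_DT_CONFIG_SIZE) return USB_ERR_TRUNCATED;
    if (buf[0] != USB_DT_CONFIG_SIZE || buf[1] != USB_DT_CONFIG) return USB_ERR_BAD_LENGTH;
    out->wTotalLength = (uint16_t)(buf[2] | (buf[3] << 8));
    if (out->wTotalLength < USB_DT_CONFIG_SIZE) return USB_ERR_BAD_LENGTH;
    if (out->wTotalLength > len) return USB_ERR_TRUNCATED;  /* device promised more than it sent */
    size_t total = out->wTotalLength, off = USB_DT_CONFIG_SIZE;
    struct usb_iface_summary *cur = NULL;
    while (off < total) {
        if (total - off < 2) return USB_ERR_TRUNCATED;
        uint8_t bLength = buf[off], bType = buf[off + 1];
        /* bLength 0 would loop forever; bLength past the end would read out of bounds */
        if (bLength < 2 || bLength > total - off) return USB_ERR_BAD_LENGTH;
        switch (bType) {
        case USB_DT_INTERFACE:
            if (bLength < USB_DT_INTERFACE_SIZE) return USB_ERR_BAD_LENGTH;
            if (out->n_ifaces >= MAX_IFACES) return USB_ERR_TOO_MANY;
            cur = &out->ifaces[out->n_ifaces++];
            cur->bInterfaceNumber = buf[off + 2];
            cur->bInterfaceClass  = buf[off + 5];
            break;
        case USB_DT_ENDPOINT:
            if (bLength < USB_DT_ENDPOINT_SIZE) return USB_ERR_BAD_LENGTH;
            if (cur) cur->num_endpoints++;
            break;
        default:
            break;  /* class-specific descriptors are skipped using their own bLength */
        }
        off += bLength;
    }
    return USB_OK;
}

/* Copy the UTF-16LE payload of a string descriptor into a bounded ASCII buffer; returns
 * characters written or -1 if malformed. Sizing this copy from bLength alone is the classic
 * driver overflow: a device may claim up to 255 bytes for a fixed-size name buffer. */
int usb_string_to_ascii(const uint8_t *desc, size_t len, char *out, size_t out_size)
{
    if (len < 2 || out_size == 0) return -1;
    uint8_t bLength = desc[0];
    if (desc[1] != USB_DT_STRING || bLength < 2 || bLength > len || (bLength & 1)) return -1;
    size_t n = (size_t)(bLength - 2) / 2;
    if (n > out_size - 1) n = out_size - 1;   /* truncate rather than overflow */
    for (size_t i = 0; i < n; i++) {
        uint16_t c = (uint16_t)(desc[2 + 2 * i] | (desc[3 + 2 * i] << 8));
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: one HID interface with a single interrupt IN endpoint. */
const uint8_t sample_config[25] = {
    0x09, 0x02, 0x19, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,   /* config, wTotalLength = 25 */
    0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x00, 0x00, 0x00,   /* interface 0, class 0x03 */
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0a,               /* endpoint 0x81, interrupt */
};
/* Constructed string descriptor for "ACME": bLength 10, type 3, UTF-16LE payload. */
const uint8_t sample_string[10] = { 0x0a, 0x03, 'A', 0, 'C', 0, 'M', 0, 'E', 0 };

int main(void)
{
    struct usb_config_summary cfg;
    char name[8];
    int rc = usb_parse_config(sample_config, sizeof sample_config, &cfg);
    printf("config: rc=%d ifaces=%zu class=0x%02x\n", rc, cfg.n_ifaces, cfg.ifaces[0].bInterfaceClass);
    rc = usb_string_to_ascii(sample_string, sizeof sample_string, name, sizeof name);
    printf("string: rc=%d \"%s\"\n", rc, name);
    return 0;
}
```

Feeding the same config with the endpoint's bLength patched to 0xff or 0x00, or with wTotalLength larger than the bytes delivered, makes the parser return an error instead of walking past the buffer.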
wow if you have physical access to the computer there are many ways to get into it... like boot CDs and password changers for Windows. Yes I know about BIOS and you can change that and then lock BIOS, but all you have to do is pop the BIOS battery or reset the BIOS, which is usually the red jumper, and you then are good to go... but if you are on a Mac you can plug into another computer, boot the computer as a Firewire device, and it is full access (are they going to inform us all about this now and take credit for it?) but now tell me if you are at the workstation, that would be more of an issue with you forgetting to lock the damn door than an evil hacker getting into your computer by the wonderful world wide web...
(yes I know I suck at spelling, feel free to correct my grammar and/or spelling, I don't care, I'm still not going to change)
Considering an operating system can be exploited using bugs in the operating system, I'm curious what other exploits exist in other drivers. Possibly network interface card or firewire drivers.
Let's see... You have physical access to the machine and you can exploit it... Wow. That's really news. *yawn*
---- Booth was a patriot ----
Original URL:
http://www.theregister.co.uk/2005/05/27/device_driver_flaws/ Device drivers filled with flaws
By Robert Lemos, SecurityFocus (tips at securityfocus.com)
Published Friday 27th May 2005 13:48 GMT
The uneven skills of driver programmers have left a legion of holes in software that ships with Windows and Linux, security experts say.
Operating system vendors and hardware makers should commit more resources toward systematically auditing Windows and Linux device-driver code for flaws, security researchers say.
While buffer overflows, a type of memory flaw that can lead to serious vulnerabilities, are quickly being eradicated in critical applications, the flaws are still easily found in device drivers, said David Maynor, a research engineer for Internet Security Systems' X-Force vulnerability analysis group.
"If you look through the device driver code, there are a lot of problems," he said in a recent interview. "The state of the code's security is not strong." During a few hours on a recent plane flight, for example, Maynor found more than a dozen glitches in several Windows XP drivers.
Windows is not the only operating system at risk. A survey of the Linux 2.6.9 kernel code performed by automated-code-checking software maker Coverity found that, while the overall quality of the code had increased significantly, more than 50 per cent of flaws appeared in device drivers. Many of those flaws may not affect system security, but the ratio is generally indicative of the quality of the code, said Seth Hallem, CEO of Coverity.
"The people writing the device drivers are not generally the core programmers," he said. "It is not the operating-system implementers themselves - the Linux programmers or Windows developers - it is generally the vendors."
The warnings come as operating-system developers have placed security higher on their to-do lists. While the Windows and Linux operating systems have both undergone significant audits in the past several years, many device drivers - especially those created by third-party hardware providers - have seemingly escaped rigorous testing.
Microsoft acknowledged the threat but stated that the company's developers had already started checking drivers that have been shipped with Windows for flaws.
"Microsoft is aware of a scenario by which an attacker could attack an existing software vulnerability in a device driver (and) could compromise a user's system," the software giant said in a statement to SecurityFocus. "It's important to note that Microsoft's software development processes do cover instances where third party code included with the operating system may be reviewed before the code ships with Windows to help ensure that customers are not at risk from this type of threat."
Microsoft has also moved forward with development efforts to harden device drivers, according to sources familiar with the initiative. However, the company remained closed-lipped about the details of the effort.
Device driver flaws can be more dangerous than other application vulnerabilities because device drivers are, in most cases, part of the kernel itself and subverting the critical software gives an attacker direct access to the kernel. Moreover, drivers that have direct memory access (DMA) - such as USB drivers, CardBus drivers, graphics drivers and sound drivers - could be used to overwrite system memory and exploit the system.
Some security experts argue that such issues are a well-known problem, and one with which device-driver programmers should have already dealt. The problem has been known for a decade or more, said Crispin Cowan, director of software engineering for Novell, which distributes the SuSE Linux distribution. He acknowledged, however, that not everyone may have made auditing driver code a priority.
"If you can crash your kernel with an application that is
Uh, so USB can act like any other device. Is there a problem with that? I have a feeling it's designed to work that way (for flexibility, you know).
If you've got a security hole in some random driver and physical access to the system, you can exploit it either via USB or via its native connection.
Besides, what makes the actual exploitation the "specifics" and the mere tunnel the problem?
Luke-Jr
On the other hand, I would be quite mad if I had to confirm that my new keyboard and mouse should, in fact, be used. (Catch 22, hey?) Only allow plug-and-pray of anything but a very limited set of devices (user configurable?) from anything but Administrator. That would solve most of it.
I wonder when people will start poking more at Nvidia's and ATI's OpenGL drivers on all platforms. That should prove interesting, especially since the binary drivers may actually contain the same flaws on several platforms.
OT: did you pay your taxes? I'm sure you must have, one way or another. Step out of the society if you really care about these issues.
I'll do the stupid thing first and then you shy people follow...
Sort of like escape artists who used to specialize in getting out of safes -- they were never meant to keep something inside from getting out, but someone outside from getting in.
First and foremost, the guy says he has NOT notified Microsoft, but then goes on later to say:
"I was really looking to them to address this issue, but Microsoft feels that this is a hardware issue and doesn't see it as a problem," he said.
Which one is it, you told them or you didn't?
Then he goes really REALLY far out of his way not to mention which driver is supposedly exploitable... is it a driver HE wrote?!
I'm giving this 95% that it's a driver HE wrote and installed to exploit ring 0 access, not an exploit in the existing USB stack components, which makes the whole article a self-serving lie.
The joke is in the subject so I won't repeat.
While there is obviously an issue in that drivers (particularly automatically loaded ones such as Firewire and USB) have not undergone the security scrutiny that network software has, this is most certainly a PR article. There isn't a link to a technical description of the problem anyway, but the second half of the article is dedicated to vendor solutions. This article was instigated by a PR firm, not by normal media services. I wish I was going to Black Hat though. After SANS I could only get work to pay for DEFCON. Especially since they know what CISSP training will cost.
I do security
A lot of people use encryption software. See TrueCrypt's forum. Or, for instance, this article http://en.wikipedia.org/wiki/Keydrive, it's a story about USB disks, but there's a section that describes encryption software such as TrueCrypt or Private Disk.
:-)
IMHO this attracts plenty of attention, because everyone thinks wikipedia rocks. A couple of days ago my dad told me to "check this cool site out" (and gave me a link to wikipedia)
A couple of months ago I was working on a project, and a lot of reading material was needed... I searched through Answers.com and Wikipedia, and then I read my colleagues' projects -> they were all copy/pasted from either the first or the second site.
Wikipedia is a trend-setter, if encryption is mentioned there - then people will follow.
people do not like to have to enter passphrases after they login to access their data.
Man, have you heard of 'multifactor authentication'? There are point-and-click tools that do that, so even grandmas can use them. Example
The saddest poem
This reminds me of when I bought a new MIDI controller with USB, and plugged it into my Windows 2000 machine and it just simply BSOD'd...
I couldn't believe it, just like that, BANG reset. Found it was a "known problem", so I followed the instructions on the M-Audio website, to the letter. Tried it again, still BSOD'd. To this day I can't use my USB MIDI controller in Windows 2000. Fortunately I use it mostly in Linux, where it works just fine.
(For the record, it does work under Windows XP)
I'm not part of US "society"-- tell me how I can cease paying taxes, exactly?
Luke-Jr
Blaming USB for a privilege escalation is like blaming Ethernet for someone 0wning your box.
you had me at #!
This would be even more effective than the jpg exploit. And how many of those vulnerable web cams use USB? Talk about hacking the planet.
However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI. any operating system that is USB-compliant is probably vulnerable
1. I had to move my sound card to a different PCI slot because it was causing problems with sharing an IRQ with my video card. Because of different card sizes, I had to rearrange other cards, too.
a. New sound card found, do you have the drivers? Ah, yes, but... Great, give it the drivers again. Reboot.
b. New TV card (multimedia device found) do you have the drivers? Why, yes, but they were already installed. No matter... Reboot.
Two driver reinstallations and two Reboots.
2. Put my gamepad in a different USB port: Windows has found new hardware but you need to be an admin to install it. WHAT??? At least Windows didn't require me to reboot.
Linux. No driver reinstallations, no reboots, no need to be admin to use my fricking gamepad in a different port.
THIS IS RETARTED, BILLY BOY!!!! ze software is not so f888ing great!
A lot of you are missing the point. A "locked down" machine may not have physical access. There are circumstances where the machine itself IS locked down, by virtue of security cameras, monitoring equipment, or simply not having the physical box in the vicinity.
However, this USB exploit lets anybody defeat all that with just plugging in a USB device. This should be fixed. It is serious IN SOME CIRCUMSTANCES.
Buy a small island (possibly with some libertarian buddies) off some third-world nation, establish it as a country and live there. No taxes.
I quit!
Just stick your USB key into my infected computer and get your key infected too. This worked fine in pre-internet days with diskettes, so we'll see some new worms with this capability -- quite dangerous, because there are many networks that cannot upgrade their Windows for various reasons like running legacy software but firewalled or simply disconnected from the internet.
How did this get modded insightful? Obviously you AND the mods did not read the article and have absolutely no idea what's going on here.
First of all there is only one USB subsystem driver for Windows. That's not actually technically correct since there are drivers for the various USB control architectures (such as UHCI, OHCI, EHCI), but they are a small part of a larger unified USB subsystem driver.
I suspect you mistakenly thought the article was talking about the individual USB device drivers (for things like gamepads, cameras, printers, etc).
This is not what's happening at all. This is a Windows vulnerability, and actually has absolutely nothing to do with USB, other than it affects the USB subsystem of the Windows (and only Windows) operating system.
There's a buffer overflow in the USB system, which allows any properly designed device to be plugged into a locked Windows computer, and execute arbitrary code (i.e. unlock the machine, etc).
You may think this isn't a big deal, but this is a huge deal. You can pick up USB dev kits for a couple hundred bucks that come with an FPGA, flash rom, and more. Basically for the price of one of these devices you could theoretically walk into any place where you can gain physical access to a Windows machine, and pwn it.
Mail? Put "slashdot" in the subject to pass the spam filters.
Given Microsoft's track record, they probably consider your office chair as part of Windows. But a driver problem is a driver problem, whether it's part of a monolithic kernel or loaded on demand from a separate medium. The OS problem would be the default inclusion of the buggy driver in a distro. Therefore, there are two problems to consider. Not that that would stop Microsoft from blaming the hardware...
Mail? Put "slashdot" in the subject to pass the spam filters.
No, you are wrong. Specific USB device drivers is what the article is all about.
They even mention this:
The problem is that we do not have a modern operating system architecture that is fast enough to allow for drivers to run in another privilege level. Seen the wonderful server performance of OSX? That's what happens when you put drivers at a different privilege level than the kernel. The real issue is twofold. Firstly, context switches are extremely slow, even on modern processors. In the IA-32 architecture, which has three privilege levels, most microkernels have put kernel code at ring 0 (most privileged), drivers at ring 1, and user code in ring 2. But what you end up with is every system call going from user -> driver -> kernel -> driver -> user. This greatly slows down the system, especially in a uniprocessor multitasking operating system. Things get even more complicated when you're trying to write a portable operating system (Linux/*BSD/NT Kernel), since most other chip architectures only offer two privilege levels (user & supervisor).
I guess my point is simply that we've tried this isolation you speak of, but it truly offers horrendous performance, especially graphics subsystems. Take a look at some of the research on Mach, why no one uses it (well, except Apple). Check out Jochen Liedtke's research on the L4Ka microkernel, and how they've gotten near monolithic type speed out of a microkernel by caching calls between privilege levels to minimize context switching.
OS Development is fun! It also allows you to look at the common (and not so common) operating systems in a whole new light. And don't get me started on the Linux kernel. Until the 2.4 series, I could have done better with 6 months and an unlimited supply of pizza and Sun Drop (and no, I can't get the good Sun Drop where I live!!)
So in short, every modern operating system (sans OSX) runs drivers in Kernel mode. It's a necessary evil. Maybe one day, the speed decline will be negligible, but as long as context switches take over 1,000 cycles, and as long as you can trigger tens of thousands of context switches relatively easily in user/driver/system interactions, with very few user-level instructions (i.e. libc), we'll always have this problem.
But I decided to respond...
Use a very long passphrase and you've got pretty good security, but with time it is crackable.
How many millions of years do you have?
The article is a little misleading. If you know more about the Windows USB subsystem (I've created hardware USB devices, and written Windows drivers for them) you'd know how the architecture works.
You're right that the article is talking about individual drivers that interact with the host USB subsystem, although this is a greater symptom of the USB subsystem itself. It IS a Windows vulnerability, and actually has nothing to do with the individual drivers themselves. The proper fix for this is not to patch the drivers, but to patch the USB subsystem that the drivers interact with.
If the underlying Windows USB subsystem wasn't flawed it wouldn't allow buffer overflows in device drivers to compromise the system.
As someone who's done USB device and driver development I can say that the Windows USB implementation is absolutely terrible. It comes as no surprise to me that a vulnerability was found.
This is just a report about the general issue that all USB drivers have to be secure or a hardware device can be made to exploit the machine.
There are many specifications (IPv4 springs to mind) that weren't designed with security in mind. It's the responsibility of the OS writers to design their OS to handle such insecurities. There's nothing in the USB specs that says that the OS must run the USB driver at ring 0.
It is in no way about Windows, but actually about any operating system that implements USB.
The article gives two specific cases:
1. The ability to unlock locked systems (say, while the user is at lunch). This gives far more than just owning a system physically. You now have access to all of their network privileges and everything else that relies on their single-sign-on accounts. This is meaningless to Joe home user or most small businesses, but vastly significant to enterprise level situations. With physical access to my work Windows desktop, you could gain access to some e-mail and word processing. With access to my system logged in as me on the Active Directory, you would have access to my AD OU, networked drives, SSO enabled applications, etc. See the difference?
2. A USB drive that automagically copies the last used files onto a flash drive. The ability to subtly plug a drive in and retrieve it later opens all kinds of espionage capabilities.
it is not really worse than just inserting a boot CD that copies the relevant data to a secure server or so.
Beyond the statements I made above, rebooting a system in a secured environment can easily trigger monitoring systems' alerting capability.
It can also of course easily be fixed by disallowing loading of USB drivers without confirmation from the user.
For anyone interested, here are instructions on how to (theoretically) disable USB entirely under Windows. Note that I've not tried the above process described, so it may or may not work. And another one discussing how to disable USB storage devices, although that may not be enough to prevent the exploit in question from working.
USB devices, bootable CD-ROMs, etc are all means to the same end. This is why physical security is so damned important!
Microsoft's 10 Immutable Laws of Security
"On a scale from 1 to 10, people are stupid"
Everyone seems to be forgetting the real big security issue with this.
Accessing physical data on the system's hdd (whether encrypted or not) is not the major issue - accessing currently running programs is.
Example - John Q Sysadmin has a few open ssh sessions to some of his favourite boxes - locks his workstation so he can wander off somewhere. Anyone exploiting this to unlock his workstation now has access to his logged-in ssh terminals.
Yes, there are other ways to achieve this, including keyloggers, trojans, etc, but this makes it stupidly easy to walk past a random workstation, and potentially 10 seconds later have root access on any number of other boxes the user happened to be logged in as.
Remember guys - better be shutting down your ssh terms before you go to lunch!
Maybe a wireless KVM switch could be used with the computer locked in a safe somewhere. :-)
Wireless KVM
USB was created by the government to monitor data and to attempt to spy, control, and spy on people's lives.
I believe all operating systems which have device drivers are vulnerable to exploitation if the device drivers are written incorrectly.
If the underlying Windows USB subsystem wasn't flawed it wouldn't allow buffer overflows in device drivers to compromise the system.
Please remember that Windows XP SP2/2003 and the x64 and Itanium editions of Windows have built-in protection against buffer overflows in software. It's not 100% perfect, but is there any widely used operating system with guaranteed protection against buffer overflows?
... and buffer overflows are not the only way to exploit flaws in software anyhow!!
As someone who's done USB device and driver development I can say that the Windows USB implementation is absolutely terrible. It comes as no surprise to me that a vulnerability was found.
I haven't seen any greater problems with the Windows USB implementation as compared to, for example, Linux. From the user's point (the user is the point, after all) of view, the USB implementation on Windows is pretty damned seamless. Linux USB, on the other hand, is, well, troublesome...
BTW - your website's certificates are nearly 6 months out of date...
Know of any groups interested in this?
Luke-Jr
No, speed does NOT necessitate that drivers run in the kernel. A GOOD microkernel architecture like QNX Neutrino is a perfect example. QNX powers Cisco's CRS-1 Carrier Routing System - a router which Guinness World Records has certified as the highest capacity internet router ever developed. It can handle up to 92 terabits/sec total throughput.
Also, the Mac OS X kernel, XNU, contains code which is based on Mach, but it isn't Mach - I.E. it's not a true microkernel.
The bits on the bus go on and off... on and off... on and off...
To the people whining about how "this vulnerability exists in Linux, OSX"... etc... clearly. All the article claims is that some bad USB firmware writer makes his device pose as device(x), which on Windows has a known buggy driver. So what? Windows is buggy. Move along citizen... nothing to see here.
Every now and then a group of slashdotters would try to do this. Half would die from not getting their porn fix when they realize that the Internet hasn't come to their island. The other half would start religious wars over various topics and wipe each other out. After that, it's game over.
One point would be to get away from sexual perversions and abuse of women such as porn.
Luke-Jr
I understand that. That's why I pointed out L4Ka. The problem is with early microkernels and the original Mach design in particular. Without specifically taking the context switching into account, performance is terrible. Embedded realtime operating systems such as QNX are not a good example. They are designed in such a way that they can guarantee realtime performance up to a specific system load, which must not be exceeded for the system to function properly. Remember though, that as of yet QNX is not a general purpose operating system. Further, I suggest you check out the recent performance issues of XNU as compared to Linux for common server applications such as Apache, MySQL, etc. Speed is most certainly an issue, and until a general purpose operating system is designed in such a way as to minimize context switching across system calls, it always will be an issue with separating drivers from kernel and user space.
I'd posted the DEP info above and this SP2 "Controlling block storage devices on USB buses" (which also got an off-topic mod, probably the same modder) to counter the posts being made that attack M$ as not having addressed USB and driver security at all. MS bashing is always "on topic" here.
Right, and given physical access, it's possible to root most Linux boxes in 4 keystrokes.
Yes, I know people will say, "my server/box is locked down". That's not the point; most are not. You can also lock down the USB exploit by disabling USB in the BIOS and using a BIOS password.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
Just unplug the box and take it home.
I would imagine the problem being that USB devices can be reliably connected while the computer is on and the driver loaded without user interaction. Unlike printer ports or serial connections, there really isn't a way of doing this without rebooting the computer or running some program that searches for the devices.
Also, physical access to the computer might not be much more than a casual walk-by where you drop a pen on the floor and insert your device while picking it up. This is something that wouldn't be as noticeable as if someone had the computer case open or had failed logon attempts logged, which might open more eyes.
One of the biggest concerns is that Windows comes with a lot of these exploitable drivers preinstalled. That might be the only reason it is of concern to them. Whose fault would it be if I used some USB device to crack into your computer because of a faulty device driver that was preinstalled for some device that you don't even use? Whose fault would it be if I was able to gather all your customers' personal data, including credit card numbers used for payment, maybe even medical records and such, by doing something like this?
I'm not sure drivers should stop being supplied with Windows, but there should be some more user control over it. USB is great for people who don't know anything about computers and even better for those who do and don't have time to fuck with it.
It depends on how hard you can throw a USB device against a window!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
This should be an update to the article.
Both articles are off-topic because those mechanisms cannot prevent the attack being discussed here. DEP is irrelevant to this attack because it only affects user-space code. The StorageDevicePolicies key can also easily be bypassed (or reset) by code running at kernel level.
(I'm not the modder who originally marked the articles off-topic.)
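An added audit script, not from the thread or any poster, that reads the two Windows settings the thread's "disable USB storage" instructions and the comment above refer to: the StorageDevicePolicies WriteProtect value and the USBSTOR service start type. It assumes the standard registry locations Microsoft documents for Windows XP/2003 and only reports the current posture; as the comment above says, kernel-level code can reset these keys, and as the earlier poster notes, disabling mass storage does nothing about a device that poses as some other class whose driver still loads.

```powershell
# Added example (not part of the thread): report whether USB mass storage
# is disabled or write-protected on this machine. Assumed registry paths
# are the standard ones for Windows XP/2003 and later.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbStoragePosture {
    # Start = 3 (load on demand) is the default; 4 means the driver is disabled.
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction SilentlyContinue).Start
    # WriteProtect = 1 makes removable mass storage read-only; missing or 0 means writable.
    $wp = (Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue).WriteProtect

    [pscustomobject]@{
        UsbstorStart         = $start
        UsbStorageDisabled   = ($start -eq 4)
        WriteProtectValue    = $wp
        StorageWriteProtect  = ($wp -eq 1)
        # Neither setting touches non-storage device classes (HID, network, etc.),
        # so this is a storage-only posture check, not protection against the
        # driver-impersonation attack the article describes.
        CoversNonStorageUSB  = $false
    }
}

Get-UsbStoragePosture | Format-List
```

Run it from an elevated prompt if the policy key is access-controlled; an empty UsbstorStart means the USBSTOR service is not present on the machine at all.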
Kiss my faq, you fat-loving retard!
Anyone recall the exploit where you pop in an autorun CD into Windows 9x to circumvent protected screensavers? Yep, it's back!
And don't get me started on the Linux kernel. Until the 2.4 series, I could have done better with 6 months and an unlimited supply of pizza and Sun Drop.
But instead you're posting on slashdot.
Malike Bamiyi wanted my assistance.
I saw a talk by a guy named David Maynor back in May. Here's the USB vulnerability presentation which includes the details of the vulnerability.
it's fairly similar to the firewire problem.
I'd be more concerned if there was an exploit to inject code into a PC with a wireless USB mouse.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
There's only so many hours per day to do kernel development! And where better to discuss actual issues with kernels rather than religious zealotry between Linux and Windows? Oh wait... nevermind. That's what alt.os.development is for...
Nobody is going to fall for your forced and fallacious authority empiricism, forget about it. The article is very clear about specific devices and their drivers.
And if you really knew anything about development you would have noticed that the specific drivers are the ones responsible for data manipulation (therefore allow buffer overflows), while the USB subsystem is mainly a high-level management system. If this guy were talking about a bug in the whole subsystem, we would not have needed to be specific about device impersonation (meaning: you need to fake a specific device, with its specific device driver).
I don't see how it's abuse when it's legal (i.e. not kiddie porn), especially when they're being paid.