Penetration Testing mailing list archives
Re: USB delivered attacks
From: Gadi Evron <ge () linuxbox org>
Date: Sat, 05 Jun 2004 01:14:46 +0200
Rob Shein wrote:
The driver for USB drives is not on the USB drive. It's native to XP/2000, and loads dynamically from the O/S. Look at it this way; if the driver were needed to access files on the USB drive, then how could the driver be stored on the device to be used to access files? If you could pull the driver off the USB drive, why would you need the driver at all? To further see what I mean, put in your USB drive and wait for it to connect. Then look in Device Manager, and check the driver details. Look and see whose driver it is. If you've got multiple drives from multiple companies, try them one at a time, and look to see if the driver changes. Bet you it doesn't. :)
I suppose you are right. However, there is data on the USB drive itself. The entry on the PC is the HUB. The USB device is the client. I can think of a few ways the client can affect the HUB.
After re-examining the technology, I came up with the following conclusions about possible threats:
1. Someone will put his/her own code inside a USB SDK, which will be catastrophic.
2. Some will find a buffer overflow in the Microsoft USB driver. That sounds quite plausible. It crashes under many circumstances. A buffer overflow in the USB driver could possibly also affect very strong cryptographic systems such as eToken, but as I didn't look into that, I don't know if that particular technology is susceptible to such an attack.
There is still the risk of somebody just copying stuff over, and that can be expanded accordingly. I can put a file on my digital camera, say, a .DOC file. Unless the memory card is removed and examined, I think I can smuggle that file out pretty easily, even if my camera was to be examined.
There is always the auto-run POC which did come out of all this, so I suppose this thread wasn't a complete waste of bandwidth.
Thoughts?

Gadi Evron.

--
Email: ge () linuxbox org.
Work: gadie () cbs gov il.
Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
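The "whose driver is it?" check that Rob Shein describes, plus a look at the AutoRun policy the thread's PoC depends on, can be repeated across several drives with a short script. This is an added example, not code from either poster; it assumes a Windows host with PowerShell and the standard WMI class Win32_PnPSignedDriver, and the registry value names are the documented Explorer policy keys.

```powershell
# Added example (not from the thread): list the drivers actually bound to USB
# storage devices, and report whether AutoRun is blocked for removable drives.
# Assumes Windows with PowerShell and WMI (Win32_PnPSignedDriver) available.

# 1. Driver provenance. Per the thread, the driver comes from the OS, not the
#    device: expect the inbox Microsoft usbstor driver regardless of vendor.
function Get-UsbStorageDriverInfo {
    Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -in @('USB', 'DISKDRIVE') } |
        Select-Object DeviceName, DeviceClass, DriverProviderName,
                      DriverVersion, InfName, IsSigned
}

# 2. AutoRun policy. NoDriveTypeAutoRun is a bitmask indexed by drive type:
#    bit 0x04 = removable drives, bit 0x20 = CD-ROM; 0xFF disables all types.
function Get-AutoRunPolicy {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                                 -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            [pscustomobject]@{ Key = $key; Value = $null; RemovableBlocked = $false }
        } else {
            $v = [int]$prop.NoDriveTypeAutoRun
            [pscustomobject]@{
                Key              = $key
                Value            = ('0x{0:X2}' -f $v)
                RemovableBlocked = (($v -band 0x04) -ne 0)
            }
        }
    }
}

Get-UsbStorageDriverInfo | Format-Table -AutoSize
Get-AutoRunPolicy        | Format-Table -AutoSize
```

Plug in drives from different vendors one at a time and re-run the first function; if DriverProviderName and InfName stay the same, the point made in the quoted message is confirmed on that host.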