Penetration Testing mailing list archives

Re: USB delivered attacks


From: Gadi Evron <ge () linuxbox org>
Date: Sat, 05 Jun 2004 01:14:46 +0200

Rob Shein wrote:

> The driver for USB drives is not on the USB drive.  It's native to XP/2000,
> and loads dynamically from the O/S.
>
> Look at it this way; if the driver were needed to access files on the USB
> drive, then how could the driver be stored on the device to be used to
> access files?  If you could pull the driver off the USB drive, why would you
> need the driver at all?
>
> To further see what I mean, put in your USB drive and wait for it to
> connect.  Then look in Device Manager, and check the driver details.  Look
> and see whose driver it is.  If you've got multiple drives from multiple
> companies, try them one at a time, and look to see if the driver changes.
> Bet you it doesn't. :)

I suppose you are right.

However, there is data on the USB drive itself.

The entry on the PC is the HUB. The USB device is the client. I can think of a few ways the client can affect the HUB.

After re-examining the technology, I came up with the following conclusions about possible threats:
1. Someone will put his/her own code inside a USB SDK, which will be
   catastrophic.
2. Some will find a buffer overflow in the Microsoft USB driver. That
   sounds quite plausible. It crashes under many circumstances.

A buffer overflow in the USB driver could possibly also affect very strong cryptographic systems such as eToken, but as I didn't look into that, I don't know if that particular technology is susceptible to such an attack.

There is still the risk of somebody just copying stuff over, and that can be expanded accordingly. I can put a file on my digital camera, say, a .DOC file. Unless the memory card is removed and examined, I think I can smuggle that file out pretty easily, even if my camera were to be examined.

There is always the auto-run POC which did come out of all this, so I suppose this thread wasn't a complete waste of bandwidth.

Thoughts?

        Gadi Evron.

--
Email: ge () linuxbox org.  Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
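One way to automate the Device Manager check Rob describes above (list each connected USB device together with the provider and signer of the driver it actually loaded, so a third-party package standing in for the inbox Microsoft storage driver stands out). This is an added example, not code from the thread; it assumes Windows 8 or later with the PnpDevice module and the Win32_PnPSignedDriver WMI class, and the list of inbox INF names is an assumption to adjust per OS build.

```powershell
# Added example, not from the thread: report which driver each present USB
# device loaded. Assumes Windows 8+ (PnpDevice module) and Win32_PnPSignedDriver.

function Get-UsbDriverReport {
    # Inbox Microsoft INFs normally seen for USB and USB mass storage
    # (assumption: extend for your OS build).
    $inboxInfs = @('usbstor.inf', 'disk.inf', 'usb.inf', 'usbhub.inf')

    # Present devices whose instance path is a USB device or USB storage device.
    $devices = Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'USBSTOR\*' }

    # Signed-driver records keyed by device instance path (hashtable literal
    # keys are case-insensitive in PowerShell).
    $drivers = @{}
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        ForEach-Object { if ($_.DeviceID) { $drivers[$_.DeviceID] = $_ } }

    foreach ($dev in $devices) {
        $drv      = $drivers[$dev.InstanceId]
        $inf      = if ($drv) { [string]$drv.InfName } else { '' }
        $provider = if ($drv) { [string]$drv.DriverProviderName } else { '' }

        # Inbox means: provided by Microsoft and one of the expected INFs.
        $isInbox = ($provider -eq 'Microsoft') -and ($inboxInfs -contains $inf.ToLower())

        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            Class        = $dev.Class
            InstanceId   = $dev.InstanceId
            Provider     = $provider
            Signer       = if ($drv) { $drv.Signer } else { '' }
            Inf          = $inf
            Status       = if ($isInbox) { 'inbox' }
                           elseif ($drv) { 'third-party - review' }
                           else { 'no driver record' }
        }
    }
}

# Third-party and unknown entries sort to the top for review.
Get-UsbDriverReport | Sort-Object Status -Descending | Format-Table -AutoSize
```

Run it once with a known-good drive plugged in, then again with drives from other vendors; as the quoted post predicts, the storage driver should stay the inbox Microsoft one, and any device whose driver is not is the one worth examining.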

