October 25, 2014

Source code for BadUSB vulnerability posted on GitHub

(LiveHacking.Com) – Back in August, security researchers Karsten Nohl and Jakob Lell demonstrated how a USB device can be reprogrammed and used to infect a computer without the user’s knowledge. The pair presented their findings, dubbed BadUSB, at the Black Hat conference; however, they did not publish the source code or the reverse-engineered firmware needed to perform the attack. Nohl and Lell said they withheld the code to give the firms making USB-controller firmware time to work out how to combat the problem.

Now two other researchers, Adam Caudill and Brandon Wilson, have done their own research on BadUSB and produced working code that reproduces the attack. The source code can be found on GitHub. Unlike Nohl and Lell, Caudill and Wilson think it is in the public’s interest to release the source code.

“We’re releasing everything we’ve done here, nothing is being held back,” said Mr Wilson during his presentation at DerbyCon. “We believe that this information should not be limited to a select few as others have treated it. It needs to be available to the public.”

The BBC contacted Karsten Nohl about the new release. He said that “full disclosure” can motivate USB device makers to improve the security of their devices. However, he also noted that the problem with BadUSB is not one particular device but rather, “the standard itself is what enables the attack and no single vendor is in a position to change that.” He added that, “it is unclear who would feel pressured to improve their products by the recent release.”

According to the GitHub page for the new source code, the following devices can be reprogrammed and used as attack vectors:

  • Patriot 8GB Supersonic Xpress
  • Kingston DataTraveler 3.0 T111 8GB
  • Silicon Power Marvel M60 64GB
  • Toshiba TransMemory-MX™ Black 16GB
  • Patriot Stellar 64GB Phison

Researchers at Black Hat conference demo USB’s fatal flaw

(LiveHacking.Com) – Security experts Karsten Nohl and Jakob Lell have demonstrated how a USB device can have its firmware reprogrammed and then be used to infect a computer without the user’s knowledge.

During a presentation at the Black Hat security conference, and in a subsequent interview with the BBC, the duo raised questions about the future security of USB devices.

As part of the demo, a normal-looking smartphone was connected to a laptop, the sort of thing a friend or colleague might ask you to do so they can charge the device. But the smartphone had been modified to present itself to the laptop as a network card rather than as a media device. Once the laptop accepted the phone as a network interface, software on the phone could redirect traffic destined for legitimate websites to shadow servers that copy the look and feel of the genuine sites but exist only to steal login credentials.

According to a blog entry posted by the pair, USB’s great versatility is also its Achilles heel. “Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” wrote the researchers.

The experts, who work for Security Research Labs in Germany, gave a presentation at the Black Hat conference called “BadUSB — On accessories that turn evil.” Every USB device contains a microcontroller that is invisible to the user. It is responsible for talking to the host (e.g. a PC) over USB and for driving the device’s actual hardware. Its firmware is specific to the device: webcams, keyboards, network interfaces, smartphones and flash drives all perform different tasks, and the firmware is written accordingly.

However, the team managed to reverse engineer and modify the firmware on several devices in under two months. As a result they can reprogram those devices to act as something they are not.

During their Black Hat presentation, a normal-looking USB flash drive was inserted into a computer. The reprogrammed firmware on the stick announced it to the PC as a keyboard. The fake keyboard then began typing commands, forcing the computer to download malware from the internet.

Defences against this type of attack include code signing of microcontroller firmware updates and disabling firmware updates in hardware altogether. However, these must all be implemented by the USB device makers and are not something end users can enforce. The host, for its part, only ever sees what a device claims about itself at enumeration, so the most an administrator can do on that side is restrict which device classes a newly attached device is allowed to expose.
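The class-confusion at the heart of the demos above (a phone claiming to be a network card, a flash drive claiming to be a keyboard) is visible in the device's USB configuration descriptor, so a host-side policy can at least refuse devices that claim more than they should. The following is an added example, not code from the researchers or from any USB stack: a small Python parser for configuration/interface descriptors plus an allowlist policy, run over three constructed descriptor blobs (an honest flash drive, a drive that also enumerates a boot-protocol keyboard, and a phone presenting as a CDC Ethernet adapter). The descriptors, the role names and the `policy_verdict` function are assumptions of this example; the class codes and descriptor layouts are the standard USB ones.

```python
import struct

DESC_CONFIGURATION, DESC_INTERFACE, DESC_ENDPOINT, DESC_HID = 0x02, 0x04, 0x05, 0x21

# Interface class codes from the USB class code table.
CLASS_CDC_CONTROL, CLASS_HID, CLASS_MASS_STORAGE, CLASS_CDC_DATA = 0x02, 0x03, 0x08, 0x0A

def parse_interfaces(config_blob):
    """Walk a configuration descriptor and the descriptors that follow it,
    returning (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) for
    every interface descriptor. Unknown descriptor types are skipped by length;
    anything that overruns wTotalLength is rejected rather than read past."""
    if len(config_blob) < 9 or config_blob[1] != DESC_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len, = struct.unpack_from("<H", config_blob, 2)
    if total_len < 9 or total_len > len(config_blob):
        raise ValueError("bad wTotalLength")
    interfaces, pos = [], 0
    while pos < total_len:
        if pos + 2 > total_len:
            raise ValueError("truncated descriptor header at offset %d" % pos)
        length, dtype = config_blob[pos], config_blob[pos + 1]
        if length < 2 or pos + length > total_len:
            raise ValueError("descriptor at offset %d overruns wTotalLength" % pos)
        if dtype == DESC_INTERFACE and length >= 9:
            interfaces.append((config_blob[pos + 5], config_blob[pos + 6], config_blob[pos + 7]))
        pos += length
    return interfaces

def classify(interfaces):
    """Map interface triples to the roles the host would end up exposing."""
    roles = set()
    for cls, sub, proto in interfaces:
        if cls == CLASS_MASS_STORAGE:
            roles.add("storage")
        elif cls == CLASS_HID:
            roles.add("keyboard" if (sub, proto) == (0x01, 0x01) else "hid")
        elif cls == CLASS_CDC_DATA or (cls == CLASS_CDC_CONTROL and sub in (0x06, 0x0D)):
            roles.add("network")                   # CDC ECM / NCM Ethernet
        else:
            roles.add("other:0x%02x" % cls)
    return roles

def policy_verdict(expected_roles, interfaces):
    """Allow the device only if every role it claims is one we expected of it."""
    unexpected = sorted(classify(interfaces) - set(expected_roles))
    return ("block" if unexpected else "allow"), unexpected

# --- constructed descriptors (sample data for this example, not dumps of real devices) ---
def interface_desc(num, cls, sub, proto, n_endpoints):
    return struct.pack("<9B", 9, DESC_INTERFACE, num, 0, n_endpoints, cls, sub, proto, 0)

def endpoint_desc(addr, attrs, max_packet, interval):
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, addr, attrs, max_packet, interval)

def hid_desc(report_len):
    return struct.pack("<BBHBBBH", 9, DESC_HID, 0x0111, 0, 1, 0x22, report_len)

def config_desc(n_interfaces, body):
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIGURATION, 9 + len(body),
                       n_interfaces, 1, 0, 0x80, 50) + body

STORAGE_IFACE = (interface_desc(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2)   # SCSI, bulk-only transport
                 + endpoint_desc(0x81, 0x02, 512, 0) + endpoint_desc(0x02, 0x02, 512, 0))
KEYBOARD_IFACE = (interface_desc(1, CLASS_HID, 0x01, 0x01, 1)            # boot-protocol keyboard
                  + hid_desc(63) + endpoint_desc(0x83, 0x03, 8, 10))
ECM_IFACES = (interface_desc(0, CLASS_CDC_CONTROL, 0x06, 0x00, 1) + endpoint_desc(0x81, 0x03, 16, 16)
              + interface_desc(1, CLASS_CDC_DATA, 0x00, 0x00, 2)
              + endpoint_desc(0x82, 0x02, 512, 0) + endpoint_desc(0x03, 0x02, 512, 0))

HONEST_FLASH_DRIVE = config_desc(1, STORAGE_IFACE)
BADUSB_FLASH_DRIVE = config_desc(2, STORAGE_IFACE + KEYBOARD_IFACE)   # storage that also "types"
PHONE_AS_NIC = config_desc(2, ECM_IFACES)                              # the charging-phone demo

if __name__ == "__main__":
    for name, blob in (("honest drive", HONEST_FLASH_DRIVE), ("BadUSB drive", BADUSB_FLASH_DRIVE),
                       ("phone", PHONE_AS_NIC)):
        print(name, policy_verdict({"storage"}, parse_interfaces(blob)))
```

The policy is only as good as the moment it runs: a reprogrammed device can detach and re-enumerate with a different descriptor at any time, so the check has to fire on every enumeration (hooking the hotplug path, as tools such as USBGuard do on Linux), and it can do nothing about a device that honestly claims to be a keyboard and simply types faster than a human.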

You can download the slides from the presentation here: https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf

Windows 7 NTFS bug allows any user to get admin privileges

(LiveHacking.Com) – A pair of security researchers, Gynvael Coldwind and Mateusz “j00ru” Jurczyk, have found a low-level bug in the Windows 7 NTFS driver that allows anyone with physical access to a machine to escalate their privileges to Administrator. Like something out of a spy movie, the pair crafted a specially formatted NTFS USB flash drive which, when Windows 7 mounts it, lets the local user start a command prompt as Administrator.

The local elevation-of-privilege vulnerability is in ntfs.sys and is caused by a NULL pointer dereference. To explore the robustness of the NTFS driver, the pair used a bit-flipping fuzzer, mutating valid filesystem images and mounting them, to see whether they could provoke any system crashes. After roughly 17 hours of fuzzing on a single laptop they found the access violation.
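The technique in the paragraph above, as an added example that is not the researchers' tool (theirs mutated whole NTFS images and mounted them on a real Windows kernel): a bit-flipping fuzzer in Python run against a tiny stand-in for the part of a filesystem driver that reads the NTFS boot sector. `parse_naive` trusts the on-disk geometry the way a driver that assumes a well-formed volume would; `parse_hardened` validates every field first. Both parsers, the boot-sector values and the crash classification (any exception other than a clean `ValueError` rejection counts as the "access violation") are assumptions of this example.

```python
import random
import struct

def make_boot_sector():
    """Constructed NTFS boot sector for a fictional 4 GB volume (sample data,
    not read from a real disk). Only the BPB fields the parsers use are set."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                    # jump instruction
    bs[3:11] = b"NTFS    "                       # OEM ID
    struct.pack_into("<H", bs, 0x0B, 512)        # bytes per sector
    bs[0x0D] = 8                                 # sectors per cluster (4 KB clusters)
    struct.pack_into("<Q", bs, 0x28, 8388607)    # total sectors
    struct.pack_into("<Q", bs, 0x30, 262144)     # $MFT start cluster
    struct.pack_into("<Q", bs, 0x38, 2)          # $MFTMirr start cluster
    bs[0x40] = 0xF6                              # clusters per file record: -10 => 2**10 = 1024 bytes
    bs[0x44] = 1                                 # clusters per index buffer
    bs[510], bs[511] = 0x55, 0xAA                # boot sector signature
    return bytes(bs)

BOOT_SECTOR = make_boot_sector()

def _read_geometry(bs):
    bps, = struct.unpack_from("<H", bs, 0x0B)
    spc = bs[0x0D]
    total_sectors, = struct.unpack_from("<Q", bs, 0x28)
    mft_cluster, = struct.unpack_from("<Q", bs, 0x30)
    cpfr, = struct.unpack_from("<b", bs, 0x40)   # signed: negative n means 2**(-n) bytes
    return bps, spc, total_sectors, mft_cluster, cpfr

def _layout(bps, spc, total_sectors, mft_cluster, record_size):
    cluster_size = bps * spc
    return {"mft_offset": mft_cluster * cluster_size,
            "record_size": record_size,
            "record_sectors": record_size // bps,      # divides by zero if bps == 0
            "total_clusters": total_sectors // spc}    # divides by zero if spc == 0

def parse_naive(bs):
    """Trusting parser: derives the volume layout straight from the on-disk fields."""
    bps, spc, total_sectors, mft_cluster, cpfr = _read_geometry(bs)
    record_size = (1 << -cpfr) if cpfr < 0 else cpfr * bps * spc
    return _layout(bps, spc, total_sectors, mft_cluster, record_size)

def parse_hardened(bs):
    """Same derivation, but malformed input is rejected with ValueError before
    it can reach the arithmetic."""
    if len(bs) < 512 or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, spc, total_sectors, mft_cluster, cpfr = _read_geometry(bs)
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError("bad bytes per sector")
    if spc == 0 or spc & (spc - 1):
        raise ValueError("sectors per cluster must be a power of two")
    if cpfr == 0 or cpfr < -16:
        raise ValueError("bad clusters per file record")
    record_size = (1 << -cpfr) if cpfr < 0 else cpfr * bps * spc
    if not bps <= record_size <= 65536:
        raise ValueError("file record size out of range")
    if mft_cluster * bps * spc + record_size > total_sectors * bps:
        raise ValueError("$MFT lies outside the volume")
    return _layout(bps, spc, total_sectors, mft_cluster, record_size)

def flip_bit(data, offset, bit):
    out = bytearray(data)
    out[offset] ^= 1 << bit
    return bytes(out)

def _run_case(target, case):
    """Return None for success or clean rejection, else the exception name."""
    try:
        target(case)
    except ValueError:
        return None                              # rejected cleanly: expected behaviour
    except Exception as exc:                     # anything else is our "access violation"
        return type(exc).__name__
    return None

def sweep_single_bit_flips(target, seed_image):
    """Deterministic stage: every single-bit mutation of the seed, tried once.
    Returns (byte_offset, bit, exception_name) for each crash found."""
    crashes = []
    for offset in range(len(seed_image)):
        for bit in range(8):
            name = _run_case(target, flip_bit(seed_image, offset, bit))
            if name:
                crashes.append((offset, bit, name))
    return crashes

def fuzz_random(target, seed_image, iterations, flips_per_case, seed=0):
    """Random stage: several flips per case, what a long campaign looks like."""
    rng = random.Random(seed)
    crashes = []
    for i in range(iterations):
        case = seed_image
        for _ in range(flips_per_case):
            case = flip_bit(case, rng.randrange(len(case)), rng.randrange(8))
        name = _run_case(target, case)
        if name:
            crashes.append((i, name))
    return crashes

if __name__ == "__main__":
    for label, target in (("naive", parse_naive), ("hardened", parse_hardened)):
        found = sweep_single_bit_flips(target, BOOT_SECTOR)
        print("%-9s single-bit sweep: %d crash(es) %s" % (label, len(found), found))
```

The single-bit sweep finds exactly the two fields the naive parser divides by (bytes per sector and sectors per cluster) within 4096 cases, while the hardened parser survives both stages; a driver-level harness replaces `_run_case` with "mount the image, watch for a bugcheck", which is why the real campaign took hours rather than milliseconds.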

From there, Mateusz “j00ru” Jurczyk was able to exploit the bug to write attacker-controlled data to arbitrary kernel memory. He then used a well-known privilege escalation payload, implemented using four official API functions, to start a new command prompt as Administrator.

This exploit has two immediate consequences:

  1. Anybody with physical access to a Windows 7 machine can start a privileged command prompt. From there all manner of actions can be taken, including installing malware, keyloggers and network monitors, or damaging the Windows installation. This means that shared computers in libraries, schools, universities and even workplaces are vulnerable to this exploit.
  2. It also shows that there are more bugs to be found in the NTFS driver, which is complex and still largely unexplored. These could provide new attack vectors for malware writers.

Microsoft was reportedly investigating a potential fix for “stability” purposes only, since the issue is considered low severity because physical access is needed.

Technical details on the bug and the exploit are available on both Coldwind’s and Jurczyk’s blogs. A video of the bug being exploited, “Windows 7 USB stick local+physical attack demo”, is also available.