September 20, 2014

Researchers at Black Hat conference demo USB’s fatal flaw

(LiveHacking.Com) – Security researchers Karsten Nohl and Jakob Lell have demonstrated how the controller firmware of ordinary USB devices can be reprogrammed so that a device infects a computer without the user’s knowledge.

During a presentation at the Black Hat security conference, and in a subsequent interview with the BBC, the pair raised serious questions about the future security of USB devices.

As part of the demo, a normal-looking smartphone was connected to a laptop, the kind of thing a friend or colleague might ask you to do so they can charge the device. But the smartphone had been modified to present itself to the laptop as a USB network card rather than a media device. Once the laptop accepted it as a network interface, software on the phone was able to redirect traffic for legitimate web sites to shadow servers that mimic the look and feel of the genuine sites but exist only to steal login credentials.

According to a blog entry posted by the pair, USB’s great versatility is also its Achilles heel. “Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” wrote the researchers.

The researchers, who work for Security Research Labs in Germany, gave a presentation at the Black Hat conference called “BadUSB — On accessories that turn evil.” Every USB device contains a micro-controller that the user never sees. It handles the USB protocol conversation with the host (e.g. a PC) and drives the actual hardware behind it. The firmware on these micro-controllers varies from device to device: webcams, keyboards, network interfaces, smartphones and flash drives all do different jobs, and their controller software is written accordingly.

Even so, the team managed to reverse engineer and reprogram the firmware on several different devices in under two months. With the firmware under their control, a device can be made to enumerate on the USB bus as something it is not.

During their Black Hat presentation, a standard-looking USB drive was inserted into a computer. Malicious firmware on the stick made the PC believe a keyboard had been plugged in. The fake keyboard then began typing commands, forcing the computer to download malware from the internet. No autorun or software exploit is involved: an operating system trusts keystrokes from anything that identifies itself as a keyboard.

Defences against this type of attack include code-signing of micro-controller firmware updates or disabling firmware changes in hardware. However, these must be implemented by the USB device makers and are not something that end users can enforce.
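The host only ever learns what a device is from the class codes in the descriptors the device’s firmware sends during enumeration, which is why a reprogrammed stick can “become” a keyboard or a network card. The following Python example is added here for illustration; it is not code from the page or from the researchers. It parses a USB configuration descriptor, lists the interface classes it declares, and flags any class that a device you expected to be a flash drive has no business exposing. The descriptor bytes are constructed inline for the test (real ones can be dumped with `lsusb -v` on Linux). Note the limit of such a host-side check: a device that cloned a legitimate keyboard’s descriptors entirely would pass it, which is the point made above about end users being unable to enforce a fix.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# USB descriptor types and the interface classes mentioned in the article.
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
CLASS_NAMES = {
    0x02: "CDC-Communications (network/serial control)",
    0x03: "HID (keyboard/mouse)",
    0x08: "Mass Storage",
    0x0A: "CDC-Data (network/serial data)",
    0x0E: "Video (webcam)",
}


@dataclass
class Interface:
    number: int
    cls: int
    subcls: int
    proto: int


def parse_interfaces(config: bytes) -> list[Interface]:
    """Walk a configuration descriptor blob and return the interfaces it declares.

    Every USB descriptor starts with bLength, bDescriptorType, so the walk is
    'read the length byte, jump that far'; unknown descriptor types are skipped.
    Only alternate setting 0 is reported, which is what the host binds by default."""
    if len(config) < 9 or config[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", config, 2)[0]
    if total_len > len(config):
        raise ValueError("wTotalLength exceeds buffer (truncated descriptor)")
    found: list[Interface] = []
    off = 0
    while off + 2 <= total_len:
        blen, btype = config[off], config[off + 1]
        if blen < 2 or off + blen > total_len:
            raise ValueError(f"bad bLength {blen} at offset {off}")
        if btype == DT_INTERFACE and blen >= 9:
            _, _, num, alt, _neps, cls, sub, proto, _ = struct.unpack_from("<9B", config, off)
            if alt == 0:
                found.append(Interface(num, cls, sub, proto))
        off += blen
    return found


def unexpected_classes(config: bytes, expected: set[int]) -> list[Interface]:
    """Policy check: interfaces whose class is not in the set we expect for this device."""
    return [i for i in parse_interfaces(config) if i.cls not in expected]


def build_config(interfaces: list[tuple[int, int, int]]) -> bytes:
    """Constructed test helper (not a real device dump): build a configuration
    descriptor from (class, subclass, protocol) triples, one IN endpoint each."""
    body = b""
    for n, (cls, sub, proto) in enumerate(interfaces):
        body += struct.pack("<9B", 9, DT_INTERFACE, n, 0, 1, cls, sub, proto, 0)
        body += struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x80 | (n + 1), 0x02, 64, 0)
    total = 9 + len(body)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, total, len(interfaces), 1, 0, 0x80, 50)
    return head + body


# Constructed samples: a benign flash drive (mass storage, SCSI transparent,
# bulk-only) and a "BadUSB" drive that additionally claims a boot-protocol keyboard.
BENIGN_DRIVE = build_config([(0x08, 0x06, 0x50)])
BADUSB_DRIVE = build_config([(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)])

if __name__ == "__main__":
    for name, cfg in (("benign", BENIGN_DRIVE), ("badusb", BADUSB_DRIVE)):
        for i in unexpected_classes(cfg, expected={0x08}):
            print(f"{name}: interface {i.number} claims class 0x{i.cls:02x} "
                  f"{CLASS_NAMES.get(i.cls, 'unknown')} (proto {i.proto})")
```

The parser rejects truncated input rather than reading past it, which matters because descriptors are attacker-supplied bytes; the same habit applies to any host-side USB stack.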

You can download the slides from the presentation here:

Windows 7 NTFS bug allows any user to get admin privileges

(LiveHacking.Com) – A pair of security researchers, Gynvael Coldwind and Mateusz “j00ru” Jurczyk, have found a low-level bug in the Windows 7 NTFS driver that allows anyone with physical access to a machine to escalate their privileges to Administrator. Like something out of a spy movie, the pair crafted a specially formatted NTFS USB flash drive which, when Windows 7 mounts it, lets the local user start a command prompt as Administrator.

The local elevation-of-privilege vulnerability is in ntfs.sys and is caused by a NULL pointer dereference. To test the robustness of the NTFS driver, the pair ran a bit-flipping fuzzer over filesystem images to see whether they could provoke system crashes. After roughly 17 hours of fuzzing on a single laptop they found the access violation.
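To make the fuzzing step concrete, here is an added Python example, written for this article and not the researchers’ own fuzzer, of the bit-flipping approach applied to a constructed NTFS boot sector. The field offsets follow the real on-disk $Boot layout, but `validate_boot_sector` is a toy stand-in for a driver’s mount-time checks (an assumption, not ntfs.sys) and does not reproduce the NULL dereference the pair found. What it shows is the loop itself: flip a few random bits in a seed image, hand the mutant to the target, and tally what was rejected versus accepted. In a real campaign the “accepted” mutants are the images you would actually mount on the driver, since they are the ones that got past the input checks.

```python
from __future__ import annotations
import random
import struct

SECTOR = 512


def ntfs_boot_sector(total_sectors: int = 0x3FFFFF, mft_lcn: int = 0x40000,
                     mftmirr_lcn: int = 2) -> bytes:
    """Constructed seed input: a minimal, internally consistent NTFS boot sector."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x52\x90"                  # x86 jump to bootstrap code
    s[3:11] = b"NTFS    "                     # OEM ID
    struct.pack_into("<H", s, 0x0B, 512)      # bytes per sector
    s[0x0D] = 8                               # sectors per cluster (4 KiB clusters)
    s[0x15] = 0xF8                            # media descriptor: fixed disk
    struct.pack_into("<H", s, 0x18, 63)       # sectors per track (legacy geometry)
    struct.pack_into("<H", s, 0x1A, 255)      # heads
    struct.pack_into("<I", s, 0x24, 0x80008000)
    struct.pack_into("<Q", s, 0x28, total_sectors)
    struct.pack_into("<Q", s, 0x30, mft_lcn)       # $MFT start cluster
    struct.pack_into("<Q", s, 0x38, mftmirr_lcn)   # $MFTMirr start cluster
    s[0x40] = 0xF6                            # clusters per MFT record: -10 => 2**10 bytes
    s[0x44] = 1                               # clusters per index buffer
    struct.pack_into("<Q", s, 0x48, 0x1234567890ABCDEF)  # volume serial number
    struct.pack_into("<H", s, 0x1FE, 0xAA55)  # boot sector signature
    return bytes(s)


def validate_boot_sector(s: bytes) -> str | None:
    """Toy stand-in for a driver's mount-time checks (an assumption, not ntfs.sys).

    Returns None if the sector is accepted, otherwise the name of the field that
    failed. Each check guards arithmetic a real driver performs later (cluster
    size, MFT location, record size); a flipped bit in one of these fields is
    exactly what turns into an out-of-range index or bad pointer if a check is missing."""
    if len(s) != SECTOR:
        return "length"
    if s[3:11] != b"NTFS    ":
        return "oem_id"
    if struct.unpack_from("<H", s, 0x1FE)[0] != 0xAA55:
        return "signature"
    bps = struct.unpack_from("<H", s, 0x0B)[0]
    if bps not in (256, 512, 1024, 2048, 4096):
        return "bytes_per_sector"
    spc = s[0x0D]
    if spc == 0 or spc & (spc - 1):           # must be a power of two
        return "sectors_per_cluster"
    clusters = struct.unpack_from("<Q", s, 0x28)[0] // spc
    if clusters == 0:
        return "total_sectors"
    mft, mirr = struct.unpack_from("<QQ", s, 0x30)
    if mft >= clusters or mirr >= clusters:
        return "mft_lcn"
    cpr = s[0x40]  # signed byte: negative n means 2**(-n) bytes, positive means n clusters
    record = 1 << (256 - cpr) if cpr >= 0x80 else cpr * bps * spc
    if record < 256 or record > 0x10000 or record & (record - 1):
        return "mft_record_size"
    return None


def flip_bit_at(data: bytes, byte_off: int, bit: int) -> bytes:
    """Deterministic single-bit flip, handy for reproducing one specific mutant."""
    buf = bytearray(data)
    buf[byte_off] ^= 1 << bit
    return bytes(buf)


def flip_bits(data: bytes, n: int, rng: random.Random) -> bytes:
    """Bit-flipping mutator: XOR n distinct, randomly chosen bits of the input."""
    buf = bytearray(data)
    for pos in rng.sample(range(len(data) * 8), n):
        buf[pos >> 3] ^= 1 << (pos & 7)
    return bytes(buf)


def fuzz(seed_img: bytes, iterations: int, flips_per_case: int = 1,
         rng_seed: int = 1) -> dict[str, int]:
    """Mutate-then-test loop. Tallies which check rejected each mutant; the
    'accepted' bucket is what you would go on to mount on the real target."""
    rng = random.Random(rng_seed)
    tally: dict[str, int] = {}
    for _ in range(iterations):
        verdict = validate_boot_sector(flip_bits(seed_img, flips_per_case, rng)) or "accepted"
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


if __name__ == "__main__":
    seed = ntfs_boot_sector()
    for field, count in sorted(fuzz(seed, 2000).items(), key=lambda kv: -kv[1]):
        print(f"{field:20s} {count}")
```

Most single flips land in the bootstrap code region and are accepted, which is why real campaigns run for hours and why the tally, not any one case, tells you where the parser’s checks are thin.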

From there, Mateusz “j00ru” Jurczyk was able to turn the bug into a write primitive that overwrites arbitrary kernel memory with attacker-controlled data. He then used a well-known privilege-escalation payload, implemented with four official API functions, to start a new command prompt as Administrator.

This exploit has two immediate consequences:

  1. Anybody with physical access to a Windows 7 machine can start a privileged command prompt and, from there, install malware, keyloggers or network monitors, or damage the Windows installation. This means that shared computers in libraries, schools, universities and even workplaces are exposed to this exploit.
  2. It also suggests that there are more bugs in the NTFS driver, which is complex and still largely unexplored, and that these could become new attack vectors for malware writers.

Microsoft was reportedly investigating a potential fix for “stability” purposes, as the issue was considered low severity on the grounds that physical access is needed.

Technical details on the bug and exploit were published on both Coldwind’s and Jurczyk’s blogs. A video of the bug being exploited is also available: Windows 7 USB stick local+physical attack demo