
USB Attacks: Fun with Plug and 0wn
Defcon 17
Rafael Dominguez Vega

2nd August 2009

A little about me...

rafael.dominguezvega[at]mwrinfosecurity[dot]com
http://labs.mwrinfosecurity.com

Main Objectives

Attacks & Impact
Bug Discovery
Driver Exploitation

What this talk will cover

USB for fun and profit
Fuzzing Techniques
Crash Debugging
Exploitation
Hardware Implementation

A few demos here and there....

Once upon a time...

USB Attacks

AutoRun (Conficker...)
Mislaid or Planted Devices
Driver Bugs

USB Attacks (cont.)

AutoRun Disabled
Encrypted USB Pen Drives
USB Bus Disabled

How Pwnies at home became Research...

There was a problem target (a client)
Hardware/Software Testing
New Feature USB port implemented

USB Driver Testing

Black Box Testing
White Box Testing

And of course... Beer Based Testing!

USB Technical Background

USB Communication
Enumeration
Descriptors
Other protocols

Enumeration

Device Identification
Automatic
Descriptors Sent

Descriptors

Device Descriptor
Configuration Descriptor
Interface Descriptor
Endpoint Descriptor
String Descriptor

Device Descriptor

const USB_DEVICE_DESCRIPTOR DeviceDescriptor = {
    sizeof(USB_DEVICE_DESCRIPTOR), /* bLength */
    TYPE_DEVICE_DESCRIPTOR,        /* bDescriptorType */
    0x0110,                        /* bcdUSB USB Version 1.1 */
    0,                             /* bDeviceClass */
    0,                             /* bDeviceSubclass */
    0,                             /* bDeviceProtocol */
    8,                             /* bMaxPacketSize 8 Bytes */
    0xBEEF,                        /* idVendor */
    0x1337,                        /* idProduct */
    0x0000,                        /* bcdDevice */
    1,                             /* iManufacturer String Index */
    0,                             /* iProduct String Index */
    0,                             /* iSerialNumber String Index */
    1                              /* bNumberConfigurations */
};

Refer. Microchip Technology Inc. Low Pin Count USB Development Kit User's Guide

String Descriptor

// Manufacturer string descriptor
ROM struct { BYTE bLength; BYTE bDscType; WORD string[12]; } sd002 = {
    sizeof(sd002), USB_DESCRIPTOR_STRING,
    { 'M','A','N','U','F','A','C','T','U','R','E','R' }
};

// Product string descriptor
ROM struct { BYTE bLength; BYTE bDscType; WORD string[7]; } sd003 = {
    sizeof(sd003), USB_DESCRIPTOR_STRING,
    { 'P','R','O','D','U','C','T' }
};

Refer. Microchip Technology Inc. Low Pin Count USB Development Kit User's Guide

USB Driver Fuzzing

Real hardware (Expensive)
Virtualised (QEMU)
USB over IP (WCPGW)
Hardware Fuzzer (It's cool :P)

QEMU Testing

Open Source
Machine Emulator & Virtualiser
USB Emulation

QEMU Testing (cont.)

QEMU Testing (cont. II)

Advantages

Quick Start Up
Low Resources
Oops doesn't trash hardware.

Disadvantages

Fuzzing Engine
Recompile

USB over IP Fuzzing

USB/IP
Encapsulate USB packets
IP Headers

USB over IP Fuzzing (cont.)

USB over IP Fuzzing (cont. II)

Advantages

Fuzzing Engine

Disadvantages

Reliance on the software

Hardware Fuzzer

More Reliable
Much cooler!
Directly Fuzzing using Hardware
Man in the middle

Longer Term Project

Linux USB Driver Bug

Linux USB Driver Bug (cont.)

vegasgirl.c
Buffer Overflow
tom_dick_and_harry function
Enumeration Phase
String Descriptor

Linux USB Driver Bug (cont. II)

Element of Device Structure
usb_string function
Overwrite other elements of structure
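
The bug class outlined on this slide, seen from the defender's side as an added example (not code from the talk or from the Linux kernel): a string descriptor conversion that bounds the copy by the size of the destination field. It assumes the overflow comes from copying a device-supplied string into a fixed-size structure element without that bound; struct demo_dev, string_desc_to_ascii and the sample descriptor are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define USB_DT_STRING 0x03  /* bDescriptorType for string descriptors */

/* Hypothetical driver state: fixed-size name field followed by other members. */
struct demo_dev {
    char name[16];
    uint32_t guard;  /* stands in for the "other elements of structure" */
};

/* Convert a raw string descriptor (bLength, bDescriptorType, UTF-16LE data) to a
 * NUL-terminated ASCII string. Returns chars stored, or -1 if malformed. */
int string_desc_to_ascii(const uint8_t *desc, size_t desc_len, char *dst, size_t dst_size)
{
    if (!desc || !dst || dst_size == 0 || desc_len < 2)
        return -1;
    size_t blen = desc[0];
    if (desc[1] != USB_DT_STRING || blen < 2 || blen > desc_len)
        return -1;  /* wrong type, or bLength claims more than was received */
    size_t n = (blen - 2) / 2;               /* UTF-16 code units the device sent */
    if (n > dst_size - 1) n = dst_size - 1;  /* bound by the destination, not the device */
    for (size_t i = 0; i < n; i++) {
        uint16_t c = (uint16_t)(desc[2 + 2 * i] | (desc[3 + 2 * i] << 8));
        dst[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    dst[n] = '\0';
    return (int)n;
}

/* Constructed sample: a device reporting a 40-character manufacturer string. */
int demo_long_descriptor(struct demo_dev *d)
{
    uint8_t desc[2 + 2 * 40];
    desc[0] = (uint8_t)sizeof(desc);
    desc[1] = USB_DT_STRING;
    for (size_t i = 0; i < 40; i++) { desc[2 + 2 * i] = 'A'; desc[3 + 2 * i] = 0; }
    d->guard = 0xC0FFEEu;
    return string_desc_to_ascii(desc, sizeof(desc), d->name, sizeof(d->name));
}

int main(void)
{
    struct demo_dev d;
    int n = demo_long_descriptor(&d);
    printf("stored=%d name=%s guard=0x%X\n", n, d.name, (unsigned)d.guard);
    return 0;
}
```

The over-long descriptor is truncated to fit name, and the neighbouring guard member keeps its value.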



Kernel Crash Demo

Crash Analysis

GDB
Crash Utility
KGDB

KGDB (cont.)

Hardware Implementation

PIC18 Family Microcontroller
Malicious VegasGirl Device
Flash Microcontroller with Shellcode

Exploit Driver Bug

PIC18F14K50

Crash Analysis & Exploit Demo

Recommendations

Disable not required USB drivers
Security Test USB Drivers
Assess USB Risks

References & Further Reading

USB Official Site http://www.usb.org/
Linux USB http://www.linuxusb.org/
Microchip Technology Inc. http://www.microchip.com/
Microchip Technology Inc.: Low Pin Count USB Development Kit User's Guide; PIC18F13K50/14K50 Data Sheet
Beyond Logic http://www.beyondlogic.org/
USB Design by Example: A Practical Guide to Building I/O Devices (Intel University Press) by John Hyde

References & Further Reading (cont.)

QEMU http://www.qemu.org/
USB/IP http://usbip.sourceforge.net/
White Paper: Red Hat Crash Utility http://people.redhat.com/anderson/crash_whitepaper/
KGDB: Linux Kernel Source Level Debugger http://kgdb.linsyssoft.com/
Evaluating Security Aspects of the Universal Serial Bus http://www.informatik.unihamburg.de/SVS/archiv/slides/090113 OSJodeitEvaluating_Security_Aspects_of_USB.pdf

http://labs.mwrinfosecurity.com

I'll get by with a little help from my friends...