Defcon 17 Rafael Vega Usb Attacks
8/3/2019 Defcon 17 Rafael Vega Usb Attacks
USB Attacks: Fun with Plug and 0wn
Defcon 17
Rafael Dominguez Vega
2nd August 2009
-
A little about me ...
rafael.dominguez-vega[at]mwrinfosecurity[dot]com
http://labs.mwrinfosecurity.com
-
Main Objectives
Attacks & Impact
Bug Discovery
Driver Exploitation
-
What this talk will cover
USB for fun and profit
Fuzzing Techniques
Crash Debugging
Exploitation
Hardware Implementation
A few demos here and there....
-
Once upon a time ...
-
USB Attacks
AutoRun (Conficker...)
Mislaid or Planted Devices
Driver Bugs
-
USB Attacks (cont.)
AutoRun Disabled
Encrypted USB Pen Drives
USB Bus Disabled
-
How Pwnies at home became Research...
There was a problem target (a client)
Hardware/Software Testing
New Feature USB port implemented
-
USB Driver Testing
Black Box Testing
White Box Testing
-
And of course... Beer Based Testing!
-
USB Technical Background
USB Communication
Enumeration
Descriptors
Other protocols
-
Enumeration
Device Identification
Automatic
Descriptors Sent
-
Descriptors
Device Descriptor
Configuration Descriptor
Interface Descriptor
Endpoint Descriptor
String Descriptor
-
Device Descriptor
const USB_DEVICE_DESCRIPTOR DeviceDescriptor = {
    sizeof(USB_DEVICE_DESCRIPTOR), /* bLength */
    TYPE_DEVICE_DESCRIPTOR,        /* bDescriptorType */
    0x0110,                        /* bcdUSB USB Version 1.1 */
    0,                             /* bDeviceClass */
    0,                             /* bDeviceSubclass */
    0,                             /* bDeviceProtocol */
    8,                             /* bMaxPacketSize 8 Bytes */
    0xBEEF,                        /* idVendor */
    0x1337,                        /* idProduct */
    0x0000,                        /* bcdDevice */
    1,                             /* iManufacturer String Index */
    0,                             /* iProduct String Index */
    0,                             /* iSerialNumber String Index */
    1                              /* bNumberConfigurations */
};
Reference: Microchip Technology Inc., Low Pin Count USB Development Kit User's Guide
-
String Descriptor
//Manufacturer string descriptor
ROM struct{BYTE bLength;BYTE bDscType;WORD string[12];}sd002={
    sizeof(sd002),USB_DESCRIPTOR_STRING,
    {'M','A','N','U','F','A','C','T','U','R','E','R'}};

//Product string descriptor
ROM struct{BYTE bLength;BYTE bDscType;WORD string[7];}sd003={
    sizeof(sd003),USB_DESCRIPTOR_STRING,
    {'P','R','O','D','U','C','T'}};
Reference: Microchip Technology Inc., Low Pin Count USB Development Kit User's Guide
-
USB Driver Fuzzing
Real hardware (Expensive)
Virtualised (QEMU)
USB over IP (WCPGW)
Hardware Fuzzer (It's cool :-P)
-
QEMU Testing
Open Source
Machine Emulator & Virtualiser
USB Emulation
-
QEMU Testing (cont.)
-
QEMU Testing (cont. II)
Advantages
Quick Start Up
Low Resources
Oops doesn't trash hardware.
Disadvantages
Fuzzing Engine
Re-compile
-
USB over IP Fuzzing
USB/IP
Encapsulate USB packets
IP Headers
-
USB over IP Fuzzing (cont.)
-
USB over IP Fuzzing (cont. II)
Advantages
Fuzzing Engine
Disadvantages
Reliance on the software
-
Hardware Fuzzer
More Reliable
Much cooler!
Directly Fuzzing using Hardware
Man-in-the-middle
Longer Term Project
-
Linux USB Driver Bug
-
Linux USB Driver Bug (cont. II)
Element of Device Structure
usb_string function
Overwrite other elements of structure
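A bounded version of the copy these slides describe, as an added example rather than code from the talk or from the Linux kernel: a string descriptor is converted into a fixed-size element of a device structure without touching the elements after it. struct toy_dev, desc_to_ascii and make_desc are hypothetical names, and the descriptor bytes are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define USB_DT_STRING 0x03          /* bDescriptorType of a string descriptor */

/* Hypothetical device structure: a fixed-size name element followed by
 * another element that an unbounded copy would overwrite. */
struct toy_dev { char name[16]; uint32_t flags; };

/* Convert a raw string descriptor (bLength, bDescriptorType, UTF-16LE
 * payload) into ASCII, writing at most dst_size bytes including the NUL.
 * Returns the number of characters stored, or -1 if it is malformed. */
int desc_to_ascii(const uint8_t *desc, size_t got, char *dst, size_t dst_size)
{
    if (dst_size == 0 || got < 2)
        return -1;
    size_t blen = desc[0];                    /* length claimed by the device */
    if (desc[1] != USB_DT_STRING || blen < 2 || (blen & 1) || blen > got)
        return -1;                            /* wrong type, odd or overlong */
    size_t nchars = (blen - 2) / 2;
    if (nchars > dst_size - 1)
        nchars = dst_size - 1;                /* truncate to the destination */
    for (size_t i = 0; i < nchars; i++) {
        uint16_t cu = (uint16_t)(desc[2 + 2 * i] | (desc[3 + 2 * i] << 8));
        dst[i] = (cu >= 0x20 && cu < 0x7f) ? (char)cu : '?';
    }
    dst[nchars] = '\0';
    return (int)nchars;
}

/* Constructed sample input: a descriptor of n 'A' characters (n <= 126). */
size_t make_desc(uint8_t *buf, size_t n)
{
    memset(buf, 0, 2 + 2 * n);
    buf[0] = (uint8_t)(2 + 2 * n);
    buf[1] = USB_DT_STRING;
    for (size_t i = 0; i < n; i++)
        buf[2 + 2 * i] = 'A';
    return 2 + 2 * n;
}

/* A 100-character descriptor against the 16-byte name element. */
int oversized_name_is_contained(void)
{
    uint8_t d[256];
    struct toy_dev dev = { "", 0xC0FFEEu };
    int n = desc_to_ascii(d, make_desc(d, 100), dev.name, sizeof dev.name);
    return n == 15 && dev.name[15] == '\0' && dev.flags == 0xC0FFEEu;
}
```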
-
Kernel Crash Demo
-
Crash Analysis
GDB
Crash Utility
KGDB
-
KGDB (cont.)
-
Hardware Implementation
PIC18 Family Microcontroller
Malicious VegasGirl Device
Flash Microcontroller with Shellcode
Exploit Driver Bug
-
PIC18F14K50
-
Crash Analysis & Exploit - Demo
-
Recommendations
Disable USB drivers that are not required
Security Test USB Drivers
Assess USB Risks
-
References & Further Reading
USB Official Site
http://www.usb.org/
Linux USB
http://www.linux-usb.org/
Microchip Technology Inc.
http://www.microchip.com/
Microchip Technology Inc.
Low Pin Count USB Development Kit User's Guide
PIC18F13K50/14K50 Data Sheet
Beyond Logic
http://www.beyondlogic.org/
USB Design by Example: A Practical Guide to Building I/O Devices (Intel University Press) by John Hyde
-
References & Further Reading (cont.)
QEMU
http://www.qemu.org/
USB/IP
http://usbip.sourceforge.net/
White Paper: Red Hat Crash Utility
http://people.redhat.com/anderson/crash_whitepaper/
KGDB: Linux Kernel Source Level Debugger
http://kgdb.linsyssoft.com/
Evaluating Security Aspects of the Universal Serial Bus
http://www.informatik.uni-hamburg.de/SVS/archiv/slides/09-01-13-OS-Jodeit-Evaluating_Security_Aspects_of_USB.pdf
-
http://labs.mwrinfosecurity.com
-
I'll get by with a little help from my friends...