Linked by Thom Holwerda on Sat 23rd Jul 2005 16:54 UTC
Privacy, Security, Encryption

Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device, according to an executive from SPI Dynamics, which discovered the security hole. SPI tested its attacks on Windows systems, but any operating system that is USB-compliant is probably vulnerable.
Vulnerable
by Luke McCarthy on Sat 23rd Jul 2005 17:03 UTC
Luke McCarthy
Member since:
2005-07-06

How can other OSes be vulnerable because Windows' USB drivers have a buffer overflow bug in them? The article is light on details.

Reply Score: 5

RE: Vulnerable
by ryan on Sat 23rd Jul 2005 18:41 UTC in reply to "Vulnerable"
ryan Member since:
2005-07-06

As far as I can gather it, the implication is that if any bug can be found in any device driver, you can spoof the USB device type to exploit that device driver bug. Right now they tested it with the weak drivers in Windows XP, but theoretically any OS that has a single poorly written USB device driver will be vulnerable to this kind of spoofing.

Reply Score: 1

RE[2]: Vulnerable
by Anonymous on Sun 24th Jul 2005 12:28 UTC in reply to "RE: Vulnerable"
Anonymous Member since:
---

> As far as I can gather it, the implication is that if any bug can be found in any device driver, you can spoof the USB device type to exploit that device driver bug. Right now they tested it with the weak drivers in Windows XP, but theoretically any OS that has a single poorly written USB device driver will be vulnerable to this kind of spoofing.
You *KNOW* this is total bullshit, don't you? But then I don't expect anything less from OSNews anyway.

Reply Score: 0

RE[3]: Vulnerable
by Anonymous on Sun 24th Jul 2005 13:09 UTC in reply to "RE[2]: Vulnerable"
Anonymous Member since:
---

> You *KNOW* this is total bullshit, don't you? But then
> I don't expect anything less from OSNews anyway.

Could you explain why? It sounds very reasonable - unless you know for sure that no driver has a vulnerability.

Reply Score: 0

Or ...
by Anonymous on Sat 23rd Jul 2005 17:03 UTC
Anonymous
Member since:
---

They could simply boot off a CD that supports NTFS and access the files that way. Of course, you can't take control over a PC like that, unless you could copy some file onto the hard drive, put a shortcut to it in the Startup folder, and then remote control it.

Reply Score: 0

RE: Or ...
by renox on Sat 23rd Jul 2005 21:19 UTC in reply to "Or ..."
renox Member since:
2005-07-06

Only if the BIOS of the PC is configured to allow booting from a CD, and if the hospital is so paranoid about security, the BIOS is probably password protected, the PC cases are locked and the PCs themselves are fixed (locked in place by a cable).

Granted, as long as you have physical access to a PC you can probably avoid those protections, but this is not so easy.

Reply Score: 1

So...
by Anonymous on Sat 23rd Jul 2005 17:24 UTC
Anonymous
Member since:
---

So we've learnt that some 3rd party USB drivers are poorly written. Strangely enough that doesn't rate as the revelation of the decade.

USB drivers running in ring 0 in a monolithic kernel. Wow, who would have thought it?

Basically if you allow someone physical access to the machine you're screwed, end of story. With physical access and enough time everything from the BIOS password to an encrypted filesystem can be ripped apart.

USB vulnerability is forgivable, the bluetooth vulnerability in mobiles wasn't.

Reply Score: 5

RE: So...
by Thom_Holwerda on Sat 23rd Jul 2005 17:36 UTC in reply to "So..."
Thom_Holwerda Member since:
2005-06-29

USB drivers running in ring 0 in a monolithic kernel. Wow, who would have thought it?

For the sake of correctness, Windows' kernel isn't monolithic. The NT kernel is a hybrid kernel (it started out as a pure microkernel btw, in the very, very early days), like the Mach kernel used by OS X.

Linux is monolithic.

Reply Score: 5

RE[2]: So...
by Luke McCarthy on Sat 23rd Jul 2005 17:58 UTC in reply to "RE: So..."
Luke McCarthy Member since:
2005-07-06

But your point is irrelevant since drivers in Windows NT still run within the kernel with the system privilege level, even if they are loaded as modules.

Reply Score: 1

RE[3]: So...
by Thom_Holwerda on Sat 23rd Jul 2005 18:30 UTC in reply to "RE[2]: So..."
Thom_Holwerda Member since:
2005-06-29

But your point is irrelevant since drivers in Windows NT still run within the kernel with the system privilege level, even if they are loaded as modules.

I wasn't contradicting your point, just correcting you.

Reply Score: 5

RE[4]: So...
by Luke McCarthy on Sun 24th Jul 2005 19:13 UTC in reply to "RE[3]: So..."
Luke McCarthy Member since:
2005-07-06

I wasn't contradicting your point, just correcting you.

Twasn't me who posted the original post ;-)

Reply Score: 1

I don't get this...
by 1c3d0g on Sat 23rd Jul 2005 17:24 UTC
1c3d0g
Member since:
2005-07-06

"Standards developed by the USB Implementers Forum Inc., the nonprofit corporation that governs USB, don't consider security, he said."

What the hell?! Why not? In this day and age, I find it very hard to believe that nobody at the USB Implementers Forum thought about the possibility of buffer overflows and the like being exploited, which could be used maliciously by some people out there. This really is a sad state of affairs and it needs to be seriously addressed by the forum.

Reply Score: 3

Re: I don't get this...
by smitty_one_each on Sat 23rd Jul 2005 17:39 UTC
smitty_one_each
Member since:
2005-07-07

To paraphrase a /.-ism:
1. Profit!!!
2. ???
3. Security.

Reply Score: 1

Anonymous
Member since:
---

2. USB devices can destroy your motherboard....

Reply Score: 0

USB Devices Can Crack Operating Systems
by Anonymous on Sat 23rd Jul 2005 18:27 UTC
Anonymous
Member since:
---

You know what else can crack operating systems? Floppy disks. Oh and cdroms. The USB device is not unique in this situation.

Reply Score: 0

RE[4]: So...
by Anonymous on Sat 23rd Jul 2005 18:38 UTC
Anonymous
Member since:
---

Besides, MS long ago dumped their "hybrid" design because it didn't perform. NT and later is now a monolithic kernel in the traditional sense.

Reply Score: 0

RE[5]: So... (kernel design)
by Anonymous on Sat 23rd Jul 2005 20:50 UTC in reply to "RE[4]: So..."
Anonymous Member since:
---

Actually the NT/XP/Vista/....

Are based on the NT 4.x kernel series of course, which in turn was designed by a former VMS kernel designer. It is (by design) a microkernel; however, due to the way it utilizes the various drivers and their supporting libraries, it is more like a hybrid between a monolithic and a microkernel.

Irrespective of its exact design intent, it's still a single-user POS that doesn't belong anywhere near a business or home PC.


Just my 2 cents,


Nick

Reply Score: 0

RE[6]: So... (kernel design)
by n4cer on Sat 23rd Jul 2005 23:20 UTC in reply to "RE[5]: So... (kernel design) "
n4cer Member since:
2005-07-06

NT is multi-user.
Vista moves a lot of stuff back to user mode.

Reply Score: 1

RE[7]: So... (kernel design)
by Anonymous on Sun 24th Jul 2005 01:39 UTC in reply to "RE[6]: So... (kernel design) "
Anonymous Member since:
---

Ahh no. There is currently no Microsoft OS that is multi-user. Microsoft themselves will tell you that.

Multi-usability must be emulated via profiles and virtual desktop emulation ala citrix etc.

The kernel is NOT multi-user.

Trust me or don't (I'm a kernel guy by the way) and feel free to ask around, or google my name "Nicholas Donovan"

Or, ask on the kernel lists and they will confirm what I've told you.


Cheers,

Nick

Reply Score: 0

RE[8]: So... (kernel design)
by Anonymous on Sun 24th Jul 2005 01:48 UTC in reply to "RE[7]: So... (kernel design) "
Anonymous Member since:
---

Ok, I'm going to be harsh here:
Great, you post anonymously on a security related thread, throw a name around and expect us to believe you?
At least PGP signing your post with a verifiable key might be a beginning of trust.
Don't take it personally, I'm no authority when it comes to security or kernel topics, but it seems obvious to me that you have to back up your claims somehow.

Reply Score: 0

RE[9]: So... (kernel design)
by Anonymous on Sun 24th Jul 2005 01:52 UTC in reply to "RE[8]: So... (kernel design) "
Anonymous Member since:
---

Well ok I was really harsh, and after reading your post again, you don't make it so authoritative as I'm implying in my previous post. Still, your name doesn't bring anything to your arguing without being certified somehow.

Reply Score: 0

RE[10]: So... (kernel design)
by Anonymous on Sun 24th Jul 2005 02:36 UTC in reply to "RE[9]: So... (kernel design) "
Anonymous Member since:
---

Feel free to view my multiple threads at LinuxToday or you can view my name as one of the main contributors to the John Kirch 'Unix vs. Windows NT' website.

I've written for CIO Magazine, and have several articles online. (If you google you'll find a few of them I'm sure)

I'm currently the CEO of Ioni Systems and give regular talks at the large Dallas Unix/Linux Users Group in Irving (Las Colinas).

My specialty was originally real-time OS; however, my company's focus now is Unix and services for Unix.

Now you know who I am. Hi!

Now back to eating dinner before my wife yells at me to get off the computer! ;-)


Cheers,

Nick

Reply Score: 0

RE[11]: So... (kernel design)
by Anonymous on Sun 24th Jul 2005 09:16 UTC in reply to "RE[10]: So... (kernel design) "
Anonymous Member since:
---

> Feel free to view my multiple threads at LinuxToday
> or you can view my name as one of the main
> contributors to the John Kirch 'Unix vs. Windows NT' website.

John Kirch's website no longer exists, and in any case you were not listed as a main contributor in Kirch's (rather old) paper, but in the last batch of acknowledgments... the one for minor contributors.

> I've written for CIO Magazine, and have several articles
> online. (If you google you'll find a few of them I'm sure)

Googling for Nicholas Donovan only produces a handful of results, all of them just user comments on some other people's articles.

> I'm currently the CEO of Ioni Systems and give regular
> talks at the large Dallas Unix/Linux Users Group in
> Irving (Las Colinas).

The amount of Google hits on "Ioni Systems" from Dallas is even smaller than those referring to you.

> My specialty was originally real-time OS; however, my
> company's focus now is Unix and services for Unix.
>
> Now you know who I am. Hi!

Someone rather pompous.

> Cheers,

Cheers

Reply Score: 0

RE[11]: So... (kernel design)
by Anonymous on Sun 24th Jul 2005 13:28 UTC in reply to "RE[10]: So... (kernel design) "
Anonymous Member since:
---

"Now you know who I am." No we don't. The whole point is that you could be someone claiming to be Nick Donovan. Even assuming Nick Donovan is an authority, that doesn't mean *you* are, since we don't know who you are. "Still, your name doesn't bring anything to your arguing without being certified somehow" seems pretty straightforward.

Reply Score: 0

RE[11]: So... (kernel design)
by sbergman27 on Mon 25th Jul 2005 14:57 UTC in reply to "RE[10]: So... (kernel design) "
sbergman27 Member since:
2005-07-24

Hey Nick,

This is off-topic for here and I apologize for that. But many of us old LinuxToday readers moved to Dave Whitinger's current Linux site at http://www.lxer.com back when LT started pushing MS's "Get The Facts" campaign.

I don't think I've seen you there. I think you would enjoy it and I'm sure you would be very welcome.

Good to hear from you again!

-Steve Bergman

Reply Score: 1

RE[8]: So... (kernel design)
by n4cer on Sun 24th Jul 2005 05:18 UTC in reply to "RE[7]: So... (kernel design) "
n4cer Member since:
2005-07-06

You are right for the most part. The technology, multi-user kernel extensions, was integrated into the kernel for Windows 2000 Server. I'm not sure exactly what changes (if any) were made to the multi-user model but there were overhead reductions. I've found almost no info on the extensions online. SFU on Windows uses the UNIX model.

Reply Score: 1

Shitty OS with endless vulnerabilities
by Anonymous on Sat 23rd Jul 2005 20:42 UTC
Anonymous
Member since:
---

IMO it should be illegal to use Windows.

Reply Score: 0

CrazyDude0 Member since:
2005-07-10

Please enlighten me, how does this make Windows shitty? If I have physical access to a Linux box, I can screw it up in an equal number of ways ;)

Reply Score: 1

Anonymous
Member since:
---

"..any operating system that is USB-compliant is probably vulnerable."
I'm very curious about all those operating systems that could be in danger like that. Maybe all using Windows USB drivers? Wow, unbelievable. What windows-anti-discrimination tendencies are we facing now? I read: Sorry guys, we found some vulnerability, please forgive us, yes it's only Windows again, but let's assume that no other OS is safe anyway.

Reply Score: 0

Re: Re: So
by l3v1 on Sat 23rd Jul 2005 21:20 UTC
l3v1
Member since:
2005-07-06

it started out as a pure microkernel btw

Right, so how does it matter? Even the NT4 series had lost its "microkernelism", and later "improvements" just got them farther away. The whole point being, in fact, pointless.

Anyway, as others have stated above, if your security is that high that anyone can walk up to the machine you're trying to protect so hard and stick things in it, you're screwed anyway. Nothing on this planet can save you from that point on.

Reply Score: 1

USB devices include cpu too
by transputer_guy on Sat 23rd Jul 2005 22:26 UTC
transputer_guy
Member since:
2005-07-08

Many USB devices include a hardware controller that might include an 8051 or other low cost cpu or a state machine.

If an engineer were to recode the firmware then it's possible (likely to be very difficult since it would be in ROM) the USB spec could be violated and maybe that would be enough to induce the host-side buffer overflow on any OS.

Then again you could do the same thing with any hardware device that plugs into a PCI or IDE port, but that's getting ridiculous.

A simple screwdriver is more than enough to get at the goods.

As for janitors, in the old days when PCs were wimpy and workstations had the muscle, you would hear stories of whole departments having their DIMMs stolen.

Reply Score: 1

This "Vulnerability" is Lame...
by Anonymous on Sun 24th Jul 2005 00:46 UTC
Anonymous
Member since:
---

Requiring physical access to the machine. If somebody has that, they already 0wn you. Doesn't matter what OS you're using. As long as somebody can boot from some device, you're toast.

Reply Score: 0

Anonymous
Member since:
---

You're woefully behind the times.

Windows Vista implements a large number of changes to its driver model to address concerns with kernel mode drivers.

http://www.activewin.com/longhorn/thestateoflonghorn.shtml

Find a new axe to grind.

Reply Score: 0

Physical Security.
by Anonymous on Sun 24th Jul 2005 01:24 UTC
Anonymous
Member since:
---

Hmmm, interesting, but as Microsoft, or anyone with a bit of security knowledge can tell you, the first layer of security is PHYSICAL security.

If you have physical access to the machine (and how are you going to plug in a USB device if you don't?) you can break ANY security running on it. Either by rebooting it from a different media, opening the case and removing drives etc.

Still, it's an interesting story, but not really earth-shattering.

Reply Score: 0

RE: Physical Security.
by Deletomn on Sun 24th Jul 2005 04:07 UTC in reply to "Physical Security."
Deletomn Member since:
2005-07-06

Actually... The issue is a little bigger than it sounds like.

First of all... Some people do a pretty darn good job of securing their computers, covering almost every angle, but leave the USB ports accessible.

And second... There are converters that allow USB devices to work over the network, I've never worked with one myself, but I have to wonder what effect this has on security when you combine it with this information.

(For example, you could try plugging a modified USB device into a converter that's already set up, or find a jack into the network and set up your own converter along with a modified USB device)

Reply Score: 1

Well...
by Anonymous on Sun 24th Jul 2005 02:27 UTC
Anonymous
Member since:
---

I use FreeBSD...
Well, yes, perhaps connecting a USB thingy (my stupid near-USB-compliant Nokia cell phone, for example) may crash this machine, but I don't think anyone can go any farther than that. Oh and by the way, if they've got physical access to my machine the least I'll be worrying about is USB buffer overflows.... or maybe not. Nobody knows FreeBSD around here ;)

Reply Score: 0

This is nonsense
by Anonymous on Sun 24th Jul 2005 06:34 UTC
Anonymous
Member since:
---

How many regular users actually have a password for their BIOS? Because if you don't protect BIOS with a password, anyone with physical access to your computer is able to clean your drives without much effort. In fact, even that's not enough, because the "burglar" could just open the computer case and reset the BIOS settings. So you'll have to lock your computer, AND use a good BIOS password in order to be safe. No USB required. Just Knoppix.

Reply Score: 0

Physical access
by CrazyDude0 on Sun 24th Jul 2005 08:01 UTC
CrazyDude0
Member since:
2005-07-10

Geez, you need physical access for this exploit. If you've got physical access to a computer you can do much more. Boot off a CD, replace explorer.exe with a trojan explorer.exe and yes, you have all the access you want.

I agree there might be a bug in the stack but a bug which requires physical access and special device is not a big threat.

Reply Score: 1

Their claim...
by Anonymous on Sun 24th Jul 2005 11:05 UTC
Anonymous
Member since:
---

Their claim that "Any operating system that is USB-compliant is probably vulnerable" is explained in the article:

On any operating system, there are probably a lot of USB drivers installed (though personally I only compile the ones I need into my Linux kernel, but granted Jack Linux User probably doesn't). In all likelihood, one of those drivers will have a buffer overflow problem. That's reasonable to believe.

Now their problem with the `USB architecture' is that: an attacker who knows of a vulnerability in a USB device driver can program one USB device—say a portable memory stick—to pose as the kind of device that uses the vulnerable driver, then plug the device into the host system and trigger the exploit when the host system loads the flawed driver, said Darrin Barrall, another SPI researcher.

So even if you don't have a `Device Foo', you can hack it to act as Device Foo and exploit the buffer overflow for Device Foo (which you don't physically have).

In other words: they have a slight point, and blow it up to make pompous claims.

I checked out the website of "SPI Dynamics", expecting them to offer some commercial solution to this `problem'. Surprisingly, they don't seem to.

Reply Score: 0
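The mechanism ryan's reply and the post above describe, as an added illustration (not SPI Dynamics' code or anything from the article): the host chooses a driver purely from the vendor/product ids the device reports in its descriptor, so a device re-programmed to report "Device Foo" ids gets Device Foo's driver bound, and a per-workstation allowlist is one way a defender keeps unexpected devices away from a flawed driver. The driver table, ids, driver names and descriptor bytes are all constructed for the example.

```python
import struct
from typing import NamedTuple, Optional

# USB 2.0 spec 9.6.1: standard device descriptor, 18 bytes, little-endian.
_DEV_DESC = struct.Struct("<BBHBBBBHHHBBBB")

class DeviceDescriptor(NamedTuple):
    dev_class: int   # bDeviceClass
    vendor_id: int   # idVendor
    product_id: int  # idProduct

def parse_device_descriptor(raw: bytes) -> DeviceDescriptor:
    """Decode the descriptor a device sends during enumeration. Every
    field is reported by the device itself, so none of it is trustworthy."""
    if len(raw) < _DEV_DESC.size:
        raise ValueError("descriptor too short")
    f = _DEV_DESC.unpack_from(raw)
    if f[0] != _DEV_DESC.size or f[1] != 0x01:   # bLength, bDescriptorType
        raise ValueError("not a standard device descriptor")
    return DeviceDescriptor(dev_class=f[3], vendor_id=f[7], product_id=f[8])

# Constructed host-side match table (hypothetical ids and driver names):
# the host picks a driver purely from the (idVendor, idProduct) the device claims.
DRIVER_TABLE = {
    (0x0781, 0x5567): "usb-storage",          # an ordinary memory stick
    (0x1234, 0xBEEF): "foocam (known bug)",   # "Device Foo" with a flawed driver
}

def select_driver(desc: DeviceDescriptor) -> Optional[str]:
    return DRIVER_TABLE.get((desc.vendor_id, desc.product_id))

def bind_with_policy(desc: DeviceDescriptor, allowlist) -> Optional[str]:
    """Mitigation for a locked workstation: load a driver only for devices on
    an explicit allowlist, so an unexpected device never reaches a buggy driver."""
    if (desc.vendor_id, desc.product_id) not in allowlist:
        return None
    return select_driver(desc)

def sample_descriptor(vid: int, pid: int, dev_class: int = 0) -> bytes:
    """Constructed descriptor bytes for the examples below (no real device)."""
    return _DEV_DESC.pack(18, 1, 0x0200, dev_class, 0, 0, 64,
                          vid, pid, 0x0100, 1, 2, 3, 1)

def demo() -> dict:
    stick = parse_device_descriptor(sample_descriptor(0x0781, 0x5567))
    # The same stick reporting Device Foo's ids instead: with no policy the
    # host binds the flawed foocam driver even though no camera is present.
    posing = parse_device_descriptor(sample_descriptor(0x1234, 0xBEEF))
    allowlist = {(0x0781, 0x5567)}                  # only the approved stick
    return {
        "honest": select_driver(stick),             # "usb-storage"
        "posing": select_driver(posing),            # "foocam (known bug)"
        "posing_with_policy": bind_with_policy(posing, allowlist),  # None
    }

if __name__ == "__main__":
    print(demo())
```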

RE[9]: So... (kernel design)
by Jedd on Sun 24th Jul 2005 17:26 UTC
Jedd
Member since:
2005-07-06

If you are "Nicholas Donovan", why an Anonymous comment? _^

Reply Score: 1

USB Devices Can Crack Operating Systems
by Anonymous on Sun 24th Jul 2005 17:37 UTC
Anonymous
Member since:
---

COOL

Reply Score: 0

READ THE ARTICLE PEOPLE
by deathshadow on Mon 25th Jul 2005 14:18 UTC
deathshadow
Member since:
2005-07-12

>>However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI. Standards developed by the USB Implementers Forum Inc., the nonprofit corporation that governs USB, don't consider security, he said.

This pretty much means the security flaw is NOT in the OS, but in the USB specification itself... If the flaw is in the device specification any driver that complies with the specs is likely to have the vulnerability...

At least that's how I read it. Considering this involves someone walking up and physically plugging in a device, this is no different than floppy, zip or CD vulnerabilities... In other words no threat unless you are a total idiot.

Reply Score: 1