OSNews: http://www.osnews.com/story/24501/Linux_Is_Vulnerable_to_Malicious_USB_Devices Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Sun, 26 May 2013 09:01:51 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Fix http://www.osnews.com/thread?465300 http://www.osnews.com/thread?465300 is there any fix coming? has this been fixed yet? Tue, 08 Mar 2011 18:21:00 GMT donotreply@osnews.com (diegoviola) Comments LOL http://www.osnews.com/thread?465301 http://www.osnews.com/thread?465301 USB device with an unusually long name (over 80 characters) who the f*** uses 80+ characters to name a usb drive? Tue, 08 Mar 2011 18:27:00 GMT donotreply@osnews.com (d.marcu) Comments RE: LOL http://www.osnews.com/thread?465303 http://www.osnews.com/thread?465303 The person attacking the computer. Tue, 08 Mar 2011 18:36:00 GMT donotreply@osnews.com (Soulbender) Comments RE: Fix http://www.osnews.com/thread?465304 http://www.osnews.com/thread?465304 Yes
http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git&a...

It was fixed on Feb. 14 2011 Tue, 08 Mar 2011 18:41:00 GMT donotreply@osnews.com (senshikaze) Comments Caiaq USB ? http://www.osnews.com/thread?465306 http://www.osnews.com/thread?465306 What is it ? Is it actually a widespread device ? Never heard of that. Tue, 08 Mar 2011 18:48:00 GMT donotreply@osnews.com (torturedutopian) Comments RE: LOL http://www.osnews.com/thread?465313 http://www.osnews.com/thread?465313 Let me spell it out for you: a malicious person. Tue, 08 Mar 2011 18:58:00 GMT donotreply@osnews.com (ivanzinho) Comments RE[2]: Fix http://www.osnews.com/thread?465317 http://www.osnews.com/thread?465317
Yes
http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git&a...

It was fixed on Feb. 14 2011


Heh, we have been fixing a ton of issues like that in Haiku recently - Coverity picks them up like a champ ;) Tue, 08 Mar 2011 19:12:00 GMT donotreply@osnews.com (umccullough) Comments RE[2]: LOL http://www.osnews.com/thread?465318 http://www.osnews.com/thread?465318 so this guy must have access to my pc and insert a 80+ characters named usb drive in order to exploit it? It's not like if i have a usb drive with a huge name my computer can be exploited by a hacker half way around the world. I'll restrict my usb drives to less characters, just in case. Tue, 08 Mar 2011 19:13:00 GMT donotreply@osnews.com (d.marcu) Comments Isn't the title misleading? http://www.osnews.com/thread?465320 http://www.osnews.com/thread?465320 The title promises a lot - it sounds like some rather general exploit on the Linux kernel, when it is nothing more than a buffer overflow bug in a particular driver.

I wouldn't be that surprised to see that on Slashdot - and then promptly tagged there with the "notnews" tag - but I don't think that it is really much of an event (I think, without having seen statistics about it, that dozens, if not hundreds, of such bugs are found and fixed each year.) - at least not enough of an event to warrant a place on OSNews. Tue, 08 Mar 2011 19:19:00 GMT donotreply@osnews.com (jhominal) Comments RE[3]: LOL http://www.osnews.com/thread?465321 http://www.osnews.com/thread?465321
so this guy must have access to my pc and insert a 80+ characters named usb drive in order to exploit it? It's not like if i have a usb drive with a huge name my computer can be exploited by a hacker half way around the world. I'll restrict my usb drives to less characters, just in case.


It may not affect you - but something like this is indeed bad. For example, what prevents a Kiosk running Linux from being pwned. Think: digital picture processing kiosk at the drug store.

It's even more disturbing after reading the recent report on what governments have been up to with HBGary:

http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgar... Tue, 08 Mar 2011 19:23:00 GMT donotreply@osnews.com (umccullough) Comments RE[4]: LOL http://www.osnews.com/thread?465328 http://www.osnews.com/thread?465328
It's even more disturbing after reading the recent report on what governments have been up to with HBGary:


On the other hand, considering how easily he got owned how good can he actually be and how much should we trust what he says he has done? Tue, 08 Mar 2011 19:56:00 GMT donotreply@osnews.com (Soulbender) Comments RE[5]: LOL http://www.osnews.com/thread?465330 http://www.osnews.com/thread?465330
"It's even more disturbing after reading the recent report on what governments have been up to with HBGary:


On the other hand, considering how easily he got owned how good can he actually be and how much should we trust what he says he has done? "

Well, if you follow the story, HBGary Federal was owned, HBGary was collateral damage. They apparently do have some decent technology, including unreleased 0day exploits...

But the important bit is: The U.S. government is knowingly hiring firms to exploit via hardware ports such as USB and PCMCIA. Tue, 08 Mar 2011 20:00:00 GMT donotreply@osnews.com (umccullough) Comments RE[4]: LOL http://www.osnews.com/thread?465331 http://www.osnews.com/thread?465331
http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgar...


Thank you for sharing, that post is very interesting. Tue, 08 Mar 2011 20:00:00 GMT donotreply@osnews.com (Petur) Comments RE[6]: LOL http://www.osnews.com/thread?465332 http://www.osnews.com/thread?465332
But the important bit is: The U.S. government is knowingly hiring firms to exploit via hardware ports such as USB and PCMCIA.


Why hire someone to break in when you can just pay the coder to not lock the door? Tue, 08 Mar 2011 20:02:00 GMT donotreply@osnews.com (Petur) Comments RE[6]: LOL http://www.osnews.com/thread?465333 http://www.osnews.com/thread?465333
They apparently do have some decent technology, including unreleased 0day exploits...


Or so he says. To be honest, reading that article it feels like the wet daydreams of some loser who has watched too many spy movies. Like some cyber version of Jonathan Idema.

[The U.S. government is knowingly hiring firms to exploit via hardware ports such as USB and PCMCIA.


I would not expect anything less.Edited 2011-03-08 20:13 UTC Tue, 08 Mar 2011 20:11:00 GMT donotreply@osnews.com (Soulbender) Comments RE: Caiaq USB ? http://www.osnews.com/thread?465338 http://www.osnews.com/thread?465338 I looked into it, but the module is running on my install (Ubuntu 10.10). Not sure what hardware is it hooked to. Tue, 08 Mar 2011 20:36:00 GMT donotreply@osnews.com (senshikaze) Comments RE[2]: Caiaq USB ? http://www.osnews.com/thread?465339 http://www.osnews.com/thread?465339
I looked into it, but the module is running on my install (Ubuntu 10.10). Not sure what hardware is it hooked to.


CONFIG_SND_USB_CAIAQ=m
CONFIG_SND_USB_CAIAQ_INPUT=y

Sound card? Tue, 08 Mar 2011 20:50:00 GMT donotreply@osnews.com (nbensa) Comments RE[3]: Caiaq USB ? http://www.osnews.com/thread?465341 http://www.osnews.com/thread?465341 Looks like it ;)

http://caiaq.com/index_en.html

To date, serveral high-quality USB 2.0 audio interfaces, music production controllers and a WLAN based Multiroom Audio System have been delivered.



http://www.globalsecuritymag.com/Vigil-nce-Linux-kernel-buffer,2011...

DESCRIPTION OF THE VULNERABILITY

The sound/usb/caiaq directory implements the support of USB devices from the Native Instruments company.

The snd_usb_caiaq_audio_init() and snd_usb_caiaq_midi_init() functions copy the name of the USB device in a 80 bytes array. However, if the name provided by the USB device is longer, a buffer overflow occurs.

An attacker can therefore insert a USB device with a long name, in order to create an overflow in caiaq, leading to a denial of service or to code execution.


(Putting some memory regions on W and X access privileges at the same time... Them fool... DEP is not here for nothing !)Edited 2011-03-08 20:56 UTC Tue, 08 Mar 2011 20:53:00 GMT donotreply@osnews.com (Neolander) Comments grepping for strcat/strcpy http://www.osnews.com/thread?465346 http://www.osnews.com/thread?465346 I downloaded a recent kernel source bundle and did: grep -IR '\\|\' *|wc -l

This found 3558 lines. While many of them are in the form `strcpy(foo, "string literal");` I think usage of these functions should be generally forbidden. All these function calls should be replaced with strlcat/strlcpy.Edited 2011-03-08 21:20 UTC Tue, 08 Mar 2011 21:19:00 GMT donotreply@osnews.com (panzi) Comments Reminds me of this USB attack http://www.osnews.com/thread?465354 http://www.osnews.com/thread?465354 http://www.youtube.com/watch?v=ovfYBa1EHm4

Never been a fan of Nautilus. ;-) Tue, 08 Mar 2011 22:10:00 GMT donotreply@osnews.com (Lennie) Comments RE[2]: Fix http://www.osnews.com/thread?465362 http://www.osnews.com/thread?465362
Yes
http://git.kernel.org/?p=linux/kernel/git/tiwai/sound-2.6.git&a...

It was fixed on Feb. 14 2011


Nice, thanks. Tue, 08 Mar 2011 23:17:00 GMT donotreply@osnews.com (diegoviola) Comments RE: grepping for strcat/strcpy http://www.osnews.com/thread?465364 http://www.osnews.com/thread?465364 Well, Ulrich Drepper does not like strlcat/strlcpy so they won't be in glibc anytime soon. Wed, 09 Mar 2011 00:43:00 GMT donotreply@osnews.com (Soulbender) Comments RE[4]: LOL http://www.osnews.com/thread?465367 http://www.osnews.com/thread?465367 For example, what prevents a Kiosk running Linux from being pwned. Think: digital picture processing kiosk at the drug store.

I have seen one of the picture processing kiosk at a local drug store and the kiosk if I remember correctly was from Kodak or Fuji film. They were actually running Windows. And with the help of my humble memory some of articles or comments on this site was saying those kiosk commonly running Windows instead of Linux. Since this is Linux bug I doubt it would affect many of those kiosk. Wed, 09 Mar 2011 01:27:00 GMT donotreply@osnews.com (t3RRa) Comments RE[5]: LOL http://www.osnews.com/thread?465371 http://www.osnews.com/thread?465371
I have seen one of the picture processing kiosk at a local drug store and the kiosk if I remember correctly was from Kodak or Fuji film. They were actually running Windows. And with the help of my humble memory some of articles or comments on this site was saying those kiosk commonly running Windows instead of Linux. Since this is Linux bug I doubt it would affect many of those kiosk.


Sure, maybe now - but with shit like this:

http://it.slashdot.org/story/10/07/06/0019234/Photo-Kiosks-Infectin...

How long before they realize Windows is the wrong solution? Wed, 09 Mar 2011 01:52:00 GMT donotreply@osnews.com (umccullough) Comments For anyone who has not updated kernel http://www.osnews.com/thread?465387 http://www.osnews.com/thread?465387 This is Linux of course black list the driver,

http://www.cyberciti.biz/tips/avoid-linux-kernel-module-driver-auto...

Problem solved. Insert infected device as much as like after that is done its worthless.

Yes the hotfix to the issue. Wed, 09 Mar 2011 03:45:00 GMT donotreply@osnews.com (oiaohm) Comments RE[2]: grepping for strcat/strcpy http://www.osnews.com/thread?465396 http://www.osnews.com/thread?465396 The kernel can just use its own implementations of strl{cat,copy} until they are standardized, no? Wed, 09 Mar 2011 04:25:00 GMT donotreply@osnews.com (Hypnos) Comments RE[3]: grepping for strcat/strcpy http://www.osnews.com/thread?465404 http://www.osnews.com/thread?465404
The kernel can just use its own implementations of strl{cat,copy} until they are standardized, no?


Nice in theory. Linux kernel does have strncat and strncpy and problem back in history they leaked a little memory. So to avoid that problem some drivers changed over to strcpy so leading us todays problem.

Historic chain of failure. Hopefully this is close to the last bit of it. Wed, 09 Mar 2011 06:37:00 GMT donotreply@osnews.com (oiaohm) Comments RE[6]: LOL http://www.osnews.com/thread?465408 http://www.osnews.com/thread?465408 Can we just stick to the subject of this article? Wed, 09 Mar 2011 08:20:00 GMT donotreply@osnews.com (t3RRa) Comments RE[6]: LOL http://www.osnews.com/thread?465409 http://www.osnews.com/thread?465409
Sure, maybe now - but with shit like this:

http://it.slashdot.org/story/10/07/06/0019234/Photo-Kiosks-Infectin...

How long before they realize Windows is the wrong solution?


Ummm, never?

They don't *WANT* a great solution. They want something that they don;t feel they have to reinvent the wheel err... compile from source and insert kernel modules... etc.

Yeah, I know. I've had Linux Kiosks running for a Coffee House Locally for almost 4 years. Worst thing that happened is some person's web e-mail tried to write to C:\Windows\something\something\blahblahblah

Plus running from an Optical Drive is nice. Wed, 09 Mar 2011 08:32:00 GMT donotreply@osnews.com (gfolkert) Comments RE[3]: grepping for strcat/strcpy http://www.osnews.com/thread?465430 http://www.osnews.com/thread?465430 These functions will never be standardized. c1x - the next C standard - will include the IMHO inferior but good enough(certainly better than str* and strn*) str*_s by Microsoft.

This has little relevance though, given that the Linux kernel doesn't use glibc and it *does* include strlcat and strlcpy.

So do glib, KDE and Samba, for example. Basically everyone but that Drepper guy has got them. Wed, 09 Mar 2011 12:49:00 GMT donotreply@osnews.com (sakeniwefu) Comments RE[4]: LOL http://www.osnews.com/thread?465448 http://www.osnews.com/thread?465448
Think: digital picture processing kiosk at the drug store.

What's funny is that just the other day, I walked in front of one of those things in Walgreen's. It was prominently displaying the Blue Screen of Death on its screen. It's not the first time--I've seen them display standard Windows errors (including crashes) and BSODs more times than I care to remember...

At this rate, I think that as long as those things are running Windows and are inoperable a large portion of the time as a result, people are "relatively" safe from digital picture kiosks. LOL. Wed, 09 Mar 2011 16:07:00 GMT donotreply@osnews.com (UltraZelda64) Comments RE[7]: LOL http://www.osnews.com/thread?465467 http://www.osnews.com/thread?465467
Can we just stick to the subject of this article?


Sure, because sticking a USB stick into a kiosk running a vulnerable operating system is soooo off topic eh? Wed, 09 Mar 2011 19:57:00 GMT donotreply@osnews.com (umccullough) Comments