Re: USB delivered attacks

From: Gadi Evron (ge@linuxbox.org)
Date: Fri Jun 04 2004 - 19:14:46 EDT


Rob Shein wrote:

> The driver for USB drives is not on the USB drive. It's native to XP/2000,
> and loads dynamically from the O/S.
>
> Look at it this way; if the driver were needed to access files on the USB
> drive, then how could the driver be stored on the device to be used to
> access files? If you could pull the driver off the USB drive, why would you
> need the driver at all?
>
> To further see what I mean, put in your USB drive and wait for it to
> connect. Then look in Device Manager, and check the driver details. Look
> and see whose driver it is. If you've got multiple drives from multiple
> companies, try them one at a time, and look to see if the driver changes.
> Bet you it doesn't. :)

I suppose you are right.

However, there is data on the USB drive itself.

The entry on the PC is the HUB. The USB device is the client. I can
think of a few ways the client can affect the HUB.

After re-examining the technology, I came up with the following
conclusions about possible threats:
1. Someone will put his/her own code inside a USB SDK, which will be
    catastrophic.
2. Someone will find a buffer overflow in the Microsoft USB driver. That
    sounds quite plausible. It crashes under many circumstances.

A buffer overflow in the USB driver could possibly also affect very
strong cryptographic systems such as eToken, but as I didn't look into
that, I don't know if that particular technology is susceptible to such
an attack.

There is still the risk of somebody just copying stuff over, and that
can be expanded accordingly. I can put a file on my digital camera, say,
a .DOC file. Unless the memory card is removed and examined, I think I
can smuggle that file out pretty easily, even if my camera were to be
examined.

There is always the auto-run POC which did come out of all this, so I
suppose this thread wasn't a complete waste of bandwidth.

Thoughts?

        Gadi Evron.

-- 
Email: ge@linuxbox.org.  Work: gadie@cbs.gov.il. Backup: ge@warp.mx.dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: 
http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT