August 06, 2005

USB Devices Crack Windows

Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device, according to an executive from SPI Dynamics, which discovered the security hole.

The buffer-overflow vulnerabilities could enable an attacker to circumvent Windows security and gain administrative access to a user's machine.

This is just the latest example of a growing danger posed by peripheral devices that use USB (Universal Serial Bus), FireWire and wireless networking connections, which are often overlooked in the search for remotely exploitable security holes, experts say.

The buffer-overflow flaw is in device drivers that Windows loads whenever USB devices are inserted into computers running Windows 32-bit operating systems, including Windows XP and Windows 2000, said Caleb Sima, chief technology officer and founder of SPI Dynamics.

SPI is still testing the hole, and hasn't informed Microsoft Corp. about the problem. The company will be demonstrating the vulnerability at this week's Black Hat Briefings hacker conference in Las Vegas, but will not release details of the security hole, Sima said.

A spokesperson for Microsoft's Security Response Center confirmed that the company has not received a vulnerability report from SPI. The company strongly encouraged any researcher to contact the MSRC if they have a vulnerability to report.

However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI. Standards developed by the USB Implementers Forum Inc., the nonprofit corporation that governs USB, don't consider security, he said.

For example, an attacker who knows of a vulnerability in a USB device driver can program one USB device, say a portable memory stick, to pose as the kind of device that uses the vulnerable driver, then plug the device into the host system and trigger the exploit when the host system loads the flawed driver, said Darrin Barrall, another SPI researcher.

Flaws in standard USB drivers aren't hard to find, either, Dewey and Barrall said. "Like many hardware drivers, USB drivers are written with very little data validation and security awareness. They're bare-bones drivers that focus on [speed]," Dewey said.

Best of all, for attackers, the device drivers run with System-level privileges, giving an attacker full control of the host system once the exploit has been triggered. SPI tested attacks on Windows systems, but any operating system that is USB-compliant is probably vulnerable, he said.

Posted by keefner at August 6, 2005 02:52 AM