<div dir="ltr">On Sat, Mar 16, 2013 at 11:08 AM, Ron Frazier (ALE) <span dir="ltr"><<a href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span> wrote:<br><div class="gmail_extra">
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
They shared some interesting and scary info in the latest Security Now episode I thought I'd pass along.<br>
<br>
MS just patched a really nasty potential attack vector via USB. I haven't heard of this applying to Linux, but something like it theoretically could.<br>
<br>
<a href="http://news.cnet.com/8301-10805_3-57573972-75/microsofts-latest-patches-address-new-usb-hack/" target="_blank">http://news.cnet.com/8301-10805_3-57573972-75/microsofts-latest-patches-address-new-usb-hack/</a><br>
<br>
It does require physical access to the pc, but basically, you put a malicious USB stick into the machine, and you own the machine. This happens as long as the machine is powered on - PERIOD. It doesn't have to be logged on. It doesn't matter if autorun / autoplay is on. And your malicious code runs at the KERNEL level. It happens during the enumeration process for usb, before files or programs even come into play.<br>
<br>
So, if you deal with windows, of any type, patch it. Of course, we all know that many machines get patched only infrequently or never.<br>
<br></blockquote><div style>The TL;DR of the attack is that they weren't properly checking untrusted input. It's not clear from anything I've seen what the specific vulnerability is, but I'm guessing it's a buffer overflow if the descriptor is too long and/or lies about its length. Alternatively, it's possible they use some sort of offsets in the descriptor and specifying a large/negative/whatever offset allows you to cause the device enumeration code to jump outside of the device descriptor.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I would think that, at least conceptually, this type of attack might be possible in Linux unless the usb drivers are specifically hardened against it.<br>
<br></blockquote><div style>This "type of attack" is possible in any software that is written without properly checking untrusted input. "specifically hardened" means checking buffer lengths, which is something you should always do. This vulnerability, while serious, isn't particularly unusual. There's been exploitation of device drivers before, and there will be exploitation of device drivers again.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Steve gave an update on the UPNP hack that could make your router vulnerable to having its ports manipulated without your knowledge from the outside. His port scanner application on his GRC server has now detected over 3000 routers of people who've tested their systems to be vulnerable to this attack. One listener had a trojan that had been installed in his router and one had ALL its external ports open. If you haven't tested your external facing router, you may want to do so by going to the ShieldsUp service at <a href="http://grc.com" target="_blank">grc.com</a>.<br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br>
<br>
<br>
--<br>
<br>
Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.<br>
Please excuse my potential brevity if I'm typing on the touch screen.<br>
<br>
(PS - If you email me and don't get a quick response, you might want to<br>
call on the phone. I get about 300 emails per day from alternate energy<br>
mailing lists and such. I don't always see new email messages very quickly.)<br>
<br>
Ron Frazier<br>
<a href="tel:770-205-9422" value="+17702059422">770-205-9422</a> (O) Leave a message.<br>
linuxdude AT <a href="http://techstarship.com" target="_blank">techstarship.com</a><br>
<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>
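The "checking buffer lengths" point above, as an added example that is not part of this thread: a bounds-checked walk over a USB configuration descriptor block in C. Every USB descriptor begins with a device-supplied bLength, and the configuration header carries a device-supplied wTotalLength; the parser treats both as untrusted and rejects any value that would read past the bytes actually received. The sample descriptor byte arrays are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04

/* Count interface descriptors in a configuration block of `len` received bytes.
 * Returns -1 if any device-supplied length would run past the buffer. */
int count_interfaces(const uint8_t *buf, size_t len) {
    /* Need the full 9-byte configuration header before reading wTotalLength. */
    if (len < 9 || buf[0] != 9 || buf[1] != USB_DT_CONFIG) return -1;
    size_t total = buf[2] | ((size_t)buf[3] << 8);   /* little-endian wTotalLength */
    /* The device's claim about the block size must not exceed what we hold. */
    if (total > len) return -1;
    size_t off = 0;
    int count = 0;
    while (off < total) {
        if (total - off < 2) return -1;              /* no room for a header */
        uint8_t blen = buf[off], type = buf[off + 1];
        /* bLength is attacker-controlled: 0 or 1 would loop forever or
         * misparse, and anything past `total` would read out of bounds. */
        if (blen < 2 || blen > total - off) return -1;
        if (type == USB_DT_INTERFACE) count++;
        off += blen;
    }
    return count;
}

/* Constructed sample: config header (wTotalLength=27) + two interface descriptors. */
const uint8_t good_cfg[] = {
    9, USB_DT_CONFIG, 27, 0, 2, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 0, 0xFF, 0, 0, 0,
    9, USB_DT_INTERFACE, 1, 0, 0, 0xFF, 0, 0, 0,
};
/* Constructed sample: first interface descriptor lies about its bLength. */
const uint8_t bad_blen_cfg[] = {
    9, USB_DT_CONFIG, 27, 0, 2, 1, 0, 0x80, 50,
    0xFF, USB_DT_INTERFACE, 0, 0, 0, 0xFF, 0, 0, 0,
    9, USB_DT_INTERFACE, 1, 0, 0, 0xFF, 0, 0, 0,
};
/* Constructed sample: wTotalLength (0x1000) claims far more than was received. */
const uint8_t bad_total_cfg[] = {
    9, USB_DT_CONFIG, 0x00, 0x10, 2, 1, 0, 0x80, 50,
    9, USB_DT_INTERFACE, 0, 0, 0, 0xFF, 0, 0, 0,
    9, USB_DT_INTERFACE, 1, 0, 0, 0xFF, 0, 0, 0,
};

int main(void) {
    printf("good: %d\n", count_interfaces(good_cfg, sizeof good_cfg));            /* 2 */
    printf("bad bLength: %d\n", count_interfaces(bad_blen_cfg, sizeof bad_blen_cfg)); /* -1 */
    printf("bad wTotalLength: %d\n", count_interfaces(bad_total_cfg, sizeof bad_total_cfg)); /* -1 */
    return 0;
}
```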