Vulnerabilities in USB drivers for Windows could allow an attacker to take control of locked workstations using a specially programmed Universal Serial Bus device, according to an executive from SPI Dynamics, which discovered the security hole. SPI tested its attacks on Windows systems, but any operating system that is USB-compliant is probably vulnerable.
USB Devices Can Crack Operating Systems
47 Comments
Hmmm, interesting, but as Microsoft, or anyone with a bit of security knowledge can tell you, the first layer of security is PHYSICAL security.
If you have physical access to the machine (and how are you going to plug in a USB device if you don’t?) you can break ANY security running on it. Either by rebooting it from a different media, opening the case and removing drives etc.
Still, it’s an interesting story, but not really earth-shattering.
2005-07-24 4:07 am, Deletomn
Actually… The issue is a little bigger than it sounds like.
First of all… Some people do a pretty darn good job of securing their computers, covering almost every angle, but leave the USB ports accessible.
And second… There are converters that allow USB devices to work over the network, I’ve never worked with one myself, but I have to wonder what effect this has on security when you combine it with this information.
(For example, you could try plugging a modified USB device into a converter that’s already set up, or find a jack into the network and set up your own converter along with a modified USB device)
I use FreeBSD…
Well, yes, perhaps connecting a USB thingy (my stupid near-USB-compliant Nokia cell phone, for example) may crash this machine, but I don’t think anyone can go any farther than that. Oh, and by the way, if they’ve got physical access to my machine, the least I’ll be worrying about is USB buffer overflows… or maybe not. Nobody knows FreeBSD around here.
How many regular users actually have a password for their BIOS? Because if you don’t protect BIOS with a password, anyone with physical access to your computer is able to clean your drives without much effort. In fact, even that’s not enough, because the “burglar” could just open the computer case and reset the BIOS settings. So you’ll have to lock your computer, AND use a good BIOS password in order to be safe. No USB required. Just Knoppix.
Geez, you need physical access for this exploit. If you’ve got physical access to a computer you can do much more. Boot off a CD, replace explorer.exe with a trojan explorer.exe and yes, you have all the access you want.
I agree there might be a bug in the stack but a bug which requires physical access and special device is not a big threat.
Their claim that “Any operating system that is USB-compliant is probably vulnerable” is explained in the article:
On any operating system, there are probably a lot of USB drivers installed (though personally I only compile the ones I need into my Linux kernel, but granted, Jack Linux User probably doesn’t). In all likelihood, one of those drivers will have a buffer overflow problem. That’s reasonable to believe.
Now their problem with the ‘USB architecture’ is that: an attacker who knows of a vulnerability in a USB device driver can program one USB device—say a portable memory stick—to pose as the kind of device that uses the vulnerable driver, then plug the device into the host system and trigger the exploit when the host system loads the flawed driver, said Darrin Barrall, another SPI researcher.
So even if you don’t have a ‘Device Foo’, you can hack it to act as Device Foo and exploit the buffer overflow for Device Foo (which you don’t physically have).
In other words: they have a slight point, and blow it up to make pompous claims.
I checked out the website of “SPI Dynamics”, expecting them to offer some commercial solution to this ‘problem’. Surprisingly, they don’t seem to.
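The host-side bug class the post above describes is a driver trusting lengths that the device itself supplies. As an added example (not code from the article, from SPI Dynamics, or from any commenter), here is a configuration-descriptor parser that validates every device-supplied length before copying; the descriptor layout follows USB 2.0, while the 64-byte buffer size and the descriptor bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define USB_DT_CONFIG     0x02
#define USB_DT_CONFIG_LEN 9
#define MAX_CONFIG_BYTES  64   /* assumed fixed driver-side buffer */

enum cfg_err { CFG_OK, CFG_SHORT, CFG_BAD_TYPE, CFG_BAD_BLEN,
               CFG_TOTAL_EXCEEDS_DATA, CFG_TOTAL_EXCEEDS_BUF };

struct config_info { uint8_t raw[MAX_CONFIG_BYTES]; uint16_t total_len; uint8_t num_interfaces; };

/* desc_len is the byte count the host controller actually delivered, never a
 * length the device claims. Every device-supplied length is checked before use. */
enum cfg_err parse_config_desc(const uint8_t *desc, size_t desc_len, struct config_info *out)
{
    if (desc_len < USB_DT_CONFIG_LEN) return CFG_SHORT;     /* header incomplete */
    if (desc[1] != USB_DT_CONFIG)     return CFG_BAD_TYPE;  /* wrong descriptor type */
    if (desc[0] != USB_DT_CONFIG_LEN) return CFG_BAD_BLEN;  /* bLength must be 9 */
    uint16_t total = (uint16_t)(desc[2] | (desc[3] << 8));  /* wTotalLength, little-endian */
    if (total < USB_DT_CONFIG_LEN || total > desc_len) return CFG_TOTAL_EXCEEDS_DATA;
    if (total > MAX_CONFIG_BYTES) return CFG_TOTAL_EXCEEDS_BUF; /* the classic overflow */
    memcpy(out->raw, desc, total);                          /* safe: total <= both bounds */
    out->total_len = total;
    out->num_interfaces = desc[4];
    return CFG_OK;
}

/* Constructed benign descriptor: 9-byte config (wTotalLength=18) followed by a
 * 9-byte mass-storage interface (class 0x08, subclass 0x06, protocol 0x50). */
static const uint8_t benign_desc[18] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x00, 0x08, 0x06, 0x50, 0x00 };

/* Runs one constructed case and returns the parser's verdict. */
enum cfg_err demo_case(int which)
{
    struct config_info info;
    uint8_t d[72];
    memset(d, 0, sizeof d);
    memcpy(d, benign_desc, sizeof benign_desc);
    switch (which) {
    case 0: return parse_config_desc(d, sizeof benign_desc, &info);  /* honest device */
    case 1: d[2] = 0x00; d[3] = 0x04;            /* claims 1024 bytes but only 18 arrived */
            return parse_config_desc(d, sizeof benign_desc, &info);
    case 2: d[2] = 72;                           /* really sends 72 bytes, more than the buffer */
            return parse_config_desc(d, sizeof d, &info);
    case 3: d[0] = 3;                            /* bogus bLength in the header */
            return parse_config_desc(d, sizeof benign_desc, &info);
    }
    return CFG_SHORT;
}
```

Cases 1 and 2 are the two ways a spoofed device lies about size; a parser that copies `wTotalLength` bytes without either check is the overflow the article alludes to.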
Yet another insecurity on the extremely bloated and insecure proprietary Microseft system. Thank $DEITY I got rid of their piece of shit products 10 years ago.
>>However, the flaw is with USB, not Windows, said David Dewey, a research engineer at SPI. Standards developed by the USB Implementers Forum Inc., the nonprofit corporation that governs USB, don’t consider security, he said.
This pretty much means the security flaw is NOT in the OS, but in the USB specification itself… If the flaw is in the device specification any driver that complies with the specs is likely to have the vulnerability…
At least that’s how I read it. Considering this involves someone walking up and physically plugging in a device, this is no different than floppy, zip or CD vulnerabilities… In other words no threat unless you are a total idiot.
How can other OSes be vulnerable because Windows’ USB drivers have a buffer overflow bug in them? The article is light on details.
As far as I can gather it, the implication is that if any bug can be found in any device driver, you can spoof the USB device type to exploit that device driver bug. Right now they tested it with the weak drivers in Windows XP, but theoretically any OS that has a single poorly written USB device driver will be vulnerable to this kind of spoofing.
You *KNOW* this is total bullshit, don’t you? But then I don’t expect anything less from OSNews anyway.
> You *KNOW* this is total bullshit, don’t you? But then
> I don’t expect anything less from OSNews anyway.
Could you explain why? It sounds very reasonable – unless you know for sure that no driver has a vulnerability.
They could simply boot off a CD that supports NTFS and access the files that way. Of course, you can’t take control of a PC like that, unless you could copy some file onto the hard drive, put a shortcut to it in the Startup folder, and then remote control it.
Only if the BIOS of the PC is configured to allow booting from a CD, and if the hospital is so paranoid about security, the BIOS is probably password protected, the PC cases are locked and the PCs themselves are fixed (locked in place by a cable).
Granted, as long as you have physical access to a PC, you can probably avoid those protections, but this is not so easy.
USB is cheap crap.
So we’ve learnt that some 3rd party USB drivers are poorly written. Strangely enough that doesn’t rate as the revelation of the decade.
USB drivers running in ring 0 in a monolithic kernel. Wow, who would have thought it?
Basically if you allow someone physical access to the machine you’re screwed, end of story. With physical access and enough time everything from the BIOS password to an encrypted filesystem can be ripped apart.
USB vulnerability is forgiveable, the bluetooth vulnerability in mobiles wasn’t.
> USB drivers running in ring 0 in a monolithic kernel. Wow, who would have thought it?
For the sake of correctness, Windows’ kernel isn’t monolithic. The NT kernel is a hybrid kernel (it started out as a pure microkernel btw, in the very, very early days), like the Mach kernel used by OS X.
Linux is monolithic.
But your point is irrelevant since drivers in Windows NT still run within the kernel with the system privilege level, even if they are loaded as modules.
> But your point is irrelevant since drivers in Windows NT still run within the kernel with the system privilege level, even if they are loaded as modules.
I wasn’t contradicting your point, just correcting you.
> I wasn’t contradicting your point, just correcting you.
Twasn’t me who posted the original post 😉
“Standards developed by the USB Implementers Forum Inc., the nonprofit corporation that governs USB, don’t consider security, he said.”
What the hell?! Why not? In this day and age, I find it very hard to believe that nobody at the USB Implementers Forum thought about the possibility of buffer overflows and the like being exploited, which could be used maliciously by some people out there. This really is a sad state of affairs and it needs to be seriously addressed by the forum.
To paraphrase a /.-ism:
1. Profit!!!
2. ???
3. Security.
2. USB devices can destroy your motherboard….
You know what else can crack operating systems? Floppy disks. Oh and cdroms. The USB device is not unique in this situation.
Besides, MS long dumped their “hybrid” design because it didn’t perform. NT and later is now a monolithic kernel in traditional sense.
Actually the NT/XP/Vista/….
Are based on the NT 4.x kernel series of course, which in turn was designed by a former VMS kernel designer. It is (by design) a microkernel; however, due to the way it utilizes the various drivers and their supporting libraries, it is more like a hybrid between a monolithic and a microkernel.
Irrespective of its exact design intent, it’s still a single-user POS that doesn’t belong anywhere near a business or home PC.
Just my 2 cents,
Nick
NT is multi-user.
Vista moves a lot of stuff back to user mode.
Ahh no. There is currently no Microsoft OS that is multi-user. Microsoft themselves will tell you that.
Multi-usability must be emulated via profiles and virtual desktop emulation ala citrix etc.
The kernel is NOT multi-user.
Trust me or don’t (I’m a kernel guy, by the way) and feel free to ask around, or google my name “Nicholas Donovan”.
Or, ask on the kernel lists and they will confirm what I’ve told you.
Cheers,
Nick
Ok, I’m going to be harsh here:
Great, you post anonymously on a security related thread, throw a name around and expect us to believe you?
At least PGP signing your post with a verifiable key might be a beginning of trust.
Don’t take it personally, I’m no authority when it comes to security or kernel topics, but it seems obvious to me that you have to back up your claims somehow.
Well ok I was really harsh, and after reading your post again, you don’t make it so authoritative as I’m implying in my previous post. Still, your name doesn’t bring anything to your arguing without being certified somehow.
Feel free to view my multiple threads at LinuxToday, or you can view my name as one of the main contributors to the John Kirch ‘Unix vs. WindowNT’ website.
I’ve written for CIO Magazine, and have several articles online. (If you google you’ll find a few of them I’m sure)
I’m currently the CEO of Ioni Systems and give regular talks at the large Dallas Unix/Linux Users Group in Irving (Las Colinas).
My specialty was originally real-time OS; however, my company’s focus now is Unix and services for Unix.
Now you know who I am. Hi!
Now back to eating dinner before my wife yells at me to get off the computer! 😉
Cheers,
Nick
Oh yeah, and you say Windows is not multiuser? Please enlighten me then: how can multiple different users log in on Windows 2003 at the same time?
How can I run sshd on my Windows XP box and ssh in from different accounts?
You obviously have no knowledge about windows and you are simply trolling. Go back, study something and come back with a better troll next time.
Ehm, no, sorry, you’re the one who should go study some kernel design. The fact that multiple users can be logged in at the same time doesn’t make a kernel multi-user.
The way Windows does multiple users is an extra emulation layer on top of the kernel, i.e. the kernel has no knowledge of who is whom. In Linux, for instance, there are access restrictions for syscalls so you won’t be able to fopen /dev/hda for writing without being root, for instance.
Newer versions of Windows will also complain if you try to do something like that in a program, but it’s not due to the kernel as much as the overlying layer of security mechanisms.
– Simon
> Feel free to view my multiple threads at LinuxToday
> or you can view my name as one of the main
> contributors to the John Kirch ‘Unix vs. WindowNT’ website.
John Kirch’s website no longer exists, and in any case you were not listed as a main contributor in Kirch’s (rather old) paper, but in the last batch of acknowledgments… the one for minor contributors.
> I’ve written for CIO Magazine, and have several articles
> online. (If you google you’ll find a few of them I’m sure)
Googling for Nicholas Donovan only produces a handful of results, all of them just user comments on some other people’s articles.
> I’m currently the CEO of Ioni Systems and give regular
> talks at the large Dallas Unix/Linux Users Group in
> Irving (Las Colinas).
The amount of Google hits on “Ioni Systems” from Dallas is even smaller than those referring to you.
> My specialty was originally real-time OS however my
> companies focus now is Unix and services for Unix.
>
> Now you know who I am. Hi!
Someone rather pompous.
> Cheers,
Cheers
“Now you know who I am.” No we don’t. The whole point is that you could be someone claiming to be Nick Donovan. Even assuming Nick Donovan is an authority, that doesn’t mean *you* are since we don’t know who you are. “Still, your name doesn’t bring anything to your arguing without being certified somehow” seems pretty straightforward..
Not to beat a dead horse son, but as the poster in the previous post has written, as I did earlier, Windows is not multi-user.
Don’t take my word for it. ANY kernel developer will tell you it’s not a true multi-user OS. Go on the Linux or FreeBSD kernel list and try to tell them Windows is multi-user. You’ll get the same thing I told you in my first post:
“Windows emulates multi-usability via profiling support and via emulation of RDP or other Citrix type mechanisms” to put it very simply without getting into resource forking or other OS permutations that are beyond the scope of this discussion.
You don’t have to believe that I’m ‘me’, and I really don’t care, son. However, you stated that Windows was multi-user and I corrected that misinformation, which Microsoft won’t even put on their website but allows to persist.
As far as being ‘certified’, I’m sure my wife will say I am. However you’re posting anonymously on this board telling me what I must do? *laughing*
At least I put my name on my posts. I’m not here to impress you son, just state the facts and make observations as others have done.
If you don’t like being corrected I’m sorry. My best guess is you might like to speak to a professor at your local university that specializes in operating system design and ask him questions.
Anyway, back to family for breakfast. (I’m always mentioning food here on this board…. hmmmm…..) My oldest two kids are only going to be around for a few more years before they get into college so I might as well enjoy the summer with them.
Take Care,
Nick
Hey Nick,
This is off-topic for here and I apologize for that. But many of us old LinuxToday readers moved to Dave Whitinger’s current Linux site at http://www.lxer.com back when LT started pushing MS’s “Get The Facts” campaign.
I don’t think I’ve seen you there. I think you would enjoy it and I’m sure you would be very welcome.
Good to hear from you again!
-Steve Bergman
You are right for the most part. The technology, multi-user kernel extensions, was integrated into the kernel for Windows 2000 Server. I’m not sure exactly what changes (if any) were made to the multi-user model but there were overhead reductions. I’ve found almost no info on the extensions online. SFU on Windows uses the UNIX model.
IMO it should be illegal to use Windows.
Please enlighten me, how does this make Windows shitty? If I have physical access to a Linux box, I can screw it in an equal number of ways.
“..any operating system that is USB-compliant is probably vulnerable.”
I’m very curious about all those operating systems that could be in danger like that. Maybe all using Windows USB drivers? Wow, unbelievable. What windows-anti-discrimination tendencies are we facing now? I read: Sorry guys, we found some vulnerability, please forgive us, yes it’s only Windows again, but let’s assume that no other OS is safe anyway.
> it started out as a pure microkernel btw
Right, so how does it matter? Even the NT4 series had lost its “microkernelism”, and later “improvements” just got them farther away. The whole point being, in fact, pointless.
Anyway, as others have stated above, if your security is that high that anyone can walk up to the machine you’re trying to protect so hard and stick things in it, you’re screwed anyway. Nothing on this planet can save you from that point on.
Many USB devices include a hardware controller that might include an 8051 or other low cost cpu or a state machine.
If an engineer were to recode the firmware then it’s possible (likely to be very difficult since it would be in ROM) the USB spec could be violated, and maybe that would be enough to induce the host-side buffer overflow on any OS.
Then again, you could do the same thing with any hardware device that plugs into a PCI or IDE port, but that’s getting ridiculous.
A simple screwdriver is more than enough to get at the goods.
As for janitors, in the old days when PCs were wimpy and workstations had the muscle, you would hear stories of whole departments having their DIMMs stolen.
Requiring physical access to the machine. If somebody has that, they already 0wn you. Doesn’t matter what OS you’re using. As long as somebody can boot from some device, you’re toast.
You’re woefully behind the times.
Windows Vista implements a large number of changes to its driver model to address concerns with kernel mode drivers.