Date: Sun, 31 Jul 2016 13:34:02 +0200 From: פאי פי <phi.reporter@...la.co.il> To: oss-security@...ts.openwall.com Subject: badUSB exploit - affects all Linux distros Title: badUSB exploit - affects all Linux distros --------------------------------------------------------- Dear oss-security mail list members, Please, I urge you to fix the known badUSB security exploit that exists in any Linux distro. There is available (to the general public) a relatively cheap product which does the "rubberducky" attack, it uses the badUSB exploit. See the link (found it by searching "rubberducky" in google - clicked first result): http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe That is *cross-platform* due to USB's nature - it affects ALL Linux distros. Therefore I suspect that Linux fails to protect against that, because that the "rubberducky" attack can "type" the following commands: 1. Copy-paste a bash script 2. chmod it so that it will execute (under normal user - NOT root) 3. malware is active... Note that by default - Linux's firewall is disabled, therefore allowing an easy access to the attacker via internet. In addition, it is possible to program a USB flash drive to behave like a keyboard, because that the electrical functionality is available (you only need a different driver). Therefore the user would think that he connect a USB flash drive, but actually he connects a USB keyboard. ----------------- My solution to this exploit: On the connection of a device that has a direct physical access, the OS should permit the device to perform actions based on what the users allows it to do. Does the user allow a USB flash drive to act like a USB keyboard? Probably not! Also, if from a single USB port - the OS detect a USB flash drive AND a USB keyboard - this kind of event should light a red alert (!). Thus, upon connection of the USB stick, the OS should ask the user: Do you allow the USB stick to act as: (1) .. (2) .. (3) .. While the options (1) to (3) are the devices that the USB stick presents itself to the PC. By default: Linux should allow that only a single keyboard is used at a single time (which is the keyboard that was connected first). This behavior may be modified via the USB permissions system (which should be written). ----------------- The following are quotes of questions which I was asked regarding this exploit and my solution to it. My answers to these questions appear immediately after the quotes. "- How would a user interact when plugging in the first keyboard or mouse?" The first keyboard and mouse are normally connected when powering on the PC. The behaviour should be like today - no restrictions for the first keyboard and mouse. (Normally the USB flash drive is connected only *after* that the normal keyboard & mouse are already connected.) "- What if the malicious device was first only because it was 'earlier' in the USB network?" If by "earlier in the USB network" you mean : * "connected before the keyboard and mouse" then for now there is not much I can think of. But normally that does not happen, and *some* protection is better than none. * "connected in parallel (same time) to keyboard & mouse" then alert the user that he needs to remove one of them in order to proceed. "- How would the system tell a keyboard-with-hub that a user intended to buy from a keyboard-with-hub that a user didn't intend to buy?" Hubs aren't the norm. In case that someone has a hub (doubtful..) then he can always disable the security behaviour. I sincerely believe that most of the people would prefer to have more protection and little discomfort than having this huge exploit. "- What would the interaction look like on a computer with no displays? With a dozen displays? With a dozen seats?" With no displays: Does it connect via ssh? If so, then he could see the message. If not then a sound/beep would be activated. If having no speakers then the user should understand that something is wrong... But I think that this is rarely happen, therefore if it does happen - then it is probably(??) the USB exploit. With dozen of displays: Simply display an alert window of some sort on one of the desktop (is this really a problem? How does Linux manages to display errors with dozen of displays in other scenarios?). With a dozen seats: What do you mean by "seats" ? USB is very flexible indeed, but most people would prefer to know that their system is secure than spending few minutes (or half an hour in worst case) in understanding the (rare) problem and fixing it. ----------------- I opened a bug report at launchpad for Ubuntu: https://bugs.launchpad.net/ubuntu/+bug/1393612 (Read my post: "johnmne (phi-reporter) wrote on 2016-06-27: ") It is recommended to read the duplicate bug report that I opened at the following URL: https://bugs.launchpad.net/ubuntu/+bug/1590990 (Discussed with "Seth Arnold (seth-arnold)") Also, sorry - I am NOT an expert in Ubuntu, neither in Linux, therefore I can't suggest how to implement the behavior that I offered. There is a common scenario for Linux, in which: 1. A keyboard and a screen is already available. If the screen isn't available, then the user is able to connect via network. 2. Another USB stick is connected to the PC. If the USB behaves like a keyboard, an interactive program (either GUI or command-line) could initiate - alerting the user on the problem and suggesting to block it. This is the most common and basic setup for this exploit to be ever used. By default you (the developers) may disable this security patch, but the user should be able to choose whether he wants to enable it (I'm sure that most people would enable it..). Please reply to my EMail, so that I'll know that you received it. Thank you. Best regards.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ