Risky USBusiness: Say "what the fuzz."... If you can't say it, you can't do it.
Jordan Bouyat, jbouyat@quarkslab.com
@la_F0uin3
Fernand Lone-Sang (Quarkslab)
Hack.lu, October 22, 2014
Context USB basics Fuzzing approaches Our tool Results Conclusion
Starting points
Observation
USB ubiquity
Workstations;
Interactive machines;
Printers;
Embedded systems;
Etc.
Massively used, but internals are not well known.
Starting points
Interest
Possible attacks
USB devices are attack vectors:
Physical access in limited time;
Device deliberately left behind;
Attacks on isolated networks.
Summary
1 USB basics
2 Fuzzing approaches
3 Our tool
4 Results
5 Conclusion
1 USB basics
A hierarchical protocol
Hierarchy
Figure: USB topology
An ordered topology:
1 host controller: up to 127 devices;
One hub can be connected to another;
Connections and transfers are initiated by the host only (except OTG).
A hierarchical protocol
Device logical view
Figure: device logical view (host side: user application, OS drivers, USB controller; device side: Interface 0 and Interface 1 grouping endpoints EP0 IN/OUT, EP1 IN, EP1 OUT, EP2 IN, EP3 IN, EP3 OUT)
An interface provides a function.
It contains endpoints.
Endpoints are logical links between the device and the host drivers.
They are unidirectional. Four kinds of transfer are available: Control, Interrupt, Bulk, Isochronous.
A hierarchical protocol
Descriptors
Data structures that describe the device:
1 Its characteristics (USB version, VID, PID...);
2 Its interfaces (type, endpoint numbers...);
3 Its endpoints (direction, transfer type...).
A configuration descriptor describes one possible grouping of interfaces; a device can define several configurations.
A hierarchical protocol
Standard requests
Descriptors are retrieved during the enumeration process.
USB Setup (GET_DESCRIPTOR request, 8 bytes on the wire):
  bytes   field               value
  80      bmRequestType       0x80
  06      bRequest            GET_DESCRIPTOR
  00 01   wValue              0x0100
  00 00   wIndex              0x00
  40 00   wLength             0x40
USB Device Descriptor response (18 bytes):
  bytes   field               value
  12      bLength             18
  01      bDescriptorType     1
  00 02   bcdUSB              0x0200
  00      bDeviceClass        0x00
  00      bDeviceSubClass     0x00
  00      bDeviceProtocol     0x00
  40      bMaxPacketSize0     64
  3c 41   idVendor            0x413c
  07 21   idProduct           0x2107
  78 01   bcdDevice           0x0178
  01      iManufacturer       1
  02      iProduct            2
  03      iSerialNumber       3
  01      bNumConfigurations  1
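Added example, not code from the slides or from the umap/Facedancer tooling: a Python parser for the setup packet and device descriptor bytes shown above. It refuses a descriptor whose self-declared bLength disagrees with what was actually received, which is the check a host stack needs before it indexes into descriptor data; the class and function names are my own.

```python
import struct
from dataclasses import dataclass

GET_DESCRIPTOR = 0x06     # bRequest
DESC_TYPE_DEVICE = 0x01   # high byte of wValue

# Constructed sample input: the setup packet and device descriptor from the
# slide above, in wire (little-endian) byte order.
SETUP_BYTES = bytes.fromhex("80 06 00 01 00 00 40 00")
DEVICE_DESC_BYTES = bytes.fromhex(
    "12 01 00 02 00 00 00 40 3c 41 07 21 78 01 01 02 03 01")

@dataclass
class SetupPacket:
    bmRequestType: int
    bRequest: int
    wValue: int
    wIndex: int
    wLength: int

    def is_get_device_descriptor(self) -> bool:
        """Standard IN request for the device descriptor (type 1, index 0)."""
        return ((self.bmRequestType & 0x80) != 0 and self.bRequest == GET_DESCRIPTOR
                and self.wValue == (DESC_TYPE_DEVICE << 8))

def parse_setup(data: bytes) -> SetupPacket:
    if len(data) != 8:
        raise ValueError("a setup packet is exactly 8 bytes")
    return SetupPacket(*struct.unpack("<BBHHH", data))

@dataclass
class DeviceDescriptor:
    bLength: int
    bDescriptorType: int
    bcdUSB: int
    bDeviceClass: int
    bDeviceSubClass: int
    bDeviceProtocol: int
    bMaxPacketSize0: int
    idVendor: int
    idProduct: int
    bcdDevice: int
    iManufacturer: int
    iProduct: int
    iSerialNumber: int
    bNumConfigurations: int

DEVICE_DESC_FMT = "<BBHBBBBHHHBBBB"  # 18 bytes, no padding

def parse_device_descriptor(data: bytes) -> DeviceDescriptor:
    """Parse a device descriptor without trusting its self-declared bLength."""
    need = struct.calcsize(DEVICE_DESC_FMT)
    if len(data) < need:
        raise ValueError(f"short descriptor: got {len(data)} of {need} bytes")
    desc = DeviceDescriptor(*struct.unpack_from(DEVICE_DESC_FMT, data))
    if desc.bLength != need or desc.bDescriptorType != DESC_TYPE_DEVICE:
        raise ValueError("bLength/bDescriptorType do not describe a device descriptor")
    return desc
```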
Enumeration
2 Fuzzing approaches
Virtualized environments
Qemu: configuration 1
Dumb fuzzer: fuzzing the forwarded traffic between a virtual machine and a physical device.
Experimented by: Fabien Perigaud
Virtualized environments
Qemu: configuration 2
A virtual fuzzer device
Experimented by: MWR Labs
Virtualized environments
Qemu: configuration 3
USB traffic is forwarded to the host userland by the virtual device. There it is fuzzed and re-injected.
Experimented by: Tobias Mueller and Sergej Schumilo (vUSBf)
Virtualized environments
Feedback
Pros:
Restoration of the system to a healthy state using snapshots;
Better instrumentation and monitoring;
Easy to parallelize;
No special hardware needed.
Cons:
Not all OSes can be virtualized;
Possible bugs in the USB implementation of the hypervisor.
Hardware environment
Possibilities
Dedicated hardware
Pros: low-level capture/replay, scripting language
Cons: expensive, inflexible API
Example: Total Phase Beagle USB*
Microcontrollers and FPGAs
Pro: cheap
Con: you need to re-flash each time you modify the code
Examples: PIC, AVR (like Teensy with the LUFA library), Daisho for the FPGA
A compromise: the Facedancer?
Hardware environment
Facedancer
Introduction
Developed by Travis Goodspeed
Contains a serial/USB adapter, an MSP430 microcontroller and a USB controller
Allows USB device emulation by controlling it with Python scripts running on a remote machine
Figure: http://int3.cc/
Hardware environment
Limitations
Only 3 endpoints
No isochronous transfer support
Low data rate because of the serial connection over USB
No USB3 support
However, the Facedancer is enough to begin to fuzz.
3 Our tool
Features
Architecture
Figure: USB fuzzing architecture
Features
Usage
Features
Technical details
Base
Based on the open source tool Umap developed by Andy Davis
Umap is based on Travis Goodspeed’s code
Features
Contribution
Modifications
PCAP capture and replay
Mutation of replayed data with Radamsa
Frame choice, bytes and fuzzing patterns to apply
Fuzzing monitor with crash report
Step by step debug mode
4 Results
Bugs
Results on Windows 8.1
HID parsing
Other byte values that trigger the same crash as the one found by Andy Davis: not exploitable
Mass storage device
Incorrect check of the endpoint count in USBSTOR.sys: not exploitable
Study case
Mutated descriptor
Crafting a configuration descriptor that provides an interface containing 0 endpoints. Result: crash.
Study case
Enumeration
Study case
Crash analysis
We step into USBSTOR_SelectConfiguration.
Figure: USBSTOR.sys : USBSTOR_SelectConfiguration+EE
Study case
Crash analysis
Figure: usbd.sys : USBD_CreateConfigurationRequestEx+113
Duplication of the USB_INTERFACE_DESCRIPTOR.bNumEndpoints field.
Study case
Crash analysis
Figure: USBSTOR.sys : USBSTOR_SelectConfiguration+11
Duplication of the USBD_INTERFACE_INFORMATION structure.
Study case
Crash origin in x64
  ECX ← endpoint number
  ECX ← ECX − 1
  R8  ← 3 ∗ RCX
  R8  ← R8 ∗ 8 + 80
  memset(@dest, 0x0, R8)
If endpoint number is 0:
  ECX ← 0 − 1 = 0xffffffff
  R8  ← 0xffffffff ∗ 3 = 0x0002fffffffd
  R8  ← 0x0002fffffffd ∗ 8 + 80 = 0x1800000038
  memset(@dest, 0x0, 0x1800000038)
Study case
x86 problem
  EAX ← endpoint number
  EAX ← ECX − 1
  EAX ← EAX ∗ 0x14 + 0x38
  memset(@dest, 0x0, EAX)
If endpoint number is 0:
  EAX ← 0 − 1 = 0xffffffff
  EAX ← 0xffffffff ∗ 0x14 + 0x38 = 0x24 (32-bit wraparound)
  memset(@dest, 0x0, 0x24)
The last 20 bytes of the _URB_SELECT_CONFIGURATION structure are not initialized.
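Added example, neither the driver's code nor the authors': a Python model of the size arithmetic from the two slides above, with the 32-bit and 64-bit wraparound made explicit, next to the size the URB actually needs and a check that rejects bNumEndpoints = 0 before the subtraction. The per-pipe and base sizes are taken from the slides' formulas (0x14 and 0x38 on x86, 3*8 and 80 on x64); the validating fix is an assumption, not the vendor's patch.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

# Constants derived from the formulas on the slides (assumed, not read from driver
# source): each extra endpoint adds one pipe entry; the base URB already holds one.
PIPE_INFO_SIZE = {"x86": 0x14, "x64": 3 * 8}
BASE_URB_SIZE = {"x86": 0x38, "x64": 80}

def driver_memset_size(num_endpoints: int, arch: str) -> int:
    """Reproduce the register arithmetic shown on the slides, wrapping exactly as
    the CPU does. bNumEndpoints is an unsigned byte, so '- 1' is never checked."""
    if arch == "x64":
        ecx = (num_endpoints - 1) & MASK32   # 32-bit sub: 0 - 1 = 0xffffffff
        rcx = ecx                            # writing ECX zero-extends into RCX: sign lost
        r8 = (3 * rcx) & MASK64              # 0x2fffffffd
        return (r8 * 8 + 80) & MASK64        # 0x1800000038
    if arch == "x86":
        eax = (num_endpoints - 1) & MASK32
        return (eax * 0x14 + 0x38) & MASK32  # wraps back to 0x24 for zero endpoints
    raise ValueError(f"unknown arch {arch!r}")

def required_size(num_endpoints: int, arch: str) -> int:
    """Bytes the _URB_SELECT_CONFIGURATION really needs: the base URB plus one
    pipe entry per endpoint beyond the one already embedded in it."""
    extra = max(num_endpoints - 1, 0)
    return BASE_URB_SIZE[arch] + extra * PIPE_INFO_SIZE[arch]

def diagnose(num_endpoints: int, arch: str) -> str:
    """Classify what the driver's memset would do for a given bNumEndpoints."""
    got = driver_memset_size(num_endpoints, arch)
    need = required_size(num_endpoints, arch)
    if got > need:
        return "oversized memset"    # x64, n = 0: writes far past the allocation, crash
    if got < need:
        return "undersized memset"   # x86, n = 0: tail of the URB left uninitialized
    return "ok"

def safe_urb_size(num_endpoints: int, arch: str) -> int:
    """Defensive variant (assumed fix): refuse an interface descriptor with no
    endpoints before doing any arithmetic on bNumEndpoints - 1."""
    if not 0 < num_endpoints <= 0xFF:
        raise ValueError(f"invalid bNumEndpoints {num_endpoints}")
    return required_size(num_endpoints, arch)

if __name__ == "__main__":
    for arch in ("x64", "x86"):
        for n in (0, 1, 2):
            print(arch, n, hex(driver_memset_size(n, arch)), diagnose(n, arch))
```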
5 Conclusion
Conclusion and prospects
Currently
Functional capture sources: Facedancer and VMware
Host fuzzing is working
To do
Improve performance:
FPGA;
ARM board with OTG port for capture/replay using USB Gadget
Implement device fuzzing
Add other capture sources
Add USB3 support
[email protected] | @quarkslab.com
Questions?
Thanks to all the QuarksLab team and particularly Fernand Lone-Sang, Kevin Szkudlapski and Damien Aumaître.