Virtual USB Fuzzer Updates

Size: px

Start display at page:

Download "Virtual USB Fuzzer Updates"

Wilfrid Arthur Parsons
5 years ago
Views:

Virtual USB Fuzzer Updates [ 110.768243] usb 1-1: new full-speed USB device number 48 using xhci_hcd [ 111.028327] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 10 [ 111.

133086] usb 1-1: New USB device found, idvendor=04c5, idproduct=10c7 [ 111.134764] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 111.136602] usb 1-1: Product:?<89> [ 111.

1 Virtual USB Fuzzer Updates [ ] usb 1-1: new full-speed USB device number 48 using xhci_hcd [ ] usb 1-1: config 1 has 1 interface, different from the descriptor's value: 10 [ ] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint descriptors, different from the interface descriptor's value: 27 [ ] usb 1-1: New USB device found, idvendor=04c5, idproduct=10c7 [ ] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ ] usb 1-1: Product:?<89> [ ] usb 1-1: Manufacturer:?<89> [ ] usb 1-1: SerialNumber: % [ ] usbhid 1-1:1.0: couldn't find an input interrupt endpoint [ ] BUG: unable to handle kernel NULL pointer dereference at f [ ] IP: [<ffffffff8119ff4d>] kmalloc+0x8d/0x190 [ ] PGD 61a0067 PUD 59e5067 PMD 0 [ ] Oops: 0000 [#1] SMP [ ] Modules linked in: io_ti ipaq ftdi_sio usbserial snd_usb_audio snd_usbmidi_lib snd_hwdep snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore dvb_usb_dib0700 dib8000 dib7000m dib0090 dib0070 dib7000p dib3000mc dibx000_common dvb_usb dvb_core rc_core gspca_zc3xx gspca_main videodev usbhid hid cirrus ttm drm_kms_helper drm bnep rfcomm psmouse bluetooth serio_raw syscopyarea sysfillrect sysimgblt i2c_piix4 mac_hid parport_pc ppdev lp parport e1000 floppy [ ] CPU: 0 PID: 1252 Comm: systemd-udevd Not tainted generic #46-Ubuntu [ ] Hardware name: QEMU Standard PC (i440fx + PIIX, 1996), BIOS Bochs 01/01/2011 [ ] task: ffff f0 ti: ffff dc000 task.ti: ffff dc000 [ ] RIP: 0010:[<ffffffff8119ff4d>] [<ffffffff8119ff4d>] kmalloc+0x8d/0x190 [ ] RSP: 0018:ffff ddd80 EFLAGS: [ ] RAX: RBX: ffff d7780 RCX: f9e1 [ ] RDX: f9e0 RSI: RDI: ffffffff [ ] RBP: ffff dddb0 R08: R09: [ ] R10: ffff880005d42000 R11: R12: f [ ] R13: d0 R14: f8 R15: ffff [ ] FS: 00007f0081b02880(0000) GS:ffff (0000) knlgs: [ ] CS: 0010 DS: 0000 ES: 0000 CR0: b [ ] CR2: f CR3: CR4: f0 [ ] Stack: [ ] ffffffff ffff d7780 ffff880005d fffffff4 [ ] ffff de f8 ffff dde78 ffffffff [ ] ffff dddd0 ffffffff813199c3 ffff dde38 ffffffff81318d82 [ ] Call Trace: Sergej Schumilo - sergej@os-t.de

2 Bugs in USB Device Drivers USB Code runs inside the Kernel An exploit could potentially compromise the whole OS Privilege Escalation Kernel-Rootkit etc.. History (using HW fuzzers) CVE CVE CVE CVE Sergej Schumilo - sergej@os-t.de

3 Proof CVE CVE Sergej Schumilo - sergej@os-t.de

4 vusbf finds bugs fast! Speed -> more code coverage USB requires HW Solution vusbf: virtualize OS to execute multiple instances on emulate USB-device instead of using real USB-devices for data generation 4 Sergej Schumilo - sergej@os-t.de

5 vusbf Virtualization using QEMU / KVM USB Data injection through USB-Redirection protocol USB-Emulation of core protocol (Enumeration) and subprotocols (HID, SCSI, etc.) Permutation Fuzzing Engine Multiprocessing / Clustering capabilities Logging of crashes in reproducible formats Up to 360 test per second vusbf was initially released at Black Hat Europe Sergej Schumilo - sergej@os-t.de

6 vusbf Performance reload mode non reload mode HW fuzzer 0,5 0,5 vusbf Multiprocessing vusbf Clustering tests per seconds 6 Sergej Schumilo - sergej@os-t.de

7 vusbf CLI it s okay - but difficult to use and to demonstrate the impact 7 Sergej Schumilo - sergej@os-t.de

8 Introducing the new vusbf Frontend 8 Sergej Schumilo - sergej@os-t.de

9 vusbf Fronted 9 Sergej Schumilo - sergej@os-t.de

10 Introducing the CAOS Stick 10 Sergej Schumilo - sergej@os-t.de

capable to store multiple USB-Payloads Fully programmable

11 CAOS-Stick CRASH ANY OPERATING SYSTEM Based on LeoStick Arduino Leonardo compatible vusbf automatically generate compatible firmwares CAOS-Stick is capable to store multiple USB-Payloads Fully programmable Time-To-Wait-Until-Execute Timeout-Between-Payloads UART-Interface for debug purposes 11 Sergej Schumilo - sergej@os-t.de

12 Demo 12 Sergej Schumilo - sergej@os-t.de

13 Possible Payloads Multiple drivers of Linux, FreeBSD, OS X, MS Windows are vulnerable at least 30 vulnerable drivers in Linux Nullpointer-Dereferences, Page-Faults, Bufferoverflow, etc. appropriable for DoS-attacks Stack-Bufferoverflows only exploitable in combination of an information leakage 13 Sergej Schumilo - sergej@os-t.de

14 Future Work Manual analyses of discovered bugs Comprehensive vusbf fuzzing of OS X Publishing the bugs Implementation of more advanced USB fuzzing techniques Kernel-land AFL fuzzer USB-redirection fuzzer (learning by intercepting) Fuzz other kernel interfaces by using the already established infrastructure PCI-Express Intel Thunderbolt Local Kernel-Interfaces syscalls ioctl 14 Sergej Schumilo - sergej@os-t.de

15 Thank you! Questions? 15 Sergej Schumilo - sergej@os-t.de

OS-S Security Advisory Linux aiptek Nullpointer Dereference

OS-S Security Advisory Linux aiptek Nullpointer Dereference OS-S Security Advisory 2016-05 Linux aiptek Nullpointer Dereference Date: March 4 th, 2016 Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg CVE: CVE-2015-7515 CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)