Exploiting the Magic School Bus
Bratus/Goodspeed Facedancer: Exploiting the Magic School Bus

Thank you kindly,
• Searchio
• Dmitry Nedospasov

Facedancer10
• GoodFET41+MAX3420E
• Write a USB device in Python.
• Rapid Exploit Development

Maxim MAX3420E

Hop on the Magic School Bus!

Some USB terminology.
• Ports are called Endpoints.
• EP0 or the SETUP endpoint is for autoconfiguration.
• The setup exchange is called Enumeration.
• Devices are described by Descriptors.
  • Nested lengths.
  • Structs unique to each device class.
• Class types are standardized. (HID, Mass Storage)
• Vendor types are not. (FTDI, Wifi)

Exploit Development Cycle
• Sniff with Wireshark or VMWare.
• Read the driver.
• Find a vuln.
• Exploit it.

Without a Facedancer
1. Change your code.
2. Plug the dongle into your workstation.
3. Reflash it.
4. Move the dongle to your target.
5. Try it.

With a Facedancer
1. Change your code.
2. Try it.

Facedancer Architecture
• MSP430+FTDI, like any GoodFET.
• MAX3420 for USB Device Emulation.
• Minimal C firmware in the MSP430.
• Python Client on a real workstation.

GoodFET

Maxim MAX3420E

MAX3420 Registers
• The MAX3420 datasheet describes its registers.
• That's all you need to speak USB!

HID Emulation
• python goodfet.maxusbhid
• Easiest to implement.
• Lots of prior examples:
  • Social Engineering Toolkit
  • Teensy, AVR USB Key, vendor examples
• Embarrassing bugs remain!

Enumeration
• The device enumerates over its SETUP endpoint, EP0.
• This is how the host knows what the device does.

NAKs
• Whenever the device is too busy, it can give the host a NAK.

Exploiting Enumeration
• Host requests the first few bytes of the descriptor.
• Host mallocs that many bytes.
• Host reads the entire descriptor into a temporary buffer.
• Host memcpy()s the descriptor into the malloced buffer.
• PSGroove exploits this on the Playstation 3!

Hop on the Magic School Bus!
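The four-step host sequence above is where descriptor-length bugs of the PSGroove kind live: the allocation is sized from the first answer, the copy from the second. As an added example (not code from the slides or from the Facedancer/GoodFET project), here is a host-side C routine that performs the same two reads but rejects a second answer that disagrees with the first and walks the nested bLength fields before copying; the descriptor bytes are constructed, not captured from a device.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define USB_DT_CONFIG       0x02
#define USB_DT_CONFIG_SIZE  9

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Host-side version of the enumeration sequence on the slides, with the checks
 * the vulnerable pattern lacks: hdr/hdr_len is the first short read of the
 * configuration descriptor, full/full_len the second, complete read. Returns a
 * malloc'd copy of exactly wTotalLength bytes, or NULL on any inconsistency. */
uint8_t *copy_config_descriptor(const uint8_t *hdr, size_t hdr_len,
                                const uint8_t *full, size_t full_len,
                                size_t *out_len)
{
    if (hdr_len < USB_DT_CONFIG_SIZE || hdr[0] != USB_DT_CONFIG_SIZE ||
        hdr[1] != USB_DT_CONFIG)
        return NULL;
    uint16_t total = le16(hdr + 2);              /* wTotalLength from 1st read */
    if (total < USB_DT_CONFIG_SIZE)
        return NULL;
    /* The device answers the second request independently: it may deliver more
     * bytes, or a larger wTotalLength, than it advertised the first time. */
    if (full_len < total || le16(full + 2) != total)
        return NULL;
    /* Walk the nested descriptors: a bLength of 0 would loop forever and an
     * oversize bLength would let a later parser read past wTotalLength. */
    for (size_t off = 0; off < total; off += full[off])
        if (full[off] < 2 || off + full[off] > total)
            return NULL;
    uint8_t *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, full, total);                    /* never more than allocated */
    *out_len = total;
    return buf;
}

/* Constructed samples, not captured from a real device. */
const uint8_t good_desc[18] = {
    9, USB_DT_CONFIG, 18, 0, 1, 1, 0, 0x80, 50,  /* config, wTotalLength = 18 */
    9, 0x04, 0, 0, 1, 3, 0, 0, 0 };              /* one HID-class interface  */
/* Second read that claims and delivers 30 bytes after advertising 18. */
const uint8_t lying_desc[30] = {
    9, USB_DT_CONFIG, 30, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 1, 3, 0, 0, 0, 12, 0x21, 0 };
size_t demo_len;
```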
HID Format String
• Ubuntu 12.04, Xorg
• Manufacturer String: "%n%s%n%s%n%s"
• Device String: "%n%s%n%s%n%s"
• Thanks to the ChromeOS team!

Hop on the Magic School Bus!

Skype crashes too!

Hop on the Magic School Bus!

FTDI Emulation
• python goodfet.maxusbftdi
• Vendor/Manufacturer IDs now matter.
• BULK endpoints instead of INTERRUPT.
• BULK transfers are data bytes with a 1 or 2 byte header.
• SETUP transfers for rate, size, and other parameters.
• Protocol is fully explained in Linux code. (UGLY!)
• Protocol is better explained in OpenBSD code. (Incomplete.)

OpenBSD's uftdi.h for FTDI_SIO_RESET
• bmRequestType: "0100 0000"
• bRequest: FTDI_SIO_RESET (0x00)
• wValue:
  • 0, Reset SIO
  • 1, Purge RX Buffer
  • 2, Purge TX Buffer
• wIndex: Port
• wLength: 0
• Data: None

Hop on the Magic School Bus!

Host Mode Emulation
• Round-trip-time becomes an issue. (Only on OS X.)
• Code is already in SVN, but hardware will wait a while.
• Firmware security is even worse than in drivers!
• Most exploits can use libusb instead of a GoodFET.

Hop on the Magic School Bus!

Device Bugs
• Memory exposed by reads past the end of the Strings table.
• Integer overflows, stack smashing, etc.
• Never any ASLR; any DEP is accidental.

Hop on the Magic School Bus!

Fuzzing USB as a Device
• Write your own damn fuzzing scripts.
• Automatic disconnect/reconnect is essential!
• Python base, so use Scapy or Peach v.2.

Hop on the Magic School Bus!

Bus to Driver: The New Frontier

Targets in Linux
• Old and rare device.
• Anything with ugly code.

Hop on the Magic School Bus!

Targets in Windows
• Unmaintained drivers are gold.
• Auto-installation approximates Linux variety.
• Windows 8 disables misbehaving USB ports.

Hop on the Magic School Bus!

Targets on Mac
• Holy crap the stack's performance is bad.
• Can't emulate HID on localhost!
• Lack of driver variety can limit attack surface.

Hop on the Magic School Bus!

Hop on the Magic School Bus!
• Assembled boards will not be sold.
• PCBs available at cost, free for students.
• Limited stock today, hundred arriving next month.
• http://goodfet.sf.net/

Read the Fucking Paper
• http://travisgoodspeed.com/
• http://goodfet.sf.net/

Questions
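The uftdi.h slide earlier in the deck lists FTDI_SIO_RESET field by field. As an added example (not the project's goodfet.maxusbftdi code), this C routine decodes an 8-byte SETUP packet on the emulated-device side and accepts only requests matching that exact shape, stalling everything else; the sio_result names are this example's own, 0x40 is the slide's "0100 0000" bit pattern, and the packets are constructed.

```c
#include <stdint.h>

/* FTDI_SIO_RESET as listed from OpenBSD's uftdi.h on the slide. */
#define FTDI_SIO_RESET           0x00
#define FTDI_SIO_RESET_PURGE_TX  2      /* wValue: 0 reset, 1 purge RX, 2 purge TX */
#define REQTYPE_VENDOR_OUT       0x40   /* "0100 0000": host-to-device, vendor, device */

/* Names for the emulation's decision are this example's own, not uftdi.h's. */
enum sio_result { SIO_STALL = -1, SIO_DO_RESET = 0, SIO_DO_PURGE_RX = 1, SIO_DO_PURGE_TX = 2 };

struct usb_setup {
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;   /* little-endian on the wire */
};

static struct usb_setup unpack_setup(const uint8_t raw[8])
{
    struct usb_setup s;
    s.bmRequestType = raw[0];
    s.bRequest      = raw[1];
    s.wValue  = (uint16_t)(raw[2] | raw[3] << 8);
    s.wIndex  = (uint16_t)(raw[4] | raw[5] << 8);
    s.wLength = (uint16_t)(raw[6] | raw[7] << 8);
    return s;
}

/* Decide what the emulated FTDI device does with an 8-byte SETUP packet.
 * Anything that is not exactly the FTDI_SIO_RESET shape on the slide (other
 * request type, a data stage, an unknown wValue) is stalled rather than
 * guessed, so the emulation only accepts the one request it implements. */
enum sio_result ftdi_sio_reset_request(const uint8_t raw[8], uint16_t *port)
{
    struct usb_setup s = unpack_setup(raw);
    if (s.bmRequestType != REQTYPE_VENDOR_OUT || s.bRequest != FTDI_SIO_RESET)
        return SIO_STALL;
    if (s.wLength != 0)                  /* slide: wLength 0, Data: None */
        return SIO_STALL;
    if (s.wValue > FTDI_SIO_RESET_PURGE_TX)
        return SIO_STALL;
    *port = s.wIndex;                    /* slide: wIndex = Port */
    return (enum sio_result)s.wValue;
}

/* Constructed packets, not captured from a real host. */
const uint8_t purge_rx_port1[8]  = { 0x40, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00 };
const uint8_t wrong_direction[8] = { 0xC0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00 };
const uint8_t has_data_stage[8]  = { 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00 };
uint16_t demo_port;
```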