USB attacks need physical access right? Not any more...



Similar documents
Using Microsoft RemoteFX USB Redirection to forward an F-Response Dongle

Configuring RemoteFX on Windows Server 2012 R2

Windows Embedded Compact 7: RemoteFX and Remote Experience Thin Client Integration

USB Undermining Security Barriers

rs-ba1 remote control software quick reference guide

FabulaTech Products Advanced Communications Solutions

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Cloudvue Remote Desktop Client GUI User Guide

Connecting your Blackberry to Aliant Hosted Exchange. Instructions for connecting Blackberry hand-held devices to Aliant Hosted Exchange

MCTS Guide to Microsoft Windows Server 2008 Applications Infrastructure Configuration (Exam # )

Remote Desktop Services Overview. Prerequisites. Additional References

Deploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide

Kaseya 2. Quick Start Guide. for Network Monitor 4.1

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

ViPNet ThinClient 3.3. Quick Start

Deploying F5 with Microsoft Remote Desktop Services

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions

Technical Note. CounterACT: Powerful, Automated Network Protection Inside and Out

Kaseya 2. User Guide. for Network Monitor 4.1

Windows Operating Systems. Basic Security

Advanced Aircraft Analysis 3.6 Network Floating License Installation

Decrypting RDP Traffic with Message Analyzer Bryan S. Burgin Sr. Escalation Engineer, Developer Support, Open Specs Microsoft Corporation

How To Secure Your System From Cyber Attacks

Host Installation on a Terminal Server

Kaseya 2. Quick Start Guide. for Network Monitor 4.1

Redirect Printer Port to LPT3 for Printing to Local Printer in Remote Desktop Session

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

e-dpp May 2013 Quick Installation Guide Microsoft Windows 2003 Server, XP, Vista, 7 Access Database

Guide for Remote Control PDA

M2M Series Routers. Port Forwarding / DMZ Setup

Software Installation Guide

Kepware Technologies Remote OPC DA Quick Start Guide (DCOM)

Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V

Setting up VPN and Remote Desktop for Home Use

FileMaker Pro 11. Running FileMaker Pro 11 on Terminal Services

Windows Remote Access

The Remote Desktop Connection Handbook. Brad Hards Urs Wolfer

Palomar College Dial-up Remote Access

New possibilities in latest OfficeScan and OfficeScan plug-in architecture

Deploying Microsoft RemoteFX for Personal Virtual Desktops Step-by-Step Guide

HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide

How to Download Images Using Olympus Auto-Connect USB Cameras and Olympus Master

UBC Digital Signage Service: CoolSign 5.0 Initial Set- up Guide

Software Installation Guide

End-User troubleshooting guide For Sentinel SuperPro/UltraPro and Sentinel Hardware Keys

Getting Started With Halo for Windows For CloudPassage Halo

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

Guide to Installing BBL Crystal MIND on Windows 7

Installing the OKI MCx61MFP USB Attached, in Windows 8

Windows MultiPoint Server 2011 Deployment Guide. Document Version 1.0 March 2011

Comodo MyDLP Software Version 2.0. Endpoint Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Adafruit's Raspberry Pi Lesson 5. Using a Console Cable

Network/Floating License Installation Instructions

Setting up Hyper-V for 2X VirtualDesktopServer Manual

FileMaker Pro 13. Using a Remote Desktop Connection with FileMaker Pro 13

Stephen Coty Director, Threat Research

How To Install The Safenet-Inc.Com Software On A Pc Or Mac Or Macintosh (For A Powerpoint) With A Powerline (For Windows) Or Ipad (For Mac) With The Safetime (For Pc

Configuring Windows 7 64 bit for AutoVISION

Setting up VPN and Remote Desktop for Home Use

HP ThinPro. Table of contents. Enabling RemoteFX for RDP. Technical white paper

DSG SoftPhone & USB Phone Series User Guide

Locking down a Hitachi ID Suite server

Non-ThinManager Components

Immotec Systems, Inc. SQL Server 2005 Installation Document

Transferring Scans from your Dolphin into Destiny

BorderGuard Client. Version 4.4. November 2013

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

e-gate USB Smart Card Driver Install Notes (Windows 98/98SE/Me)

FileMaker Pro 12. Using a Remote Desktop Connection with FileMaker Pro 12

Thinspace deskcloud. Quick Start Guide

Managing Remote Access

Installation Procedure For McAfee Agent

WinConnect Server ES User Manual

Smart Card Certificate Authentication with VMware View 4.5 and Above WHITE PAPER

Core Protection for Virtual Machines 1

LifeCyclePlus Version 1

Oracle Retail XBR Loss Prevention and Store Analytics Remote Desktop Services Configuration Guide Release 7.0. August 2015

FAR 23 LOADS 6.0 Network Floating License Installation

SA Citrix Virtual Desktop Infrastructure (VDI) Configuration Guide

Important Notes for WinConnect Server ES Software Installation:

Running FileMaker Pro 5.0v3 on Windows 2000 Terminal Services

Networking Best Practices Guide. Version 6.5

ScreenBeam. Configurator for. Windows 8.1. User Manual V1.2

NAS 323 Using Your NAS as a VPN Server

HP ThinPro. Table of contents. USB Manager. Technical white paper

This document is intended to make you familiar with the ServersCheck Monitoring Appliance

DIRECT INTERNET DATA. User s Guide

Release Notes. Contents. Release Purpose. Platform Compatibility. Windows XP and Internet Explorer 8 Update

Encrypting with BitLocker for disk volumes under Windows 7

SETUP MANUAL. Midmark Products over Thin Client Environments

How To Deploy Software Updates Using SCCM 2012 R2

Quick start to evaluating HP Windows Embedded Standard 2009 Thin Clients. HP t5630w, HP t5730w, HP t5740, HP gt7720

Installation Guide. Installing MYOB AccountRight in a Remote Desktop Services Environment

PCLinq2 Hi-Speed USB Bridge-Network Cable. Quick Network Setup Guide

Network DK2 DESkey Installation Guide

TE100-P21/TEW-P21G Windows 7 Installation Instruction

Leostream Corporation leostream.com Share this Whitepaper!

Transcription:

An NCC Group Publication USB attacks need physical access right? Not any more... Prepared by: Andy Davis Research Director andy.davis at nccgroup dot com

Contents 1 Introduction... 3 2 The bug and how it can be triggered... 3 3 USB Redirection via RDP... 4 3.1 Problems with remote exploitation via High-Level redirection... 4 4 RemoteFX USB Redirection... 5 4.1 Enable RemoteFX on the client... 6 4.2 Remote FX USB redirection attack... 7 5 How can you reduce the risks?... 10 5.1 Disable RemoteFX on servers... 10 5.2 Disable RemoteFX on clients... 10 5.3 Use more granular RemoteFX security controls... 10 5.4 Take local USB vulnerabilities more seriously... 10 6 Conclusions and implications for future USB bugs... 10 List of Figures and Tables Figure 1: Bugcheck triggered by bug in usbaudio.sys Figure 2: RDP client connected to an RDP server Figure 3: A rogue USB device is connected to the client Figure 4: The bug is triggered on the RDP client rather than the RDP server Figure 5: Local Windows policy setting to enable RemoteFX USB redirection Figure 6: RDP client Local Resource settings Figure 7: RDP client RemoteFX USB device settings Figure 8: RDP client configured to use RemoteFX connected to a Windows 2012 RDP server Figure 9: Legitimate USB device inserted into the RDP client machine Figure 10: The RDP session Devices icon Figure 11: The USB devices that can be redirected via RemoteFX USB redirection Figure 12: The rogue device is now inserted and will be redirected via RemoteFX USB redirection Table 1: A comparison between RemoteFX and High-Level USB redirection NCC Group Page 2

1 Introduction Historically USB bugs have required physical access so that a rogue device can be inserted into the target system to trigger a vulnerability by supplying malicious data, often within a USB protocol descriptor. This paper provides step-by-step instructions, showing how to remotely trigger a Windows-based USB bug by using a combination of open source hardware, open source software and new functionality provided by Microsoft RDP server. 2 The bug and how it can be triggered The USB bug that will be used for the demonstration resides in an audio driver (usbaudio.sys) and runs in kernel mode on all current versions of Microsoft Windows. When it is triggered a Bugcheck (or BSOD) occurs; however, Microsoft has confirmed that it is a Denial of Service bug that does not result in code execution and therefore, they do not consider it to be a security issue. Figure 1: Bugcheck triggered by bug in usbaudio.sys The bug can be triggered using umap * (Note: ensure you have the latest testcases.py) as follows: $ sudo python3 umap.py -P /dev/ttyusb0 -s 01:01:00:C:4 --------------------------------------- '_ ` _ \ / _` '_ \ _ (_ _) \,_ _ _ _ \,_. / _ The USB host assessment tool Andy Davis, NCC Group 2013 Version: 1.0 Based on Facedancer by Travis Goodspeed For help type: umap.py -h --------------------------------------- Fuzzing: 2014/02/18 12:43:34 Class-specific data... Audio class: 0004 - CSInterface1_bInCollection_null * https://github.com/nccgroup/umap NCC Group Page 3

3 USB Redirection via RDP For many years the remoting of different USB devices has been possible via RDP, using a method known as High-Level redirection. The support for different USB device types has increased steadily as different device-specific remoting techniques have been added to the RDP protocol; examples are listed below: Easy Print Drive Redirection Smart Card Redirection Plug-and-Play Device Redirection Input Redirection Audio Redirection Port Redirection 3.1 Problems with remote exploitation via High-Level redirection The fundamental problem with trying to exploit a USB bug via High-Level redirection is that the driver used for the USB device resides on the client, not on the server and therefore, an exploitation attempt would look something like Figures 2 to 4. Firstly, the RDP client is configured to use High-Level redirection for the USB device associated with the attack then a connection is established between the RDP client and RDP server: Figure 2: RDP client connected to an RDP server Next, the rogue USB device (that will trigger the bug) is inserted into the RDP client machine: Figure 3: A rogue USB device is connected to the client NCC Group Page 4

However, because the driver used in High-Level USB redirection resides on the RDP client machine, the bug is triggered on the client rather than the server (if the client machine is not vulnerable to the bug being tested then nothing will happen): Figure 4: The bug is triggered on the RDP client rather than the RDP server 4 RemoteFX USB Redirection However, there is another, more recent USB redirection technology that was introduced with Windows Server 2012, called RemoteFX USB redirection. Table 1 lists the differences between RemoteFX and High-Level USB redirection technologies and as highlighted within the table, the most important change from the perspective of remote exploitation is that with RemoteFX, the USB driver used is the one installed on the RDP server. RemoteFX USB Redirection Does not require drivers on the client Requires device driver to be installed on the server Uses on redirection method for many types of devices Forwards URBs to and from the device over the DRP connection Enables only one session to use a device at a given time; the local client cannot use the device while an RDP session is using it Is optimised for the LAN, like the rest of RemoteFX RDP High-Level Device Redirection Requires drivers for the device to be installed on the client Generally does not require drivers on the server Uses a specific, unique method for each type of device being redirected Exposes high-level device functionality in the remote session by using an optimised protocol for the device type Enables any number of sessions to access the device simultaneously, including the local client Works with both LAN and WAN Table 1: A comparison between RemoteFX and High-Level USB redirection (from blogs.msdn.com) NCC Group Page 5

4.1 Enable RemoteFX on the client In order to use RemoteFX USB redirection, the RDP client needs to be configured to do so, by setting the following option in the local Windows Group Policy settings: Group Policy name: Allow RDP redirection of other supported RemoteFX USB devices from this computer Group Policy setting: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection Figure 5: Local Windows policy setting to enable RemoteFX USB redirection Once the setting has been changed, the following command needs to be issued and then the client machine rebooted: C:\> gpupdate /force Once the machine has rebooted and the RDP client started, select Local Resources, as shown in Figure 6 and a new checkbox will have appeared, called Other supported RemoteFX USB devices, as shown in Figure 7. This confirms that RemoteFX USB redirection has been successfully configured on the RDP client. NCC Group Page 6

Figure 6: RDP client Local Resource settings Figure 7: RDP client RemoteFX USB device settings 4.2 Remote FX USB redirection attack Now we are ready to launch the USB attack against a remote Windows 2012 server running an RDP server. First, select the Other supported RemoteFX USB devices checkbox within the RDP client settings and then establish an RDP session with the remote machine (Figure 8). Note: The attacker still needs to authenticate with the remote machine using a valid user account; however, the privilege level of this user is irrelevant (the built-in Guest user can successfully be used, if it is enabled). Figure 8: RDP client configured to use RemoteFX connected to a Windows 2012 RDP server Next, a legitimate USB device is inserted into the RDP client machine to establish the redirection associated with that device (Figure 9). This can be achieved using umap as follows: NCC Group Page 7

$ sudo python3 umap.py -P /dev/ttyusb0 -e 01:01:00 --------------------------------------- '_ ` _ \ / _` '_ \ _ (_ _) \,_ _ _ _ \,_. / _ The USB host assessment tool Andy Davis, NCC Group 2013 Version: 1.0 Based on Facedancer by Travis Goodspeed For help type: umap.py -h --------------------------------------- Emulating 01:01:00 - Audio : Audio control : PR Protocol undefined Facedancer reset GoodFET monitor initialized MAXUSB initialized MAXUSB enabled MAXUSB revision 19 MAXUSB connected device USB audio device USB audio device received request dir=1, type=0, rec=0, r=6, v=256, i=0, l=64 USB audio device received GET_DESCRIPTOR req 1, index 0, language 0x0000, length 64 MAXUSB wrote 12 01 00 02 00 00 00 40 1e 04 02 04 00 01 01 02 03 01 to endpoint 0 USB audio device received request dir=0, type=0, rec=0, r=5, v=7, i=0, l=0 USB audio device received SET_ADDRESS request for address 7 USB audio device received request dir=1, type=0, rec=0, r=6, v=256, i=0, l=18 USB audio device received GET_DESCRIPTOR req 1, index 0, language 0x0000, length 18 MAXUSB wrote 12 01 00 02 00 00 00 40 1e 04 02 04 00 01 01 02 03 01 to endpoint 0 USB audio device received request dir=1, type=0, rec=0, r=6, v=512, i=0, l=255 USB audio device received GET_DESCRIPTOR req 2, index 0, language 0x0000, length 255 MAXUSB wrote 81 03 04 00 02 to endpoint 0 <Truncated for brevity> Figure 9: Legitimate USB device inserted into the RDP client machine Within the RDP session a new Devices icon is displayed (Figure 10), which when clicked will display the device type that can be remoted, which in this instance is a Creative HS-720 Headset (Figure 11). NCC Group Page 8

Figure 10: The RDP session Devices icon Figure 11: The USB devices that can be redirected via RemoteFX USB redirection Quickly select this checkbox and click OK to enable future remoting of this device (before the device emulation in umap times out). Next, (virtually) insert the rogue device by issuing the following umap command line: $ sudo python3 umap.py -P /dev/ttyusb0 -s 01:01:00:C:4 This will now use the previously selected USB redirection for the device during the session (Figure 12) and trigger the bug on the remote server. Figure 12: The rogue device is now inserted and will be redirected via RemoteFX USB redirection NCC Group Page 9

5 How can you reduce the risks? There are a number of steps you can take to reduce the risks associated with this type of attack; these are detailed below. 5.1 Disable RemoteFX on servers If RemoteFX is not required on the server, turn it off using Group Policy. Group Policy name: Configure RemoteFX Group Policy setting: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host \Remote Session Environment 5.2 Disable RemoteFX on clients Disable RemoteFX USB redirection on clients using Group Policy. Group Policy name: Allow RDP redirection of other supported RemoteFX USB devices from this computer Group Policy setting: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Redirection Group Policy name: Do not allow supported Plug and Play device redirection Group Policy setting: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host \Device and Resource Redirection 5.3 Use more granular RemoteFX security controls Information about how more granular control can be exercised over RemoteFX USB redirection is provided by Microsoft on the MSDN site. 5.4 Take local USB vulnerabilities more seriously As it has now been demonstrated that the potential impact associated with USB bugs has increased, be more cautious of local USB vulnerabilities and ensure that any security patches released are appropriately installed. 6 Conclusions and implications for future USB bugs This paper has shown that USB bugs are no longer just a threat associated with physical access to machines. The recent addition of more fully featured remoting technologies has extended the reach of USB attacks and with Microsoft Windows, has increased the exposure to the kernel via attacks against USB drivers over the network. Therefore, appropriate steps, as described above, should be taken to secure server infrastructures where RemoteFX USB redirection could be deployed. http://blogs.msdn.com/b/rds/archive/2010/06/10/introducing-microsoft-remotefx-usb-redirection-part-2.aspx NCC Group Page 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information