Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160818195024.GB17944@1wt.eu>
Date: Thu, 18 Aug 2016 21:50:24 +0200
From: Willy Tarreau <w@....eu>
To: Adam Maris <amaris@...hat.com>
Cc: oss-security@...ts.openwall.com, Marcus Meissner <meissner@...e.de>,
        Greg KH <greg@...ah.com>, cve-assign@...re.org, security@...nel.org
Subject: Re: Re: CVE Request: Linux kernel crash of OHCI when
 plugging in malicious USB devices

On Thu, Aug 18, 2016 at 08:16:27PM +0200, Adam Maris wrote:
> Attacker doesn't necessarily need to have physical access to USB port. He
> can somehow
> hand USB off to the victim that will with good intentions stick it to his
> USB port, unexpectedly
> causing kernel panic. Difference is that one probably wouldn't pour glue or
> corrosive liquid
> into his USB port believing that nothing bad will happen.

Well, it happened to me when I was a kid, with a PS/2 port. I handed off
a device to someone of trust to connect to the PS/2 port and parallel port.
(PS/2 to pick the +5V). I wired it wrong and the motherboard died, as
amazing as it seems and the person didn't find it fun as it was not his PC.

So yes it can be done even without suspecting. It's easy to do whatever you
want using a USB stick. You can use the 3W it provides to charge a 300V
capacitor and discharge it on the D+/D- to test the clamping diodes
robustness, etc...

Thus I don't think either that something "only causing a panic" deserves
a CVE. It needs to be fixed however, for sure!

Regards,
Willy

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.