Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160823053842.GB21570@1wt.eu>
Date: Tue, 23 Aug 2016 07:38:42 +0200
From: Willy Tarreau <w@....eu>
To: Marcus Meissner <meissner@...e.de>
Cc: oss-security@...ts.openwall.com, Adam Maris <amaris@...hat.com>,
        Greg KH <greg@...ah.com>, cve-assign@...re.org, security@...nel.org
Subject: Re: Re: CVE Request: Linux kernel crash of OHCI when
 plugging in malicious USB devices

Hi Marcus,

On Mon, Aug 22, 2016 at 05:24:49PM +0200, Marcus Meissner wrote:
> Hi,
> 
> This seems a bit sore topic, and Mitre does not want to chime in.
> 
> Perhaps we need to add more criteria to select CVE assignment.
> 
> - simple DOS (e.g. NULL ptr dereference) when plugging in: No CVE
> - code execution (use after free, write overflows) when plugging in: Assign CVE

I'd classify it differently : something where a bug allows someone
unauthorized to do something he couldn't do differently needs a CVE.
That includes memory corruption, code execution, privilege increases,
local DoS/panic/oops by just executing an exploit, etc. Here we're
speaking about someone plugging some hardware into an open port which
immediately takes the whole system down. Sure, the faulty code makes
this possible. But the hardware is purposely designed for this. I can
also design some hardware which takes the system down and possibly even
fries it without involving the code at all. So once this device is
built, if we assign a CVE, nobody will fix it and it will not even
apply to any specific OS. Oh, after just one Google request I found
that I was not the first one to think about it, it already exists :

   http://arstechnica.com/security/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/

> That said, this leaves malicious USB devices posing as regular keyboards 
> for text injection unclassified ... 

You can't differenciate them from a real keyboard operated by someone
typing from memory. It already happened to me at least once to enter
some hex shell code via a keyboard connected to a KVM to try to recover
access to a remote machine where the password was lost. How is this
different from having an AVR-based Digispark, Trinklet or whatever
allowing you to emulate a keyboard to inject code sequences ? I had
one adding "+ +" to the user's .rhosts 1 minute after being plugged
in some time ago (just as a proof of concept). The OS is not at fault
here, only the user accepting to plug whatever into their system.

Cheers,
Willy

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.