USB Attacks Going Commercial?

in the public hacking world, so far we have mostly seen usb technology from security vendors… not the attackers side.

a few years ago we had discussions on pen-test, and later bugtraq and fd on these risks, following an article in 2600 and a post from me on the risks digest. on pen-test, harlan carvey and others also followed up.
since then there have been multiple threads everywhere. this was not new back then, either, imo.

back then i mainly addressed the risk of driver attacks (now more acknowledged since blackhat 2005 and blackhat 2006 presentations on the subject appeared), and didn’t get much attention. hackers did not know usb technology that well and most did not see what the heck drivers had to do with it.

what did come up were the risks of autorun technology (which is a simple solution to making usb devices execute code). these were not as easy as they first appeared, and did not work if windows xp’s screen saver was active. still, things were interesting and my fav quote of: the janitor is the richest person in the organization, got some interest.

today, with several usb buffer overflow discovered (mostly in the linux kernel) and driver attacks getting more attention, i came across the following blog entry by xavier ashe.

in his blog he discusses a usb autorun technology which is actually an hacking tool, combined with a password stealing program/script, and how the actual attack works despite of old issues with autorun. it exploits the u3 technology, as he explains:

in this segment we’ll overview a few of microsoft window’s security weaknesses and show how to build a custom usb key that will retrieve vital information from a target computer, necessary for auditing password strength. a major flaw in the way windows stores password information is the use of the legacy lm, or lan manager hash. while this hash is based on des encryption it is vulnerable to time-memory trade-off attacks due to it’s poor implementation. our custom usb key uses new u3 technology to automatically and invisibly retrieve these weak hashes within seconds of being inserted into the target computer. from here the lm hashes can be tested against a set of rainbow tables using the popular rainbowcrack software and audited for password strength. we will also cover password best practices and prevention methods for this type of attack.

the beauty of our custom password hash retrieving usb key comes from it’s unique use of u3 technology. u3 is relatively new usb flash drive technology developed by u3 llc in cooperation with sandisk and m-systems. more information about u3 can be found at the website http://www.u3.com

it basically uses a portion of the flash drive’s memory as a virtual cd-rom drive. this allows the windows autorun feature to work properly, enabling us to run programs as soon as the drive is inserted into a computer. the autorun feature does not work properly on standard usb flash drives so a u3 enabled usb flash drive is required to make this work.

further, he points to an article at hak.5 on how to set it up:
http://www.hak5.org/forums/viewtopic.php?p=31505

people used to glue usb ports when security was paramount, today that is no longer an option and other solutions from different vendors have been created. i don’t like the buzz and hype around this subject, as important as it might be. it is just one of many different threats that corporate security should include in its design. let’s not all make people take off their shoes to prevent them using shoes in attacks, but rather secure things right?

gadi evron,
ge@beyondsecurity.com.

Share
  • http://windowsir.blogspot.com keydet89

    There’s an important distinction here…though the U3 stuff is on a physical USB thumb drive, the U3 utilities create a small CDFS partition that is recognized by a Windows system as a CD, and is therefore autorun enabled by default.

    This functionality, of course, can be disabled via the Registry.