
Critical Windows USB exploit allows flash drives to grant root access, patch issued


humble3d


Critical Windows USB exploit allows flash drives to grant root access, patch issued

By Rick Burgess

On March 13, 2013, 4:30 PM

Security Update for Windows XP (KB2807986)

 


Microsoft's Patch Tuesday yielded an interesting security fix for a glaring vulnerability in how the Windows kernel handles USB device enumeration. The critical vulnerability allowed potential hackers with physical access to a Windows PC to run arbitrary code with system user privileges -- even while Windows was locked and users logged off.

Would-be hackers could exploit the security hole by merely inserting a specially-formatted USB flash drive with a custom device descriptor. During device detection, the Windows kernel would parse this information and execute malicious code found on such a USB drive, irrespective of autorun or AutoPlay settings. The code would run with elevated system privileges.

Microsoft's researchers admit this attack may indicate other, similar "avenues of exploitation" -- but perhaps where physical access to the host system is not required.

The vulnerability (MS13-027) is found across all versions of Windows ranging from Windows 8 to as far back as Windows XP SP2, including Windows Server variants.

Because the hack requires no user interaction and exploits how Windows kernel-mode drivers handle memory-resident objects, the security snafu could be exploited even without a logged-on user or while a Windows system is locked.

Having physical access to a computer can make rooting a standard Windows box relatively straightforward; however, exploits which require only brief casual access can be dangerous, particularly in office and educational settings -- a user's privacy and security can be compromised in a matter of seconds.

Microsoft addressed this security issue in yesterday's round of updates. Windows Update is the simplest way to install the patch, but it can also be downloaded and installed manually.

MS13-027: Addressing an issue in the USB driver requiring physical access
swiat 12 Mar 2013 9:59 AM
Today we are addressing a vulnerability in the way that the Windows USB drivers handle USB descriptors when enumerating devices. (KB 2807986). This update represents an expansion of our risk assessment methodology to recognize vulnerabilities that may require physical access, but do not require a valid logon session. Windows typically discovers USB devices when they are inserted or when they change power sources (if they switch from plugged-in power to being powered off of the USB connection itself). To exploit the vulnerability addressed by MS13-027, an attacker could add a maliciously formatted USB device to the system. When the Windows USB device drivers enumerate the device, parsing a specially crafted descriptor, the attacker could cause the system to execute malicious code in the context of the Windows kernel.

Because the vulnerability is triggered during device enumeration, no user intervention is required. In fact, the vulnerability can be triggered when the workstation is locked or when no user is logged in, making this an un-authenticated elevation of privilege for an attacker with casual physical access to the machine. Other software that enables low-level pass-through of USB device enumeration may open additional avenues of exploitation that do not require direct physical access to the system.

- Josh Carlson and William Peteroy, MSRC

Attack Vector, kernel
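
Added example, not part of the original thread and not Microsoft's driver code: the MSRC post says the flaw is reached while a driver parses device-supplied descriptors, so this sketch shows the consistency checks a parser needs before trusting any length or index in a configuration descriptor set. Field offsets follow the USB 2.0 standard descriptor layout; the function names, result codes and sample bytes are constructed for illustration, and the page does not say which check the unpatched driver lacked.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { DT_CONFIG = 2, DT_INTERFACE = 4, DT_ENDPOINT = 5 };   /* USB 2.0 descriptor types */
enum { DESC_OK = 0, DESC_TRUNCATED = -1, DESC_BAD_LENGTH = -2, DESC_BAD_INDEX = -3 };

/* Accept a configuration descriptor set only if every device-supplied
 * length and index is consistent with the bytes actually received. */
int validate_config(const uint8_t *buf, size_t received)
{
    if (received < 9 || buf[0] != 9 || buf[1] != DT_CONFIG)
        return DESC_TRUNCATED;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);    /* wTotalLength (LE) */
    if (total < 9 || total > received)
        return DESC_BAD_LENGTH;            /* claims more than was transferred */
    uint8_t num_ifaces = buf[4];           /* bNumInterfaces */
    for (size_t off = 9; off < total; ) {
        size_t left = total - off;
        if (left < 2)
            return DESC_TRUNCATED;         /* no room for bLength + bDescriptorType */
        uint8_t len = buf[off], type = buf[off + 1];
        if (len < 2 || len > left)
            return DESC_BAD_LENGTH;        /* 0 would never advance; too long overruns */
        if (type == DT_INTERFACE) {
            if (len < 9) return DESC_BAD_LENGTH;
            if (buf[off + 2] >= num_ifaces) /* bInterfaceNumber used as an index */
                return DESC_BAD_INDEX;
        } else if (type == DT_ENDPOINT && len < 7) {
            return DESC_BAD_LENGTH;
        }
        off += len;
    }
    return DESC_OK;
}

/* Constructed sample: one configuration, one interface, one bulk IN endpoint. */
static const uint8_t SAMPLE[25] = {
    9, DT_CONFIG, 25, 0, 1, 1, 0, 0x80, 50,
    9, DT_INTERFACE, 0, 0, 1, 0x08, 0x06, 0x50, 0,
    7, DT_ENDPOINT, 0x81, 0x02, 0x00, 0x02, 0 };

/* Overwrite one byte of the sample, then validate `received` bytes of it. */
int check_mutated(size_t idx, uint8_t value, size_t received)
{
    uint8_t tmp[sizeof SAMPLE];
    memcpy(tmp, SAMPLE, sizeof tmp);
    if (idx < sizeof tmp) tmp[idx] = value;
    return validate_config(tmp, received < sizeof tmp ? received : sizeof tmp);
}
```

All of these checks run before any file system or AutoPlay logic is involved, which is why the enumeration path has to treat every descriptor byte as untrusted input.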




			
		

To protect oneself against not only USB removable drives - but, all volumes (from past, present & future vulnerabilities) in 2 easy steps:-

01.) Disable autoplay

02.) Immunize all removable drives and also internal drives with the help of the following illustration.

5nqk9k.jpg

Disclaimer:

This little tip may not work for the following types of Characters:

  • The Vain
  • The Dead
  • The Proud
  • The n00bs
  • The Sheep
  • The Dense
  • The Slaves
  • The Losers
  • The Biased
  • The MisFits
  • The Prudes
  • The Flaccid
  • The Morons
  • The Pussies
  • The Lamers
  • The KillJoys
  • The Gullible
  • The Jealous
  • The Rippers
  • The Retards
  • The Flamers
  • The Faggots
  • The Blamers
  • The Quitters
  • The Whiners
  • The ShitLess
  • The Dumbos
  • The Flunkies
  • The FullCups
  • The Stoogies
  • The Haughty
  • The Eunuchs
  • The Doubtful
  • The Paranoid
  • The Yes-Men
  • The Accusers
  • The Laggards
  • The Theorists
  • The Alarmists
  • The ImPotent
  • The Gamblers
  • The ImPatient
  • The CryBabies
  • The Comatose
  • The InCapable
  • The Weaklings
  • The Pessimists
  • The Hypocrites
  • The Lamenters
  • The LukeWarm
  • The Ignoramus
  • The Contended
  • The DisInclined
  • The PallBearers
  • The ShameLess
  • The ImPractical
  • The SpoilSports
  • The Know-It-All
  • The Astrologers
  • The Vanquished
  • The Speculators
  • The GreenHorns
  • The Conformists
  • The Constipated
  • The SoothSayers
  • The Conspirators
  • The Philosophers
  • The UnCharitable
  • The DayDreamers
  • The non-Believers
  • The Escape Artists
  • The InCompetents
  • The OverConfident
  • The Living UnDead
  • The UnResourceful
  • The Breast Beaters
  • The Fuddy Duddies
  • The Procrastinators
  • The Rabble Rousers
  • The Rumor Mongers
  • The WindowsBashers
  • The FanBoyz & FanGals
  • The Don't-Fix-It-If-It's-Not-Broken



I doubt even disabling autoplay would automatically protect you from this, since the OS automatically performs device enumeration when a USB device is plugged in. I assume this is also why you don't have to restart your computer when you plug in USB devices, unlike PS/2 devices.



Would-be hackers could exploit the security hole by merely inserting a specially-formatted USB flash drive with a custom device descriptor. During device detection, the Windows kernel would parse this information and execute malicious code found on such a USB drive, irrespective of autorun or AutoPlay settings. The code would run with elevated system privileges.

Good thing it's patched



dcs18 i don't see how what you're saying will protect you.

the story mentions a custom device descriptor..



dcs18 i don't see how what you're saying will protect you.

If you don't see - don't use it.

Edit:

Added a Disclaimer, for the deaf, mute & . . . . . . . . . . . . . . . . . . . The Blind.



dcs18 i don't see how what you're saying will protect you.

If you don't see - don't use it.

Edit:

Added a Disclaimer, for the deaf, mute & . . . . . . . . . . . . . . . . . . . The Blind.

aren't you a hot head your words and disclaimer seems rude anyway just chill bro! ;)



dcs18 i don't see how what you're saying will protect you.

If you don't see - don't use it.

Edit:

Added a Disclaimer, for the deaf, mute & . . . . . . . . . . . . . . . . . . . The Blind.

aren't you a hot head your words and disclaimer seems rude anyway just chill bro! ;)

Why don't you; chill yourself . . . . . . . . . bro. (those who find themselves listed in my Disclaimer will find it rude - those who don't . . . . . . won't - how about you???) :coolwink:



sweet i love fights but sorry this the end and goodluck with the disclaimer stuff :hypocrite:



they should really correct that typo, it should be "its volume label" not "it's"



dcs18 i don't see how what you're saying will protect you.

If you don't see - don't use it.

Edit:

Added a Disclaimer, for the deaf, mute & . . . . . . . . . . . . . . . . . . . The Blind.

aren't you a hot head your words and disclaimer seems rude anyway just chill bro! ;)

Why don't you; chill yourself . . . . . . . . . bro. (those who find themselves listed in my Disclaimer will find it rude - those who don't . . . . . . won't - how about you???) :coolwink:

not only are you acting like a rude jerk again for no good reason but you are far too cocky for your own good.

using some software program you download to control PREDEFINED device descriptors on usb devices is a fail.

You ignored what i said and issued a snotty reply.. ANSWER THE QUESTION

If you don't know the id of the descriptor yet explain to me how your program is going to block it let alone see it ? (aka: know what it is)

You failed at basic common sense and logic.

Spare me your disclaimer garbage and answer the question..

You have a nasty attitude around here and if you want a disclaimer on your comments maybe add one saying

"hey everyone i'm a cocky jerk with a chip on my shoulder so don't be surprised when i insult people"



sweet i love fights but sorry this the end and goodluck with the disclaimer stuff :hypocrite:

I do not like to fight - next time, don't try to be an uninvited Arbitrator (just check his last 25 posts and you'll understand the reason for my response.)

Good-luck.



  • Administrator

Topic closed.

This was supposed to be about a security exploit, not a way to grow people's egos.
