Exploiting USB/IP in Linux - Black Hat Briefings
Who am I?
● systems engineer at Cloudflare
● interests in security and crypto
● enjoy low-level programming
● more builder than a breaker
● … but try to stay alert
Agenda
● What is USB/IP
● USB/IP implementation in Linux
● Overview of sharing a USB device
● Vulnerable USB/IP code
● Potential exploit impact
● Hardening USB/IP setups
But first...
Am I vulnerable?
What is USB/IP?
● a way to share your USB devices over the network
● driver/device agnostic
● sends URBs over TCP connection
● implemented for Linux and Windows
USB/IP architecture
http://usbip.sourceforge.net/
USB/IP implementation in Linux
USB/IP Linux implementation
[Diagram: Client and Server, each split into user space and kernel. Client: usbip (user); usbip-core, vhci-hcd and the device driver (kernel). Server: usbipd (user); usbip-core, usbip-host and USB hcd (kernel), with the USB device attached.]

    $ usbip list -r 127.0.0.1
    usbip: error: failed to open /usr/share/hwdata//usb.ids
    Exportable USB devices
    ======================
     - 127.0.0.1
            1-1: unknown vendor : unknown product (dead:beef)
               : /sys/fake/dangerous/usbipdemo
               : (Defined at Interface level) (00/00/00)

    $ sudo usbip attach -r 127.0.0.1 -b 1-1

    $ ps aux | grep usbip
    root   884  0.0  0.0      0     0 ?      S   16:46  0:00 [usbip_eh]
    root   886  0.0  0.0      0     0 ?      S   16:46  0:00 [usbip_eh]
    root   887  0.0  0.0      0     0 ?      S   16:46  0:00 [usbip_eh]
    root   888  0.0  0.0      0     0 ?      S   16:46  0:00 [usbip_eh]
    root   889  0.0  0.0      0     0 ?      S   16:46  0:00 [usbip_eh]
    root   890  0.0  0.0      0     0 ?      S   16:46  0:00 [usbip_eh]
    root   891  0.0  0.0      0     0 ?      S   16:46  0:00 [usbip_eh]
    root   892  0.0  0.0      0     0 ?      S   16:46  0:00 [usbip_eh]
    ignat  895  0.0  0.0  14228   980 pts/1  S+  16:46  0:00 grep usbip

WAT?
[Diagram: USB/IP Linux implementation, sharing a device. Client: usbip in user space; usbip-core and vhci-hcd in the kernel. Server: usbipd in user space; usbip-core and usbip-host in the kernel. Steps shown between the two sides: get device list; import device; socket fd (on each side); URB traffic.]
Vulnerable USB/IP code
USB/IP network protocol
[Diagram: a USB/IP packet is a USB/IP header followed by the USB request block data; "length" labels the header field that gives the size of the data.]
https://www.kernel.org/doc/Documentation/usb/usbip_protocol.txt
USB/IP in Linux kernel

    static void vhci_recv_ret_submit(struct vhci_device *vdev,
                                     struct usbip_header *pdu)
    {
        ...
        /* unpack the pdu to a urb */
        usbip_pack_pdu(pdu, urb, USBIP_RET_SUBMIT, 0);

        /* recv transfer buffer */
        if (usbip_recv_xbuff(ud, urb) < 0)
            return;
        ...


    static void usbip_pack_ret_submit(struct usbip_header *pdu, struct urb *urb,
                                      int pack)
    {
        struct usbip_header_ret_submit *rpdu = &pdu->u.ret_submit;

        if (pack) {
            ...
        } else {
            urb->status = rpdu->status;
            /* length field copied from the received header */
            urb->actual_length = rpdu->actual_length;
            urb->start_frame = rpdu->start_frame;
            urb->number_of_packets = rpdu->number_of_packets;
            urb->error_count = rpdu->error_count;
        }
    }


    int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb)
    {
        int ret;
        int size;

        if (ud->side == USBIP_STUB) {
            ...
        } else {
            ...
            /* client side: size is the length taken from the header */
            size = urb->actual_length;
        }

        ...

        /* size bytes are received into the already allocated buffer */
        ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);

● urb->transfer_buffer is usually allocated either by USB core code or USB device driver
● urb->transfer_buffer is allocated on request submit, so always assumes some maximum length
● According to the USB/IP protocol, a packet with a “large” amount of data is valid
It is possible to write arbitrary length data to urb->transfer_buffer
● Introducing CVE-2016-3955
● CVSS base score: 9.8 (v. 3.0) and 10 (v. 2.0)
● UBOAT = [U]SB/IP [B]uffer [O]verflow [AT]tack
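The missing bounds check described above, as a userspace C model (an added example, not kernel code and not code from the talk): the length claimed in a USBIP_RET_SUBMIT header is compared with the buffer size fixed at submit time before any payload is copied. The names model_urb, model_recv_ret_submit, build_ret_submit and the RX_* codes are hypothetical; the 48-byte header layout follows usbip_protocol.txt, and only non-isochronous replies are modeled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USBIP_RET_SUBMIT 0x00000003u
/* 20-byte basic header + 20-byte ret_submit fields + 8 bytes of padding */
#define USBIP_HDR_LEN 48u
#define OFF_ACTUAL_LENGTH 24u /* command, seqnum, devid, direction, ep, status come first */

/* Hypothetical stand-in for the struct urb fields that matter here. */
struct model_urb {
    uint8_t *transfer_buffer;
    int32_t transfer_buffer_length; /* size fixed when the request was submitted */
    int32_t actual_length;          /* filled in from an accepted reply */
};

enum { RX_OK = 0, RX_TRUNCATED = -1, RX_BAD_COMMAND = -2, RX_BAD_LENGTH = -3 };

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24);
    p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);
    p[3] = (uint8_t)v;
}

/* Parse one reply held in pkt[0..pkt_len) and copy its payload into the urb.
 * Nothing is written to the urb unless every check passes. */
int model_recv_ret_submit(const uint8_t *pkt, size_t pkt_len, struct model_urb *urb)
{
    uint32_t claimed;

    if (pkt_len < USBIP_HDR_LEN)
        return RX_TRUNCATED;
    if (get_be32(pkt) != USBIP_RET_SUBMIT)
        return RX_BAD_COMMAND;

    claimed = get_be32(pkt + OFF_ACTUAL_LENGTH);

    /* The field is signed on the wire: reject negative values, and reject
     * anything larger than the buffer that was allocated at submit time. */
    if (urb->transfer_buffer_length < 0 || claimed > (uint32_t)INT32_MAX ||
        (int32_t)claimed > urb->transfer_buffer_length)
        return RX_BAD_LENGTH;

    /* The payload the header promises must actually be present. */
    if (pkt_len - USBIP_HDR_LEN < (size_t)claimed)
        return RX_TRUNCATED;

    urb->actual_length = (int32_t)claimed;
    memcpy(urb->transfer_buffer, pkt + USBIP_HDR_LEN, (size_t)claimed);
    return RX_OK;
}

/* Build a constructed reply for exercising the check: a zeroed header with
 * the command, a seqnum of 1 and the claimed length, followed by data_len
 * payload bytes. Returns the packet size, or 0 if out is too small. */
size_t build_ret_submit(uint8_t *out, size_t cap, uint32_t claimed_len,
                        const uint8_t *data, size_t data_len)
{
    if (cap < USBIP_HDR_LEN + data_len)
        return 0;
    memset(out, 0, USBIP_HDR_LEN);
    put_be32(out, USBIP_RET_SUBMIT);
    put_be32(out + 4, 1);
    put_be32(out + OFF_ACTUAL_LENGTH, claimed_len);
    if (data_len)
        memcpy(out + USBIP_HDR_LEN, data, data_len);
    return USBIP_HDR_LEN + data_len;
}

int main(void)
{
    uint8_t buf[8];                 /* buffer sized for an 8-byte request */
    struct model_urb urb = { buf, (int32_t)sizeof buf, 0 };
    uint8_t pkt[USBIP_HDR_LEN + 64], data[64];
    size_t n;

    memset(data, 0xAB, sizeof data); /* constructed payload bytes */

    n = build_ret_submit(pkt, sizeof pkt, 8, data, 8);
    printf("reply claiming  8 bytes: %d\n", model_recv_ret_submit(pkt, n, &urb));

    n = build_ret_submit(pkt, sizeof pkt, 64, data, 64);
    printf("reply claiming 64 bytes: %d\n", model_recv_ret_submit(pkt, n, &urb));
    return 0;
}
```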
Requisites
● Victim has to actually use USB/IP
● Victim has to be a client in USB/IP terminology
● Victim has to “import” at least one USB device
● Attacker either has to control USB/IP server or do a MiTM on the network
Demo
Potential exploit impact
Linux kernel heap exploit
● DoS: crash USB/IP client
● Data injection
● Code execution
○ (much harder with heap exploits, but still possible)
https://jon.oberheide.org/blog/2010/09/10/linux-kernel-can-slub-overflow/
Linux SLUB caches
[Diagram: SLUB caches drawn as rows of equally sized slots: 32-byte objects, 64-byte objects, 128-byte objects.]
● Find out which USB device drivers are using the same cache size as the desired object to be exploited
● Emulate the device from the USB/IP server or by modifying USB/IP network traffic
● Perform the buffer overflow
Hardening USB/IP setups
● Reconsider
● Patch your system
● Protect your traffic (TLS, IPSec)
○ even in intranet
● Ensure your USB/IP server is trustworthy with proper ACLs
Resources
● https://pqsec.org/uboat-CVE-2016-3955/
● https://github.com/pqsec/uboatdemo
● https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3955
● https://nvd.nist.gov/vuln/detail/CVE-2016-3955
Black Hat Sound Bytes
● Never sacrifice security for performance
○ extra buffer copy is not an excuse to move everything to kernel space
● Validate your input
● Consider least privilege principle
○ break code into modules
○ pay more attention to high-privileged code
Thank you