Recon2012 - PREVIEW

Recon 2012

Sergey Bratus
Travis Goodspeed
Day Day 1 - 2012-06-14
Room Grand Salon
Start time 17:30
Duration 01:00
ID 237

Facedancer USB: Exploiting the Magic School Bus

Here we introduce the Facedancer Board, a tool for implementing USB devices in host-side Python using the GoodFET framework. Access to the USB chip is extremely low-level, so protocols may be mis-implemented in all sorts of creative ways. This allows a clever neighbor to quickly find and exploit USB driver vulnerabilities from the comfort of a modern workstation, only later porting such exploits to run standalone. Additionally, we'll show you some nifty tricks for replacing the firmware of commercial USB devices in order to house your exploits.

We learned to respect the network jack. Bad things come in and get routed over networks, but we have PF, Netfilter, and suchlike to control what goes where. Our packet parsing shed unnecessary and exploitable complexity like IP options and fragmentation, and is pretty defensive. Scapy is fun but it does not explode our networks.

Buses, on the other hand, are still a magic trip that "just works". A wise boy prays, "Please, let it be a normal bus trip!", while the rest of the kids just happily plug "devices" into "computers" and trust their drivers to take them to a magical place. Despite some bus and DMA attack tools, we still behave as if data that comes on a bus does not need filtering, cannot scan for the most vulnerable piece of code it can reach, and then exploit it. We do not treat buses with the same respect as networks, we do not see "devices" as malicious nodes, nor the need for filtering.

*This may be because we never connect two computers with a USB cable*, sending data between them like over a proper network. If buses carry packets, why not then do what we do with packets: spoof, scan, forward, craft with Scapy, treat the weakest parser on the other side to a nice little crafted input to liberate the weird machines within? We only need a little help with forwarding.

Our Facedancer board does just that, exposing a Maxim MAX3420 USB controller to Python. You can then use a host-side scripting language to emulate devices in USB, connected to a real host on the other side. Ain't that nifty?

Be as 1990's network stack-evil as you like on the poor trusting drivers that were only ever debugged on what actual devices sent. If driver bluescreens are the OS's bad dream, a shape-changing bus attacker can always become its worst nightmare.

The illusion of buses and devices melts away: there are only network links and hostile nodes. The childhood's magic school "bus" stops here; it's a network out there.