lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 9 Jan 2016 13:14:03 +0300
From: gremlin@...mlin.ru
To: fulldisclosure@...lists.org
Subject: Re: [FD] Combining DLL hijacking with USB keyboard emulation

On 2016-01-08 00:50:51 -0200, Rodrigo Menezes wrote:

 > Many of us have now been long aware of the possibility of
 > programming an USB device to emulate a keyboard and automatically
 > send keystrokes in order to perform malicious actions on a
 > computer. Some of the most interesting payloads that can be used
 > with this technique are based around downloading or creating an
 > executable file and then running it.
 > I'd like to bring to light that this attack could be combined
 > with DLL hijacking, with some benefits for the attacker.
 > For instance, a payload which simply downloads a DLL to the
 > current user's folder tends to complete faster and be more
 > reliable than one which tries to transfer an executable
 > AND immediately run it. The DLL would then most likely
 > be found and executed by a vulnerable installer [...] This way,
 > there would be no need for embeeding in the payload a complicated
 > attempt of bypassing the active defense mechanisms.

Once you can fool the user to plug the USB device, you don't need
anything else. The device may appear as
1. A mass storage, and
2. A keyboard or any other HID, and
3. Some unknown hardware

Once the W-ndows enumerates this hardware, it will try to find and
automatically install drivers for it. With a mass storage and a
keyboard it will succeed, thus immediately bringing them to use,
and unknown hardware would bring up a "search for drivers" dialog,
where the attacker may (after some delay) send keystrokes to choose
"search removable devices for drivers". Obviously, the mass storage
part of the USB device would contain suitable .inf file pointing to
malicious binaries.

The USB device capable of performing such attack may be as simple
as ATtiny85 + 25Q64 chips (both are available in a 3*4 mm SOP8),
with a total cost of 1 EUR. The 25Q64 offers 8 Mbyte of storage,
which is well enough for almost anything.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ