Yesterday, Microsoft patched a flaw in the Windows USB Mass Storage Class Driver that could put some people on edge. Though the flaw was rated “important,” likely because it requires local access to exploit, previous work in this arena shows that such a bug could be attacked remotely.
Andy Davis of NCC Group in the U.K. privately disclosed the flaw, CVE-2016-0133, to Microsoft. His recent research includes a focus on USB bugs that are no longer limited to local exploits. For Black Hat Asia 2014, for example, Davis released a paper explaining techniques that could allow an attacker to take advantage of RDP and RemoteFX USB redirection features in Windows.
Davis, who could not be reached for comment on yesterday’s patch, said in his paper that organizations should disable RemoteFX on clients and servers, use granular RemoteFX security controls, and pay attention to “local” USB vulnerabilities.
The one patched yesterday, Microsoft said, can be used to elevate privileges on a compromised machine by an attacker inserting a malicious USB drive into a vulnerable computer. Microsoft said the driver in question fails to properly validate objects in memory.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” Microsoft said in its advisory. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Craig Young, a researcher at Tripwire, said the vulnerability likely could be exploited even on a locked workstation.
“Based on the description from Microsoft, insertion of the crafted USB stick would be enough to exploit vulnerable code within the mass storage driver without any further user-interaction,” Young said. “The flaw may exist within code responsible for low-level device access as opposed to higher-level filesystem related activities and these activities should take place regardless of whether there is an interactive logon session at the console.”
Stuxnet, which was used to disrupt Iran’s nuclear program in 2009, spread via infected USB drives, primarily to attack air-gapped machines that the attackers could not reach with any of the zero-day exploits at their disposal. Stuxnet exploited a vulnerability in LNK files, which define shortcuts to files or directories; Windows allows them to use custom icons from control panel files (.CPL). In Windows, those icons are loaded from modules, either executables or DLLs; CPLs are DLLs. An attacker is able to then define which executable module would be loaded, and use the .LNK file to execute arbitrary code inside of the Windows shell.
“In contrast, the LNK vulnerability exploited by Stuxnet and patched in MS10-046 would require that a victim browse to a malicious folder to trigger code execution,” Young said.
Making this vulnerability even more angst-ridden is the kernel access it affords because it’s a driver vulnerability. This gives an attacker a direct path to code execution within the kernel rather than in context of a logged in user, Young said.
“Execution within the kernel means that an attacker can hide their tracks, gain persistent access, and dump password hashes or security tokens left on the system,” Young said, who added that based on public information, there may not be any limitations to the payload associated with an exploit of this flaw.
“This issue generally presents a large risk in any environment where someone has physical access to a USB port of someone else’s system. For example, I regularly see that medical offices will leave patients in a room with a PC containing private health information and that many retail locations have PCs for sales people to check inventory or prepare sales quotes,” Young said. “At a larger scale, Windows based data centers could also be heavily affected if server racks are not locked to make USB ports inaccessible to employees or anyone else who makes it into the data center.”