At Black Hat Asia, Andy Davis presented “USB Attacks Need Physical Access Right? Not Any More...”

NCC Group Research Director Andy Davis likes to test USB host security; over the years, Davis has “identified over 100 bugs covering all the major operating systems.” He said most vendors typically respond with “Thank you for the bug, but as you need physical access to plug in your rogue device, the impact is actually quite low.” Yet Davis continued researching USB security, giving presentations such as “Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions” [pdf] at Black Hat USA 2013.

Three years ago at Black Hat USA, Davis used “Frisbee,” a proof-of-concept exploit, “to identify and attack flaws in Windows 7, Windows XP, Xbox 360 and Apple OS X.” He said a person with a rigged USB could insert it and “do a huge amount (of damage) in a few seconds.” But major security vendors said they couldn’t provide USB security, leading Davis “to joke that the only truly foolproof way to protect computers from the threats posed by compromised USBs is to ‘fill the USB sockets with epoxy resin’.”

But now vendors may take the potential impact from USB attacks a lot more seriously; they may change their tune about bugs introduced via rogue USB devices after Black Hat Asia in Singapore where Davis presented “USB Attacks Need Physical Access Right? Not Any More…”

Davis explained:

Due to recent advances in a number of remoting technologies, USB attacks can now be launched over a network.
The talk went into detail about how these technologies work, the resulting impact on the world of USB bugs and included a live demo remotely triggering a USB kernel bug in Windows 2012 server.

Davis noted “implications for future USB bugs” such as:

- Windows USB bugs no longer need local physical access.
- Remote exposure of the Windows kernel has been increased.
- What were local DoS bugs can now remotely “blue-screen” a server.
- May apply to other (non-Windows) remoting technologies.

Primarily, it seems as if the presentation highlighted [pdf] how “physical access is no longer a requirement to trigger Windows USB bugs.” The talk is on slides, but that’s not the same as seeing it in person, in video, or even just audio. Those slides seem to indicate that Davis demonstrated RemoteFX redirection attacks in which the rogue USB can “blue screen” a remote desktop protocol (RDP) server. He concluded, “RemoteFX USB remoting has exposed more of the Windows kernel to attackers.”

According to the Remote Desktop Services blog post that introduced Microsoft’s RemoteFX USB device redirection, “The goal of RemoteFX USB redirection is simple: the user should be able to use any device they want, and have it just work.” However, “to redirect USB devices from a given machine, the RemoteFX USB redirection feature must be enabled.” The post goes on to explain how to “enable the policy and specify whether you wish to allow all users or only admins to redirect devices.”

The second RemoteFX USB redirection tutorial explained how to set it up to allow for webcams with microphones, biometric devices, printers, USB audio devices, cameras, scanners and VoIP phones. Server device security stated:

Multiple Group Policy settings are available to control when and how users can use RemoteFX USB redirection. RemoteFX USB redirection can be controlled by using the same policy settings that control Plug and Play device redirection.
The “Do not allow supported Plug and Play device redirection” policy setting can be used to allow or block RemoteFX USB redirection on a VM. The Plug and Play redirection policy settings for RD Gateway apply as well.

It seems obvious that the best protection would be to not enable RemoteFX if it’s not needed. According to Davis:

How can you reduce the risks?

- If RemoteFX is not required on the server, turn it off.
- If RemoteFX is required specify GUIDs of authorized USB devices.
- Do not enable RemoteFX USB remoting on clients.
- Minimise the use of USB “High-level” remoting via RDP.
- Be more cautious of “local” vulnerabilities and apply the patches.

Here is Davis’s slide presentation of “USB Attacks Need Physical Access Right? Not Any More…” [pdf].
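
To check where a given machine stands on the policy settings discussed above, the following audit script is an added example; it is not from Davis's slides or Microsoft's posts. It assumes the registry value names `fDisablePNPRedir` and `fUsbRedirectionEnableMode` and their meanings as defined in the Terminal Services ADMX template; the function names are hypothetical.

```powershell
# Added example: audit the policy values behind two of the mitigations above.
# Assumption: value names and meanings are taken from the Terminal Services
# ADMX template; confirm them against the templates deployed in your domain.
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent ("Not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UsbRedirectionFinding {
    # Server / VM side: "Do not allow supported Plug and Play device redirection".
    # 1 = redirection blocked; 0 or absent = redirection allowed.
    $pnp = Get-PolicyValue -Path $TsPolicy -Name 'fDisablePNPRedir'
    [pscustomobject]@{
        Side    = 'Server'
        Value   = 'fDisablePNPRedir'
        Data    = $pnp
        Exposed = ($pnp -ne 1)
    }

    # Client side: RemoteFX USB redirection from this computer.
    # 0 or absent = off, 1 = administrators only, 2 = administrators and users.
    $mode = Get-PolicyValue -Path "$TsPolicy\Client" -Name 'fUsbRedirectionEnableMode'
    [pscustomobject]@{
        Side    = 'Client'
        Value   = 'fUsbRedirectionEnableMode'
        Data    = $mode
        Exposed = ($mode -in 1, 2)
    }
}

Get-UsbRedirectionFinding | Format-Table -AutoSize
```

A row with `Exposed` set to `True` means the corresponding redirection path is not blocked by policy on that machine.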