Achieving Linux Kernel Code Execution Through a Malicious USB Device

Presented at Black Hat Europe 2021, Nov. 11, 2021, 3:20 p.m. (40 minutes)

How robust is the security of a fully updated, widely used and locked-down Linux-based device without any known rooting methods? Where the only non-trusted code being executed is heavily sandboxed JavaScript? Which has almost no user-mode binaries and is stripped down to the bare minimum? In this talk, we show how we gained root by inserting a malicious USB device that exploits a forgotten vulnerability in the USB stack of the Linux kernel, known as CVE-2016-2384 and originally found by Andrey Konovalov. Exploiting this vulnerability allows gaining arbitrary code execution in the context of the kernel without any interaction with the device, which we then used to get a root shell.

While the vulnerability was quickly resolved by (most of) the mainstream Linux distributions, it remains highly relevant in the context of device security. Here major Linux kernel upgrades are much less common and even newly released devices which cost hundreds or even thousands of euros might go to the market with an already outdated Linux kernel. Those devices where we encountered this particular bug in the last year are used by (tens of) millions of households.

A proof-of-concept exploit for the vulnerability exists and is publicly available. However, this PoC requires the capability to run unprivileged code on the device to elevate the privileges of an existing process to root. It uses well-known exploitation techniques which rely on calls such as sendmmsg() and add_key() to spray attacker controlled data on the heap. However, these techniques require the ability to execute unprivileged code in the first place and cannot be used for a USB-based attack.

We will demonstrate that it is possible to gain runtime control on the device through Linux kernel driver exploitation by nothing else than inserting a malicious USB device. We believe our method is not limited to this specific vulnerability. But some additional work would be required for devices with newer Linux kernels or implementing more advanced mitigation techniques.

While rooting the device did not allow us to bypass additional security layers (i.e. TEE technology), it shows the (sometimes) underestimated risk of dealing with complex subsystems. Lastly, even for highly experienced and motivated product teams, it is difficult to consistently resolve all known vulnerabilities in Linux devices.


Presenters:

  • Dana Geist - Senior Security Analyst, Riscure
    Dana Geist is a Senior Security Analyst at Riscure where she tests the security of a wide range of embedded devices. Her work includes embedded software analysis, reverse-engineering of firmware and exploitation, with a focus on Trusted Execution Environment solutions including operating systems, drivers, and bootloaders. She also enjoys working with new ways of discovering vulnerabilities and performing hardware attacks such as fault injection.
  • Martijn Bogaard - Principal Security Analyst, Riscure
    Martijn Bogaard is a Principal Security Analyst at Riscure where he focuses most of his time on firmware security. One of his main interests is the complicated interaction between hardware and software components/engineers and how this can lead to subtle but critical vulnerabilities.

Links:

Similar Presentations: