Exploiting USB/IP in Linux

Presented at LayerOne 2017, May 27, 2017, 1 p.m. (60 minutes).

USB/IP is a framework for sharing USB devices over the network: it encapsulates USB I/O messages into TCP/IP payloads and transmits them between network-connected hardware. This way, USB devices, plugged into one machine, appear as if they are plugged into another connected machine and can be used without any additional drivers or software.

Being part of the mainline kernel since version 3.17, this framework is immediately available to Linux users. Kernel code supporting this feature is compiled by default as a loadable module and is available for stock kernels in most popular Linux distributions. However, the implementation is rather uncommon for Linux kernel; the USB I/O bearer TCP connection is established by helper user-space applications, but then connected sockets are passed to the kernel and the kernel code itself handles all socket communication. So, most of the application protocol part is directly implemented in the kernel. This is a big shift from the traditional Linux paradigm of “tools only” in kernel code and “policy” in user-space.

The above design puts very strict security requirements on the code implementing the protocol since the code is executed in a highly privileged context (Linux kernel). Not doing proper input validation may create serious security vulnerabilities. Unfortunately, this is the case with USB/IP framework: with specific conditions a malicious party may trigger an out-of-bounds memory access and write arbitrary data to kernel memory. This is especially dangerous here because the potential attacker may do it remotely over the network.

Who is affected? The conditions of the exploitability of the above vulnerability are outlined. Also, some general security recommendations for USB/IP users are presented.


Presenters:

  • Ignat Korchagin
    Ignat is a security engineer at Cloudflare working mostly on platform and hardware security. Ignat’s interests are cryptography, hacking, and low-level programming. Before Cloudflare, Ignat worked as a senior security engineer for Samsung Electronics’ Mobile Communications Division. His solutions may be found in many older Samsung smart phones and tablets. Ignat started his career as a security researcher in the Ukrainian government’s communications services.

Links:

Similar Presentations: