Facedancer USB: Exploiting the Magic School Bus

Presented at REcon 2012, June 14, 2012, 5:30 p.m. (60 minutes)

Here we introduce the Facedancer board, a tool for implementing USB devices in host-side Python using the GoodFET framework. Access to the USB chip is extremely low-level, so protocols may be mis-implemented in all sorts of creative ways. This allows a clever neighbor to quickly find and exploit USB driver vulnerabilities from the comfort of a modern workstation, only later porting such exploits to run standalone. Additionally, we'll show you some nifty tricks for replacing the firmware of commercial USB devices in order to house your exploits.

We learned to respect the network jack. Bad things come in and get routed over networks, but we have PF, Netfilter, and suchlike to control what goes where. Our packet parsing shed unnecessary and exploitable complexity like IP options and fragmentation, and is pretty defensive. Scapy is fun, but it does not explode our networks. Buses, on the other hand, are still a magic trip that "just works". A wise boy prays, "Please, let it be a normal bus trip!", while the rest of the kids just happily plug "devices" into "computers" and trust their drivers to take them to a magical place. Despite some bus and DMA attack tools, we still behave as if data that comes in on a bus does not need filtering, cannot scan for the most vulnerable piece of code it can reach, and then exploit it. We do not treat buses with the same respect as networks; we do not see "devices" as malicious nodes, nor the need for filtering. ***This may be because we never connect two computers with a USB cable***, sending data between them like over a proper network. If buses carry packets, why not then do what we do with packets: spoof, scan, forward, craft with Scapy, treat the weakest parser on the other side to a nice little crafted input to liberate the weird machines within? We only need a little help with forwarding.

Our Facedancer board does just that, exposing a Maxim MAX3420 USB controller to Python. You can then use a host-side scripting language to emulate devices in USB, connected to a real host on the other side. Ain't that nifty? Be as 1990's network-stack-evil as you like on the poor trusting drivers that were only ever debugged on what actual devices sent. If driver bluescreens are the OS's bad dream, a shape-changing bus attacker can always become its worst nightmare.

The illusion of buses and devices melts away: there are only network links and hostile nodes. The childhood's magic school "bus" stops here; it's a network out there.
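What "mis-implementing the protocol in creative ways" looks like at the byte level, as an added example that is not Facedancer or GoodFET code and does not talk to the MAX3420: a plain-Python builder for the configuration descriptor set a device returns to GET_DESCRIPTOR(CONFIGURATION), with two knobs (wTotalLength and a nested bLength) that real silicon never turns but an emulated device can, beside the defensive host-side walk a driver ought to perform on what it receives. The descriptor layouts are the USB 2.0 chapter 9 ones; the function names, the mutation set and the vendor-specific interface are assumptions made for illustration.

```python
import struct

# USB descriptor type codes from the USB 2.0 specification, chapter 9.
CONFIGURATION, INTERFACE, ENDPOINT = 0x02, 0x04, 0x05


def build_config(total_length=None, iface_blength=9):
    """Build a configuration descriptor set (configuration + one
    vendor-specific interface + one bulk IN endpoint) as a device would
    return it for GET_DESCRIPTOR(CONFIGURATION).

    The two keyword arguments are the knobs a Python-emulated device can
    turn that real silicon never does: lie in wTotalLength, or lie in a
    nested descriptor's bLength. Layout is assumed from USB 2.0 ch. 9."""
    iface = struct.pack("<BBBBBBBBB", iface_blength, INTERFACE,
                        0,     # bInterfaceNumber
                        0,     # bAlternateSetting
                        1,     # bNumEndpoints
                        0xFF,  # bInterfaceClass: vendor specific
                        0, 0, 0)  # bInterfaceSubClass, bInterfaceProtocol, iInterface
    endpoint = struct.pack("<BBBBHB", 7, ENDPOINT,
                           0x81,  # bEndpointAddress: EP1 IN
                           0x02,  # bmAttributes: bulk
                           64,    # wMaxPacketSize
                           0)     # bInterval
    body = iface + endpoint
    if total_length is None:
        total_length = 9 + len(body)  # the honest value: 25
    config = struct.pack("<BBHBBBBB", 9, CONFIGURATION, total_length,
                         1,     # bNumInterfaces
                         1,     # bConfigurationValue
                         0,     # iConfiguration
                         0x80,  # bmAttributes: bus powered
                         50)    # bMaxPower: 100 mA in 2 mA units
    return config + body


def mutations():
    """Named descriptor blobs a shape-changing device might serve in turn
    (constructed here for illustration)."""
    return {
        "honest": build_config(),
        "wTotalLength_overstates": build_config(total_length=0xFFFF),
        "wTotalLength_understates": build_config(total_length=9),
        "zero_bLength_interface": build_config(iface_blength=0),
        "oversized_bLength_interface": build_config(iface_blength=0xFF),
    }


def walk_descriptors(buf):
    """Walk a received configuration descriptor set the way a defensive
    host-side parser should: every length field is checked against the
    bytes actually received before it is used, and a zero bLength, which
    would make a trusting walker spin forever, is rejected.

    Returns a list of (bDescriptorType, bLength) tuples; raises
    ValueError on any malformation."""
    if len(buf) < 9:
        raise ValueError("configuration descriptor shorter than 9 bytes")
    b_length, b_type, w_total = struct.unpack_from("<BBH", buf, 0)
    if b_length != 9 or b_type != CONFIGURATION:
        raise ValueError("bad configuration descriptor header")
    if w_total != len(buf):
        raise ValueError(f"wTotalLength {w_total} != {len(buf)} bytes received")
    found = []
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 2:
            raise ValueError("truncated descriptor header")
        d_len, d_type = buf[offset], buf[offset + 1]
        if d_len < 2:
            raise ValueError(f"bLength {d_len} at offset {offset}")
        if offset + d_len > len(buf):
            raise ValueError(f"descriptor at offset {offset} runs past buffer")
        found.append((d_type, d_len))
        offset += d_len
    return found


def host_accepts(buf):
    """True if the defensive walker accepts the blob, False if it rejects it."""
    try:
        walk_descriptors(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, blob in mutations().items():
        print(f"{name:30s} {len(blob):3d} bytes  accepted={host_accepts(blob)}")
```

Every blob in `mutations()` is the same 25 bytes on the wire; only the length fields lie. A driver that trusts wTotalLength allocates or copies according to the device's word rather than the transfer's, and one that trusts bLength either walks off the end of its buffer or never advances. The walker above is what "filtering" on the bus would mean; the abstract's point is that the driver on the far side of the cable was only ever tested against the honest blob.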