Beyond Autorun: Exploiting Vulnerabilities with Removable Storage

Jon Larimer ([email protected], [email protected])
IBM X-Force Advanced Research
BlackHat – Washington, DC - 2011
January 18, 2011
Beyond Autorun (v1.0) (c) 2011 IBM Corp.

Contents

1. Abstract
2. Introduction
   2.1. A brief history of removable storage malware
   2.2. AutoRun and AutoPlay
   2.3. Stuxnet and the LNK vulnerability
   2.4. Attacks on physical systems
3. USB Architecture
   3.1. About USB
   3.2. Host controllers
   3.3. Devices
        3.3.1. Hubs
        3.3.2. Functions
        3.3.3. Interfaces
        3.3.4. Endpoints
        3.3.5. Device classes
        3.3.6. USB descriptors
   3.4. Mass storage class devices
   3.5. Attacks using the USB protocols
   3.6. Fuzzing USB drivers
        3.6.1. Windows Device Simulation Framework
        3.6.2. QEMU/BOCHS
4. USB operation on Windows 7
   4.1. USB driver stack
        4.1.1. Core stack
        4.1.2. Class drivers
        4.1.3. USB device recognition
        4.1.4. The danger of drivers from Windows Update
   4.2. Mass storage devices
        4.2.1. USB storage port driver and Windows disk class driver
        4.2.2. Partition and volume management
        4.2.3. File system drivers
        4.2.4. Fuzzing filesystem drivers on Windows
   4.3. Exploiting USB and file system drivers
   4.4. PnP Manager
        4.4.1. Kernel mode PnP manager
        4.4.2. User mode PnP manager
   4.5. AutoPlay
        4.5.1. Shell Hardware Detection Service
        4.5.2. ReadyBoost
5. Windows Explorer
   5.1. Shell Extension Handlers
        5.1.1. Registered file types and perceived types
        5.1.2. Icon handlers
        5.1.3. Thumbnail handlers
        5.1.4. Image handlers
        5.1.5. Preview handlers
        5.1.6. Infotip handlers
        5.1.7. COM object persistence and type confusion
        5.1.8. Fuzzing shell extensions
        5.1.9. Exploiting shell extensions
   5.2. Property system
   5.3. Folder customization
        5.3.1. Shell namespace extensions
6. USB operation on GNU/Linux
   6.1. Core
   6.2. USB interface drivers
   6.3. USB mass storage class driver
   6.4. udev, udisks, D-Bus
   6.5. File systems in Linux
7. GNOME and Nautilus
   7.1. Automatic mounting of storage devices
   7.2. Autorun capabilities
   7.3. Thumbnailers
        7.3.1. Exploiting

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    66 pages
