NetUSB Hole Leaves Devices Vulnerable

Wednesday, May 20, 2015 @ 12:05 PM gHale

There is a critical kernel stack buffer overflow vulnerability in NetUSB, a software component that provides “USB over IP” functionality, researchers said.

The technology is a part of firmware versions for TP-Link, Netgear, Trendnet, and Zyxel networking devices, said researchers at SEC Consult.

Apache Fixes Security Manager Hole
Apache Fixes Message Broker Software
Cisco Video Conference Vulnerabilities
Malware Delivers Trojan to Enterprises

After attempting to its vendor, Taiwanese company KCodes, address the issue for months, SEC Consult first opted for informing TP-Link and Netgear and providing a proof of concept exploit privately.

Then they notified the CERT Coordination Center (CERT/CC) and asked for help in coordinating vulnerability disclosure with other affected vendors. They also published a security advisory which does not include the proof of concept exploit code because other vendors have yet to patch the vulnerability.

“USB devices (e.g. printers, external hard drives, flash drives) plugged into a Linux-based embedded system (e.g. a router, an access point or a dedicated ‘USB over IP’ box) are made available via the network using a Linux kernel driver that launches a server (TCP port 20005). The client side is implemented in software that is available for Windows and OS X. It connects to the server and simulates the devices that are plugged into the embedded system locally. The user experience is like that of a USB device physically plugged into a client system,” the researchers said in a blog post.

“We initially found the NetUSB kernel driver on a TP-LINK device and decided to spend some time on it. To establish a server-connection, a simple mutual authentication check needs to be passed. The authentication is entirely useless as the AES keys are static and can be found in the kernel driver as well as in the client software for Windows and OS X. As part of the connection initiation, the client sends his computer name,” the researchers said. “This is where it gets interesting: The client can specify the length of the computer name. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket. Easy as a pie, the ‘90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a “rare” remote kernel stack buffer overflow.”

This can result in memory corruption, which can then end up exploited by attackers to remotely execute arbitrary code.

The NetUSB technology has several other names depending on the vendor: ReadySHARE, print sharing, USB share port.

“While NetUSB was not accessible from the Internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the Internet. We don’t know if this is due to user misconfiguration or the default setting within a specific device. Exposing NetUSB to the Internet enables attackers to get access to USB devices of potential victims and this would actually count as another vulnerability,” the researcher said.

Nearly 100 devices suffer from this vulnerability.

Leave a Reply

You must be logged in to post a comment.