USB Hacking mongii@grayhash
Summary
- About the USB protocol
- USB packet analysis
- USB stack fuzzing
- File system fuzzing
- Multi-media file fuzzing
USB (Universal Serial Bus) Basics
Introduction to USB (Universal Serial Bus)
- Host-Device architecture
- Host-driven communication
- Half-duplex (USB 1.1 and 2.0)
- Speeds: Low Speed 1.5 Mbit/s, Full Speed 12 Mbit/s, High Speed 480 Mbit/s
- Differential signaling (D+, D-)
- Up to 127 devices can be connected
- Power: 5V
Structure of a USB System
- Host: the center of USB communication; a USB network has exactly one host; includes the root hub
- Device: equipment attached to the USB host; either a USB hub or a function
USB bus topology (diagram): the USB Host Controller with its virtual root hub at the top, hubs and devices attached below it; upstream is toward the host, downstream is away from it.
USB Packet Analysis
Beagle USB 480 USB Packet Analyzer
- Price: about $1,400
- Software: Total Phase Data Center
- Difference from USBPcap: low-level USB packets can be seen
USB Packet Capture
USB Packet Capture: connect the target USB device (e.g. a USB keyboard)
USB Packet Summary
Packet sequence: Get Device Descriptor, Set Address, Get Device Descriptor, Get Device Descriptor, Set Configuration, Get Report Descriptor, Set Output Report, Input Report, Get Report Descriptor, Set Output Report, Input Report, Get Report Descriptor
Key keywords: Device Descriptor, Configuration Descriptor, String Descriptor, Report Descriptor
Get String Descriptor (the capture list shows the "USB Keyboard" string descriptor being fetched at several points of enumeration, each time as a Get Header request first)
- Repeated a total of six times
- Because it is re-requested whenever it is needed (this differs per USB stack and driver implementation; some store the information after requesting it once)
- The header is requested first to find the length and encoding information => then the full descriptor is requested
Get String Descriptor (packet detail)
- Length: 0x1A (26)
- Type: 0x03 (string descriptor)
- The remaining bytes are the string data
Descriptor Type
- 0x01: DEVICE
- 0x02: CONFIGURATION
- 0x03: STRING
- 0x04: INTERFACE
- 0x05: ENDPOINT
Device Descriptor
- All three are identical (same reason as with the string descriptor)
- Provides basic information about the device
- Provides the Vendor ID and Product ID
- Provides the number of configurations
Device Descriptor (bytes as captured; multi-byte fields are little-endian)
Size          12
Type          01
Release num   10 01   (USB 1.10)
Class Code    00
Sub-Class     00
Protocol      00
Packet Size   08
Vendor ID     2C 1A   (0x1A2C)
Product ID    2A 0B   (0x0B2A)
Release ver   10 01
String index  01      (manufacturer)
String index  02      (product)
String index  00      (serial number)
Config num    01
Vendor ID & Product ID
These values determine the device name the OS recognizes and the device driver that gets used.
http://www.linux-usb.org/usb.ids
buy a VID? You can buy the right to use a single VID from the usb.org. They charge $2000 for this, but this is a one-time fee. This gives you 65536 PID numbers, more than enough for the rest of your life. Check Getting a Vendor ID on the usb.org website for this option.
Vendor ID & Product ID http://www.the-sz.com/products/usbid/index.php?v=0x1a2c
Device Descriptor
Configuration Descriptor
- All five are identical (same reason as with the string descriptor)
- Provides the number of interfaces
- Describes how power is supplied
Configuration Descriptor
So what is the data that follows it?
Interface Descriptor
- Provides Class & SubClass information
- Indicates what role the device plays
- A single device can contain several interfaces
- Smartphone: removable storage, adb debugging, installation CD, etc.
Class & SubClass
Interface(0) Descriptor: 09 04 00 00 01 03 01 01 00
- 0x03: HID
- 0x01: Boot Interface
http://www.rennes.supelec.fr/ren/fi/elec/docs/usb/hid1_11.pdf
http://www.usb.org/developers/defined_class/
Interface Descriptor (capture): Interface(0) Descriptor, Interface(1) Descriptor
Endpoint Descriptor
- The channel through which the actual data travels
- There can also be several Endpoint Descriptors
- Provides the Transfer Type: Control, Interrupt, Bulk, Isochronous
- Also called a pipe
Transfer Type
- Interrupt: suited to a function periodically sending small amounts of data to the host; keyboards, mice, etc.
- Control: used when the device sends configuration information to the host, or when the host sends new configuration information to the device
- Bulk: high-speed transfer of large amounts of data; suited where reliability is required; e.g. USB removable storage
Transfer Type
- Isochronous: suited to sending a fixed amount of data at a fixed interval; higher priority than the other transfer modes; guarantees bandwidth and transfer time; suited to real-time applications, e.g. CCTV video, audio streaming; does not guarantee data integrity: no retransmission request on error
Interface & Endpoint Descriptor (capture): Endpoint(1) Descriptor, Endpoint(2) Descriptor
* Endpoint(0) exists by default and handles the Control packets
USB Descriptor Hierarchy (diagram)
Device Descriptor: VID, PID information
  Configuration 0, Configuration 1: power information
    Interface 0 (AS0, AS1), Interface 1 (AS0, AS1, ...): Class information (AS = alternate setting)
      Endpoint 1, Endpoint 2, Endpoint 3, more Endpoint Descriptors: data transfer method information
For the captured keyboard:
- VID: 0x1a2c (China Resource..)
- PID: 0x0b2a (USB Keyboard)
- Power: bus powered, 98mA
- CLASS: HID keyboard
- Transfer type: Interrupt
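As an added example (not code from the slides), a Python parser that walks the descriptor hierarchy above from raw bytes. The device and interface bytes are the ones shown on the slides; the configuration, endpoint and string descriptors in the sample are constructed to match the values the slides report. The length checks are the ones a host stack must make before trusting bLength, which is exactly what the descriptor fuzzer later in the deck exercises.

```python
import struct
# Descriptor type codes from the "Descriptor Type" slide
DEVICE, CONFIGURATION, STRING, INTERFACE, ENDPOINT = 1, 2, 3, 4, 5
FIXED_LEN = {DEVICE: 18, CONFIGURATION: 9, INTERFACE: 9, ENDPOINT: 7}  # USB 2.0 sizes
TRANSFER = ["Control", "Isochronous", "Bulk", "Interrupt"]             # bmAttributes bits 1:0

def parse_descriptors(buf):
    """Walk concatenated descriptors and return one dict per descriptor. Raises
    ValueError on the shapes a descriptor fuzzer produces: zero or short bLength,
    a descriptor running past the buffer, or the wrong bLength for a fixed-size type."""
    out, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf) or buf[off] < 2 or off + buf[off] > len(buf):
            raise ValueError("bad bLength at offset %d" % off)
        blen, btype = buf[off], buf[off + 1]
        if btype in FIXED_LEN and blen != FIXED_LEN[btype]:
            raise ValueError("type %d needs bLength %d, got %d" % (btype, FIXED_LEN[btype], blen))
        d = buf[off:off + blen]
        if btype == DEVICE:
            usb, _, _, _, mps, vid, pid, _, _, _, _, ncfg = struct.unpack("<HBBBBHHHBBBB", d[2:18])
            out.append({"type": "device", "usb": "%x.%02x" % (usb >> 8, usb & 0xff),
                        "vid": vid, "pid": pid, "max_packet0": mps, "configs": ncfg})
        elif btype == CONFIGURATION:
            total, nif, value, _, attr, maxp = struct.unpack("<HBBBBB", d[2:9])
            out.append({"type": "configuration", "total_len": total, "interfaces": nif,
                        "value": value, "bus_powered": not (attr & 0x40), "max_mA": maxp * 2})
        elif btype == INTERFACE:
            num, alt, neps, cls, sub, proto, _ = d[2:9]
            out.append({"type": "interface", "number": num, "alt": alt, "endpoints": neps,
                        "class": cls, "subclass": sub, "protocol": proto})
        elif btype == ENDPOINT:
            addr, attr, mps, interval = struct.unpack("<BBHB", d[2:7])
            out.append({"type": "endpoint", "number": addr & 0x0f, "in": bool(addr & 0x80),
                        "transfer": TRANSFER[attr & 3], "max_packet": mps, "interval": interval})
        elif btype == STRING:
            out.append({"type": "string", "text": d[2:].decode("utf-16-le")})
        else:
            out.append({"type": btype, "raw": d.hex()})   # e.g. class-specific descriptors
        off += blen
    return out

# Constructed sample stream: device and interface bytes are the ones on the slides; the
# configuration, endpoint and string descriptors are made up to match the reported values.
KEYBOARD = (bytes.fromhex("12011001000000082c1a2a0b100101020001")   # device descriptor
            + bytes.fromhex("09022200020100a031")                    # 2 interfaces, bus powered, 98 mA
            + bytes.fromhex("090400000103010100")                    # interface 0: HID, boot, keyboard
            + bytes.fromhex("0705810308000a")                        # endpoint 1 IN, interrupt, 8 bytes
            + bytes([26, STRING]) + "USB Keyboard".encode("utf-16-le"))
```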
USB Stack Fuzzing
What you need for USB fuzzing
- Fuzzing targets: USB host stack (OS kernel), file system parser (OS kernel)
- Hardware requirement: USB OTG port
- Software requirement: customizable USB device source code
Hardware : OrangePi series
Hardware: OrangePi series
- Supports a USB host & device port (OTG)
- Supports a UART port for a debug console
- Supports Linux and Android software
- Supports WIFI, etc.
Software: Linux USB Gadget
- Kernel modules that implement USB device functions
- Supports USB Serial, USB Ethernet, USB Printer, USB Mass-storage, etc.
- Kernel/drivers/usb/gadget/*
Fuzzing Target: the information the device sends to the host
- USB descriptor fuzzing: device descriptors, configuration descriptors, interface descriptors, endpoint descriptors, etc.
- File system fuzzing: using the mass-storage gadget, mutating a variety of file-system images
How the Descriptor Fuzzer is implemented
- Build a kernel for the orange-pi mini
- Modify the kernel-level USB gadget source code for fuzzing
- Implement a user-level fuzzer in Python:
  1. Make a mutated image or descriptors for fuzzing
  2. Load the gadget module using the modprobe command
  3. Wait for enumeration to finish
  4. Unload the gadget module using the modprobe -r command
  5. Repeat
- Mutation methods: an evil payloads DB for fuzzing; radamsa (mutation tool by google, needs to be cross-compiled)
Components of the USB Fuzzer
- USB descriptor fuzzing: descfuzz.py, g_fuzz.ko, usbfuzz.c
- File system fuzzing: fsfuzz_radamsa.py, fsfuzz_fuzzdb.py, g_mass_storage.ko
Implementation: Descriptor Fuzzer, descfuzz.py: the mutation loop and module loading
Implementation: Descriptor Fuzzer, g_fuzz.ko
- A special gadget for USB descriptor fuzzing
- Parses a user-level descriptor file and generates the usb gadget's descriptor data
- Usage: modprobe g_fuzz.ko descfile=<descriptor binary file> strdescfile=<string descriptor binary file>
Implementation: Descriptor Fuzzer, g_fuzz.ko: parsing the user-defined descriptors
Implementation: Descriptor Fuzzer, g_fuzz.ko: loading the string descriptors
Implementation: Descriptor Fuzzer, usbfuzz.c: makes abnormal USB descriptors by storing random values in descriptor fields
File System Fuzzing
Implementation: fsfuzz_radamsa.py
Implementation: fsfuzz_fuzzdb.py
How to run the USB Fuzzer
- USB descriptor fuzzer: just run python descfuzz.py (g_fuzz.ko is loaded automatically by descfuzz.py; usbfuzz is run automatically by descfuzz.py)
- File system fuzzer: Radamsa version: python fsfuzz_radamsa.py; Fuzz DB version: python fsfuzz_fuzzdb.py
Crash Detection
- Check whether the host still responds, because an error causes a kernel panic
- Method 1: check the USB packet response (implemented at kernel level)
- Method 2: run a simple echo TCP server on the host OS and check whether a reply comes back (implemented at user level)
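Method 2 as an added example (not the deck's descfuzz.py): the host side runs a tiny TCP echo server, the fuzzer side sends a random nonce and treats a refused connection, a timeout or a wrong reply as "host down". fuzz_case wraps one load / enumerate / probe / unload iteration; the load and unload callables are assumptions injected by the caller (on the OrangePi they would wrap modprobe and modprobe -r), so the loop can also be dry-run locally.

```python
import os
import socket
import threading

def start_echo_server(host="127.0.0.1", port=0):
    """Host side of method 2: minimal TCP echo server on the host under test.
    Returns (bound port, stop); stop() returns once the listening socket is closed."""
    srv = socket.socket()
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)                 # lets the serve loop notice stop requests
    stopping = threading.Event()
    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                data = conn.recv(64)
                if data:
                    conn.sendall(data)  # echo back exactly what was received
        srv.close()
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    def stop():
        stopping.set()
        thread.join()
    return srv.getsockname()[1], stop

def echo_alive(host, port, timeout=2.0):
    """Fuzzer side: send a random nonce and require the same bytes back. Refused
    connection, timeout or a wrong reply all mean the host stack is down (panic)."""
    nonce = os.urandom(8).hex().encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(nonce)
            return s.makefile("rb").read(len(nonce)) == nonce
    except OSError:
        return False

def fuzz_case(load_gadget, unload_gadget, probe, log):
    """One iteration of the slides' loop: load g_fuzz with a mutated descriptor set,
    let the host enumerate it, probe the host, unload. Returns True if it survived."""
    case_id = load_gadget()             # assumed to return an id for the mutated case
    ok = probe()
    if not ok:
        log("host unresponsive after case %r" % (case_id,))
    unload_gadget()
    return ok
```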
Fuzzer execution screen
Multi-Media File Fuzzing
Fuzzing Methods
- Radamsa: mutation tool by google, https://github.com/aoh/radamsa
- Dumb fuzzing: random modification; insert, delete, edit (overwriting)
- Fuzz payloads: format string bug, buffer overflow, command injection, etc.
Fuzzing main code: the fuzzing process
1. Select a sample file
2. Mutate the sample file (Radamsa, dumb fuzzing, fuzz payloads)
3. Play the file using the playback command
4. Check whether a crash occurred
5. Keep the file that caused the crash
6. Logging
Fuzzing main code: dumb fuzzing and fuzz payloads
Running the fuzzer: python MediaFuzzRadamsa.py 1000
How to confirm a crash: when a crash occurs, check the player's pid before and after playing the crash file
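The six-step loop above as an added example (not the deck's MediaFuzzRadamsa.py): dumb mutation with insert / delete / overwrite using random bytes or a fuzz payload, playback under a timeout, and crash detection from the player's exit status (a player killed by a signal has a negative return code, the same event the pid check observes). The payload values and the two stand-in "players" are constructed; a real run passes the actual player command.

```python
import os, random, signal, subprocess, sys, tempfile
# Sample payloads for the slide's three classes (constructed values)
FUZZ_PAYLOADS = [b"%s%s%s%s%n%n%n%n", b"A" * 4096, b"; echo fuzz", b"\xff" * 8]

def dumb_mutate(data, seed=None, rounds=4):
    """Dumb fuzzing: random insert/delete/overwrite of random bytes or a payload."""
    rng, buf = random.Random(seed), bytearray(data)
    for _ in range(rounds):
        op, pos = rng.choice("IDO"), rng.randrange(len(buf) + 1)
        chunk = (rng.choice(FUZZ_PAYLOADS) if rng.random() < 0.5
                 else bytes(rng.getrandbits(8) for _ in range(rng.randint(1, 16))))
        if op == "I":
            buf[pos:pos] = chunk                      # insert
        elif op == "D":
            del buf[pos:pos + rng.randint(1, 16)]     # delete
        else:
            buf[pos:pos + len(chunk)] = chunk         # edit (overwrite)
    return bytes(buf)

def play_and_check(player_cmd, path, timeout=10):
    """Play one file; a player killed by a signal has a negative return code
    (the event the slide detects via the pid check). Returns (crashed, reason)."""
    try:
        proc = subprocess.run(player_cmd + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, "timeout"
    if proc.returncode < 0:
        return True, signal.Signals(-proc.returncode).name
    return False, "exit %d" % proc.returncode

def fuzz_media(sample, ext, player_cmd, iterations, workdir=None, seed=0):
    """The slide's loop: mutate, play, keep crashers, log. Returns [(path, signal)]."""
    workdir, crashes = workdir or tempfile.mkdtemp(prefix="mediafuzz_"), []
    for i in range(iterations):
        path = os.path.join(workdir, "case_%04d%s" % (i, ext))
        with open(path, "wb") as f:
            f.write(dumb_mutate(sample, seed=seed + i))
        crashed, reason = play_and_check(player_cmd, path)
        print("case %d: %s" % (i, reason))             # logging
        if crashed:
            crashes.append((path, reason))             # keep the crash file
        else:
            os.remove(path)
    return crashes

# Constructed stand-in players for a dry run: one dies with SIGSEGV, one exits 0.
CRASHING_PLAYER = [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
QUIET_PLAYER = [sys.executable, "-c", "pass"]
```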
Fuzzing Results
- Target formats: aac, ac3, aiff, amr, au, flac, m4a, mid, mka, mp3, ogg, ra, voc, wav, wma
- Formats that crashed: flac, m4a, mka, ra, wma
Conclusion
- It is possible to take control of a target device through its USB port
- There are many ways to attack USB: the USB stack, the file system, multi-media files, etc.
- USB attacks can be automated through fuzzing
Q&A
Thank you!
Other Reference Material
HCI Packet Type
- HCI Command: 0x01, sends commands (from host)
- HCI Event: 0x04, sends results and status values (to host)
- ACL Data: 0x02, data transfer (both directions)
* HCI: Host-Controller Interface
Bluetooth Stack
- Bluetooth Radio: the radio-frequency communication section
- LC (Link Control): flow control, acknowledgement (ACK), retransmission requests
- LMP (Link Manager Protocol): creating and tearing down links between devices; authentication, encryption; power management
Bluetooth Stack
- HCI (Host Controller Interface): connects the CPU and the Bluetooth IC, i.e. the host stack (CPU, OS) and the controller (Bluetooth module); connected over UART, USB or PCMCIA
Bluetooth Stack
- L2CAP: creates logical connections; multiplexing (distinguishing the purpose of data); segmentation and reassembly (packet fragmentation/recovery); QoS management; plays the role of the TCP layer
Bluetooth Stack
- RFCOMM: serial protocol emulation; carries data streams
Bluetooth Stack
- SDP (Service Discovery Protocol): provides information about the functions (profiles) a device offers
Bluetooth Stack
- OBEX (Object Exchange): exchanging data objects; one of the Bluetooth profiles
SDP Packet
Get String Descriptor (appendix): the first Get String Descriptor packet asks for the language ID list (string index 0); see http://www.usb.org/developers/docs/usb_langids.pdf
Other: Report Descriptor: provides HID-related information; details: http://www.rennes.supelec.fr/ren/fi/elec/docs/usb/hid1_11.pdf