Conversation

Andrey Konovalov

@andreyknvl

This is the first Linux-kernel-host-code-execution-over-USB exploit known to me. Awesome job!

@jmartijnb

@geistdana

Quote Tweet

Linux Kernel Security

@linkersec

Nov 13, 2021

Achieving Linux Kernel Code Execution Through a Malicious USB Device; by Martijn Bogaard @jmartijnb and Dana Geist @geistdana Slides: i.blackhat.com/EU-21/Thursday

Show this thread

6:36 PM · Nov 13, 2021Twitter Web App

Replying to

The exploit is based on the bug I found a few years ago. However, my exploit required cooperating userspace, so it didn't really count. Happy to see a purely USB one! xairy.io/articles/2016/

Andrey Konovalov

@andreyknvl

Nov 13, 2021

Exploiting a USB host from the device side is hard due to limited control: the device can only respond to host's requests. You can't simply start sending messages for heap shaping, etc. You need to find a way to make the kernel ask for those.

Replying to

and

Really impressive! I recently found a bug that should be triggerable through USB and even writing a crash PoC is annoying 😝

Replying to

Nice! Remember being happy to trigger within few minutes login screen null pointer dereference in iPAQ PDA driver w/Arduino-based USB fuzzer I cobbled together years ago. Alas, not new discovery: patched couple of months earlier after being triggered by...updated iPAQ model.😂

Replying to

and

Now the trick is finding an actual USB port…most linux severs r in cage or in cloud.