Andrey Konovalov on Twitter: "Exploiting a USB host from the device side is hard due to limited control: the device can only respond to host's requests. You can't simply start sending messages for heap shaping, etc. You need to find a way to make the kernel ask for those." / Twitter

This is the first Linux-kernel-host-code-execution-over-USB exploit known to me. Awesome job!

Quote Tweet

Nov 13, 2021

Achieving Linux Kernel Code Execution Through a Malicious USB Device; by Martijn Bogaard @jmartijnb and Dana Geist @geistdana Slides: i.blackhat.com/EU-21/Thursday

Show this thread

4

65

249

Andrey Konovalov

@andreyknvl

Nov 13, 2021

The exploit is based on the bug I found a few years ago. However, my exploit required cooperating userspace, so it didn't really count. Happy to see a purely USB one! xairy.io/articles/2016/

1

4

33

Andrey Konovalov

@andreyknvl

Exploiting a USB host from the device side is hard due to limited control: the device can only respond to host's requests. You can't simply start sending messages for heap shaping, etc. You need to find a way to make the kernel ask for those.

6:36 PM · Nov 13, 2021Twitter Web App

Replying to

Not even when acting as keyboard?

1

Replying to

Not even then. The host periodically polls the keyboard for key events. The keyboard can't send anything by itself. No USB-based devices can: all communication is initiated by the host.

1

Conversation