Achieving Linux Kernel Code Execution Through a Malicious USB Device

Conference: BlackHat USA 2021



The presentation discusses a USB attack on a smartphone using a vulnerability in the Linux kernel. The attack requires physical access to the device and a low-activity slab. The presentation also covers the challenges of the attack and the mitigations against it.
  • The attack requires physical access to the device and a low-activity slab
  • Winning the race is the main challenge for the attack
  • Cache behavior can make it hard to predict where control is taken
  • Address space layout randomization is a hurdle that needs to be overcome
  • Code and data protections can be mitigated by looking for other attack paths
  • Heap hardening techniques can make the attack impossible to execute
The presenters demonstrated the attack on a smartphone by inserting a USB device to trigger the vulnerability and gain code execution in the context of the Linux kernel. They then launched a reverse shell on the phone that connected to a netcat listener, giving them root privileges and access to the phone's data. The attack could also unlock the device and give immediate access to all stored data.


How robust is the security of a fully updated, widely used and locked-down Linux-based device without any known rooting methods? Where the only non-trusted code being executed is heavily sandboxed JavaScript? Which has almost no user-mode binaries and is stripped down to the bare minimum? In this talk, we show how we gained root by inserting a malicious USB device that exploits a forgotten vulnerability in the USB stack of the Linux kernel, known as CVE-2016-2384 and originally found by Andrey Konovalov. Exploiting this vulnerability allows gaining arbitrary code execution in the context of the kernel without any interaction with the device, which we then used to get a root shell.

While the vulnerability was quickly resolved by (most of) the mainstream Linux distributions, it remains highly relevant in the context of device security. Here, major Linux kernel upgrades are much less common, and even newly released devices which cost hundreds or even thousands of euros might go to market with an already outdated Linux kernel. The devices on which we encountered this particular bug in the last year are used by (tens of) millions of households.

A proof-of-concept exploit for the vulnerability exists and is publicly available. However, this PoC requires the capability to run unprivileged code on the device in order to elevate the privileges of an existing process to root. It uses well-known exploitation techniques which rely on calls such as sendmmsg() and add_key() to spray attacker-controlled data on the heap. These techniques require the ability to execute unprivileged code in the first place and therefore cannot be used for a USB-based attack.

We will demonstrate that it is possible to gain runtime control of the device through Linux kernel driver exploitation by nothing other than inserting a malicious USB device. We believe our method is not limited to this specific vulnerability, but some additional work would be required for devices with newer Linux kernels or devices implementing more advanced mitigation techniques.

While rooting the device did not allow us to bypass additional security layers (i.e. TEE technology), it shows the (sometimes) underestimated risk of dealing with complex subsystems. Lastly, even for highly experienced and motivated product teams, it is difficult to consistently resolve all known vulnerabilities in Linux devices.