If you want an object lesson in the dangers that await us on the Internet of Things, check out SEC Consult’s write up on NetUSB, a widely used technology developed by an obscure Taiwanese company that just happens to contain a nasty, remotely exploitable vulnerability.
According to this alert, published on Tuesday, NetUSB “suffers from a remotely exploitable kernel stack buffer overflow” that could be used to run malicious code on affected devices. Even worse: the NetUSB component is ubiquitous – found in a long list of devices, from low-end wireless access points and broadband routers for small office and home office deployments to what SEC Consult called “high end devices…released very recently.” Networking devices from 26 vendors, including TP-Link, NetGear and others were found to use the NetUSB technology in their products.
The vulnerability discovered by SEC Consult is straight-forward enough. According to their advisory, the NetUSB code does an inadequate job of input validation, allowing an attacker to use an overly long value to overflow the “computer name” kernel stack buffer. This results in memory corruption which can be turned into arbitrary remote code execution.
Triggering the vulnerability is fairly simple. As part of the connection initiation, the NetUSB client sends her computer name to the device and can specify the length of the computer name.
“By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket. Easy as a pie, the ‘90s are calling and want their vuln(erabilitie)s back, stack buffer overflow.”
The company developed a proof of concept exploit for the vulnerability which would cause an affected device to crash (denial of service). However, SEC has not released it because few affected vendors have updated their firmware to patch the hole.
According to SEC Consult, NetUSB is a proprietary technology developed by the Taiwanese company KCodes. It is used to provide “USB over IP” functionality that link USB peripheral devices like printers, external hard drives and flash drives to Linux-based embedded systems like a broadband router or wireless access point or a USB over IP dongle. When connected, the peripheral are made available to the local network using a Linux kernel driver that launches a server, which listens on TCP port 20005.
The technology is “white labeled” by KCodes and goes by many different names: ReadySHARE (NetGear), or generically as “print sharing” or “USB share port.” On the client side, NetUSB is implemented in software for Windows and OS X. The client software connects to the server and simulates the devices that are plugged into the embedded system locally, so users can interact with the USB device as if it were physically plugged into their system. In the systems SEC Consult tested, the NetUSB feature was enabled by default and the server ran regardless of whether any USB devices were connected to it and using NetUSB.
Generally, an attacker would need access to the same network the device was connected to in order to carry out an attack, though SEC said it did find some devices that exposed TCP Port 20005 to the Internet, which would allow remote attacks.
And there were other signs of shoddy work, SEC found. The AES keys used to do mutual authentication check are static and can be found stored in both the kernel driver as well as in the client software for Windows and OS X. That tends to undercut the value of the authentication.
Predictably, SEC got no response from KCodes despite months of trying to get the company to address the security issue it discovered. It has coordinated with Carnegie Mellon’s CERT to issue a vulnerability note.
While NetUSB isn’t likely to be a show stopper. There have been other, widespread vulnerabilities affecting this class of device, notably: a brute force vulnerability in the common “Wi Fi Protected Setup” technology that is common with SOHO routers and wireless access points.
And, as we’ve reported: home routers are a common source of both vulnerabilities and attacks these days.
The NetUSB vulnerability is another reminder of the as-yet-undiscovered and exploitable weaknesses lurking in the global, embedded device supply chain. As more computing power shifts from powerful, multipurpose PCs to embedded systems like broadband routers, it becomes clear that the ingredients going into the “sausage” of embedded systems are often poorly vetted, even by sophisticated, upstream consumers. In this case, the kudos go to SEC Consult, which got curious about the NetUSB component after noticing the NetUSB kernel driver on a TP-LINK device, identified the vulnerability then traced its wide impact.