An unpatched vulnerability in software that redirects local USB devices to a remote system could help attackers elevate privileges on a target machine by adding fake devices.

The flaw is identified as CVE-2020-9332 and resides in the bus driver for "USB for Remote Desktop" developed by FabulaTech.

The company has an impressive customer list with high-profile organizations from a variety of sectors. Among them are Google, Microsoft, Texas Instruments, BMW, MasterCard, NASA, Reuters, Intel, Chevron, Shell, Raytheon, Xerox, Harvard, General Electric, and Raiffeisen Bank.

Insecure routine

After noticing "weird activity" from the kernel on computers of some customers running FabulaTech software, cybersecurity company SentinelOne decided to investigate and zeroed in on the root of the problem.

USB redirection solutions make USB devices reachable across the network, as if they were plugged into the local computer, through a pair of client-side and server-side components.

Information about the redirected device, collected by the client-side software, is sent to the server running on the remote machine.

Using a bus driver, the server creates and instructs a virtual device object to replay all the input/output communication of the real device.

This way, the operating system (OS) on the remote system is tricked into believing that a real USB device is connected.

SentinelOne researchers found that FabulaTech's bus driver called the insecure IoCreateDevice routine, which performs no security checks to block access from less privileged entities.

"Typically, drivers protect their device objects either by adding a security descriptor that restricts access to system and admins only, or by enforcing security checks in the driver itself" - SentinelOne

Since FabulaTech's driver calls the IoCreateDevice routine, a non-privileged user can add and control software devices that are trusted by the OS, SentinelOne says.

The researchers also note that FabulaTech services run under the LocalSystem account, which has extensive privileges on the computer.

To make their point, SentinelOne researchers created a proof-of-concept.

The gist of it is that FabulaTech's driver acts as a relay between the OS and a user-mode service that fetches data from the real, redirected device.

The disclosure report notes that the driver exposes control codes for creating a device, getting a URB (USB Request Block) from the OS and replying to the URB.

"Device creation code gets the device descriptor as input, the other two get and return URBs. The input and output parameters are such that the driver's private header is followed by the URB, which is followed by the HID report," reads the research.

In a report today, the researchers go into the technical details that make USB and human interface devices (HID) and their configurations recognizable to the operating system.

One malicious scenario the researchers described involves a fake mouse pointer that could be used to bypass the User Account Control (UAC) security feature in Windows.

Another PoC, which emulates a mouse click to consent on the UAC prompt, was also created but remains unpublished because the issue is unfixed and complete exploit code, even if demonstrative, could still serve malicious actors.

However, because any USB device can be simulated, more advanced attacks are possible, such as adding an Ethernet network card for intercepting traffic.

SentinelOne emailed FabulaTech at two addresses asking for a contact to report security vulnerabilities, first on January 29 and then again on February 4, but received no reply.

The researchers add that they also posted the issue on the company forum but the administrators deleted the message.

BleepingComputer has reached out to FabulaTech for comment about a plan to patch the vulnerability and what customers can do in the meantime.
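The "Insecure routine" section above turns on a single detail: a device object created with IoCreateDevice carries no security descriptor, so the object manager's access check has nothing to enforce, whereas the descriptor SentinelOne describes ("system and admins only") would reject a standard user at open time. The following Python block is an added illustration, not code from the article, SentinelOne or FabulaTech, and not the Windows implementation: it is a deliberately reduced model of how a DACL is evaluated against a caller's token. The SDDL string `D:P(A;;GA;;;SY)(A;;GA;;;BA)` is the standard "SYSTEM and Administrators get everything" descriptor from my own knowledge of the WDK (the kind a driver passes to IoCreateDeviceSecure, which the article does not mention); the token SID sets and requested rights are constructed for the example.

```python
"""Reduced model of a DACL access check on a driver's device object.

Added example (not the article's, SentinelOne's, FabulaTech's or Windows' code).
Only allow/deny ACEs with generic rights (GR/GW/GX/GA) are modelled; ACE flags,
object GUIDs and specific hex access masks are ignored on purpose.
"""
import re
from typing import Iterable, List, Optional, Set, Tuple

# Well-known SID abbreviations that appear in SDDL strings.
SDDL_SIDS = {
    "SY": "S-1-5-18",      # LocalSystem
    "BA": "S-1-5-32-544",  # Builtin\Administrators
    "BU": "S-1-5-32-545",  # Builtin\Users
    "IU": "S-1-5-4",       # Interactive users
    "WD": "S-1-1-0",       # Everyone
}
# Generic rights, modelled as sets of concrete rights.
RIGHTS = {
    "GR": {"read"}, "GW": {"write"}, "GX": {"execute"},
    "GA": {"read", "write", "execute"},
}
# (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((A|D);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")

Ace = Tuple[str, Set[str], str]

# Constructed token SID sets for the two callers of interest.
STANDARD_USER = {"S-1-1-0", "S-1-5-32-545", "S-1-5-4"}
LOCAL_SYSTEM = {"S-1-1-0", "S-1-5-18"}
# Standard "SYSTEM and Administrators only" device-object descriptor (SDDL).
SYSTEM_AND_ADMINS_ONLY = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"


def parse_dacl(sddl: Optional[str]) -> Optional[List[Ace]]:
    """Return the ACE list from the D: part of an SDDL string.

    None means a NULL DACL: no descriptor at all, which is what a plain
    IoCreateDevice call leaves behind and which grants everyone full access.
    """
    if sddl is None or "D:" not in sddl:
        return None
    dacl = sddl.split("D:", 1)[1]
    aces: List[Ace] = []
    for ace_type, rights, trustee in ACE_RE.findall(dacl):
        granted: Set[str] = set()
        for i in range(0, len(rights), 2):              # rights come in 2-letter codes
            granted |= RIGHTS.get(rights[i:i + 2], set())
        aces.append((ace_type, granted, SDDL_SIDS.get(trustee, trustee)))
    return aces


def access_check(dacl: Optional[List[Ace]], token_sids: Set[str],
                 requested: Iterable[str]) -> bool:
    """Model of the access check.

    NULL DACL: everything is granted.  Otherwise ACEs are walked in order: a
    matching deny ACE that covers any still-requested right rejects the open,
    allow ACEs accumulate rights until every requested right is granted.  An
    empty DACL (no ACEs) therefore grants nothing.
    """
    if dacl is None:
        return True
    remaining = set(requested)
    for ace_type, rights, sid in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "D" and rights & remaining:
            return False
        if ace_type == "A":
            remaining -= rights
        if not remaining:
            return True
    return not remaining


def can_open_device(sddl: Optional[str], token_sids: Set[str],
                    rights: Iterable[str] = ("read", "write")) -> bool:
    """Would a caller holding `token_sids` get `rights` on a device object
    created with security descriptor `sddl` (None = no descriptor)?"""
    return access_check(parse_dacl(sddl), token_sids, rights)


if __name__ == "__main__":
    for label, sddl in (("IoCreateDevice, no descriptor", None),
                        ("SYSTEM and admins only", SYSTEM_AND_ADMINS_ONLY)):
        print(f"{label}: standard user -> {can_open_device(sddl, STANDARD_USER)}, "
              f"LocalSystem -> {can_open_device(sddl, LOCAL_SYSTEM)}")
```

The two printed lines are the whole story of the bug: with no descriptor the standard user and LocalSystem are treated alike, and with the restrictive descriptor only LocalSystem gets through. The second line of defence the quote mentions, checks inside the driver's own IOCTL handlers, is not modelled here.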
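The report is quoted above as saying that device creation "gets the device descriptor as input", and the article notes that the researchers detail what makes a USB or HID device "recognizable to the operating system". What the host actually recognises is the chain of length-prefixed descriptors a device returns during enumeration: the 18-byte device descriptor, then the configuration descriptor with its interface, HID and endpoint descriptors. The parser below is an added example, not code from the article, SentinelOne or FabulaTech, and it knows nothing about the driver's private header layout; it walks the standard USB descriptor chain and reports what class of device the host would bind, which is the information a defender would log when an unexpected keyboard or mouse appears on a virtual bus. The descriptor bytes are constructed here for a boot-protocol mouse; the function names are mine.

```python
"""Walk a USB device descriptor and configuration descriptor chain and report
what bus enumeration would see.  Added example; the byte strings below are
constructed, not captured from any FabulaTech component.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Descriptor type codes (USB 2.0 chapter 9, HID 1.11 section 7.1).
DEVICE, CONFIGURATION, INTERFACE, ENDPOINT, HID = 0x01, 0x02, 0x04, 0x05, 0x21
HID_CLASS = 0x03
HID_BOOT_PROTOCOLS = {1: "keyboard", 2: "mouse"}   # valid when bInterfaceSubClass == 1


@dataclass
class DeviceSummary:
    vendor_id: int
    product_id: int
    usb_version: str
    interfaces: List[Tuple[int, int, int, str]] = field(default_factory=list)
    report_descriptor_lengths: List[int] = field(default_factory=list)
    endpoints: List[int] = field(default_factory=list)


def parse_device_descriptor(data: bytes) -> DeviceSummary:
    """Parse the 18-byte standard device descriptor (all multi-byte fields little-endian)."""
    if len(data) < 18 or data[0] != 18 or data[1] != DEVICE:
        raise ValueError("not a USB device descriptor")
    (_b_length, _b_type, bcd_usb, _cls, _sub, _proto, _max_pkt0,
     vid, pid, _bcd_dev, _i_mfr, _i_prod, _i_serial, _n_cfg) = struct.unpack("<BBHBBBBHHHBBBB", data[:18])
    usb_version = f"{bcd_usb >> 8:x}.{(bcd_usb >> 4) & 0xF:x}{bcd_usb & 0xF:x}"
    return DeviceSummary(vid, pid, usb_version)


def walk_configuration(data: bytes, summary: DeviceSummary) -> DeviceSummary:
    """Walk the configuration descriptor and everything returned with it.

    Each record is bLength, bDescriptorType, payload; wTotalLength bounds the
    whole chain.  Truncated or zero-length records raise instead of looping.
    """
    if len(data) < 9 or data[0] != 9 or data[1] != CONFIGURATION:
        raise ValueError("not a USB configuration descriptor")
    total_len = struct.unpack_from("<H", data, 2)[0]
    if total_len > len(data):
        raise ValueError("wTotalLength exceeds buffer (truncated chain)")
    offset = 0
    while offset + 2 <= total_len:
        b_length, b_type = data[offset], data[offset + 1]
        if b_length < 2 or offset + b_length > total_len:
            raise ValueError(f"malformed descriptor at offset {offset}")
        rec = data[offset:offset + b_length]
        if b_type == INTERFACE and b_length >= 9:
            cls, sub, proto = rec[5], rec[6], rec[7]
            label = "other"
            if cls == HID_CLASS:
                if sub == 1 and proto in HID_BOOT_PROTOCOLS:
                    label = "HID boot " + HID_BOOT_PROTOCOLS[proto]
                else:
                    label = "HID generic"
            summary.interfaces.append((cls, sub, proto, label))
        elif b_type == HID and b_length >= 9:
            # wDescriptorLength of the report descriptor that follows later.
            summary.report_descriptor_lengths.append(struct.unpack_from("<H", rec, 7)[0])
        elif b_type == ENDPOINT and b_length >= 7:
            summary.endpoints.append(rec[2])        # bEndpointAddress
        offset += b_length
    return summary


def describe_device(device_descriptor: bytes, configuration: bytes) -> DeviceSummary:
    """Parse both descriptors as the host would during enumeration."""
    return walk_configuration(configuration, parse_device_descriptor(device_descriptor))


def configuration_is_well_formed(configuration: bytes) -> bool:
    """True if the configuration chain parses without a length inconsistency."""
    try:
        walk_configuration(configuration, DeviceSummary(0, 0, "0.00"))
        return True
    except ValueError:
        return False


# Constructed sample: USB 2.0 device, VID 0x1234 / PID 0x5678, one configuration
# holding one HID interface (boot protocol, mouse) with one interrupt IN endpoint.
SAMPLE_DEVICE_DESCRIPTOR = bytes.fromhex("12 01 00 02 00 00 00 08 34 12 78 56 00 01 01 02 00 01")
SAMPLE_CONFIGURATION = bytes.fromhex(
    "09 02 22 00 01 01 00 A0 32"   # configuration: wTotalLength 0x22, 1 interface
    "09 04 00 00 01 03 01 02 00"   # interface: class 3 (HID), subclass 1 (boot), protocol 2 (mouse)
    "09 21 11 01 00 01 22 32 00"   # HID descriptor: bcdHID 1.11, report descriptor 0x32 bytes
    "07 05 81 03 04 00 0A"         # endpoint 0x81: interrupt IN, 4 bytes, 10 ms
)

if __name__ == "__main__":
    print(describe_device(SAMPLE_DEVICE_DESCRIPTOR, SAMPLE_CONFIGURATION))
```

The interface label is what matters for the scenario in the article: a host that suddenly sees a new "HID boot mouse" or "HID boot keyboard" arriving through a virtual bus rather than a physical controller is exactly the condition worth logging, and the parser rejects chains whose wTotalLength or bLength fields do not add up rather than reading past the buffer.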