An unpatched vulnerability in software that redirects local USB devices to a remote system could help attackers elevate privileges on a target machine by adding fake devices.
The flaw is identified as CVE-2020-9332 and resides in the bus driver for “USB for Remote Desktop” developed by FabulaTech. The company has an impressive customer list with high-profile organizations from a variety of sectors.
Among them are Google, Microsoft, Texas Instruments, BMW, MasterCard, NASA, Reuters, Intel, Chevron, Shell, Raytheon, Xerox, Harvard, General Electric, and Raiffeisen Bank.
After noticing “weird activity” from the kernel on computers of some customers running FabulaTech software, cybersecurity company SentinelOne decided to investigate and zeroed in on the root of the problem.
The way USB redirection solutions work to make USB devices across the network appear as if they were connected to the local computer is through client/server-side software.
Information about the redirected device collected by the client-side software is sent to the server running on the remote machine. Using a bus driver, the server creates and instructs a virtual object to repeat all the input-output communication from the real device.
This way, the operating system (OS) on the remote system is tricked into believing that a real USB device is connected.
SentinelOne researchers found that FabulaTech’s bus driver calls the IoCreateDevice routine, which does not apply security checks to block access from less privileged entities.
“Typically, drivers protect their device objects either by adding a security descriptor that restricts access to system and admins only, or by enforcing security checks in the driver itself” – SentinelOne
Because FabulaTech’s driver creates its device object with the IoCreateDevice routine, a non-privileged user can add and control software devices that are trusted by the OS, SentinelOne says.
The researchers also note that FabulaTech services run under the LocalSystem account, which has extensive privileges on the computer.
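The protection SentinelOne describes is normally expressed as an SDDL string (passed to IoCreateDeviceSecure, or set through a WDF or INF Security directive) that limits the device object to SYSTEM and Administrators. The script below is an added audit helper, not SentinelOne’s research or FabulaTech’s code: it parses such strings and flags allow-ACEs granted to broad principals, treating a missing DACL as the open state a device created with plain IoCreateDevice ends up in. The sample descriptors are constructed.

```python
import re
from typing import List, Optional, Tuple

# Well-known SDDL SID aliases that stand for broad, low-privilege principals.
BROAD_TRUSTEES = {
    "WD": "Everyone", "BU": "Builtin Users", "AU": "Authenticated Users",
    "IU": "Interactive Users", "AN": "Anonymous", "RC": "Restricted Code",
}
# The only principals that should be able to open a privileged relay device.
PRIVILEGED_TRUSTEES = {"SY", "BA"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> Optional[List[Tuple[str, str, str]]]:
    """Return (ace_type, rights, trustee) per ACE in the D: section.

    None means there is no DACL at all (a NULL DACL grants everyone full
    access), which is the effective state of a device object created with
    IoCreateDevice and no security descriptor.
    """
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)  # D: section ends at the SACL or end of string
    if not m:
        return None
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append((parts[0], parts[2], parts[5]))
    return aces


def audit_device_sddl(sddl: str) -> List[str]:
    """Return findings; an empty list means only SYSTEM/Administrators are granted access."""
    aces = parse_dacl(sddl)
    if aces is None:
        return ["no DACL: any user can open the device object"]
    findings = []
    for ace_type, rights, trustee in aces:
        if ace_type != "A" or trustee in PRIVILEGED_TRUSTEES:
            continue  # deny/audit ACEs grant nothing; SY and BA are expected
        who = BROAD_TRUSTEES.get(trustee, trustee)
        findings.append(f"allow ACE grants {rights} to {who} ({trustee})")
    return findings


# Constructed sample descriptors (hypothetical, not taken from any vendor driver).
RESTRICTED_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
PERMISSIVE_SDDL = "O:SYG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;BU)S:(ML;;NW;;;LW)"

if __name__ == "__main__":
    for name, s in (("restricted", RESTRICTED_SDDL), ("permissive", PERMISSIVE_SDDL), ("no DACL", "")):
        print(name, "->", audit_device_sddl(s) or "OK")
```

The check is deliberately conservative: it flags every allow-ACE to a broad trustee and does not try to net out deny-ACEs, so a flagged string deserves a manual look rather than an automatic verdict.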
To make their point, SentinelOne researchers created a proof-of-concept. The gist of it is that FabulaTech’s driver acts as a relay between the OS and a user mode service that fetches data from the real, redirected device.
The disclosure report notes that the driver exposes control codes for creating a device, getting a URB [USB Request Block] from the OS and replying to the URB.
“Device creation code gets the device descriptor as input, the other two get and return URBs. The input and output parameters are such that the driver’s private header is followed by the URB, which is followed by the HID report,” reads the research.
In a report today, the researchers go into the technical details that make USB and human interface devices and their configurations recognizable to the operating system.
One malicious scenario the researchers described involves a fake mouse pointer that could be used to bypass the User Account Control (UAC) security feature in Windows.
However, because any USB device can be simulated, more advanced attacks are possible, such as adding an Ethernet network card for intercepting traffic.
Another PoC, which emulates a mouse click to consent to the UAC prompt, was also created but remains unpublished because the issue is unfixed and complete exploit code, even if demonstrative, could still serve malicious actors.
A fix is coming
SentinelOne emailed FabulaTech at two addresses asking for a contact to report security vulnerabilities, first on January 29 and then again on February 4, but received no reply. The researchers add that they also posted the issue on the company forum, but the administrators deleted the message.
BleepingComputer has reached out to FabulaTech for comments about a plan to patch the vulnerability and what customers can do in the meantime. A company representative replied saying “We don’t see any technical requests from you or any customer with the name SentinelOne.”
After getting more details and checking if the issue exists, the company acknowledged the problem. FabulaTech’s Vladimir Mostovoy, VP Business Operations, told BleepingComputer that it will be addressed in the shortest time possible. A new release of the software containing the patch is expected in the near future.
Priced at $199.95, USB for Remote Desktop is currently at version 6.0 for Windows (released on November 22, 2019) and version 5.2.29 for Linux (released on May 8, 2018).