Re: arbitrary code execution on unformatted usb stick

To: debian-security@lists.debian.org
Subject: Re: arbitrary code execution on unformatted usb stick
From: Elmar Stellnberger <estellnb@elstel.org>
Date: Sat, 2 May 2020 16:50:05 +0200
Message-id: <[🔎] d7a90d7e-ef01-d165-245d-afe769a98b1e@elstel.org>
In-reply-to: <a68889c2-03da-6791-c2b3-840c1c8b53e0@elstel.org>
References: <b2489138-53ee-e747-31cc-cdce48339dbe@zoho.com> <e0b57757-da9a-1824-149f-9f49c9312515@gmail.com> <46c05a86-1c2d-436a-a37d-5cca18a68bcf@gmail.com> <39e4e14a-26e1-be1c-7108-3824d32e28a1@gmail.com> <e0b4b492-afa2-7ee1-cb0f-12f887f1a9e2@gmail.com> <2e13d71d-f29b-3cb2-4147-5fcf9c8c6a3e@gmail.com> <2a3b7e9a-d483-e4c8-8761-6803b6faf011@gmail.com> <CAKTje6ExBrtZoW+J-pdDW2+r3EJV0dVjVyakTSNfz2WUs+EOVw@mail.gmail.com> <CAKTje6HY-+tAeDkcSZyHdBKKWk1AiSaVr2jQuFhobuiTgtuCxA@mail.gmail.com> <4d768eaf-4b60-c060-3e68-7bfcbaa334aa@elstel.org> <a96c3b9cbc6df435b6a1c6bc1e20eb2c21f8f524.camel@debian.org> <1f279581-fd7b-b054-013c-d0a527db59e0@elstel.org> <c0c4f2eb10e435f81f3ba8f1cd5e7c1fe9391500.camel@debian.org> <e5906e91-201e-6b91-5fad-b60b4ce33180@elstel.org> <b74b1527-d500-6939-2a36-5361deeb5973@vheuser.com> <CAKTje6GB+i5GNqhVq3+xzx17e5Dpp=RcwwSuMeY9o954XG+ioA@mail.gmail.com> <87wo6imspv.fsf@miraculix.mork.no> <a68889c2-03da-6791-c2b3-840c1c8b53e0@elstel.org>

Am 25.04.20 um 15:38 schrieb Elmar Stellnberger:

Dear readers of the debian-security mailing list
The first time I had lost my new coreboot i7 notebook when I pluggeda vfat formatted usb stick into the notebook run merely offline where Ideveloped the a̅tea. Suddenly low level operating system errors appearedand since a power off/power on it refuses to boot from any media:internal m2 and usb. The notebook is thus unusable. I have sent thecomputer for repair but I got it back in the exactly the same condition.If you like you can read https://www.elstel.org/uploads/laptop-note.pdf.It contains an error description (I have written it with my typewriterand the company scanned the document). Consequently I thought that there would be an arbitrary codeexecution bug in the vfat file system. I prepared an USB stick, createdan msdos partition table with 7 partitions and used tar to read andwrite from the partitions (20-blueusb.rules). However it turned outsooner and later that this also caused arbitrary code executions. Itmade my offline Debian installation where I run an Apache server tocreate content for elstel.org several times unusable. I simply could notbelieve it. A program as simple as tar should not contain an arbitrarycode execution bug! There was no other way the system could get in touchwith the outside so the usb stick was definitely at fault. Today I have finally used cat and dd to stitch three text filestogether and read them back from a partition. That way I have avoided touse tar. It was on my most secure system which normally does not haveany contact to other computers at all because the system with the Apacheserver for elstel.org was unsuable for another time. And see there I gotthe exactly same result without tar: After unexplainable operatingsystem errors the system does not boot as soon as any SATA drive isattached. Flashing the BIOS does not help against this kind of error asthere is also other firmware. I have seen 3 of my Kingston USB readersmanipulated to not read a certain sdcard while 3 other readers of thesame type and same shipping locked in a box did still read it (sdcardblue ray image to install a clean Debian10). Obviously the firmware ofthat device was altered. As with the USB card reader a computer has manydevices each with its own firmware which can be altered to damage acomputer. This time I am at loss. If I can not plug in an USB stick there isapparently ¿almost? no safe way to communicate with that computer. Thereneeds to be an arbitrary code execution bug hidden in the kernel whichgets executed as soon as a partition table is read in. As I do not haveany filesystem on that USB stick and I have automounting disabled thatshould not be due to filesystem probing. As my experience with bugreporting at the Firefox browser I am quite sure at least some of themare bought by secret services due to their unwillingness to fix flagrantbugs. However I would never have believed this could be the case withthe Linux kernel. A kernel developer could perhaps help me if he saidwhat code exactly got executed on plugging in an USB stick. Finally Iwould need to use another operating system but I can´t as there is noother distribution than Debian which offers a blue ray image for offlineinstallation. Downloading singleton files in a batch via tor isconspicuous to secret services and thus not viable. They would simplyalter the download as they have done many times. I wonder how the peopleat the Iranian nuclear progam do their things?
Yours Sincerely,
Elmar Stellnberger

On from the beginning I had been in doubt about the conclusion ofwhat I reported in my last email. Such a bug in the usb mass storagedriver of the Linux kernel would be extremely hard to hide. From what Ibelieve now that supposed bug does not exist. Very likely they have aremote control of that offline PC used to maintain elstel.org. They arebadgering me there too. I already had that with a previous offlinecomputer which is of another model/make. I know it for sure with thatcomputer since they have hindered me there to program a̅tea. I know itfrom other occasions as well. They knew on my online computer what I wasdoing offline before. Impossible if they have no connection. It is forthem exactly the way as if that computer were online connected with aLAN cable or Wifi. They can do everything there. There was nothingapparently visible on the mainboard but electronic components are smalland a component could have been replaced. This time it was most likelybefore I have received the mainboard and assembled my computer.Consequently as there is no one who would help me and even no onewhom I can meet in person who would be interested in what I have to tellfrom 2011 I will have to give up my security related engagement. Justtelling other people about what has happened could help a lot (Youremember my German email from last time?). There is for sure a bug inthe vfat driver. My System76 notebook was clean as otherwise they wouldnever have left me develop a̅tea on it up to the state in which the toolis at the present time. However there are some things that would need tobe done for a̅tea. That DoH/DoT shit in libunbound has an arbitrary codeexecution bug which concerns a̅tea every time you do not state theserver certificate on the command line. You can download the servercertificate securely with dig or drill so the tool is basically alreadyfully functional. I would replace libunbound with direct system callsfor DNS and verify the trust chain up to the final RRSIG manually by theprogram. If that condition was met, a̅tea would be fully secure andfunctional. We have also been talking about missing DANE support for webbrowsers. I know an easy-to-implement workaround: A https proxy with aFirefox-local configured certification authority. It would forwardDANE-enabled sites 1:1 with self-generated certificates. Something thatwould work for all browsers you can think of. Unfortunately I have noway to implement that as the ultimate defenders of our freedom wouldsimply turn my computer off if I attempted to program anything the like.This is bitter truth!

Reply to:

Follow-Ups:
- Re: arbitrary code execution on unformatted usb stick
  - From: Elmar Stellnberger <estellnb@elstel.org>

Prev by Date: Fwd: Re: Scripts that run insecurely-downloaded code
Next by Date: Re: arbitrary code execution on unformatted usb stick
Previous by thread: Fwd: Re: Scripts that run insecurely-downloaded code
Next by thread: Re: arbitrary code execution on unformatted usb stick
Index(es):
- Date
- Thread