Remix.run Logo
Findecanor 5 hours ago

A few years ago, plugging in a Razer USB mouse made Windows download and run a installer from which the current user could start PowerShell with administrator privileges. Razer first tried to downplay the issue, but fixed it later. [1]

The USB protocol does not have any authentication, just a VendorID/ProductID pair: 2×16 bits that Windows uses for looking up the driver package to install. Programming a MCU to use any VendorID/ProductID is straightforward. A USB device could even appear innocuous at first but after a timer or external trigger disconnect and reconnect masquerading as another device.

1. https://arstechnica.com/information-technology/2021/08/need-...

globalnode 3 hours ago | parent [-]

not a usb programmer, but are you saying i can buy any old usb chip and program it with any vendors ID and spoof windows into giving me admin? if so, gj micrcosoft.

Findecanor 2 hours ago | parent | next [-]

You could use any programmable microcontroller with a USB interface. Consumer products tend to have fuses set to they can't be programmed again.

The latest driver registered with Microsoft for the product you're going to spoof would need to have a vulnerability to exploit. You can't supply any driver.

globalnode 2 hours ago | parent [-]

ok thanks, so its not as bad as i thought.

nottorp 3 hours ago | parent | prev | next [-]

You can pretend to be any vid:pid with usb gadget mode. For example with a raspberry pi zero something.

But you can't pretend to be any vendors id, only the ones with vulnerabilities. And the drivers or spyware will be downloaded by windows from the vendor's site, not from your peripheral.

But yes, usb device identifier is done through software/firmware.

MatejKafka 3 hours ago | parent | prev [-]

You can "spoof" any system where you can load older drivers into giving you admin/root, you just need to find a vulnerable driver. Nothing Windows-specific in that.

tosti 2 hours ago | parent [-]

Also, disabling drivers from windows update is enforceable with group policy (iirc).

The BSDs have config, Linux can run without module support.