Ubuntu
linux package

USB Webkey devices send arbitrary keyboard input to focused window without confirmation

Bug #798858 reported by Tom Chiverton
266
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Invalid
Medium
Unassigned

Bug Description

When inserting a 'USB Webkey' (generic-usb 0003:05AC:020B.0001) without any user interaction a stream of characters is sent to whatever window the user happens to have focused. Such as Konsole session to a remote machine.
This shouldn't happen. Anything* could be made to happen accidentally or not...

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: linux-image-2.6.38-8-generic 2.6.38-8.42
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic i686
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.23.
Architecture: i386
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: falken 3019 F.... pulseaudio
CRDA:
 country TW:
  (2402 - 2472 @ 40), (3, 27)
  (5270 - 5330 @ 40), (3, 17), DFS
  (5735 - 5815 @ 40), (3, 30)
Card0.Amixer.info:
 Card hw:0 'Intel'/'HDA Intel at 0xfe9fc000 irq 47'
   Mixer name : 'SigmaTel STAC9228'
   Components : 'HDA:14f12c06,14f1000f,00100000 HDA:10951392,10280242,00100000 HDA:83847616,10280242,00100402'
   Controls : 31
   Simple ctrls : 19
Date: Fri Jun 17 18:42:57 2011
HibernationDevice: RESUME=UUID=a97d09a5-ff7d-4f3e-b320-86747eb1b2ca
MachineType: Dell Inc. Inspiron 1525
ProcEnviron:
 LANGUAGE=
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: root=UUID=01aa6a10-1c91-4b24-9632-a45de910f911 ro quiet splash resume=/dev/sda5
RelatedPackageVersions:
 linux-restricted-modules-2.6.38-8-generic N/A
 linux-backports-modules-2.6.38-8-generic N/A
 linux-firmware 1.52
SourcePackage: linux
UpgradeStatus: Upgraded to natty on 2011-04-05 (72 days ago)
UserAsoundrc:
 # ALSA library configuration file

 # Include settings that are under the control of asoundconf(1).
 # (To disable these settings, comment out this line.)
 </home/falken/.asoundrc.asoundconf>
WpaSupplicantLog:

dmi.bios.date: 10/16/2008
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A16
dmi.board.name: 0U990C
dmi.board.vendor: Dell Inc.
dmi.chassis.type: 8
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA16:bd10/16/2008:svnDellInc.:pnInspiron1525:pvr:rvnDellInc.:rn0U990C:rvr:cvnDellInc.:ct8:cvr:
dmi.product.name: Inspiron 1525
dmi.sys.vendor: Dell Inc.

Revision history for this message
Tom Chiverton (bugs-launchpad-net-falkensweb) wrote :
Revision history for this message
Tom Chiverton (bugs-launchpad-net-falkensweb) wrote :
Download full text (4.6 KiB)

Syslog of insertion:
Jun 17 18:44:06 wopr kernel: [ 249.370784] ehci_hcd 0000:00:1a.7: setting latency timer to 64
Jun 17 18:44:06 wopr kernel: [ 249.632098] usb 5-1: new low speed USB device using uhci_hcd and address 2
Jun 17 18:44:06 wopr laptop-mode: Laptop mode
Jun 17 18:44:06 wopr laptop-mode: enabled, active
Jun 17 18:44:07 wopr kernel: [ 250.830533] input: USB Webkey USB Webkey as /devices/pci0000:00/0000:00:1d.0/usb5/5-1/5-1:1.0/input/input12
Jun 17 18:44:07 wopr kernel: [ 250.830762] generic-usb 0003:05AC:020B.0001: input,hidraw0: USB HID v1.10 Keyboard [USB Webkey USB Webkey] on usb-0000:00:1d.0-1/input0
Jun 17 18:44:07 wopr kernel: [ 250.830802] usbcore: registered new interface driver usbhid
Jun 17 18:44:07 wopr kernel: [ 250.830806] usbhid: USB HID core driver
Jun 17 18:44:07 wopr laptop-mode: Laptop mode
Jun 17 18:44:07 wopr laptop-mode: enabled, active
Jun 17 18:44:08 wopr kernel: [ 250.984319] uhci_hcd 0000:00:1d.2: PCI INT C disabled
Jun 17 18:44:08 wopr kernel: [ 251.028201] uhci_hcd 0000:00:1d.1: PCI INT B disabled
Jun 17 18:44:08 wopr kernel: [ 251.824170] ehci_hcd 0000:00:1d.7: PCI INT A disabled
Jun 17 18:44:08 wopr kernel: [ 251.824246] ehci_hcd 0000:00:1d.7: PME# enabled
Jun 17 18:44:08 wopr kernel: [ 251.824271] uhci_hcd 0000:00:1a.1: PCI INT B disabled
Jun 17 18:44:08 wopr kernel: [ 251.831677] uhci_hcd 0000:00:1a.0: PCI INT A disabled
Jun 17 18:44:10 wopr kernel: [ 253.840154] ehci_hcd 0000:00:1a.7: PCI INT C disabled
Jun 17 18:44:10 wopr kernel: [ 253.840220] ehci_hcd 0000:00:1a.7: PME# enabled
Jun 17 18:44:13 wopr kernel: [ 256.662409] uhci_hcd 0000:00:1d.2: PCI INT C -> GSI 22 (level, low) -> IRQ 22
Jun 17 18:44:13 wopr kernel: [ 256.662419] uhci_hcd 0000:00:1d.2: setting latency timer to 64
Jun 17 18:44:13 wopr kernel: [ 256.702624] uhci_hcd 0000:00:1d.1: PCI INT B -> GSI 21 (level, low) -> IRQ 21
Jun 17 18:44:13 wopr kernel: [ 256.702633] uhci_hcd 0000:00:1d.1: setting latency timer to 64
Jun 17 18:44:13 wopr kernel: [ 256.742909] uhci_hcd 0000:00:1a.1: PCI INT B -> GSI 21 (level, low) -> IRQ 21
Jun 17 18:44:13 wopr kernel: [ 256.742919] uhci_hcd 0000:00:1a.1: setting latency timer to 64
Jun 17 18:44:13 wopr kernel: [ 256.782373] uhci_hcd 0000:00:1a.0: PCI INT A -> GSI 20 (level, low) -> IRQ 20
Jun 17 18:44:13 wopr kernel: [ 256.782383] uhci_hcd 0000:00:1a.0: setting latency timer to 64
Jun 17 18:44:13 wopr kernel: [ 256.836273] ehci_hcd 0000:00:1d.7: BAR 0: set to [mem 0xfed1c000-0xfed1c3ff] (PCI address [0xfed1c000-0xfed1c3ff])
Jun 17 18:44:13 wopr kernel: [ 256.836301] ehci_hcd 0000:00:1d.7: restoring config space at offset 0xf (was 0x100, writing 0x10a)
Jun 17 18:44:13 wopr kernel: [ 256.836339] ehci_hcd 0000:00:1d.7: restoring config space at offset 0x1 (was 0x2900000, writing 0x2900102)
Jun 17 18:44:13 wopr kernel: [ 256.839076] ehci_hcd 0000:00:1d.7: PME# disabled
Jun 17 18:44:13 wopr kernel: [ 256.839095] ehci_hcd 0000:00:1d.7: PCI INT A -> GSI 20 (level, low) -> IRQ 20
Jun 17 18:44:13 wopr kernel: [ 256.839107] ehci_hcd 0000:00:1d.7: setting latency timer to 64
Jun 17 18:44:14 wopr kernel: [ 256.904053] ehci_hcd 0000:00:1a.7: BAR 0: set to [mem 0xfed1c400-0xfed1c7ff] (PC...

Read more...

visibility: private → public
Brad Figg (brad-figg)
Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
Tom Chiverton (bugs-launchpad-net-falkensweb) wrote :

Least anyone think the risk from trusting input from these sort of devices is kinda abstract : http://www.theregister.co.uk/2011/06/27/mission_impossible_mouse_attack/

Revision history for this message
Sam Liddicott (sam-liddicott) wrote :

Hmm... can selinux disable USB input devices?

There is a strong case that usb input devices not used for logon should be explicitly enabled after logon (and perhaps remembered).

Revision history for this message
Tom Chiverton (bugs-launchpad-net-falkensweb) wrote :

If selinux can't udev certainly can (I remember having to add special rules to make VirtualBox talk to USB devices) :-)
I suppose you could run a script on login ... but have no idea how you might find out what USB devices were active during the login window....

And what about if I reboot with one of these hacked mice / marketing USB sticks connected ? Then it'd be active at login, could wait a few minutes and then start sending the 'bad' key sequences. So you'd actually have to ask X exactly what USB device was typed on ?

Revision history for this message
penalvch (penalvch) wrote :

Tom Chiverton, this bug was reported a while ago and there hasn't been any activity in it recently. We were wondering if this is still an issue? If so, could you please test for this with the latest development release of Ubuntu? ISO images are available from http://cdimage.ubuntu.com/daily-live/current/ .

If it remains an issue, could you please run the following command in the development release from a Terminal (Applications->Accessories->Terminal), as it will automatically gather and attach updated debug information to this report:

apport-collect -p linux <replace-with-bug-number>

Also, could you please test the latest upstream kernel available (not the daily folder) following https://wiki.ubuntu.com/KernelMainlineBuilds ? It will allow additional upstream developers to examine the issue. Once you've tested the upstream kernel, please comment on which kernel version specifically you tested. If this bug is fixed in the mainline kernel, please add the following tags:
kernel-fixed-upstream
kernel-fixed-upstream-VERSION-NUMBER

where VERSION-NUMBER is the version number of the kernel you tested. For example:
kernel-fixed-upstream-v3.13-rc3

This can be done by clicking on the yellow circle with a black pencil icon next to the word Tags located at the bottom of the bug description. As well, please remove the tag:
needs-upstream-testing

If the mainline kernel does not fix this bug, please add the following tags:
kernel-bug-exists-upstream
kernel-bug-exists-upstream-VERSION-NUMBER

As well, please remove the tag:
needs-upstream-testing

Once testing of the upstream kernel is complete, please mark this bug's Status as Confirmed. Please let us know your results. Thank you for your understanding.

tags: added: bios-outdated-a17 needs-upstream-testing regression-potential
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
Revision history for this message
Tom Chiverton (bugs-launchpad-net-falkensweb) wrote :

Almost certainly still an issue, but I don't have the USB device any more.

Revision history for this message
penalvch (penalvch) wrote :

Tom Chiverton, this bug report is being closed due to your last comment https://bugs.launchpad.net/ubuntu/+source/linux/+bug/798858/comments/7 regarding you no longer have the hardware. For future reference you can manage the status of your own bugs by clicking on the current status in the yellow line and then choosing a new status in the revealed drop down box. You can learn more about bug statuses at https://wiki.ubuntu.com/Bugs/Status. Thank you again for taking the time to report this bug and helping to make Ubuntu better. Please submit any future bugs you may find.

Changed in linux (Ubuntu):
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.