[SYSS-2018-033]: Fujitsu Wireless Keyboard Set LX901

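Risk summary:

[SYSS-2018-033]: Fujitsu Wireless Keyboard Set LX901 - Keystroke Injection Vulnerability

Advisory ID: SYSS-2018-033

Product: Wireless Keyboard Set LX901

Manufacturer: Fujitsu

Affected version: Model No. GK900

Tested version: Model No. GK900

Vulnerability type: Cryptographic Issues (CWE-310), Keystroke Injection Vulnerability

Risk level: High

Solution status: Open

Manufacturer notification: 2018-10-19

Solution date: -

Public disclosure: 2019-03-15

CVE reference: Not yet assigned

Discovered by: Matthias Deeg (SySS GmbH)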

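Overview:

  Fujitsu Wireless Keyboard Set LX901 is a wireless desktop set consisting of a mouse and a keyboard.

  The manufacturer describes the product as follows (see [1]):

  "The Wireless Keyboard LX901 is a top of the line desktop solution for lifestyle orientated customers, who want only the best for their desk. This superb keyboard set offers ambitious users more functions, security and better features than a conventional interface device. It even includes 2.4 GHz technology and 128 AES encryption for security."

  Due to an insecure implementation of the data communication, the wireless keyboard LX901 is prone to keystroke injection attacks.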

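Vulnerability details:

  SySS GmbH found that the Fujitsu LX901 wireless desktop set is vulnerable to keystroke injection attacks, which work by sending unencrypted data packets with the correct packet format to the receiver (USB dongle).

  The Fujitsu wireless keyboard itself only transmits keystrokes via AES-encrypted data packets with a payload size of 16 bytes, using the 2.4 GHz transceiver CYRF6936 from Cypress Semiconductor (see [2]).

  However, the receiver (a.k.a. bridge) of the Fujitsu wireless desktop set not only processes keyboard data packets encrypted with the correct shared AES key contained in the keyboard and bridge firmware, but also unencrypted data packets with the data packet format described in the CY4672 PRoC LP Reference Design Kit by Cypress Semiconductor (see [3]).

  Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system. In this way, an attacker can remotely take control of a victim's computer that is operated with an affected Fujitsu LX901 wireless desktop set.

  In combination with the replay attack described in the security advisory SYSS-2016-068 (see [4]), a keystroke injection attack makes it possible to remotely attack computer systems with an active screen lock, for example in order to install malware when the target system is unattended.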

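Proof of Concept (PoC):

  SySS GmbH was able to successfully perform keystroke injection attacks against the Fujitsu wireless desktop set LX901, using an in-house developed firmware for a 4-in-1 wireless module with a CYRF6936 transceiver (see [5]).

Solution:

  SySS GmbH is not aware of a solution to the described security issue.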

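Disclosure timeline:

  2018-10-19: Vulnerability reported to manufacturer

  2018-10-22: Fujitsu confirms receipt of security advisory

  2018-10-25: Fujitsu asks for more information about the reported security issue

  2018-10-26: Provided more information concerning the reported security vulnerability to Fujitsu

  2018-10-29: Fujitsu asks for more information about the reported security issue and proof of attacks (replay and keystroke injection)

  2018-10-30: Clarified some misunderstandings concerning the replay (SYSS-2016-068) and the keystroke injection (SYSS-2018-033) vulnerabilities, provided source code of a developed PoC tool, and provided videos with proof-of-concept attacks exploiting these two security issues

  2019-03-15: Public release of security advisory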

References:

  [1] Product website for Fujitsu Wireless Keyboard Set

  http://www.fujitsu.com/global/products/computing/peripheral/accessories/input-devices/keyboards/wl-keyboard-lx901.html

  [2] Datasheet WirelessUSB LP 2.4 GHz Radio SoC (CYRF6936)

  http://www.cypress.com/file/126466/download

  [3] CY4672 PRoC LP Reference Design Kit

  http://www.cypress.com/documentation/reference-designs/cy4672-proc-lp-reference-design-kit

  [4] SySS Security Advisory SYSS-2016-068

  https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-068.txt

  [5] Banggood 4-in-1 RF Transceiver Module

  https://www.banggood.com/2_4G-CC2500-A7105-Flysky-Frsky-Devo-DSM2-Multiprotocol-TX-Module-With-Antenna-p-1048377.html

  [6] SySS Security Advisory SYSS-2018-033

  https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-033.txt

  [7] SySS Responsible Disclosure Policy

  https://www.syss.de/en/responsible-disclosure-policy/

  [8] SySS Proof-of-Concept Video: Fujitsu Wireless Keyboard Set LX901 Keystroke Injection Attack

  https://youtu.be/87jZKTTBdtc

Credits:
  This security vulnerability was found by Matthias Deeg of SySS GmbH.

  E-Mail: matthias.deeg(at)syss.de
  Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc
  Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

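Disclaimer:
  The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

Copyright: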
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Translated by: 我超怕的

URL:https://www.cnblogs.com/iAmSoScArEd/

--------------------

Advisory ID: SYSS-2018-033
Product: Wireless Keyboard Set LX901
Manufacturer: Fujitsu
Affected Version(s): Model No. GK900
Tested Version(s): Model No. GK900
Vulnerability Type: Cryptographic Issues (CWE-310)
                    Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-10-19
Solution Date: -
Public Disclosure: 2019-03-15
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Fujitsu Wireless Keyboard Set LX901 is a wireless desktop set consisting of a mouse and a keyboard.

The manufacturer describes the product as follows (see [1]):

"The Wireless Keyboard LX901 is a top of the line desktop solution for lifestyle orientated customers, who want only the best for their desk. This superb keyboard set offers ambitious users more functions, security and better features than a conventional interface device. It even includes 2.4 GHz technology and 128 AES encryption for security."

Due to an insecure implementation of the data communication, the wireless keyboard LX901 is prone to keystroke injection attacks.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the wireless desktop set Fujitsu LX901 is vulnerable to keystroke injection attacks by sending unencrypted data packets with the correct packet format to the receiver (USB dongle).

The Fujitsu wireless keyboard itself only transmits keystrokes via AES-encrypted data packets with a payload size of 16 bytes using the 2.4 GHz transceiver CYRF6936 from Cypress Semiconductor (see [2]).

However, the receiver (a.k.a. bridge) of the Fujitsu wireless desktop set not only processes keyboard data packets encrypted with the correct shared AES key contained in the keyboard and bridge firmware, but also unencrypted data packets with the data packet format described in the CY4672 PRoC LP Reference Design Kit by Cypress Semiconductor (see [3]).


Thus, an attacker is able to send arbitrary keystrokes to a victim's computer system. In this way, an attacker can remotely take control over the victim's computer that is operated with an affected Fujitsu LX901 wireless desktop set. 


In combination with the replay attack described in the SySS security advisory SYSS-2016-068 (see [4]), a keystroke injection attack makes it possible to remotely attack computer systems with an active screen lock, for example in order to install malware when the target system is unattended.
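
The acceptance flaw described above, modelled as an added example (not code from SySS, Fujitsu or Cypress): a receiver that keeps a plaintext fallback next to its secured path, beside a strict one that drops anything outside the secured format and, going one step beyond the injection issue, also rejects a repeated counter. The frame layout, the counter, the key and the truncated HMAC tag (standing in for the AES processing, which the Python standard library lacks) are constructed assumptions, not the real packet format.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; stands in for the shared firmware key
SECURE_LEN = 16                # per the advisory, genuine keyboard payloads are 16 bytes


def seal(counter: int, report: bytes, key: bytes = KEY) -> bytes:
    """Keyboard side: 4-byte counter + 4-byte key report + 8-byte truncated tag."""
    body = struct.pack(">I", counter) + report
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class Bridge:
    """Receiver model; strict=False keeps the plaintext fallback the advisory describes."""

    def __init__(self, strict: bool):
        self.strict = strict
        self.last_counter = -1
        self.delivered = []  # key reports handed on to the USB HID side

    def receive(self, payload: bytes) -> str:
        if len(payload) != SECURE_LEN:
            if self.strict:
                return "dropped-not-secure-format"
            # Flaw: a second, unauthenticated parser stays reachable over the air.
            self.delivered.append(payload)
            return "accepted-plaintext"
        body, tag = payload[:8], payload[8:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "dropped-bad-tag"
        counter = struct.unpack(">I", body[:4])[0]
        if self.strict and counter <= self.last_counter:
            return "dropped-replay"  # stale counter: a recorded packet sent again
        self.last_counter = counter
        self.delivered.append(body[4:])
        return "accepted-secure"


def demo() -> dict:
    plain = bytes([0x00, 0x00, 0x04, 0x00])  # constructed 4-byte key report
    genuine = seal(1, plain)
    out = {}
    for name, strict in (("as-shipped", False), ("hardened", True)):
        bridge = Bridge(strict)
        out[name] = [bridge.receive(p) for p in (genuine, plain, genuine)]
    return out
```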


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH was able to successfully perform keystroke injection attacks against the Fujitsu wireless desktop set LX901 using an in-house developed firmware for a 4-in-1 wireless module using a CYRF6936 transceiver (see [5]).


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution to the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-10-19: Vulnerability reported to manufacturer
2018-10-22: Fujitsu confirms receipt of security advisory
2018-10-25: Fujitsu asks for more information about the reported
            security issue
2018-10-26: Provided more information concerning the reported security
            vulnerability to Fujitsu
2018-10-29: Fujitsu asks for more information about the reported
            security issue and proof of attacks (replay and keystroke
            injection)
2018-10-30: Clarified some misunderstandings concerning the replay
            (SYSS-2016-068) and the keystroke injection (SYSS-2018-033)
            vulnerabilities, provided source code of a developed PoC
            tool, and provided videos with proof-of-concept attacks
            exploiting these two security issues
2019-03-15: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Fujitsu Wireless Keyboard Set
    http://www.fujitsu.com/global/products/computing/peripheral/accessories/input-devices/keyboards/wl-keyboard-lx901.html
[2] Datasheet WirelessUSB LP 2.4 GHz Radio SoC (CYRF6936)
    http://www.cypress.com/file/126466/download
[3] CY4672 PRoC LP Reference Design Kit
    http://www.cypress.com/documentation/reference-designs/cy4672-proc-lp-reference-design-kit
[4] SySS Security Advisory SYSS-2016-068
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-068.txt
[5] Banggood 4-in-1 RF Transceiver Module
    https://www.banggood.com/2_4G-CC2500-A7105-Flysky-Frsky-Devo-DSM2-Multiprotocol-TX-Module-With-Antenna-p-1048377.html
[6] SySS Security Advisory SYSS-2018-033
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-033.txt
[7] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/
[8] SySS Proof-of-Concept Video: Fujitsu Wireless Keyboard Set LX901 Keystroke Injection Attack
    https://youtu.be/87jZKTTBdtc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg of SySS GmbH.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Website.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Original article: https://www.cnblogs.com/iAmSoScArEd/p/10539183.html