Linux To Try Again To Disable All RNDIS Protocol Drivers

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • pWe00Iri3e7Z9lHOX2Qx
    replied
    The Microsoft RNDIS protocol is, as designed, insecure and vulnerable on any system that uses it with untrusted hosts or devices. Because the protocol is impossible to make secure, just disable all rndis drivers to prevent anyone from using them again.
    I'd wager large sums of money that most people trust their Linux laptop / desktop and their Linux kernel running Android phone, and that they are going to be pretty cheesed off in whatever weird circumstance they really need to tether and can't. But saving them from some l33t hax0rs who came down through the AC vent on a cable system Mission Impossible style to hook up some poisoned malware infested phone for networking is definitely a more important and realistic scenario to defend them against.

    Windows only needed this for XP and newer systems, Windows systems older than that can use the normal USB class protocols instead, which do not have these problems.

    This is such a weird statement. Who cares about the ancient Windows systems before XP? In this context, who cares about any of them besides Windows 10 and Windows 11 which haven't hit EOL? That's like writing "Windows only needs this for currently supported Windows systems".

    Android has had this disabled for many years so there should not be any real systems that still need this.
    Almost every Android phone in existence uses this, including very recent high end devices like the Samsung Galaxy S23 Ultra. Where do they get this shit?

    Leave a comment:


  • pWe00Iri3e7Z9lHOX2Qx
    replied
    Originally posted by willmore View Post
    What's insecure about this? If I own both devices and plug them together, am I vulnerable to something? Or is the thread that 'some foreign device can be plugged into your trusted one and your device will trust the foreign device and accept it as a network interface'? Because the latter is simply "you're holding it worng". Are getting rid of USB/HID? I can plug a hostile device into your trusted one and you'll trust my device if it claims to be HID.
    You are basically spot on.​

    The Microsoft RNDIS protocol is, as designed, insecure and vulnerable on any system that uses it with untrusted hosts or devices. Because the protocol is impossible to make secure, just disable all rndis drivers to prevent anyone from using them again.
    I trust my host and my phone. The chances of me needing to tether with my phone because reasons is about 1000% higher than the chance of someone compromising my laptop with an "evil phone providing network" attack.

    Leave a comment:


  • pWe00Iri3e7Z9lHOX2Qx
    replied
    Originally posted by Namelesswonder View Post
    I don't know the currently supported protocols on recent phones like the Galaxy S23, but new Android phones are still a small drop in the bucket of billions of older Android devices.
    Galaxy S23 Ultra here...

    Code:
    foo@G15:~> lsmod | rg rndis
    rndis_host             24576  0
    cdc_ether              24576  1 rndis_host
    usbnet                 65536  2 rndis_host,cdc_ether
    usbcore               446464  8 xhci_hcd,usbnet,usbhid,cdc_acm,rndis_host,btusb,xhci_pci,cdc_ether​

    Leave a comment:


  • pWe00Iri3e7Z9lHOX2Qx
    replied
    Originally posted by jokeyrhyme View Post
    For Android, the kernel version is frozen years before the device even hits shelves, they practically never get new kernel updates, only backported fixes for vulnerabilties (when we're lucky)

    This will not impact existing devices at all

    For future devices, Google can either patch the kernel, or manufacturers can patch the kernel, or (unfortunately) consumers can be forced to throw away insecure/affordable networking adapters and buy new ones
    How's that going to work for you when the machine you are trying to tether for doesn't have a rndis module to load?

    Leave a comment:


  • pWe00Iri3e7Z9lHOX2Qx
    replied
    Originally posted by gavron

    So many things.

    First, a git pull is not a push, and there is no "upstream" than kernel.org.

    Second your phone doesn't use any version of a yet-to-be-released kernel. You'll note Android doesn't use any 6.x kernel yet. https://source.android.com/docs/core...android-common
    Code:
    foo@G15:~> locate rndis | rg modules
    /usr/lib/modules/6.5.3-1-default/kernel/drivers/net/usb/rndis_host.ko.zst
    /usr/lib/modules/6.5.3-1-default/kernel/drivers/net/wireless/legacy/rndis_wlan.ko.zst
    /usr/lib/modules/6.5.3-1-default/kernel/drivers/usb/gadget/function/usb_f_rndis.ko.zst
    /usr/lib/modules/6.5.4-1-default/kernel/drivers/net/usb/rndis_host.ko.zst
    /usr/lib/modules/6.5.4-1-default/kernel/drivers/net/wireless/legacy/rndis_wlan.ko.zst
    /usr/lib/modules/6.5.4-1-default/kernel/drivers/usb/gadget/function/usb_f_rndis.ko.zst​
    Plugs in "ancient" 512GB Samsung Galaxy S23 Ultra and turns on USB tethering...

    Code:
    foo@G15:~> lsmod | rg rndis
    rndis_host             24576  0
    cdc_ether              24576  1 rndis_host
    usbnet                 65536  2 rndis_host,cdc_ether
    usbcore               446464  8 xhci_hcd,usbnet,usbhid,cdc_acm,rndis_host,btusb,xhci_pci,cdc_ether​
    From Greg's diff...

    Code:
    config USB_NET_RNDIS_HOST
    tristate "Host for RNDIS and ActiveSync devices"
    depends on USB_USBNET
    + depends on BROKEN
    Seems like that's going to be a problem.

    Originally posted by gavron
    Finally, nobody here cares more than I about exactly what you're "going to be back on". As I quiver in anticipation though I do think you should know Windows last supported the "pocket PC" in Windows Mobile v10 which had an end of life five years ago. https://learn.microsoft.com/en-us/li...end-of-support Even short sighted "If I can't screw my sister I'm moving back to Arkansas" geniuses can't run Windows on their Pixel 6, OnePlus 5, Samsung 22, or whatever you have (pink Ma Bell Princess phone with RJ-12 jack?).

    But honestly you did make me laugh. Sorry about your sister and the relationship and all that. Do keep us informed. Nothing Phoronix readers like more than knowing who is moving their new Android phone to Windows because Linux kernel 6.7+ may remove a feature or so.
    What?

    Leave a comment:


  • Sonadow
    replied
    Originally posted by gavron View Post

    Wall of bullshit
    You can start by learning the difference between RNDIS and NDIS before spewing bullshit.

    Leave a comment:


  • billyswong
    replied
    So... is this removal going to prevent phones from internet tethering and/or reverse tethering (via Gnirehtet) with a LInux PC? If no, any clarification? If yes, what can we do?

    Leave a comment:


  • Shtirlic
    replied
    Do we have alternative solution for usb-c <=> usb-c ethernet connection on Linux? It's still funny to see that we can't use at least 5gbits connection via USB ports between 2 devices, It's feels so natural for Unix, before we had rs232 and even LPT cables for interlink/laplink and now in 2023 we still can't have reliable point-to-point network between high speed ports on devices, unbelievable.

    PS
    Imagine you have 2 SFF boxes in homelab and it connected to each other via direct type-c cable on gen2 10gbit speed or more in case of usb4.
    Last edited by Shtirlic; 02 October 2023, 12:09 AM. Reason: PS

    Leave a comment:


  • gavron
    replied
    Originally posted by Mangix View Post
    this confuses me. so a USB device that implements an ethernet port will no longer work?
    NDIS was an interim method MS touted to allow some devices to function on WinXP. Linux offered the 'shim' called NDISWRAPPER to allow that to work under Linux. It's a hardware abstraction layer (HAL) and works... but has a lot of assumptions and glosses over on things that make drivers fail that inevitably make it a huge security hole. ndiswrapper doesn't cleanly build on any kernel newer than 5.4 and even then functionality is less than perfect. As a shim to a HAL it was never perfect to begin with.

    These proposed changes continue the philosophy of linux being done with ndis.

    Most manufacturers produced compliant drivers following WinXP, such as for e.g Vista, 2k, 2003, 2008, 2010, 7, 8, 10, and now 11. Some of those have had their guts probed and linux equivalents written. Some mfgs provide linux support. Some are in kernel.

    To answer your question, it is too vague as is, but if you state WHICH USB device you are looking at that implements an Ethernet port, perhaps with an 'lsusb' showing the driver id... it can be looked up to see support.

    To help out in case that's not clear
    1. $ lsusb
    2. Look for the device you're interested in
    3. Note the vendor and ID in the form of xxxx:xxxx where x is any of {0-9,a-f}
    4. Google "linux support xxxx:xxxx" and see if it's either built into the kernel or you can download module sources and simply add the module. The scope of that is not in tis short reply but if it doesn't include directions, a quick google of "add driver module to running kernel linux" should help you. Make sure you have the appropriate kernel-headers-`uname-r` package installed...

    E

    Leave a comment:


  • Mangix
    replied
    this confuses me. so a USB device that implements an ethernet port will no longer work?

    Leave a comment:

Working...
X