I think I understand why the USB exploit analyzed by Amnesty International uses both a virtual Extigy sound card and a FastTrackPro sound card.
https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/
It took me 6 weeks to notice: in the logs, the Extigy and the FastTrackPro sound cards are not two virtual devices.
They're one device with two interfaces.
Which explains why the device "morphs":
- it first returns Extigy as the USB VID/PID in its device descriptor
- the Extigy quirk causes Linux to re-fetch the device descriptor
- the Amnesty analysis points out that you can return a bigger bNumConfigurations in the new device descriptor to cause an out-of-bound read+free on disconnect
- but you can also return a different VID/PID - say, the FastTrackPro VID/PID
- and Linux will use that VID/PID to probe the next audio interface:
https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/sound/usb/card.c;l=773;drc=bc9dca02d645353bd4ff789c5a3a20064923889b
Now you have a device with both a corrupted bNumConfigurations - and with VID/PID set to FastTrackPro, which now triggers FastTrackPro quirks.
The original writeup identifies that, like the Extigy, the FastTrackPro has quirks that are only run for that VID/PID.
Amnesty speculates that the attacker uses the FastTrackPro "to confirm that the memory corruption primitive CVE-2024-53197 is functional".
The writeup looks at the skip_setting quirk:
https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/sound/usb/quirks.c;l=1598;drc=bc9dca02d645353bd4ff789c5a3a20064923889b
but there's also this boot quirk, which switches the device's configuration:
https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/sound/usb/quirks.c;l=1652;drc=bc9dca02d645353bd4ff789c5a3a20064923889b
This calls to usb_set_configuration(dev, 2), which reads bNumConfigurations and looks for configuration #2.
https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/drivers/usb/core/message.c;l=2007;drc=9f2a3933beeaeead53829d3a7be53770e41e7869
So if you wanted to confirm that your heap manipulation worked, in your fake `struct usb_host_config`, set 2 as your bConfigurationValue.
usb_set_configuration will read the corrupted bNumConfigurations and start reading `struct usb_host_config`s out of bounds.
If it finds configuration #2, it means your fake is located in the right place, right after the Extigy/FastTrackPro's own `struct usb_host_config`s.
And since the search doesn't dereference anything, you can't crash.
Zhuowei Zhang /
npub1cp…9e7uy
2025-04-12 04:27:03
Author Public Key
npub1cppa6rw8av0n2zjc6yarum7k0nmtkka4d7qas3ndy0sqpjfz9u0sx9e7uySeen on
wss://relay.mostr.pubPublished at
2025-04-12 04:27:03Event JSON
{
"id": "516793b7d6f611ec1ea016dd74c4711e3c6972a678b1e863e3814492d4391dde",
"pubkey": "c043dd0dc7eb1f350a58d13a3e6fd67cf6bb5bb56f81d8466d23e000c9222f1f",
"created_at": 1744432023,
"kind": 1,
"tags": [
[
"proxy",
"https://notnow.dev/objects/edd104b2-5a73-4181-b333-ffb68da9953b",
"activitypub"
],
[
"client",
"Mostr",
"31990:6be38f8c63df7dbf84db7ec4a6e6fbbd8d19dca3b980efad18585c46f04b26f9:mostr",
"wss://relay.mostr.pub"
]
],
"content": "I think I understand why the USB exploit analyzed by Amnesty International uses both a virtual Extigy sound card and a FastTrackPro sound card.\n\nhttps://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/\n\nIt took me 6 weeks to notice: in the logs, the Extigy and the FastTrackPro sound cards are not two virtual devices.\n\nThey're one device with two interfaces.\n\nWhich explains why the device \"morphs\":\n- it first returns Extigy as the USB VID/PID in its device descriptor\n- the Extigy quirk causes Linux to re-fetch the device descriptor\n- the Amnesty analysis points out that you can return a bigger bNumConfigurations in the new device descriptor to cause an out-of-bound read+free on disconnect\n- but you can also return a different VID/PID - say, the FastTrackPro VID/PID\n- and Linux will use that VID/PID to probe the next audio interface:\nhttps://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/sound/usb/card.c;l=773;drc=bc9dca02d645353bd4ff789c5a3a20064923889b\n\nNow you have a device with both a corrupted bNumConfigurations - and with VID/PID set to FastTrackPro, which now triggers FastTrackPro quirks.\n\nThe original writeup identifies that, like the Extigy, the FastTrackPro has quirks that are only run for that VID/PID.\n\nAmnesty speculates that the attacker uses the FastTrackPro \"to confirm that the memory corruption primitive CVE-2024-53197 is functional\".\n\nThe writeup looks at the skip_setting quirk:\n\nhttps://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/sound/usb/quirks.c;l=1598;drc=bc9dca02d645353bd4ff789c5a3a20064923889b\n\nbut there's also this boot quirk, which switches the device's configuration:\n\nhttps://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/sound/usb/quirks.c;l=1652;drc=bc9dca02d645353bd4ff789c5a3a20064923889b\n\nThis calls to usb_set_configuration(dev, 2), which reads bNumConfigurations and looks for configuration #2.\n\nhttps://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/drivers/usb/core/message.c;l=2007;drc=9f2a3933beeaeead53829d3a7be53770e41e7869\n\nSo if you wanted to confirm that your heap manipulation worked, in your fake `struct usb_host_config`, set 2 as your bConfigurationValue.\n\nusb_set_configuration will read the corrupted bNumConfigurations and start reading `struct usb_host_config`s out of bounds.\n\nIf it finds configuration #2, it means your fake is located in the right place, right after the Extigy/FastTrackPro's own `struct usb_host_config`s.\n\nAnd since the search doesn't dereference anything, you can't crash.",
"sig": "e67b34b57df51e5ffee64c82c306a4e51ce024d5d50d7e2a2bd1fd3d1395596dea9cc2220215d6f876d10b85d6f8f67f242af5c6aa87ddb3e4ce47993aeacfe8"
}