Bugtraq mailing list archives

Re: AUTORUN Vulnerability - Round 2


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 21 Feb 2001 10:26:43 +1300

David LeBlanc replied to Nelson Brito:

When a Domain Admin mounts the user's share, then he'll execute the
"arbitrary code".

This isn't true. Or at least it needs clarification. Let's say that you have
a share, \\evilserver\nastytrojans. Now I as an admin access that share
somehow. What happens depends on how I access it. "mount" is not a precise
term, as there are many possible ways to access a remote share - you can
assign a drive letter to it or not, and you could browse the share using a
command line (for example, a batch file), or you could use Explorer. So if
you are going to say that something happens when an admin accesses the
share, you have to specify how this is done.

If I do this:
<<snip>>
Now say I go to Explorer, and type in the path \\evilserver\nastytrojans,
<<snip>>
OK, now I try the following -
<<snip>>
Now, I have just tested the exact same thing remotely (while logged in as
<<snip>>
Also, for good measure, I have tried:
<<snip>>

In short -- all of which failed...

So apparently (at least on Win2k), there are several ways for me to access a
share that has an autorun.exe and autorun.inf that I have verified to work
(just popped the CD in and out, it ran), and I cannot seem to get it to work
using every way I know how an admin might access the share.

Perhaps the problem could be specific to NT 4.0 systems, or it could be that
I am missing something. In fact, I just copied these files to a local hard
drive, and it still did not fire. It seems that it only works for removable
media on my systems (and then only when I remove and reinsert the media). I
don't have any NT 4.0 systems currently running on my home network, so it
wasn't practical to do a full test matrix.
<<snip>>

I can't easily re-test all this just now either, but last time I
posted on this subject explaining all the ways it failed, someone
replied pointing out I had not tried double-clicking the icon
representing the mapped drive in the right panel of the "real"
Explorer interface (and I think I had already pointed out that it
seemed to work fine if you double-clicked the drive icon in the
"simple" Explorer interface that is the default for My Computer...)

Did you try those options?

Also, note from MS:

   http://msdn.microsoft.com/library/psdk/shellcc/shell/Shell_basics/Autoplay_reg.htm


   Normally, AutoRun starts automatically, but it can also be started
   manually. If the device meets the criteria listed above, the drive
   letter's context menu will include an AutoPlay command. To run
   AutoRun manually, either right-click the drive icon and select
   AutoPlay from the context menu or double-click the drive icon. If
   the drivers are not AutoRun-compatible, the context menu will not
   have an AutoPlay item and AutoRun can not be started.

   AutoRun-compatible drivers are provided with some floppy disk
   drives, as well as some other types of removable media such as
   Compact Flash cards. AutoRun also works with network drives that
   are mapped to a drive letter with Windows Explorer or mounted with
   the Microsoft Management Console (MMC). As with mounted hardware,
   a mounted network drive must have an Autorun.inf file in its root
   directory, and must not be disabled through the registry.


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
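The MS note quoted above says AutoRun on a mapped network drive is driven by an Autorun.inf in the share root. The following scanner is an added example (not code from the thread or from Microsoft): it walks a list of share or drive roots, parses any autorun.inf it finds, and reports the `open`/`shellexecute` entries that would launch a program if AutoRun fired. The share name and file contents are constructed for the demonstration.

```python
"""Audit share/drive roots for autorun.inf files and report what they would launch.

Constructed example: the [autorun] section's "open" and "shellexecute" keys
are the ones that start a program when AutoRun fires, so an auditor wants to
know which roots carry them before anyone double-clicks the drive icon.
"""
import configparser
import os
import tempfile

# [autorun] keys that cause code to run when AutoRun is triggered.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(path):
    """Return the [autorun] section of an autorun.inf as a lowercase-key dict."""
    # Real-world autorun.inf files are sloppy: tolerate duplicate keys, bare
    # lines without '=', and ';' comments; never expand %vars% in values.
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None)
    cp.optionxform = str.lower
    with open(path, encoding="latin-1", errors="replace") as fh:
        cp.read_file(fh)
    for section in cp.sections():
        if section.lower() == "autorun":  # section names are case-insensitive on Windows
            return dict(cp.items(section))
    return {}


def audit_roots(roots):
    """For each root directory, report whether an autorun.inf there would launch something."""
    findings = []
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if not os.path.isfile(inf):
            continue
        entries = parse_autorun(inf)
        launches = {k: v for k, v in entries.items() if k in LAUNCH_KEYS and v}
        findings.append({"root": root, "launches": launches,
                         "label": entries.get("label")})
    return findings


def build_sample():
    """Constructed sample: one share root with a launching autorun.inf, one clean root."""
    base = tempfile.mkdtemp()
    bad = os.path.join(base, "nastytrojans")  # name borrowed from the thread, content made up
    clean = os.path.join(base, "public")
    os.makedirs(bad)
    os.makedirs(clean)
    with open(os.path.join(bad, "autorun.inf"), "w", encoding="latin-1") as fh:
        fh.write("[autorun]\nopen=autorun.exe\nicon=autorun.exe,0\nlabel=Nasty Trojans\n")
    with open(os.path.join(clean, "README.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return [bad, clean]
```

Running `audit_roots(build_sample())` flags only the `nastytrojans` root, with `open=autorun.exe` as the command AutoRun would start.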

