Penetration Testing mailing list archives
RE: USB delivered attacks - lessons learned/summary (so far)
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 9 Jun 2004 17:04:41 -0700 (PDT)
Jerry,
> That leads me to believe that if the autorun.inf file was correctly (incorrectly?) set up, it could very well be possible to have an 'autorun USB device'. I posted details earlier.
You posted possibilities, which I read. However, the fact remains that even if the autorun.inf file is accessed and read, nothing is done with whatever's in the line that starts with "open=". However, given the information I presented in my previous post, it doesn't look as if incorrectly setting up the autorun.inf file is going to lead to anything useful. Additional experimentation would prove or disprove this.
> About your assertion that autorun will not be parsed at the root of any removable device. That's just plain incorrect. I have CDs with an autorun.inf in the root that seem to fire off just about anything you put in it.
One thing about security lists...many (not all) security people are more interested in jumping down someone's throat and proving them wrong than they are finding out what's right. I'd like to direct your attention to one of the KnowledgeBase articles I provided in my previous post: http://support.microsoft.com/default.aspx?scid=kb;EN-US;136214
From that article, the Registry key in question ("NoDriveTypeAutoRun") has a value set up as follows:

Type                 Bit
DRIVE_UNKNOWN        0
DRIVE_NO_ROOT_DIR    1
DRIVE_REMOVABLE      2
DRIVE_FIXED          3
DRIVE_REMOTE         4
DRIVE_CDROM          5
DRIVE_RAMDISK        6

Notice that a CD-ROM is a different bit within the byte than removable devices. So...given that...how does this affect your statement "That's just plain incorrect. I have CDs with an autorun.inf in the root that seem to fire off just about anything you put in it." Is it still "just plain incorrect", and for the same reason?
> Obviously it may be possible to modify the registry to get the USB to do something abnormal.
Possible? Based on the KB article and experimentation, I'd say that it's far more likely than "possible" to change the default behaviour.
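The bit layout quoted above can be turned into a hardening check. The following is an added example, not part of the original post: it decodes NoDriveTypeAutoRun values taken from `reg query` output and reports hosts where AutoRun is not disabled for removable or CD-ROM drives. The host names, sample values and the `<policy key>` placeholder are constructed, and the set of required drive types is an assumption.

```python
import re

# Bit positions from the table quoted above; a set bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK",
}

# Value line as printed by `reg query <key> /v NoDriveTypeAutoRun` (REG_DWORD form).
VALUE_LINE = re.compile(r"NoDriveTypeAutoRun\s+REG_DWORD\s+0x([0-9A-Fa-f]+)")

def parse_reg_query(text):
    """Return the low byte of NoDriveTypeAutoRun, or None if the value is absent."""
    m = VALUE_LINE.search(text)
    return None if m is None else int(m.group(1), 16) & 0xFF

def autorun_disabled_for(mask):
    """Names of the drive types whose bit is set in the mask."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & (1 << bit)}

def audit(hosts, required=("DRIVE_REMOVABLE", "DRIVE_CDROM")):
    """Map host -> required drive types for which AutoRun is not disabled."""
    findings = {}
    for host, output in hosts.items():
        mask = parse_reg_query(output)
        # Absent value: this key enforces nothing, so every required type is reported.
        disabled = set() if mask is None else autorun_disabled_for(mask)
        missing = sorted(set(required) - disabled)
        if missing:
            findings[host] = missing
    return findings

# Constructed sample output (host names, values and "<policy key>" are placeholders).
SAMPLE = {
    "ws-01": "<policy key>\n    NoDriveTypeAutoRun    REG_DWORD    0x95\n",
    "ws-02": "<policy key>\n    NoDriveTypeAutoRun    REG_DWORD    0xff\n",
    "ws-03": "<policy key>\n    NoDriveTypeAutoRun    REG_DWORD    0x91\n",
    "ws-04": "ERROR: The system was unable to find the specified registry key or value.\n",
}

if __name__ == "__main__":
    for host, missing in sorted(audit(SAMPLE).items()):
        print(f"{host}: AutoRun not disabled for {', '.join(missing)}")
```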