RE: U3 Technology was RE: strange new virus



Thor, et al

Question regarding autorun on USB flash disks (I never like the term
"thumbdrive"):

If you have a file in the root called "autorun.inf" and it contains a valid
syntax for an icon file, the icon will appear as the drive icon in Windows
Explorer. This most certainly works with XPSP2+patches.

The OS is clearly executing something, just not your arbitrary code.

The question is, would it be possible to take advantage of the icon
functionality (presumably within explorer.exe) to hijack the process and run
your own code? I'm thinking buffer overflow as the most likely scenario, but
I'm also thinking that following MS "trustworthy computing initiative" and
XPSP2, the existence of buffer overflow possibilities in the OS is pretty
minimal these days.

Thoughts?
Cheers

James D. Stallard
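To make the distinction in the question above concrete (Explorer honouring icon= versus a directive that actually names a program), here is an added example that is not part of the original thread: a small autorun.inf parser that separates display-only entries (icon, label, action) from the directives that launch code (open, shellexecute, shell\<verb>\command). The sample files are constructed for the example, not taken from any real device.

```python
"""Parse autorun.inf and flag directives that launch code (example, not from the thread)."""
import re
from pathlib import Path

# Directives in the [autorun] section that name a program to run.
# icon, label and action only affect how Explorer draws the drive.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Return {section: {key: value}} for an INI-style autorun.inf.

    Keys are lower-cased, ';' starts a comment, and a later duplicate
    key overwrites an earlier one, as a simple INI reader would do.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def classify(text):
    """Return (verdict, flagged_keys).

    verdict is 'executes' if any directive would run a program,
    'display-only' if the file only changes icon/label/action,
    and 'empty' if there is no usable [autorun] section.
    """
    auto = parse_autorun(text).get("autorun", {})
    flagged = sorted(k for k in auto if k in EXEC_KEYS or SHELL_CMD_RE.match(k))
    if flagged:
        return "executes", flagged
    if auto:
        return "display-only", []
    return "empty", []


def classify_drive_root(root):
    """Classify the autorun.inf at the root of a mounted volume, or None if absent."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    return classify(inf.read_text(errors="replace"))


# Constructed samples: the first only sets the drive icon, the second
# also names a launcher through open= and a shell verb.
ICON_ONLY = """[autorun]
icon=drive.ico
label=Backup
"""

LAUNCHER = r"""[autorun]
icon=setup.ico       ; still just the icon
open=launchpad.exe
shell\install\command=launchpad.exe /quiet
action=Open files on this drive
"""

if __name__ == "__main__":
    for name, sample in (("icon-only", ICON_ONLY), ("launcher", LAUNCHER)):
        print(name, classify(sample))
```

classify_drive_root("E:\\") would check a mounted stick; the verdict says only what the file asks Explorer to do, not whether the OS will honour it, which (as the thread discusses) depends on the device type and the autorun policy on the host.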



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Thor (Hammer of God)
Sent: 15 December 2006 17:10
To: Focus-MS
Subject: Re: U3 Technology was RE: strange new virus

Right-- I should have stated that in my earlier message- the "autorun"
capabilities of u3 thumb drives function because the hardware is
specifically designed to provide that (and other) functionality. The device
specifically presents itself as a media device that supports auto-run (like
a CD or DVD drive would) upon insertion.

A "standard" thumb drive would not invoke autorun unless you have software
on the system to do that (it's out there). Unfortunately, you can find many
references in posts and blogs around the net where people talk about putting
autorun on a thumb drive and rootkit'ing people's boxes at banks, insurance
agencies, etc, but it's bunk. I've even seen detailed explanations of how to
encrypt drive contents on "any old thumbdrive" and to use autorun to
immediately execute code, but they dance right over the fact that you have
to go out of your way to autorun a thumb drive.

The most important thing is the last point you made about least privilege.
Even if someone went out of HIS way (There, Shinder- That better??? ;) to
autorun a usb (or if it was u3) the user would still have to be an
administrator to do anything.

Again, in Vista, even with autorun-supported media insertion, it asks if you
want to run autorun by default. If you want to, (depending on what the
autorun does) UAC requires you to then enter the admin password to execute
code or such. If you've turned off UAC, nothing would happen unless you
were an admin. And in this day and age, no one should ever be running an
interactive session as admin, unless you're a Scot in Bermuda (inside joke
;)

t


On 12/15/06 5:40 AM, "Henry Troup" <HenryT@xxxxxxxxxxxxx> spoketh to all:

Ah, the Bruce Schneier blog comments have the very valuable comment:

The removable media device setting is a flag contained within the SCSI
Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1
(indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero
indicates that the device is not a removable media device. A RMB of one
indicates that the device is a removable media device. Drivers obtain
this information by using the StorageDeviceProperty request.

So U3 is a different hardware spec, and U3 function can't be copied to
non-U3 media. That's good. But the remarks about custom USB hardware
there make me want to reach for the ol' glue gun! Of course, the real
problem is still failure to adhere to least privilege.

Thanks for the link, Bill.

Henry Troup
Watchfire Corporation
henryt@xxxxxxxxxxxxx
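The quoted comment describes exactly where the removable-media flag lives. As an added example (not from the thread or the Schneier post), the following decodes the standard 36-byte INQUIRY response, pulling out the peripheral device type from byte 0 (bits 0-4) and the RMB from byte 1 (bit 7), and builds constructed responses for a fixed disk, a plain removable flash stick, and a device that announces itself as a CD/DVD unit the way the thread says a U3 drive does. Device-type codes 0x00 (direct access) and 0x05 (CD/DVD) are from SPC; the vendor/product strings and the helper names are invented for the example.

```python
"""Decode the SCSI INQUIRY removable-media bit (example, not from the thread)."""

# Peripheral device type, INQUIRY byte 0 bits 0-4 (SPC); only the two codes
# that matter for this discussion are named.
DEVICE_TYPES = {0x00: "direct-access (disk)", 0x05: "CD/DVD"}


def decode_inquiry(data):
    """Return the fields relevant to autorun from standard INQUIRY data."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    dev_type = data[0] & 0x1F
    rmb = (data[1] >> 7) & 0x01          # byte 1, bit 7: Removable Media Bit
    return {
        "device_type": DEVICE_TYPES.get(dev_type, "other (0x%02x)" % dev_type),
        "removable": bool(rmb),
        "vendor": data[8:16].decode("ascii", "replace").strip(),
        "product": data[16:32].decode("ascii", "replace").strip(),
    }


def presents_as_cd(data):
    """True if the device claims to be a CD/DVD unit, which is what the
    thread says a U3 drive does to get CD-style autorun treatment."""
    return (data[0] & 0x1F) == 0x05


def build_inquiry(dev_type, removable, vendor, product, revision="1.00"):
    """Construct a 36-byte standard INQUIRY response (test data, not a capture)."""
    buf = bytearray(36)
    buf[0] = dev_type & 0x1F
    buf[1] = 0x80 if removable else 0x00   # set bit 7 for removable media
    buf[2] = 0x04                          # ANSI version field, illustrative
    buf[3] = 0x02                          # response data format 2
    buf[4] = 31                            # additional length: bytes 5..35
    buf[8:16] = vendor.encode("ascii").ljust(8)[:8]
    buf[16:32] = product.encode("ascii").ljust(16)[:16]
    buf[32:36] = revision.encode("ascii").ljust(4)[:4]
    return bytes(buf)


# Constructed responses for the three cases discussed in the thread.
FIXED_DISK = build_inquiry(0x00, False, "EXAMPLE", "FIXED DISK")
FLASH_STICK = build_inquiry(0x00, True, "EXAMPLE", "FLASH STICK")
CD_PARTITION = build_inquiry(0x05, True, "EXAMPLE", "CDROM PARTITION")

if __name__ == "__main__":
    for label, resp in (("fixed", FIXED_DISK), ("flash", FLASH_STICK),
                        ("cd-like", CD_PARTITION)):
        print(label, decode_inquiry(resp), "cd-style autorun:", presents_as_cd(resp))
```

On Windows the same information is what the StorageDeviceProperty query mentioned in the quote hands back to drivers; the point of the decoder is that a plain flash stick and a U3 device differ in what they report in these bytes, which is why the autorun behaviour differs.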


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Bill Call
Subject: RE: strange new virus

I wouldn't be so sure about that. Check out:

http://www.schneier.com/blog/archives/2006/06/hacking_compute.html
