Re: U3 Technology was RE: strange new virus



Ah- I see what you are saying. I didn't know that - I didn't know you could
introduce content that way (i.e., via icon file), but it makes perfect
sense. I'm glad you took the time to reply in detail...

And yes, I remember the JPEG issues, so you raise a good point. But since
explorer.exe runs in the user context, I'm not sure levering a potential
vector like that would "buy" you anything you wouldn't already get (and more
easily) from a U3 drive.

That being said, it is a good thing to keep in the back of our heads. If
something came along (similar to the JPEG issue) that would yield Admin or
SYSTEM, and you could do it from any old ghetto usb drive, that would really
be quite cool. I mean, that would be very bad ;)

Interesting stuff...

t


On 12/18/06 9:58 AM, "James D. Stallard" <james@xxxxxxxxxxxxx> spoketh to
all:

Thor

I'm not sure I explained myself that well.

My theory is that if the Autorun.inf file is present, then the enumeration
process reads it and although it ignores the "open=" statement on media
marked as removable, it still processes the "icon=" statement - on my system
apparently regardless of whether autoplay is switched on or off.

A malformed .ICO file could conceivably cause the buffer overflow, and might
allow the situation to be taken advantage of - IE run arbitrary code on the
USB flashdisk.

It would not be the first time a buffer overflow was used to take advantage
of duff processing of a graphics file, remember the GDI+ vulnerability
MS04-028 that did similar with JPEG files in late 2004?

The JPEG GDI+ vuln depended upon the content of the comment field within the
JPEG file (described here:
http://marc.theaimsgroup.com/?l=bugtraq&m=109524346729948&q=raw).

As the autorun "ico=" statement is also capable of pulling icons directly
out of an executable, it seems plenty possible to hijack it - provided the
buffer overflow is unchecked.

Cheers

James

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: 18 December 2006 17:11
To: James D. Stallard; Focus-MS
Subject: Re: U3 Technology was RE: strange new virus

Hey James... inline:


On 12/15/06 5:07 PM, "James D. Stallard" <james@xxxxxxxxxxxxx> spoketh to
all:

Thor, et al

Question regarding autorun on USB flash disks (I never like the term
"thumbdrive"):

If you have a file in the root called "autorun.inf" and it contains a
valid syntax for an icon file, the icon will appear as the drive icon
in Windows Explorer. This most certainly works with XPSP2+patches.

Actually, you'll get a drive icon whether it has an autorun.inf or not...
That's just Windows identifying the device as a mountable drive. The
autorun doesn't do anything... Even with it present (on my systems) it
doesn't even ask you to run it.

The OS is clearly executing something, just not your arbitrary code.

The question is, would it be possible to take advantage of the icon
functionality (presumably within explorer.exe) to hijack the process
and run your own code? I'm thinking buffer overflow as the most likely
scenario, but I'm also thinking that following MS "trustworthy
computing initiative" and XPSP2, the existence of buffer overflow
possibilities in the OS is pretty minimal these days.

Well, that's the trick... Explorer.exe is just saying "This device mounted
as a drive letter, and here it is." Yes, it's "running code" (Actually, I
would guess that the code is already running and that it just renums
available drives by type) but as you said, it's not running any code on the
device itself.

Sure you could hijack the process, but that would mean that the OS was
already compromised in some way, or that you've already got code on the box
to do that (a rootkit could easily do this. Well, "easily" if you know how
;). But at that point, it's moot. I don't see how you could do that with
any data that requires it be loaded from the device to then exploit some
vector, even if such vector exists. But even if you could, and you really
wanted to go down that path, I think it would be easier to just get yourself
a U3 drive so that stuff like autorun would work by design.

t
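As an added illustration (not code from this thread or from any of its participants), here is a small Python audit that reads the [autorun] section of an autorun.inf from removable media and reports which directives it carries: the open= statement the thread says Windows ignores on removable media, and the icon= statement it says Explorer still parses to draw the drive icon, including the case where icon= points at an executable rather than a standalone .ICO. The sample file, the severity labels and the parsing helpers are this example's own constructed assumptions.

```python
"""Audit an autorun.inf body from removable media and report its directives.

Added example; the flagging rules below are this example's own heuristics,
not anything taken from the mailing-list thread.
"""
from pathlib import Path, PurePath

# Constructed sample autorun.inf modelled on the directives the thread names.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=launch.exe
icon=launch.exe,0
label=Holiday photos
"""

# File types whose icon resources Explorer extracts from a PE image (assumption:
# this list is a heuristic, not an exhaustive Windows rule).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".cpl", ".ocx"}


def parse_autorun_inf(text):
    """Minimal INI parser: {section_lower: {key_lower: value}} (case-insensitive)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def icon_target(value):
    """Split an icon= value of the form 'file[,index]' into (file, index)."""
    path, _, index = value.partition(",")
    try:
        idx = int(index.strip()) if index.strip() else 0
    except ValueError:
        idx = 0  # non-numeric index: Windows falls back to the first resource
    return path.strip(), idx


def audit_autorun(text):
    """Return a list of (severity, message) findings for an autorun.inf body."""
    findings = []
    autorun = parse_autorun_inf(text).get("autorun", {})
    if not autorun:
        return findings  # no [autorun] section: nothing for Explorer to act on
    for key in ("open", "shellexecute"):
        if key in autorun:
            findings.append(("high", f"{key}= names '{autorun[key]}' to launch "
                                     "on media types where AutoRun honours it"))
    if "icon" in autorun:
        path, idx = icon_target(autorun["icon"])
        suffix = PurePath(path.replace("\\", "/")).suffix.lower()
        if suffix in EXECUTABLE_SUFFIXES:
            findings.append(("medium", f"icon= pulls resource #{idx} out of "
                                       f"executable '{path}'; Explorer parses "
                                       "that file to draw the drive icon"))
        elif suffix == ".ico":
            findings.append(("low", f"icon= references icon file '{path}'; "
                                    "Explorer parses it to draw the drive icon"))
        else:
            findings.append(("low", f"icon= references '{path}' of unknown type"))
    for key in autorun:
        if key.startswith("shell") and key != "shellexecute":
            findings.append(("medium", f"{key}= adds or overrides a context-menu verb"))
    return findings


def audit_drive_root(root):
    """Audit <root>/autorun.inf if present; returns [] when the file is absent."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    return audit_autorun(inf.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for severity, message in audit_autorun(SAMPLE_AUTORUN_INF):
        print(f"[{severity:6}] {message}")
```

Run against a mounted removable drive with `audit_drive_root("E:\\")`; a result of `[]` means either no autorun.inf or no [autorun] section, while any icon= finding tells you which file Explorer will parse the moment the drive is enumerated, AutoRun setting aside.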
