Re: U3 Technology was RE: strange new virus
- From: "Robert Chuvala" <chuvalr@xxxxxxx>
- Date: Mon, 18 Dec 2006 15:25:31 -0500
The icon can be changed to whatever you want it to be, as long as it
fits the correct size.
http://www.dailycupoftech.com/usb-drive-autoruninf-tweaking/
Quick example of what I think James means

"Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> 12/18/2006 12:10 PM

Hey James... inline:

On 12/15/06 5:07 PM, "James D. Stallard" <james@xxxxxxxxxxxxx> spoketh to all:

> Thor, et al
>
> Question regarding autorun on USB flash disks (I never like the term
> "thumbdrive"):
>
> If you have a file in the root called "autorun.inf" and it contains a valid
> syntax for an icon file, the icon will appear as the drive icon in Windows
> Explorer. This most certainly works with XPSP2+patches.

Actually, you'll get a drive icon whether it has an autorun.inf or not...
That's just Windows identifying the device as a mountable drive. The
autorun doesn't do anything... Even with it present (on my systems) it
doesn't even ask you to run it.

> The OS is clearly executing something, just not your arbitrary code.
>
> The question is, would it be possible to take advantage of the icon
> functionality (presumably within explorer.exe) to hijack the process and run
> your own code? I'm thinking buffer overflow as the most likely scenario, but
> I'm also thinking that following MS "trustworthy computing initiative" and
> XPSP2, the existence of buffer overflow possibilities in the OS is pretty
> minimal these days.

Well, that's the trick... Explorer.exe is just saying "This device mounted
as a drive letter, and here it is." Yes, it's "running code" (Actually, I
would guess that the code is already running and that it just renums
available drives by type) but as you said, it's not running any code on the
device itself.

Sure you could hijack the process, but that would mean that the OS was
already compromised in some way, or that you've already got code on the box
to do that (a rootkit could easily do this. Well, "easily" if you know how
;). But at that point, it's moot. I don't see how you could do that with
any data that requires it be loaded from the device to then exploit some
vector, even if such vector exists. But even if you could, and you really
wanted to go down that path, I think it would be easier to just get yourself
a U3 drive so that stuff like autorun would work by design.

t
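
As an added illustration of the distinction drawn in this thread (not part of either poster's message), the Python code below parses an autorun.inf and separates entries that only change how the drive is shown, such as `icon`, from entries that ask the shell to launch something. The function names and both sample files are constructed for the example; whether Windows acts on the launch entries depends on the system's AutoRun settings.

```python
# Added example: split autorun.inf entries into cosmetic ones and ones that
# ask the shell to launch something. The two sample files are constructed.
EXEC_KEYS = {"open", "shellexecute"}          # documented [autorun] launch entries
COSMETIC_KEYS = {"icon", "label", "action"}   # only affect how the drive is presented

ICON_ONLY = "[autorun]\nicon=drive.ico\nlabel=Backup Stick\n"
WITH_LAUNCH = (
    "; constructed sample\n"
    "[AutoRun]\n"
    "Icon=drive.ico\n"
    "open=setup.exe\n"
    "shell\\scan\\command=tool.exe /scan\n"
)

def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def classify(entries):
    """Split entries into (launch requests, cosmetic settings, anything else)."""
    executes, cosmetic, other = {}, {}, {}
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb:
            executes[key] = value
        elif key in COSMETIC_KEYS:
            cosmetic[key] = value
        else:
            other[key] = value
    return executes, cosmetic, other

def needs_review(text):
    """True when the file asks for anything beyond cosmetic drive settings."""
    executes, _, other = classify(parse_autorun(text))
    return bool(executes or other)

if __name__ == "__main__":
    for name, sample in (("ICON_ONLY", ICON_ONLY), ("WITH_LAUNCH", WITH_LAUNCH)):
        print(name, classify(parse_autorun(sample)), needs_review(sample))
```
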