RE: USB delivered attacks - lessons learned/summary (so far)

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 06/10/04

    Date: Wed, 9 Jun 2004 17:04:41 -0700 (PDT)
    To: pen-test@securityfocus.com
    
    

    Jerry,

    > That leads me to believe that if the autorun.inf
    > file was correctly
    > (incorrectly?) set up, it could very well be
    > possible to have an
    > 'autorun USB device'. I posted details earlier.

    You posted possibilities, which I read. However, the
    fact remains that even if the autorun.inf file is
    accessed and read, nothing is done with whatever's in
    the line that starts with "open=". However, given the
    information I presented in my previous post, it
    doesn't look as if incorrectly setting up the
    autorun.inf file is going to lead to anything useful.
    Additional experimentation would prove or disprove
    this.

    > About your assertion that autorun will not be parsed
    > at the root of any
    > removable device. That's just plain incorrect. I
    > have CDs with an
    > autorun.inf in the root that seem to fire off just
    > about anything you put in it.

    One thing about security lists...many (not all)
    security people are more interested in jumping down
    someone's throat and proving them wrong than they are
    finding out what's right. I'd like to direct your
    attention to one of the KnowledgeBase articles I
    provided in my previous post:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;136214

    From that article, the Registry key in question
    ("NoDriveTypeAutoRun") has a value set up as follows:

    Type               Bit
    DRIVE_UNKNOWN      0
    DRIVE_NO_ROOT_DIR  1
    DRIVE_REMOVABLE    2
    DRIVE_FIXED        3
    DRIVE_REMOTE       4
    DRIVE_CDROM        5
    DRIVE_RAMDISK      6

    Notice that a CD-ROM is a different bit within the
    byte than removable devices.

    So...given that...how does this affect your statement
    "That's just plain incorrect. I have CDs with an
    autorun.inf in the root that seem to fire off just
    about anything you put in it." Is it still "just
    plain incorrect", and for the same reason?

    > Obviously it may be possible to modify the registry
    > to get the USB to do something abnormal.

    Possible? Based on the KB article and
    experimentation, I'd say that it's far more likely
    than "possible" to change the default behaviour.
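
The bit table quoted above is a plain bit mask, and a practitioner auditing a machine usually wants to answer one question: for which drive types does the current NoDriveTypeAutoRun value actually disable AutoRun, and is removable media covered? The following is an added example for this archive page, not code from the thread or from Microsoft: it decodes the mask using the bit positions quoted from KB 136214, composes a hardened value, and, on Windows only, reads the live value from the Policies\Explorer key the KB article documents (the function names and the sample value 0x95 are constructed for illustration; a set bit disables AutoRun for that drive type, and bit 7 falls outside the quoted table so it is ignored).

```python
"""Decode and compose the NoDriveTypeAutoRun bit mask quoted from KB 136214.

Added example, not code from the original thread. The bit positions are the
ones quoted in the thread; the sample values below are constructed.
"""
import sys

# Bit position of each drive type inside the NoDriveTypeAutoRun byte
# (table from KB 136214 as quoted in the thread). A set bit DISABLES
# AutoRun for that drive type; bit 7 is outside the table and ignored here.
DRIVE_TYPE_BITS = {
    "DRIVE_UNKNOWN": 0,
    "DRIVE_NO_ROOT_DIR": 1,
    "DRIVE_REMOVABLE": 2,
    "DRIVE_FIXED": 3,
    "DRIVE_REMOTE": 4,
    "DRIVE_CDROM": 5,
    "DRIVE_RAMDISK": 6,
}


def autorun_disabled_for(value: int) -> set:
    """Return the drive types whose bit is set, i.e. AutoRun disabled."""
    return {name for name, bit in DRIVE_TYPE_BITS.items() if (value >> bit) & 1}


def autorun_enabled_for(value: int) -> set:
    """Complement of autorun_disabled_for within the seven listed drive types."""
    return set(DRIVE_TYPE_BITS) - autorun_disabled_for(value)


def disable_autorun(value: int, *drive_types: str) -> int:
    """Return a new mask with AutoRun additionally disabled for drive_types."""
    for name in drive_types:
        value |= 1 << DRIVE_TYPE_BITS[name]
    return value


def describe(value: int) -> str:
    """One-line summary suitable for a configuration check report."""
    disabled = ", ".join(sorted(autorun_disabled_for(value))) or "none"
    return f"NoDriveTypeAutoRun=0x{value:02X} ({value:08b}): AutoRun disabled for {disabled}"


def read_from_registry(per_user: bool = True):
    """Read the live value on Windows; return None elsewhere or if unset.

    Assumption: the policy key path is the one documented in KB 136214
    (HKCU or HKLM \\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer).
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    hive = winreg.HKEY_CURRENT_USER if per_user else winreg.HKEY_LOCAL_MACHINE
    path = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    try:
        with winreg.OpenKey(hive, path) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample: bits 0, 2, 4 and 7 set (0x95).
    sample = 0x95
    print(describe(sample))
    print("removable AutoRun allowed:", "DRIVE_REMOVABLE" in autorun_enabled_for(sample))
    # Hardened variant that also covers CD-ROM and fixed drives (0xBD).
    print(describe(disable_autorun(sample, "DRIVE_CDROM", "DRIVE_FIXED")))
    live = read_from_registry()
    if live is not None:
        print("live value:", describe(live))
```

Run it as a script to see the decoded sample and, on a Windows host, the live per-user value; pass `per_user=False` to `read_from_registry` to check the machine-wide policy instead. The point of keeping `DRIVE_REMOVABLE` and `DRIVE_CDROM` as separate bits in the decoder is exactly the one made in the message above: a value that leaves CD-ROM AutoRun on says nothing about whether removable media is covered.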

