RE: USB delivered attacks

From: Steven A. Fletcher (sfletcher@integrityts.com)
Date: Tue Jun 01 2004 - 01:49:59 EDT

• Next message: Jerry Shenk: "RE: USB delivered attacks"
• Previous message: Balaji Prasad: "Re: USB delivered attacks"
• Maybe in reply to: Jerry Shenk: "USB delivered attacks"
• Next in thread: Jerry Shenk: "RE: USB delivered attacks"
• Reply: Jerry Shenk: "RE: USB delivered attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

My only question is, if the USB drive or a CD-ROM drive where to autorun
on a locked workstation, what access to the machine would the autorun
process have? I'm assuming that it would have the same level of access
as the currently logged in user, but I'm curious.

If it is the same as the current user, it would be trivial to make a
copy of their home directory, etc. Really kind of scary, when you think
about all of the possibilities.......

Steve Fletcher
Senior Network Engineer, MCSE, Master ASE, CCNA
Integrity Technology Solutions
Phone: (309)664-8129
Toll Free: (888) 764-8100 ext. 129
Fax: (309) 662-6421
sfletcher@integrityts.com

-----Original Message-----
From: Balaji Prasad [mailto:bp1974@comcast.net]
Sent: Monday, May 31, 2004 5:09 PM
To: Jerry Shenk; pen-test@securityfocus.com
Subject: Re: USB delivered attacks

USB by design is meant to autodetect and autorun. I think the security
is
compromised when you connect untrusted devices to your computer.
I can think of atleast 1 service (terminal services) that allow you to
run
processes with the screen locked. I presume "autorun" will work under a
locked screen.
A more generic solution would be to have all removable storage devices
mounted as "non-executable". It is trivially done in unix. Not sure how
to
do this in Windows.

----- Original Message -----
From: "Jerry Shenk" <jshenk@decommunications.com>
To: <pen-test@securityfocus.com>
Sent: Thursday, May 27, 2004 7:06 PM
Subject: USB delivered attacks

> I recently inserted some guy's USB drive into a machine and was a but
> surprised when it went into an auto-run sequence. I think turning off
> auto-run is a REALLY good idea. On a USB drive, it seems like it
could
> be really dangerous. Has anybody messed with this?
>
> One possible scenario:
> - Have a USB drive with a few tools on it.
> - Have an auto-run configured to run pwdump and dump the SAM to the
USB
> drive
>
> It seems that this attack would work with a machine that was locked
from
> the console. Does 'autorun' still work under a locked screen? With
> this USB drive being writeable, it would seem that some scripted
attack
> to extract information from a machine could be amazingly
fruitful....the
> possibilities are almost endless.
>
>

• Next message: Jerry Shenk: "RE: USB delivered attacks"
• Previous message: Balaji Prasad: "Re: USB delivered attacks"
• Maybe in reply to: Jerry Shenk: "USB delivered attacks"
• Next in thread: Jerry Shenk: "RE: USB delivered attacks"
• Reply: Jerry Shenk: "RE: USB delivered attacks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT