RE: USB delivered attacks - lessons learned/summary (so far)

From: Harlan Carvey (keydet89@yahoo.com)
Date: Wed Jun 09 2004 - 20:04:41 EDT


Jerry,

> That leads me to believe that if the autorun.inf file was correctly
> (incorrectly?) set up, it could very well be possible to have an
> 'autorun USB device'. I posted details earlier.

You posted possibilities, which I read. However, the
fact remains that even if the autorun.inf file is
accessed and read, nothing is done with whatever's in
the line that starts with "open=". However, given the
information I presented in my previous post, it
doesn't look as if incorrectly setting up the
autorun.inf file is going to lead to anything useful.
Additional experimentation would prove or disprove
this.

> About your assertion that autorun will not be parsed at the root of any
> removable device. That's just plain incorrect. I have CDs with an
> autorun.inf in the root that seem to fire off just about anything you
> put in it.

One thing about security lists...many (not all)
security people are more interested in jumping down
someone's throat and proving them wrong than they are
finding out what's right. I'd like to direct your
attention to one of the KnowledgeBase articles I
provided in my previous post:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;136214

From that article, the Registry key in question
("NoDriveTypeAutoRun") has a value set up as follows:

Type               Bit
DRIVE_UNKNOWN      0
DRIVE_NO_ROOT_DIR  1
DRIVE_REMOVABLE    2
DRIVE_FIXED        3
DRIVE_REMOTE       4
DRIVE_CDROM        5
DRIVE_RAMDISK      6

Notice that a CD-ROM is a different bit within the
byte than removable devices.

So...given that...how does this affect your statement
"That's just plain incorrect. I have CDs with an
autorun.inf in the root that seem to fire off just
about anything you put in it." Is it still "just
plain incorrect", and for the same reason?

> Obviously it may be possible to modify the registry to get the USB to
> do something abnormal.

Possible? Based on the KB article and
experimentation, I'd say that it's far more likely
than "possible" to change the default behaviour.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT