RE: USB delivered attacks - lessons learned/summary (so far)

From: Jerry Shenk (jshenk@decommunications.com)
Date: Wed Jun 09 2004 - 19:50:36 EDT


Actually, the autorun.inf file is parsed....at least to some degree.
For example, if the autorun.inf is not there, an explorer window pops
up. If the file is there and it has an open= config line, then the
window does not pop up. It is also possible to change the icon
associated with that explorer window by modifying the autorun.inf file.
That leads me to believe that if the autorun.inf file was correctly
(incorrectly?) set up, it could very well be possible to have an
'autorun USB device'. I posted details earlier.

About your assertion that autorun will not be parsed at the root of any
removable device. That's just plain incorrect. I have CDs with an
autorun.inf in the root that seem to fire off just about anything you
put in it.

Obviously it may be possible to modify the registry to get the USB to do
something abnormal. That's not really what my goal was. My goal was to
determine what can and what can't be done.

Playing...it's all fun and games till someone loses an eye...or maybe a
password hash file;)

-----Original Message-----
From: H Carvey [mailto:keydet89@yahoo.com]
Sent: Tuesday, June 08, 2004 4:31 PM
To: pen-test@securityfocus.com
Subject: Re: USB delivered attacks - lessons learned/summary (so far)

In-Reply-To: <016501c44847$e686ac40$6701010a@JASEVO>

>USB devices don't use autorun -

More specifically, parsing and execution of the autorun.inf file at the
root of the device is not enabled for removable drive types.

XP - http://support.microsoft.com/default.aspx?scid=kb;en-us;314855

2K - http://support.microsoft.com/default.aspx?scid=kb;EN-US;173584

This KB article describes the Registry key in question:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;136214

Hope that helps...

>Somebody said that 2600 had something about this type of thing in the
>current 2600 magazine. That would suggest that a few other people have
>been playing with this idea. Somebody with more brains, ideas or time
>than I is likely to come up with something pretty nasty.

I think "playing" is the key term. I don't have a USB hard drive to
test with, but using a thumb drive shows that taking advantage of the
autorun functionality on such devices is a losing proposition in
situations where the target Registry key has NOT been modified.
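
Added example, not part of the original thread: an audit helper that lists the launch and icon entries in an autorun.inf and decodes a NoDriveTypeAutoRun-style bitmask into the drive types it switches off. It assumes the Registry value under discussion is the NoDriveTypeAutoRun policy value; the sample file and the mask values are constructed for illustration.

```python
import configparser

# NoDriveTypeAutoRun bit flags: a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}

def disabled_types(mask):
    """Return the drive types for which this mask turns AutoRun off."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit)

def policy_allows(mask, drive_type):
    """True if the mask leaves AutoRun enabled for drive_type.
    The policy is only one input; the shell may still ignore open= on a device."""
    return drive_type not in disabled_types(mask)

def audit_autorun(text):
    """Return {key: value} for [autorun] entries that launch a program or set the icon."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}  # not parseable as an INF file, nothing to report
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    flagged = {}
    for key, value in parser.items(section):  # keys arrive lower-cased
        if key in ("open", "shellexecute", "icon") or key.startswith("shell\\"):
            flagged[key] = value
    return flagged

# Constructed sample file, labelled as such; not taken from the thread.
SAMPLE_INF = "[AutoRun]\nopen=setup.exe /s\nicon=setup.exe,0\nlabel=Backup\n"

if __name__ == "__main__":
    print("flagged entries:", audit_autorun(SAMPLE_INF))
    for mask in (0x95, 0x91, 0xFF):  # constructed sample masks
        print(hex(mask), "disables", disabled_types(mask),
              "| removable allowed:", policy_allows(mask, "removable"))
```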


