Re: Security with USB Devices

From: Calum Power (calum@server101.com)
Date: Tue Jul 26 2005 - 19:48:28 EDT


As Michael said below, there is a vulnerability in the USB driver that
runs on Windows systems. The "original source" (if there is such a thing
in today's internet journalism) is eweek:
http://www.eweek.com/article2/0,1895,1840141,00.asp

As for AutoRun.ini's, they don't work from any physically removable
source. Windows will only search for autoruns if it detects the device
as a CD-ROM drive. You could possibly exploit this buy using a usb-based
removable USB drive, but I wouldn't hold my breath.

Good Luck!

Calum

--
Calum Power
Systems Administrator
Server101.com
calum@server101.com
Michael Parker wrote:
>There was recently (Monday of this week) a vulnerability disclosed with regards to a flaw in the USB driver that affected Windows systems (verified) and *nix systems (suspected). I don't have a directlink but it was on slashdot. 
>
>
>
>Michael Parker, BA (Hon), GSEC, MBCS
>
>Information Security Coordinator
>Research In Motion
>
>Phone: 519.888.7465
>Cell: 519.573.4782
>mparker@rim.com
>
>
>
>-----Original Message-----
>From: NewYork User <newyorkuser@gmail.com>
>To: pen-test@securityfocus.com <pen-test@securityfocus.com>
>Sent: Tue Jul 26 10:51:40 2005
>Subject: Security with USB Devices
>
>List, 
>
>Does any one know a good program to "autorun" from USB drive on a
>windows 2000 or an XP machine? I have tried the traditional
>Autorun.inf but didn't have any luck. I looked up in google but
>couldn't find any useful stuff. I saw some commercial programs to use
>for backup etc..But its not of any use if I want to prove my point
>that data can be vulnerable if use of USB drives is not restricted
>either by using a program or any kind of security control. I created a
>simple batch file to open up a Netcat listener. It is pretty common
>for the users lock their machines and leave their desks. I'm looking
>for any kind of scripts that can run a batch file automatically or can
>copy the data automatically. Any ideas?
>
>Thanks for your help.
>
>
>
>
>---------------------------------------------------------------------
>This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
>
>  
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:38 EDT