Bugtraq mailing list archives

Re: AUTORUN.INF Vulnerability


From: skreeble () PRIMENET COM (jeremy logan)
Date: Fri, 18 Feb 2000 19:53:15 -0700


At 12:07 AM 2/18/00 -0500, Eric Stevens wrote:
...
--the meat and an example--
The vulnerability is that it is somewhat arbitrary for a programmer to throw
together a small executable that checks the current user, and possibly that
user's permissions on the local machine.  This executable could be a file
that detects user privileges, and if the user does not possess
administrative privileges, then it invokes Explorer on that directory to
open the directory like normal.  If administrative privileges are possessed,
then it can invoke some other executable, such as a trojan horse virus, or
it could itself be a trojan horse which implements whatever its little virus
heart desires, such as promoting privileges on the originating user.

--more on the example--
When an administrator logs on locally, they may double click that drive (it
can be done to all of them), and run the malicious executable, without
their knowledge.  Our little trojan may even continue on to open Explorer to
keep the administrator blissfully unaware that they have just been
compromised.

--the limitation--
This exploit requires write access to the root directory of a local drive in
order to work.  That's not all that uncommon a permission to have,
especially for a non-C: drive.  Similarly, any exploit allowing the
uploading of arbitrary files to the root directory of any drive makes this a
very real exploit; no directory guessing, i.e. did they name the WIN
directory Windows or Winnt?

--the workaround--
Disable the autorun feature.  There's a key for it somewhere in the
registry.

To disable the autoinsert notification:

Win9x - HKEY_LOCAL_MACHINE\Enum\SCSI\Name_of_cdrom\MF&...(nasty long key)\
AutoInsertNotification (binary value, default 01) set to 00

WinNT - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\
Autorun (hex DWORD value, default 0x00000001) set to 0x00000000

--possible difficulties with the workaround--
There are actually two levels of autorun to disable. One is where it no
longer checks newly inserted media for an autorun, one is where it never
checks for an autorun file at all...

Secondary workaround:

Win9x -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun (binary value, default 95 00 00 00) set to 9d 00 00 00

WinNT -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun (hex DWORD, default 0x00000095) set to 0x0000009d

In both values, the high 24 bits should be left at 0, and the low 8 bits
affect autorun settings (1 disables) on the following specific types of
drives:

0 - Unknown Drive Type
1 - Drive without Root Directory
2 - Removable Drive
3 - Fixed Drive
4 - Network Drive
5 - CDROM Drive
6 - RAMDisk Drive
7 - Undefined Drive Type

By default, Windows sets this value to 95h, which is 10010101 in binary.
This disables autorun on unknown, removable, network, and undefined drive
types. The quickest workaround for this issue is to turn on bit 3, thereby
disabling autorun on all fixed drives.

NB:
for anyone that doesn't know, TweakUI is part of the Win95 power toys, and
can be downloaded from:
http://www.microsoft.com/windows/downloads/bin/W95powertoy.exe

Cheers,
        jeremy
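As an added example (not part of Jeremy's or Eric's message), here is a small Python decoder for the NoDriveTypeAutoRun bitmask described above: it names which drive types a given value disables autorun on, checks the fixed-drive bit that the secondary workaround turns on, and computes the hardened value. The registry read itself is left out; values are passed in as integers, so it runs on any platform.

```python
# Added example, not from the original thread: decode and harden the
# NoDriveTypeAutoRun value. Drive-type bit numbers are taken from the message;
# the value is normally read from the Policies\Explorer key (not done here).

DRIVE_TYPES = {
    0: "Unknown Drive Type",
    1: "Drive without Root Directory",
    2: "Removable Drive",
    3: "Fixed Drive",
    4: "Network Drive",
    5: "CDROM Drive",
    6: "RAMDisk Drive",
    7: "Undefined Drive Type",
}
FIXED_DRIVE_BIT = 3


def decode_no_drive_type_autorun(value: int) -> dict:
    """Map each drive type to True if autorun is disabled for it (bit set).

    Only the low 8 bits are meaningful; a value with any of the high 24 bits
    set is rejected rather than silently accepted as a policy.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NoDriveTypeAutoRun is a 32-bit DWORD")
    if value >> 8:
        raise ValueError(f"high 24 bits should be 0, got 0x{value:08x}")
    return {name: bool(value >> bit & 1) for bit, name in DRIVE_TYPES.items()}


def autorun_disabled_on_fixed_drives(value: int) -> bool:
    """The audit check for this thread's issue: is bit 3 (fixed drives) set?"""
    return bool(value >> FIXED_DRIVE_BIT & 1)


def harden_no_drive_type_autorun(value: int, *bits: int) -> int:
    """Return the low byte of value with the given drive-type bits set; the
    default is bit 3, the message's quickest workaround (0x95 -> 0x9d)."""
    result = value & 0xFF
    for bit in bits or (FIXED_DRIVE_BIT,):
        if bit not in DRIVE_TYPES:
            raise ValueError(f"unknown drive type bit {bit}")
        result |= 1 << bit
    return result


def win9x_binary_bytes(value: int) -> bytes:
    """Win9x stores the same value as a 4-byte little-endian binary value."""
    return value.to_bytes(4, "little")
```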

