Bugtraq mailing list archives

Re: AUTORUN Vul still work.


From: Nelson Brito <nelson () SECUNET COM BR>
Date: Thu, 15 Feb 2001 15:37:43 -0300

"Jesper M. Johansson" wrote:

[...]

That's not to say that this is not an issue. It is, and it has been known
and discussed for at least two years. MS does not seem to consider it a real
serious problem because "administrators should not be mapping shares that

Like I said, C$ and ADMIN$, in a default installation, are "write access" for
ordinary users.

So, think about this scenario:
1 - the malicious user has placed both files (autorun2.exe and autorun.inf) on
the Server's C$;
2 - the dumb Admin will mount this share to do something *dumb*;
3 - so, the malicious user can make the dumb Admin execute the arbitrary
code(?) as obscurely as possible.
4 - BINGO, the dumb Admin has added a new user or added the malicious
user to the Administrators/Domain Admins group.

Well, I can give a lot of other scenarios, but is it necessary? I don't
think so.

When a malicious user really wants to, he can do a lot of things to get Admin
access in a Windows NT environment.

ordinary users have write privilege to anyway." If that, rather
unreasonable, assumption holds, then this is not a problem. In most cases,
this is simply expected behavior, and it is up to us, as responsible admins,
to work around it.

[...]

Hive: HKLM if you want to apply it to all users on a system, HKCU if you
only want to apply it to some users
Key: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: NoDriveTypeAutoRun
Data: 0xFF

Jesper M. Johansson

As we can see at BID 993.

That's all,
--
Nelson Brito
"Windows NT can also be protected from nmap OS detection scans thanks
to *Nelson Brito* ..."
              Excerpt from the book "Hack Proofing your Network", page 93
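
The registry setting quoted in the message can be audited per hive. The following is an added example, not part of the original message or of any Microsoft tool: it reads NoDriveTypeAutoRun from HKLM and HKCU and reports which drive types still allow AutoRun, including the network (mapped share) bit that matters for the scenario above. The function and variable names are hypothetical, and the bit assignments are taken from Microsoft's documentation of this value, not from the thread.

```powershell
# Added example: audit NoDriveTypeAutoRun in the two hives named in the message.
# Bit meanings are from Microsoft's documentation of this value (assumption:
# they are not stated in the thread itself).
$Bits = @(
    @{ Mask = 0x01; Name = 'unknown type (0x01)' },
    @{ Mask = 0x04; Name = 'removable' },
    @{ Mask = 0x08; Name = 'fixed' },
    @{ Mask = 0x10; Name = 'network (mapped share)' },
    @{ Mask = 0x20; Name = 'CD-ROM' },
    @{ Mask = 0x40; Name = 'RAM disk' },
    @{ Mask = 0x80; Name = 'unknown type (0x80)' }
)
$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunState {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)

    $prop = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name NoDriveTypeAutoRun `
                             -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the OS default applies, so nothing is asserted here.
        return [pscustomobject]@{
            Hive = $Hive; Value = 'not set'
            StillEnabled = 'OS default'; NetworkDisabled = $null
        }
    }

    # The value may be stored as REG_DWORD or REG_BINARY; only the low byte
    # carries the drive-type bits.
    $raw   = $prop.NoDriveTypeAutoRun
    $value = if ($raw -is [byte[]]) { [long]$raw[0] } else { [long]$raw -band 0xFF }

    # A cleared bit means AutoRun is still allowed for that drive type.
    $enabled = $Bits | Where-Object { -not ($value -band $_.Mask) } |
               ForEach-Object { $_.Name }

    [pscustomobject]@{
        Hive            = $Hive
        Value           = '0x{0:X2}' -f $value
        StillEnabled    = if ($enabled) { $enabled -join ', ' } else { 'none' }
        NetworkDisabled = [bool]($value -band 0x10)
    }
}

'HKLM', 'HKCU' | ForEach-Object { Get-AutoRunState -Hive $_ } | Format-Table -AutoSize
```

With the 0xFF data given in the message, StillEnabled reads "none" and NetworkDisabled is True for that hive.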

