Bugtraq mailing list archives
Re: AUTORUN Vulnerability - Round 2
From: "Jesper M. Johansson" <jjohanss () BU EDU>
Date: Sat, 17 Feb 2001 07:18:53 -0500
>> When Domain Admin mounts the user's share then he'll execute the "arbitrary code".
> This isn't true. Or at least it needs clarification. Let's say that you have a share, \\evilserver\nastytrojans. Now I as an admin access that share somehow. What happens depends on how I access it.
Right, and at least with NT4, what happened was not always deterministic. If you map a drive letter to it using Explorer, the Autorun may or may not run. I was never able to determine why it would or would not. On Win2K it does not run at all, on the default setting; see below for the reason.
> I do note that I have NoDriveTypeAutoRun = 0x95 set in HKCU (I didn't change this myself). I don't recall exactly what this implies (perhaps Jesper has this info handy). Apparently, even if the poor admin is indeed stupid, he is safe from this attack if he happens to be running Win2k.
0x95, which is the default setting in HKCU, turns off autorun for unknown drive types (0x1 and 0x80), floppy drives (0x4) and network drives (0x10), so that should explain why it never ran in your test lab. In Win2K it apparently does enforce that setting consistently. On NT4, in my testing, it was not consistent. When mapping a shared drive to a drive letter, it would search for an autorun.inf about half the time for some reason. I analyzed some network traces about two and a half years ago, and was never able to figure out why it did that in some cases but not in others.
Jesper M. Johansson
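The NoDriveTypeAutoRun bitmask discussed in this message can be decoded and checked for the drive types that matter here (network and removable). This is an added example, not part of the original post; the function names and the sample values are constructed for illustration, and it assumes the documented behaviour that a value under HKLM takes precedence over the one in HKCU.

```python
# Added example: decode NoDriveTypeAutoRun and flag drive types left with Autorun on.
# One bit per drive type; a set bit disables Autorun for that type.
DRIVE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (includes floppy)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown (reserved)",
}


def decode(mask):
    """Return the drive types selected by the bits set in mask."""
    return [name for bit, name in DRIVE_BITS.items() if mask & bit]


def effective_mask(hklm, hkcu):
    """Pick the value that applies; None means the value is absent in that hive.

    Assumption: HKLM, when present, overrides HKCU.
    """
    return hklm if hklm is not None else hkcu


def audit(hklm, hkcu, required=0x04 | 0x10):
    """Report which required drive types still have Autorun enabled.

    If the value is absent in both hives, no policy mask is reported; the
    operating system's built-in default is not modelled here.
    """
    mask = effective_mask(hklm, hkcu)
    applied = mask or 0
    return {
        "mask": mask,
        "autorun_disabled": decode(applied),
        "autorun_still_enabled": decode(required & ~applied),
    }


if __name__ == "__main__":
    # Constructed samples: (HKLM value, HKCU value)
    for hklm, hkcu in [(None, 0x95), (0x81, 0x95), (None, None)]:
        print(hklm, hkcu, audit(hklm, hkcu))
```

On a live system the two inputs would be read from the NoDriveTypeAutoRun value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer in each hive.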