Bugtraq mailing list archives
Re: AUTORUN Vulnerability - Round 2
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 21 Feb 2001 10:26:43 +1300
David LeBlanc replied to Nelson Brito:

> > When Domain Admin mounts the user's share then he'll execute the "arbitrary code".
>
> This isn't true. Or at least it needs clarification. Let's say that you have a share, \\evilserver\nastytrojans. Now I as an admin access that share somehow. What happens depends on how I access it. "mount" is not a precise term, as there are many possible ways to access a remote share - you can assign a drive letter to it or not, and you could browse the share using a command line (for example, a batch file), or you could use Explorer. So if you are going to say that something happens when an admin accesses the share, you have to specify how this is done. If I do this:

<<snip>>

> Now say I go to Explorer, and type in the path \\evilserver\nastytrojans,

<<snip>>

> OK, now I try the following -

<<snip>>

> Now, I have just tested the exact same thing remotely (while logged in as

<<snip>>

> Also, for good measure, I have tried:

<<snip>>

> In short -- all of which failed...
>
> So apparently (at least on Win2k), there are several ways for me to access a share that has an autorun.exe and autorun.inf that I have verified to work (just popped the CD in and out, it ran), and I cannot seem to get it to work using every way I know how an admin might access the share. Perhaps the problem could be specific to NT 4.0 systems, or it could be that I am missing something. In fact, I just copied these files to a local hard drive, and it still did not fire. It seems that it only works for removable media on my systems (and then only when I remove and reinsert the media). I don't have any NT 4.0 systems currently running on my home network, so it wasn't practical to do a full test matrix.

<<snip>>

I can't easily re-test all this just now either, but last time I posted on this subject explaining all the ways it failed, someone replied pointing out I had not tried double-clicking the icon representing the mapped drive in the right panel of the "real" Explorer interface (and I think I had already pointed out that it seemed to work fine if you double-clicked the drive icon in the "simple" Explorer interface that is the default for My Computer...) Did you try those options?

Also, note from MS:

http://msdn.microsoft.com/library/psdk/shellcc/shell/Shell_basics/Autoplay_reg.htm

   Normally, AutoRun starts automatically, but it can also be started
   manually. If the device meets the criteria listed above, the drive
   letter's context menu will include an AutoPlay command. To run AutoRun
   manually, either right-click the drive icon and select AutoPlay from
   the context menu or double-click the drive icon. If the drivers are not
   AutoRun-compatible, the context menu will not have an AutoPlay item and
   AutoRun can not be started. AutoRun-compatible drivers are provided with
   some floppy disk drives, as well as some other types of removable media
   such as Compact Flash cards.

   AutoRun also works with network drives that are mapped to a drive letter
   with Windows Explorer or mounted with the Microsoft Management Console
   (MMC). As with mounted hardware, a mounted network drive must have an
   Autorun.inf file in its root directory, and must not be disabled through
   the registry.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
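The MS note quoted above makes a mapped network drive's AutoRun depend on two things: an Autorun.inf in the share root, and AutoRun not being disabled through the registry. As an added example (not code from this thread or from Microsoft), the Python below parses an Autorun.inf and evaluates a NoDriveTypeAutoRun policy mask for a given drive type, so an administrator can check what a share would launch and whether policy would let it run; the sample Autorun.inf, the masks tried and the function names are constructed for illustration, and NoDriveTypeAutoRun is assumed to be the registry value the note refers to.

```python
import configparser

# Bit values of the NoDriveTypeAutoRun registry mask (Policies\Explorer).
# Each bit maps to a drive type as reported by GetDriveType(); a set bit
# disables AutoRun for that drive type, so 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,      # DRIVE_UNKNOWN
    "no_root_dir": 0x02,  # DRIVE_NO_ROOT_DIR
    "removable": 0x04,    # DRIVE_REMOVABLE (floppy, flash)
    "fixed": 0x08,        # DRIVE_FIXED (local hard disk)
    "remote": 0x10,       # DRIVE_REMOTE (mapped network share)
    "cdrom": 0x20,        # DRIVE_CDROM
    "ramdisk": 0x40,      # DRIVE_RAMDISK
    "reserved": 0x80,     # unspecified drive types
}

# Constructed sample Autorun.inf of the kind the thread describes.
SAMPLE_INF = """[autorun]
open=autorun.exe
icon=autorun.exe,0
"""

def parse_autorun_inf(text):
    """Return the [autorun] section as a dict of lower-cased keys, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:      # no section header, malformed line, ...
        return None
    for name in cp.sections():      # section name is case-insensitive
        if name.lower() == "autorun":
            return dict(cp.items(name))
    return None

def autorun_allowed(mask, drive_type):
    """True if the NoDriveTypeAutoRun mask leaves this drive type enabled."""
    return not (mask & DRIVE_TYPE_BITS[drive_type])

def assess(inf_text, mask, drive_type):
    """Combine both checks: what would launch, and whether policy permits it."""
    entries = parse_autorun_inf(inf_text)
    launch = None
    if entries:
        launch = entries.get("shellexecute") or entries.get("open")
    return {"launch": launch,
            "would_run": launch is not None and autorun_allowed(mask, drive_type)}

if __name__ == "__main__":
    for mask in (0x00, 0x95, 0xFF):   # sample masks: nothing / typical / all disabled
        print(hex(mask), assess(SAMPLE_INF, mask, "remote"))
```

With mask 0x95 the remote bit is set, so the sample share's autorun.exe would not launch from a mapped drive even though the Autorun.inf is well formed.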