Penetration Testing mailing list archives
RE: USB delivered attacks
From: "Steven A. Fletcher" <sfletcher () integrityts com>
Date: Tue, 1 Jun 2004 07:30:13 -0500
Recently, I heard someone mention an interesting way to get people to insert such a CD. He said that he would leave a CD lying around in the bathroom that was labeled something like "Quarter 4 Raises" or "Quarter 4 Layoffs". Of course, this tempted people and someone would eventually pick up the CD and put it in their computer.

In some ways, I'm sort of disappointed to hear that locking the screen prevents autorun from happening. That would have been an interesting way to show people just how insecure their computers really are. :)

Steve

-----Original Message-----
From: Jerry Shenk [mailto:jshenk () decommunications com]
Sent: Tuesday, June 01, 2004 6:38 AM
To: Steven A. Fletcher; pen-test () securityfocus com
Subject: RE: USB delivered attacks

Well, I've gotten quite a response on this. There seems to be an overwhelming agreement that autorun should be turned off ;) Yeah, I think that's fair.

I did a little bit of testing this AM. I don't have a USB flash-drive so I built a CD with 1 file, autorun.inf, which had the following contents:

    [AutoRun]
    OPEN=ping.exe 10.1.1.5

I then turned autorun on my XP laptop and started tcpdump on a linux box watching specifically for icmp from my laptop (tcpdump icmp and host 192.168.23.1). When I inserted the CD while logged on, I saw the ping screen pop up and I saw tcpdump capture the icmp traffic on the linux box. I then waited for the screensaver to lock my laptop and then I inserted the CD - nothing. I tried a 2nd time, still nothing. Then I unlocked the screen and re-inserted the CD to double-check that the complicated setup ;) was still working...and it was.

This preliminary testing seems to indicate that the user needs to be logged in. Additional testing could prove that there would be ways to get around this but initially, it seems like having the screensaver lock the machine stops autorun.

Obviously, we still have some other social engineering problems....had the CD been built with some code to extract data from the machine and shoot it to another machine (perhaps a waiting tftp server or netcat listener). One e-mail suggested putting a document on a CD and asking a secretary or somebody to print it out...he didn't really care about the printout, what he wanted was the results from autorun on his USB thumbdrive.

One problem also is that the screen pops up with the application. I suppose there are ways to get that to start without a screen.

-----Original Message-----
From: Steven A. Fletcher [mailto:sfletcher () integrityts com]
Sent: Tuesday, June 01, 2004 1:50 AM
To: Balaji Prasad; Jerry Shenk; pen-test () securityfocus com
Subject: RE: USB delivered attacks

My only question is, if the USB drive or a CD-ROM drive were to autorun on a locked workstation, what access to the machine would the autorun process have? I'm assuming that it would have the same level of access as the currently logged in user, but I'm curious. If it is the same as the current user, it would be trivial to make a copy of their home directory, etc. Really kind of scary, when you think about all of the possibilities.......

Steve Fletcher
Senior Network Engineer, MCSE, Master ASE, CCNA
Integrity Technology Solutions
Phone: (309)664-8129
Toll Free: (888) 764-8100 ext. 129
Fax: (309) 662-6421
sfletcher () integrityts com

-----Original Message-----
From: Balaji Prasad [mailto:bp1974 () comcast net]
Sent: Monday, May 31, 2004 5:09 PM
To: Jerry Shenk; pen-test () securityfocus com
Subject: Re: USB delivered attacks

USB by design is meant to autodetect and autorun. I think the security is compromised when you connect untrusted devices to your computer. I can think of at least 1 service (terminal services) that allows you to run processes with the screen locked. I presume "autorun" will work under a locked screen.

A more generic solution would be to have all removable storage devices mounted as "non-executable". It is trivially done in unix. Not sure how to do this in Windows.

----- Original Message -----
From: "Jerry Shenk" <jshenk () decommunications com>
To: <pen-test () securityfocus com>
Sent: Thursday, May 27, 2004 7:06 PM
Subject: USB delivered attacks

I recently inserted some guy's USB drive into a machine and was a bit surprised when it went into an auto-run sequence. I think turning off auto-run is a REALLY good idea. On a USB drive, it seems like it could be really dangerous. Has anybody messed with this?

One possible scenario:
- Have a USB drive with a few tools on it.
- Have an auto-run configured to run pwdump and dump the SAM to the USB drive

It seems that this attack would work with a machine that was locked from the console. Does 'autorun' still work under a locked screen?

With this USB drive being writeable, it would seem that some scripted attack to extract information from a machine could be amazingly fruitful....the possibilities are almost endless.
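
Added example, not part of the original thread: a static check that reads an autorun.inf taken from untrusted media and lists what it would launch, so the media can be triaged without inserting it into a machine that has autorun enabled. The function name audit_autorun and the second sample file are assumptions made for the example; the first sample is the file from Jerry Shenk's test above.

```python
import re

# Keys in the [autorun] section that cause a program to be launched.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command entries add context-menu verbs that run a command.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def audit_autorun(text):
    """Return [(key, command)] for every launch directive in autorun.inf text.

    Section and key names are matched case-insensitively, ';' comment lines
    and blank lines are skipped, and only the [autorun] section is considered.
    """
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # tolerate a leading BOM
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        value = value.strip()
        if value and (key in EXEC_KEYS or SHELL_CMD.match(key)):
            findings.append((key, value))
    return findings


# The file from Jerry Shenk's test, as given in the thread.
THREAD_SAMPLE = "[AutoRun]\nOPEN=ping.exe 10.1.1.5\n"

# Constructed sample: mixed case, a comment, a shell verb, a non-launch key,
# and an unrelated section whose "open" line must be ignored.
CONSTRUCTED_SAMPLE = (
    "; constructed example\n"
    "[autorun]\n"
    "Icon=setup.ico\n"
    "ShellExecute = readme.htm\n"
    "shell\\install\\command=setup.exe /s\n"
    "[Other]\n"
    "open=ignored.exe\n"
)

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        for key, cmd in audit_autorun(sample):
            print(f"{name}: {key} -> {cmd}")
```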