Penetration Testing mailing list archives
RE: USB delivered attacks - lessons learned/summary (so far)
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Wed, 9 Jun 2004 19:50:36 -0400
Actually, the autorun.inf file is parsed....at least to some degree. For example, if the autorun.inf is not there, an explorer window pops up. If the file is there and it has an open= config line, then the window does not pop up. It is also possible to change the icon associated with that explorer window my modifying the autorun.inf file. That leads me to believe that if the autorun.inf file was correctly (incorrectly?) set up, it could very well be possible to have an 'autorun USB device'. I posted details earlier. About your assertion that autorun will not be parsed at the root of any removable device. That's just plain incorrect. I have CDs with an autorun.inf in the root that seem to fire off just about anything you put in it. Obviously it may be possible to modify the registry to get the USB to do something abnormal. That's not really what my goal was. My goal was to determine what can and what can't be done. Playing...it's all fun and games till someone looses an eye...or maybe a password hash file;) -----Original Message----- From: H Carvey [mailto:keydet89 () yahoo com] Sent: Tuesday, June 08, 2004 4:31 PM To: pen-test () securityfocus com Subject: Re: USB delivered attacks - lessons learned/summary (so far) In-Reply-To: <016501c44847$e686ac40$6701010a@JASEVO>
USB devices don't use autorun -
More specifically, parsing and execution of the autorun.inf file at the root of the device is not enabled for removeable drive types. XP - http://support.microsoft.com/default.aspx?scid=kb;en-us;314855 2K - http://support.microsoft.com/default.aspx?scid=kb;EN-US;173584 This KB article describes the Registry key in question: http://support.microsoft.com/default.aspx?scid=kb;EN-US;136214 Hope that helps...
Somebody said that 2600 had something about this type of thing in the
current 2600 magazine. That would suggest that a few other people have
been playing with this idea. Somebody with more brains, ideas or time
than I is likely to come up with something pretty nasty.
I think "playing" is the key term. I don't have a USB hard drive to test with, but using a thumb drive shows that taking advantage of the autorun functionality on such devices is a loosing proposition in situations where the target Registry key has NOT been modified.
Current thread:
- USB delivered attacks - lessons learned/summary (so far) Jerry Shenk (Jun 02)
- <Possible follow-ups>
- RE: USB delivered attacks - lessons learned/summary (so far) Jerry Shenk (Jun 02)
- Re: USB delivered attacks - lessons learned/summary (so far) H Carvey (Jun 09)
- RE: USB delivered attacks - lessons learned/summary (so far) Jerry Shenk (Jun 10)
- RE: USB delivered attacks - lessons learned/summary (so far) Harlan Carvey (Jun 10)
- RE: USB delivered attacks - lessons learned/summary (so far) Jerry Shenk (Jun 10)