Penetration Testing mailing list archives

RE: USB delivered attacks - lessons learned/summary (so far)


From: "Jerry Shenk" <jshenk () decommunications com>
Date: Wed, 9 Jun 2004 19:50:36 -0400

Actually, the autorun.inf file is parsed....at least to some degree.
For example, if the autorun.inf is not there, an explorer window pops
up.  If the file is there and it has an open= config line, then the
window does not pop up.  It is also possible to change the icon
associated with that explorer window by modifying the autorun.inf file.
That leads me to believe that if the autorun.inf file was correctly
(incorrectly?) set up, it could very well be possible to have an
'autorun USB device'.  I posted details earlier.

About your assertion that autorun will not be parsed at the root of any
removable device.  That's just plain incorrect.  I have CDs with an
autorun.inf in the root that seem to fire off just about anything you
put in it.

Obviously it may be possible to modify the registry to get the USB to do
something abnormal.  That's not really what my goal was.  My goal was to
determine what can and what can't be done.  

Playing...it's all fun and games till someone loses an eye...or maybe a
password hash file;)

-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com] 
Sent: Tuesday, June 08, 2004 4:31 PM
To: pen-test () securityfocus com
Subject: Re: USB delivered attacks - lessons learned/summary (so far)


In-Reply-To: <016501c44847$e686ac40$6701010a@JASEVO>

USB devices don't use autorun -

More specifically, parsing and execution of the autorun.inf file at the
root of the device is not enabled for removable drive types.

XP - http://support.microsoft.com/default.aspx?scid=kb;en-us;314855
2K - http://support.microsoft.com/default.aspx?scid=kb;EN-US;173584

This KB article describes the Registry key in question:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;136214

Hope that helps...

Somebody said that 2600 had something about this type of thing in the
current 2600 magazine.  That would suggest that a few other people have
been playing with this idea.  Somebody with more brains, ideas or time
than I is likely to come up with something pretty nasty.

I think "playing" is the key term.  I don't have a USB hard drive to
test with, but using a thumb drive shows that taking advantage of the
autorun functionality on such devices is a losing proposition in
situations where the target Registry key has NOT been modified.
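
Added example, not part of either post above: a small auditor that reads the autorun.inf at the root of a mounted volume and separates entries that name something to run (such as the open= line discussed in the thread) from cosmetic ones (such as the icon). The function names and the sample file are constructed for illustration; shellexecute= and shell\<verb>\command are standard autorun.inf keys that the thread does not mention.

```python
import os
import re

# [autorun] keys that name a program to start vs. keys that only change display.
EXEC_KEYS = ("open", "shellexecute")
COSMETIC_KEYS = ("icon", "label")

# Constructed sample input (not taken from any real device).
SAMPLE = """\
; constructed sample
[AutoRun]
OPEN=setup.exe /s
icon=drive.ico
shell\\install\\command=setup.exe

[Other]
open=ignored.exe
"""

def audit_autorun(text):
    """Return {'exec': [(key, value)], 'cosmetic': [(key, value)]} for [autorun]."""
    findings = {"exec": [], "cosmetic": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()                          # keys are case-insensitive
        if key in EXEC_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            findings["exec"].append((key, value))
        elif key in COSMETIC_KEYS:
            findings["cosmetic"].append((key, value))
    return findings

def audit_root(root):
    """Audit autorun.inf (any letter case) at a volume root; None if absent."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                return audit_autorun(fh.read())
    return None
```

A non-empty 'exec' list on removable media is worth a look before the device is handed to a user; whether the entries would actually fire depends on the host's autorun settings, which is the point the thread is arguing over.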




