Bugtraq mailing list archives

AUTORUN.INF Vulnerability


From: ejsteven () CS MILLERSV EDU (Eric Stevens)
Date: Fri, 18 Feb 2000 00:07:01 -0500


--introduction--
There is a small, but potentially very dangerous vulnerability in Windows
(all versions as far as I know, should be 95, 98, NT4 SP*, but only really
dangerous on NT machines) regarding an autorun.inf file.

--background--
Autorun.inf is a file that is primarily used on CDs containing information
basically on what to do when a new CD is entered into the drive.  The type
of information that this file can contain, to the best of my knowledge, is
an icon to display for the drive, and executables to run; the executable can
actually be broken down by platform if needs be.

--descriptive introduction--
The vulnerability exists because the autorun.inf file does not apply only to
CD drives, or even removable media.  Actually, this file can be placed on
any drive, with exactly the same effects (a refresh of the drive list may be
in order).  I've used it to place cute little icons on my drives.  If no
icon is specified, the system default icon for that drive is used.

--the meat and an example--
The vulnerability is that it is somewhat arbitrary for a programmer to throw
together a small executable that checks the current user, and possibly that
user's permissions on the local machine.  This executable could be a file
that detects user privileges, and if the user does not possess
administrative privileges, then it invokes Explorer on that directory to
open the directory like normal.  If administrative privileges are possessed,
then it can invoke some other executable, such as a trojan horse virus, or
it could itself be a trojan horse which implements whatever its little virus
heart desires, such as promoting privileges on the originating user.

--more on the example--
When an administrator logs on locally, they may double click that drive (it
can be done to all of them), and run the malicious executable, without
their knowledge.  Our little trojan may even continue on to open Explorer to
keep the administrator blissfully unaware that they have just been
compromised.

--the limitation--
This exploit requires write access to the root directory of a local drive in
order to work.  That's not all that uncommon a permission to have,
especially for a non-C: drive.  Similarly, any exploit allowing the
uploading of arbitrary files to the root directory of any drive makes this a
very real exploit; no directory guessing, i.e. did they name the WIN
directory Windows or Winnt?

--the workaround--
Disable the autorun feature.  There's a key for it somewhere in the
registry.

--possible difficulties with the workaround--
There are actually two levels of autorun to disable. One is where it no
longer checks newly inserted media for an autorun, one is where it never
checks for an autorun file at all.  The first one still leaves the
vulnerability open, as a refresh of the drive list will detect the autorun
file, making autorun the default action, but not actually running it.
VMWare disables autorun (or at least provides an option to) but this is
actually the first, insecure one.  I believe, but am not certain, that
TweakUI will disable autorun file detection.  To test it, disable the
playing of data CDs in Tweak, log out and back in, drop a CD with autorun
into the drive, open My Computer, hit refresh (F5), double click the CD
drive.  If the autorun plays, you've not implemented the workaround
properly.

--how to know if you're affected--
You can tell if a drive has an autorun file on it if you right click the
drive, and see Autorun as the primary (bolded) function.

--apology--
Sorry if any of this is incoherent, sleep need I more, yes?
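The post describes the exposure (an autorun.inf in a drive root, with an executable named in it) and a workaround (a registry setting, plus the manual right-click check in "how to know if you're affected"). The script below is an added example written for this archive page; it is not code from the original post or its author. It audits drive roots for autorun.inf files, parses the [autorun] section, and reports any directive that launches a program (the documented open=, shellexecute= and shell\verb\command directives; the post itself only names "executables to run"). It also reads the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, a real value that the post does not name; 0xFF disables AutoRun for every drive type. As the post warns, a policy setting alone may still leave the double-click default action in place, so the file audit is the check to rely on. The two sample autorun.inf contents are constructed for the example.

```python
import configparser
import os
import string
import sys
from typing import Dict, List, Optional, Tuple

# Directives that run a program rather than merely set the drive's icon or
# label.  shell\<verb>\command lines are detected separately below.
EXECUTION_KEYS = ("open", "shellexecute")

# Constructed sample: the scenario from the post, an icon plus an executable
# to run, sitting in a drive root.  Not a real file from any system.
SAMPLE_AUTORUN = """[autorun]
icon=drive.ico
open=setup.exe
label=Backup Drive
"""

# Constructed sample: an icon-only file, the benign use the post mentions.
SAMPLE_ICON_ONLY = """[autorun]
icon=drive.ico
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse autorun.inf contents; return the [autorun] section as a
    lower-cased key -> value dict, or {} if there is no such section."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str.lower  # directive names are case-insensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}  # not INI-shaped at all; nothing AutoRun would act on
    for section in parser.sections():
        if section.lower() == "autorun":
            return dict(parser.items(section))
    return {}


def assess(entries: Dict[str, str]) -> List[str]:
    """Return findings for one parsed [autorun] section.  Anything that
    launches a program, or selects the default verb, is reported; files that
    only set icon= or label= produce no findings."""
    findings = []
    for key, value in entries.items():
        if key in EXECUTION_KEYS:
            findings.append(f"{key}= launches '{value}'")
        elif key == "shell":
            # Names the verb that becomes the bolded default action on
            # double-click, which is the path the post describes.
            findings.append(f"shell= makes verb '{value}' the default action")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}= launches '{value}'")
    return findings


def find_autorun_files(roots: List[str]) -> List[Tuple[str, List[str]]]:
    """For each root directory, report (path, findings) for any autorun.inf."""
    results = []
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", encoding="latin-1", errors="replace") as fh:
                results.append((path, assess(parse_autorun(fh.read()))))
    return results


def local_drive_roots() -> List[str]:
    """Enumerate mounted drive letters on Windows; empty list elsewhere."""
    if os.name != "nt":
        return []
    return [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]


def no_drive_type_autorun() -> Optional[int]:
    """Read the NoDriveTypeAutoRun policy (Windows only).  0xFF disables
    AutoRun on all drive types; None means the value is absent or this is
    not Windows."""
    if os.name != "nt":
        return None
    import winreg  # only importable on Windows
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    # Usage: python audit_autorun.py [root ...]; defaults to all local drives.
    roots = sys.argv[1:] or local_drive_roots()
    policy = no_drive_type_autorun()
    print(f"NoDriveTypeAutoRun = {policy if policy is None else hex(policy)}")
    for path, findings in find_autorun_files(roots):
        print(path, "->", "; ".join(findings) or "icon/label only")
```

Run it without arguments on a Windows host to walk every mounted drive letter, or pass explicit root paths (for instance a mounted image) on any platform; the parse and assess functions work on file contents alone, so they can also be pointed at autorun.inf files collected during an investigation.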

