Bugtraq mailing list archives

Re: AUTORUN.INF Vulnerability


From: jjohanss () BU EDU (Jesper M. Johansson)
Date: Fri, 18 Feb 2000 20:05:00 -0500


There is a small, but potentially very dangerous vulnerability in Windows
(all versions as far as I know, should be 95, 98, NT4 SP*, but only really
dangerous on NT machines) regarding an autorun.inf file.

This is actually a known issue. I believe I reported it about two years ago
to NTBugTraq. The issue is that AutoRun can be enabled on a drive-by-drive
or a drive-type by drive-type basis.

There are two registry values that control for which drives Explorer looks
for the autorun.inf when they are mapped. The first does it on a drive-type
basis:

Hive: HKEY_CURRENT_USER
Key: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: NoDriveTypeAutoRun
Type: REG_BINARY or REG_DWORD (you must put in the hex value to use a
REG_DWORD)

There is also a value called NoDriveAutoRun, which controls the drives.

The first byte of the NoDriveTypeAutoRun value is a bit-mask that defines
what drive types are autorun. Here are the values:

Type                Bit
DRIVE_UNKNOWN       0
DRIVE_NO_ROOT_DIR   1
DRIVE_REMOVABLE     2
DRIVE_FIXED         3
DRIVE_REMOTE        4
DRIVE_CDROM         5
DRIVE_RAMDISK       6

If a bit is set to 0, that drive type is autorun; if it is set to 1, you
prevent it from autorunning. By ORing these values you can make all kinds of
drive types autorun. The default value is 0x95, which translates into
10010101. That means that NoRootDir, Fixed drives, CDRoms and RamDisks are
autorun. Bit 7 is used to cover future devices.

For some reason, sometimes a network drive is recognized as something else,
most likely a NO_ROOT_DIR drive. So, if you set the value to 10010111 or
0x97 instead, I bet the problem would disappear. For more information on
this, see Q136214 (available on MSDN) and the article on Enabling and
Disabling AutoPlay, also on MSDN.

The NoDriveAutoRun value is used to set specific drive letters to not
autorun. Each bit represents a drive letter, with the first bit being A:,
the second being B: and so on. It's a DWORD, so to disable autoplay on A:
and C:, set it to 0x00000005 (translates to 101). A 1 means "don't autoplay";
0 means "go right ahead and run anything you want!"

Since this is set under HKCU, the only way to effectively change this is to
use a policy. I would use a policy to disable autorun in at least these two
ways (NoDriveAutoRun, NoDriveTypeAutoRun) for all Administrative accounts.
The problem is that Windows 2000 does not like it much if AutoRun is turned
off altogether. As a matter of fact, it runs it anyway. I have it turned
off, and when I insert the Windows 2000 CD, I get a little dialog box that
says "We really think you should enable autorun." Pretty scary actually.

I hope this helps.

Jesper M. Johansson
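Added example (not part of the original post): a small decoder/encoder for the two bitmasks Jesper describes, so an administrator can check what a given NoDriveTypeAutoRun or NoDriveAutoRun value actually permits before pushing it out by policy. The DRIVE_* bit positions, the 0x95 default and the A:/C: example come from the post; the .reg fragment format and the all-types-disabled value 0xFF are my additions.

```python
"""Decode and build the Explorer AutoRun policy bitmasks from the post.

NoDriveTypeAutoRun: bit n = drive type n (table below), 1 = do not autorun.
NoDriveAutoRun:     bit 0 = A:, bit 1 = B:, ... bit 25 = Z:, 1 = do not autorun.
"""
from typing import Iterable, List

# Bit positions as given in the post; bit 7 is reserved for future devices.
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK",
}
DEFAULT_NO_DRIVE_TYPE_AUTORUN = 0x95  # default quoted in the post
DISABLE_ALL_TYPES = 0xFF               # every type bit plus reserved bit 7 (assumed hardening value)

def autorun_enabled_types(mask: int) -> List[str]:
    """Drive types whose bit is 0, i.e. those Explorer will still autorun."""
    return [name for bit, name in DRIVE_TYPES.items() if not mask & (1 << bit)]

def disable_types(mask: int, names: Iterable[str]) -> int:
    """OR the bits for the named drive types into an existing mask."""
    by_name = {v: k for k, v in DRIVE_TYPES.items()}
    for name in names:
        mask |= 1 << by_name[name]
    return mask & 0xFF

def no_drive_autorun(letters: Iterable[str]) -> int:
    """Build a NoDriveAutoRun DWORD that blocks the given drive letters."""
    mask = 0
    for letter in letters:
        idx = ord(letter.upper()) - ord("A")
        if not 0 <= idx < 26:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << idx
    return mask

def blocked_letters(mask: int) -> List[str]:
    """Drive letters whose bit is 1 in a NoDriveAutoRun value."""
    return [chr(ord("A") + i) for i in range(26) if mask & (1 << i)]

def reg_fragment(type_mask: int, letter_mask: int) -> str:
    """Emit a .reg fragment with both values as REG_DWORD (hex, as the post notes)."""
    return "\n".join([
        r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]",
        f'"NoDriveTypeAutoRun"=dword:{type_mask:08x}',
        f'"NoDriveAutoRun"=dword:{letter_mask:08x}',
    ])

if __name__ == "__main__":
    print("0x95 still autoruns:", autorun_enabled_types(DEFAULT_NO_DRIVE_TYPE_AUTORUN))
    print("0x97 still autoruns:", autorun_enabled_types(disable_types(0x95, ["DRIVE_NO_ROOT_DIR"])))
    print(reg_fragment(DISABLE_ALL_TYPES, no_drive_autorun("AC")))
```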
