Bugtraq mailing list archives

Re: AUTORUN Vulnerability - Round 2


From: "Jesper M. Johansson" <jjohanss () BU EDU>
Date: Sat, 17 Feb 2001 07:18:53 -0500

When the Domain Admin mounts the user's share, he'll execute the
"arbitrary code".

This isn't true. Or at least it needs clarification. Let's say that you have
a share, \\evilserver\nastytrojans. Now I as an admin access that share
somehow. What happens depends on how I access it.

Right, and at least with NT4, what happened was not always deterministic. If
you map a drive letter to it using Explorer, the Autorun may or may not run.
I was never able to determine why it would or would not. On Win2K it does
not run at all, on the default setting; see below for the reason.

I do note that I have NoDriveTypeAutoRun = 0x95 set in HKCU (I didn't change
this myself). I don't recall exactly what this implies (perhaps Jesper has
this info handy). Apparently, even if the poor admin is indeed stupid, he is
safe from this attack if he happens to be running Win2k.

0x95, which is the default setting in HKCU, turns off autorun for unknown
drive types (0x1 and 0x80), floppy drives (0x4) and network drives (0x10) so
that should explain why it never ran in your test lab. In Win2K it
apparently does enforce that setting consistently. On NT4, in my testing, it
was not consistent. When mapping a shared drive to a drive letter, it would
search for an autorun.inf about half the time for some reason. I analyzed
some network traces about two and a half years ago, and was never able to
figure out why it did that in some cases but not in others.

Jesper M. Johansson
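The bit mask Jesper decodes above is easier to reason about with a small decoder. The following is an added example, not code from the post or from either poster: it breaks a NoDriveTypeAutoRun value into the drive types for which AutoRun is disabled, using the bit assignments the post names (0x01 and 0x80 for unknown types, 0x04 for floppy/removable, 0x10 for network drives) plus the remaining standard Win32 drive-type bits (0x02 no root dir, 0x08 fixed, 0x20 CD-ROM, 0x40 RAM disk). The optional registry reader assumes the standard policy location under HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which the post does not state; the value 0x95 used in the demo is the one quoted in the thread.

```python
"""Decode the NoDriveTypeAutoRun mask discussed in the thread (added example)."""
from typing import Dict, List, Optional

# Bit assignments: 0x01/0x80, 0x04 and 0x10 are the ones named in the post;
# the others are the standard Win32 drive types occupying the remaining bits.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE (floppy)",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE (network share)",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "unknown drive type (reserved bit)",
}

# Value quoted in the thread as the Win2K HKCU default.
DEFAULT_WIN2K_HKCU_MASK = 0x95


def decode_no_drive_type_autorun(mask: int) -> Dict[str, bool]:
    """Map each drive type to True when a set bit disables AutoRun for it."""
    return {name: bool(mask & bit) for bit, name in DRIVE_TYPE_BITS.items()}


def autorun_enabled_types(mask: int) -> List[str]:
    """Drive types whose bit is clear, i.e. AutoRun would still be attempted."""
    return [name for name, off in decode_no_drive_type_autorun(mask).items() if not off]


def network_autorun_disabled(mask: int) -> bool:
    """The check that matters for the attack in the thread: is bit 0x10 set?"""
    return bool(mask & 0x10)


def read_mask_from_registry() -> Optional[int]:
    """Read the live HKCU policy value on Windows; return None elsewhere.

    Assumed location: the standard Explorer policy key (not stated in the post).
    """
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    path = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    mask = read_mask_from_registry()
    if mask is None:
        mask = DEFAULT_WIN2K_HKCU_MASK  # fall back to the value from the thread
    print(f"NoDriveTypeAutoRun = 0x{mask:02X}")
    for name, disabled in decode_no_drive_type_autorun(mask).items():
        print(f"  {'disabled' if disabled else 'ENABLED '}  {name}")
    print("network-share AutoRun disabled:", network_autorun_disabled(mask))
```

Run on a Windows box it reports the live policy; anywhere else it decodes the 0x95 value from the thread, which leaves AutoRun enabled only for fixed, CD-ROM, RAM-disk and no-root-dir drives. Setting 0xFF disables it for every type.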
