Full Disclosure mailing list archives
Re: Re: USB risks (continued)
From: Jp Wise <jpwise () softhome net>
Date: Sun, 20 Jun 2004 00:11:11 +1200
Hi All, this isn't a subject I claim to know anything about, but has anyone previously looked at using the partition table, and its various codes for the filesystems? A USB or PCMCIA drive for that matter has its own partition table (I believe). The OS then reads the table, and loads the appropriate filesystem driver to attempt mounting the filesystem: fastfat.sys, ntfs.sys and possibly even cdfs.sys.
If there's a bug or a buffer overflow that can be accessed via the filesystem driver itself then it may be exploitable. I believe the filesystem drivers are probably Ring0 drivers as well, so if it was exploited it's straight into the bottom level of the OS.
If 2k or XP will install the device while the workstation is still locked it leads that you might be able to gain admin even on a locked workstation (or server). Although I don't have a USB drive so can't test if it installs or not.
Just an idea.
Jp.

Harlan Carvey wrote:
I agree, the use of USB-connected devices is nothing new. They make a very unobtrusive delivery system, as well as a great way to load vast amounts of data into an extremely small space to get information out of an organization.

But you know something, that's not really the point. Yes, this is an old concern. It goes right up there w/ digital camera-enabled cell phones and a variety of other security risks.

I've been after one thing from the beginning...information. Evil Wrangler said that information should be free, but when I asked him some questions, all I got back was, "what...never heard of hacking??"

In his 2600 article, EW stated that he plugged a USB device into a friend's computer, and the autorun.inf file was automatically parsed and commands within the "open=" line of that file were automatically run. According to documentation at MS, by default, this should not be possible. The NoDriveTypeAutorun key within the Registry allows CDs to run the autorun.inf file, but not removable drive types, such as floppies and USB thumb drives.

I have asked for specifics such as manufacturer and model number of the device used, specific information regarding drivers loaded, etc. After all, EW says that "information should be free", but I certainly don't see him freeing any information.

If anyone has any information that can be used in repeatable experiments, I'd appreciate hearing from you.

Thanks,
Harlan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
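Jp Wise's message above treats the partition table on a removable drive as untrusted input that the OS reads before handing the volume to a filesystem driver. The following is an added example, not part of the original posts: a user-space sanity check of a classic MBR partition table that flags malformed entries. The function names and the sample sector are constructed for illustration; the type codes are the commonly documented MBR values.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte entries, then 0x55 0xAA
KNOWN_TYPES = {0x01: "FAT12", 0x06: "FAT16", 0x0B: "FAT32 (CHS)",
               0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x07: "NTFS"}

def parse_mbr(sector, device_sectors):
    """Return (entries, problems) for one untrusted 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, _chs0, ptype, _chs1, start, count = struct.unpack("<B3sB3sII", raw)
        if ptype == 0x00:
            continue  # unused slot
        end = start + count  # Python ints cannot wrap; C code must check this
        if status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if ptype not in KNOWN_TYPES:
            problems.append(f"entry {i}: unrecognised type 0x{ptype:02x}")
        if start == 0 or count == 0 or end > device_sectors:
            problems.append(f"entry {i}: extent {start}+{count} outside device")
        for other in entries:
            if start < other["end"] and other["start"] < end:
                problems.append(f"entry {i}: overlaps entry {other['index']}")
        entries.append({"index": i, "type": ptype,
                        "name": KNOWN_TYPES.get(ptype, "unknown"),
                        "start": start, "end": end})
    return entries, problems

def build_sample_mbr(rows):
    """Constructed test input: rows of (status, type, start_lba, sectors)."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0" * 3, t, b"\0" * 3, lba, n)
                     for s, t, lba, n in rows)
    return (b"\0" * TABLE_OFFSET + table).ljust(510, b"\0") + b"\x55\xaa"

if __name__ == "__main__":
    # Constructed 128 MB stick (262144 sectors): one sane FAT32 entry and one
    # entry whose extent runs past the end of the device and overlaps the first.
    mbr = build_sample_mbr([(0x80, 0x0B, 63, 262081),
                            (0x00, 0x07, 200000, 0xFFFFFFFF)])
    for line in parse_mbr(mbr, 262144)[1]:
        print(line)
```
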