RE: USB delivered attacks

["Steven A. Fletcher" <sfletcher () integrityts com>]

Recently, I heard someone mention and interesting way to get people to
insert such a CD.  He said that he would leave a CD lying around in the
bathroom that was labeled something like "Quarter 4 Raises" or "Quarter
4 Layoffs".  Of course, this tempted people and someone would eventually
pick up the CD and put it in their computer.

In some ways, I'm sort of disappointed to hear that locking the screen
prevents autorun from happening.  That would have been an interesting
way to show people just how insecure their computers really are.  :)

Steve
 

-----Original Message-----
From: Jerry Shenk [mailto:jshenk () decommunications com] 
Sent: Tuesday, June 01, 2004 6:38 AM
To: Steven A. Fletcher; pen-test () securityfocus com
Subject: RE: USB delivered attacks

Well, I've gotten quite a response on this.  There seems to be an
overwhelming agreement that autorun should be turned off;)  Yeah, I
think that's fair.

I did a little bit of testing this AM.  I don't have a USB flash-drive
so I built a CD with 1 file, autorun.inf which had the following
contents:
[AutoRun]
OPEN=ping.exe 10.1.1.5

I then turned autorun on my XP laptop and started tcpdump on a linux box
watching specifically for icmp from my laptop (tcpdump icmp and host
192.168.23.1).

When I inserted the CD while logged on, I saw the ping screen pop up and
I saw tcpdump capture the icmp traffic on the linux box.

I then waited for the screensaver to lock my laptop and then I inserted
the CD - nothing.  I tried a 2nd time, still nothing.  Then I unlocked
the screen and re-inserted the CD to doublecheck that the complicated
setup ;) was still working...and it was.

This preliminary testing seems to indicate that the user needs to be
logged in.  Additional testing could prove that there would be ways to
get around this but initially, it seems like having the screensaver lock
the machine stops autorun.

Obviously, we still have some other social engineering problems....had
the CD been built with some code to extract data from the machine and
shoot it to another machine (perhaps a waiting tftp server or netcan
listener).  One e-mail suggested putting a document on a CD and asking a
secretary or somebody to print it out...he didn't really care about the
printout, what he wanted was the results from autorun on his USB
thumbdrive.

One problem also is that the screen pops up with the application.  I
suppose there are ways to get that to start without a screen.

-----Original Message-----
From: Steven A. Fletcher [mailto:sfletcher () integrityts com] 
Sent: Tuesday, June 01, 2004 1:50 AM
To: Balaji Prasad; Jerry Shenk; pen-test () securityfocus com
Subject: RE: USB delivered attacks


My only question is, if the USB drive or a CD-ROM drive where to autorun
on a locked workstation, what access to the machine would the autorun
process have?  I'm assuming that it would have the same level of access
as the currently logged in user, but I'm curious.  

If it is the same as the current user, it would be trivial to make a
copy of their home directory, etc.  Really kind of scary, when you think
about all of the possibilities.......

Steve Fletcher
Senior Network Engineer, MCSE, Master ASE, CCNA
Integrity Technology Solutions
Phone: (309)664-8129
Toll Free: (888) 764-8100 ext. 129
Fax: (309) 662-6421
sfletcher () integrityts com

-----Original Message-----
From: Balaji Prasad [mailto:bp1974 () comcast net] 
Sent: Monday, May 31, 2004 5:09 PM
To: Jerry Shenk; pen-test () securityfocus com
Subject: Re: USB delivered attacks

USB by design is meant to autodetect and autorun. I think the security
is
compromised when you connect untrusted devices to your computer.
I can think of atleast 1 service (terminal services) that allow you to
run
processes with the screen locked. I presume "autorun" will work under a
locked screen.
A more generic solution would be to have all removable storage devices
mounted as "non-executable". It is trivially done in unix. Not sure how
to
do this in Windows.

----- Original Message ----- 
From: "Jerry Shenk" <jshenk () decommunications com>
To: <pen-test () securityfocus com>
Sent: Thursday, May 27, 2004 7:06 PM
Subject: USB delivered attacks


> I recently inserted some guy's USB drive into a machine and was a but
> surprised when it went into an auto-run sequence.  I think turning off
> auto-run is a REALLY good idea.  On a USB drive, it seems like it
could
> be really dangerous.  Has anybody messed with this?
>
> One possible scenario:
> - Have a USB drive with a few tools on it.
> - Have an auto-run configured to run pwdump and dump the SAM to the
USB
> drive
>
> It seems that this attack would work with a machine that was locked
from
> the console.  Does 'autorun' still work under a locked screen?  With
> this USB drive being writeable, it would seem that some scripted
attack
> to extract information from a machine could be amazingly
fruitful....the
> possibilities are almost endless.