Penetration Testing mailing list archives

Re: USB delivered attacks


From: <mak_pen () hotmail com>
Date: 3 Jun 2004 19:38:44 -0000

In-Reply-To: <40BCBB44.7050202 () linuxbox org>

The mere fact that it's USB has nothing to do with the attack itself. What is to blame is that autorun is enabled by 
default on Windows XP. That is why the attack works. USB makes it convenient to stick the memory stick in any computer 
and have the user just open the memory stick and the attack works and no antivirus or anything detects this till now.

in short, 
usb = convenience
autorun = culprit (so to speak)


Message-ID: <40BCBB44.7050202 () linuxbox org>
Date: Tue, 01 Jun 2004 19:22:12 +0200
From: Gadi Evron <ge () linuxbox org>
To: "Antonio Fontes 'Saphyr'" <saphyr () nxtg net>
Cc: pen-test () securityfocus com
Subject: Re: USB delivered attacks

In order to put some 'practice' on this attack, I've been trying this night
to effectively use autorun mechanisms and see what could be possible.

After reading the MSDN specs about autorun.inf file creation, I added
an autorun.inf into my USB device along with a little batch script whose
purpose was to copy the 'SAM' table and copy of the 'SET' command
result into a specific folder on the usb device.

Nothing happens... Even after being sure auto-run is enabled. Something
should be missing... are there specific operating systems that disable
auto-run by default ? (I am using windows 2000)

However, burning the batch + autorun file onto a cd-rom and inserting
it into the tray makes the auto-run sequence loading...

So 2-cents question: which os'es do really use USB devices auto-run
and on which USB devices does it work ? (not a usb hard-disk key it
seems)...

USB devices install a driver, nothing to do with autorun.inf that I know 
of.. You misunderstood.

As your test suggested, it does work when using a CD.
:)

      Gadi.

-- 
Email: ge () linuxbox org.  Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: 
http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
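
A defensive check for the autorun.inf mechanism discussed in this thread, as an added example that is not from any of the posters: it parses the text of an autorun.inf and reports the [autorun] entries that would start a program. The sample file contents and the function name are constructed for illustration.

```python
"""Audit the text of an autorun.inf for entries that launch a program."""

# Keys in the [autorun] section that name something to execute.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample input, not taken from the thread.
SAMPLE_INF = """\
; constructed sample
[AutoRun]
label=Holiday photos
icon=folder.ico
OPEN = setup.exe
shell\\explore\\command=setup.exe /quiet

[Other]
open=ignored.exe
"""


def find_launch_entries(inf_text):
    """Return (key, command) pairs from [autorun] that would start a program."""
    findings = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are matched case-insensitively
            continue
        if section != "autorun" or "=" not in line:
            continue  # only the [autorun] section is audited here
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        # shell\<verb>\command entries add context-menu verbs that run a command
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in EXEC_KEYS or is_verb):
            findings.append((key, value))
    return findings


if __name__ == "__main__":
    for key, command in find_launch_entries(SAMPLE_INF):
        print(f"autorun.inf would launch via {key!r}: {command}")
```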



