Penetration Testing mailing list archives
RE: USB delivered attacks
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 4 Jun 2004 15:40:34 -0400
The driver for USB drives is not on the USB drive. It's native to XP/2000, and loads dynamically from the O/S. Look at it this way; if the driver were needed to access files on the USB drive, then how could the driver be stored on the device to be used to access files? If you could pull the driver off the USB drive, why would you need the driver at all? To further see what I mean, put in your USB drive and wait for it to connect. Then look in Device Manager, and check the driver details. Look and see whose driver it is. If you've got multiple drives from multiple companies, try them one at a time, and look to see if the driver changes. Bet you it doesn't. :)
-----Original Message-----
From: randori _/_ [mailto:randori82 () hotmail com]
Sent: Thursday, June 03, 2004 2:52 PM
To: pid4x () dodo com au; pen-test () securityfocus com
Subject: Re: USB delivered attacks

I have been unable to get any autorun to come up at all from my USB drives. I am able though, to change the icon of the drive though (thank God for that!). Does anyone know how to access the onboard drivers for these drives? I'm wondering if possibly inserting the previously mentioned autorun driver for CD autorunning and tweaking it a bit to allow for the USB.

Basically, the biggest security risk I see is being able to throw something onto a locked desktop and be able to remove information while it is locked. Many times people will leave their computer unattended but locked. If this is possible, obviously autorun should be disabled, but users should also be notified to log off, just not lock their desktops.

Anyone able to get autorun working on their USB? If so, would you mind sending the guts of the autorun.inf?

Thanks in advance

____________________________________________________________
"If ignorant both of your enemy and yourself, you are certain to be in peril."
-Sun Tzu

From: "PID4x" <pid4x () dodo com au>
To: <pen-test () securityfocus com>
Subject: Re: USB delivered attacks
Date: Thu, 3 Jun 2004 04:36:07 +1000

Under WinXP I had the same results as others, and it has been explained why. On Win98 I used to test my autorun apps on my d: drive (hard drive partition) before I burnt them to CD, so that leads me to assume that autorun.inf's may work on USB drives under Win9x as well (currently don't have my laptop at this house, so I couldn't test it).

I was playing with this idea with a combination of a CD-ROM and USB drive - inserting the USB drive, then putting in a CD with the commands to run and dump to my USB drive, but you would have to know some variables, like the drive letter of your USB drive, etc (or as I did, made a simple small C app to accept the drive letter to dump to, then run the commands I wanted to run, both with hard coding the commands into the C app, and as well as telling it to run "x:\start.bat" where 'x' was the drive letter entered). It works, even if it kind of defeats the purpose (hitting win+r then running the bat file/commands would probably be just as fast).

Hope this gives some ideas to anyone out there.

Regards,
Philip

----- Original Message -----
From: "H D Moore" <sflist () digitaloffense net>
To: <pen-test () securityfocus com>
Sent: Wednesday, June 02, 2004 9:39 AM
Subject: Re: USB delivered attacks

Some friends and I looked into this a while back as a way to bypass the security of kiosk machines. We discovered that Windows 2000 (and possibly XP as well) will not execute AutoRun scripts on USB or other "removable storage" media types. Even though there is a registry key that can be changed that "enables" AutoRun, it does not work.

"Autoplay is triggered by a Media Change Notification (MCN) message from the CD-ROM driver. If the Windows 2000 interface does not receive this message, Autoplay does not operate, regardless of the value of this"

http://www.tburke.net/info/regentry/topics/91525.htm
http://www.tburke.net/info/regentry/topics/30300.htm

-HD

On Thursday 27 May 2004 21:06, Jerry Shenk wrote:

I recently inserted some guy's USB drive into a machine and was a bit surprised when it went into an auto-run sequence. I think turning off auto-run is a REALLY good idea. On a USB drive, it seems like it could
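Added example, not part of the thread or written by any of its participants: a PowerShell audit of the AutoRun policy that the messages above recommend turning off. It assumes the registry value under discussion is NoDriveTypeAutoRun under Policies\Explorer; the function name Get-AutoRunPolicy is hypothetical.

```powershell
# Added example (not from the thread). Assumes the AutoRun policy value is
# NoDriveTypeAutoRun under Policies\Explorer; a set bit disables AutoRun
# for that drive type, and 0xFF disables it for all of them.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
}

# Hypothetical helper: reports, per hive, which drive types still allow AutoRun.
function Get-AutoRunPolicy {
    param([string[]]$Hives = @('HKLM:', 'HKCU:'))
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in $Hives) {
        $path = Join-Path $hive $sub
        $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: the operating system's built-in default applies.
            [pscustomobject]@{ Path = $path; Value = 'not set'; StillEnabled = 'OS default' }
            continue
        }
        # Older systems may store the value as REG_BINARY; the mask is the first byte.
        $raw   = $item.NoDriveTypeAutoRun
        $value = if ($raw -is [byte[]]) { [int]$raw[0] } else { [int]$raw }
        # A cleared bit means AutoRun is still allowed for that drive type.
        $enabled = @($DriveTypeBits.GetEnumerator() |
            Where-Object { ($value -band $_.Value) -eq 0 } |
            ForEach-Object { $_.Key })
        [pscustomobject]@{
            Path         = $path
            Value        = '0x{0:X2}' -f $value
            StillEnabled = $(if ($enabled) { $enabled -join ', ' } else { 'none' })
        }
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
```

A host where the StillEnabled column lists Removable or CD-ROM has not had AutoRun turned off for those media types by policy.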