RE: USB delivered attacks

["Rob Shein" <shoten () starpower net>]

The driver for USB drives is not on the USB drive.  It's native to XP/2000,
and loads dynamically from the O/S.

Look at it this way; if the driver were needed to access files on the USB
drive, then how could the driver be stored on the device to be used to
access files?  If you could pull the driver off the USB drive, why would you
need the driver at all?

To further see what I  mean, put in your USB drive and wait for it to
connect.  Then look in Device Manager, and check the driver details.  Look
and see whose driver it is.  If you've got multiple drives from multiple
companies, try them one at a time, and look to see if the driver changes.
Bet you it doesn't. :)

> -----Original Message-----
> From: randori _/_ [mailto:randori82 () hotmail com] 
> Sent: Thursday, June 03, 2004 2:52 PM
> To: pid4x () dodo com au; pen-test () securityfocus com
> Subject: Re: USB delivered attacks
>
>
> I have been unable to get any autorun to come up at all from 
> my USB drives.  
> I am able though, to change the icon of the drive though 
> (thank God for 
> that!).
> Does anyone know how to access the onboard drivers for these 
> drives?  I 
> wondering if possibly inserting the previously mentioned 
> autorun driver for 
> CD autorunning and tweaking it a bit to allow for the USB.
>
> Basically, the biggest security risk I see is being able to 
> throw something 
> onto a locked desktop and be able to remove information while 
> it is locked.  
> Many times people will leave their comptuer unnattended but 
> locked.  If this 
> is possible, obviously autorun should be disabled, but users 
> should also be 
> notified to log off, just not lock their desktops.
>
> Anyone able to get autorun working on their USB?  If so, 
> would you mind 
> sending the guts of the autorun.inf?
>
> Thanks in advance
>
> ____________________________________________________________
> "If ignorant both of your enemy and yourself, you are certain 
> to be in 
> peril."
> -Sun Tzu
>
> [randori]
> XXXXXXX
>
>
>
>
>
> > From: "PID4x" <pid4x () dodo com au>
> > To: <pen-test () securityfocus com>
> > Subject: Re: USB delivered attacks
> > Date: Thu, 3 Jun 2004 04:36:07 +1000
> > MIME-Version: 1.0
> > Received: from outgoing3.securityfocus.com ([205.206.231.27]) by
> > mc6-f24.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713); 
> Thu, 3 Jun 2004 
> > 07:34:40 -0700
> > Received: from lists.securityfocus.com (lists.securityfocus.com 
> > [205.206.231.19])by outgoing3.securityfocus.com (Postfix) 
> with QMQPid 
> > A8CB92370DB; Wed,  2 Jun 2004 20:51:51 -0600 (MDT)
> > Received: (qmail 22810 invoked from network); 2 Jun 2004 
> 18:23:36 -0000
> > X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
> > Mailing-List: contact pen-test-help () securityfocus com; run by ezmlm
> > Precedence: bulk
> > List-Id: <pen-test.list-id.securityfocus.com>
> > List-Post: <mailto:pen-test () securityfocus com>
> > List-Help: <mailto:pen-test-help () securityfocus com>
> > List-Unsubscribe: <mailto:pen-test-unsubscribe () securityfocus com>
> > List-Subscribe: <mailto:pen-test-subscribe () securityfocus com>
> > Delivered-To: mailing list pen-test () securityfocus com
> > Delivered-To: moderator for pen-test () securityfocus com
> > Message-ID: <009e01c448d0$78b2aeb0$82a5dccb@Hamilton>
> > References: <002401c44458$53b94c80$9701010a@JASEVO> 
> > <200406011839.28884@M3T4>
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook Express 6.00.2800.1409
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
> > Return-Path: 
> > pen-test-return-1078474734-randori82=hotmail.com () securityfocus com
> > X-OriginalArrivalTime: 03 Jun 2004 14:34:40.0505 (UTC) 
> > FILETIME=[E7610E90:01C44977]
> >
> > Under winXP i had the same results as others, and it has 
> been explained
> > why.
> >
> > On win98 i use to test my auto run apps on my d: drive (hard drive
> > partition) before i burnt them to cd , so that leads me to 
> assume that 
> > autorun.inf's may work on usb drives under win9x as well (currently 
> > dont have my laptop at this house, so i couldnt test it).
> >
> > I was playing with this idea with a combination of a cdrom and usb 
> > drive - inserting the usb drive, then puting in a cd with 
> the commands 
> > to run and dump to my usb drive, but you would have to know some 
> > variables, like the drive letter of your usb drive, etc (or as i did 
> > made a simple small c app to accept the drive letter to dump 
> to, then 
> > run the commands i wanted to run, both with hard coding the commands 
> > into the c app, and as well as telling it to run 
> "x:\start.bat" where 
> > 'x' was the drive letter entered).
> >
> > It works, even if it kind of defeats the purpose (hitting win+r then 
> > runing the bat file/commands would probably be just as fast).
> >
> > Hope this gives some ideas to anyone out there.
> >
> > Reguards,
> > Philip
> >
> > ----- Original Message -----
> > From: "H D Moore" <sflist () digitaloffense net>
> > To: <pen-test () securityfocus com>
> > Sent: Wednesday, June 02, 2004 9:39 AM
> > Subject: Re: USB delivered attacks
> >
> >
> > > Some friends and I looked into this a while back as a way 
> to bypass 
> > > the security of kiosk machines. We discovered that 
> Windows 2000 (and
> > possibly
> > > XP as well) will not execute AutoRun scripts on USB or other 
> > > "removable storage" media types. Even though there is a 
> registry key 
> > > that can be changed that "enables" AutoRun, it does not work.
> > >
> > > "Autoplay is triggered by a Media Change Notification 
> (MCN) message 
> > > from the CD-ROM driver. If the Windows 2000 interface does not 
> > > receive this message, Autoplay does not operate, 
> regardless of the 
> > > value of this"
> > >
> > > http://www.tburke.net/info/regentry/topics/91525.htm
> > > http://www.tburke.net/info/regentry/topics/30300.htm
> > >
> > > -HD
> > >
> > > On Thursday 27 May 2004 21:06, Jerry Shenk wrote:
> > > > I recently inserted some guy's USB drive into a machine 
> and was a 
> > > > but surprised when it went into an auto-run sequence.  I think 
> > > > turning off auto-run is a REALLY good idea.  On a USB drive, it 
> > > > seems like it
> > could
> > >
>
> _________________________________________________________________
> Get fast, reliable Internet access with MSN 9 Dial-up - now 3 
> months FREE! 
> http://join.msn.click-url.com/go/onm00200361ave/direct/01/