Penetration Testing mailing list archives
RE: USB delivered attacks
From: "Steven A. Fletcher" <sfletcher () integrityts com>
Date: Tue, 1 Jun 2004 00:49:59 -0500
My only question is, if the USB drive or a CD-ROM drive where to autorun on a locked workstation, what access to the machine would the autorun process have? I'm assuming that it would have the same level of access as the currently logged in user, but I'm curious. If it is the same as the current user, it would be trivial to make a copy of their home directory, etc. Really kind of scary, when you think about all of the possibilities....... Steve Fletcher Senior Network Engineer, MCSE, Master ASE, CCNA Integrity Technology Solutions Phone: (309)664-8129 Toll Free: (888) 764-8100 ext. 129 Fax: (309) 662-6421 sfletcher () integrityts com -----Original Message----- From: Balaji Prasad [mailto:bp1974 () comcast net] Sent: Monday, May 31, 2004 5:09 PM To: Jerry Shenk; pen-test () securityfocus com Subject: Re: USB delivered attacks USB by design is meant to autodetect and autorun. I think the security is compromised when you connect untrusted devices to your computer. I can think of atleast 1 service (terminal services) that allow you to run processes with the screen locked. I presume "autorun" will work under a locked screen. A more generic solution would be to have all removable storage devices mounted as "non-executable". It is trivially done in unix. Not sure how to do this in Windows. ----- Original Message ----- From: "Jerry Shenk" <jshenk () decommunications com> To: <pen-test () securityfocus com> Sent: Thursday, May 27, 2004 7:06 PM Subject: USB delivered attacks
I recently inserted some guy's USB drive into a machine and was a but surprised when it went into an auto-run sequence. I think turning off auto-run is a REALLY good idea. On a USB drive, it seems like it
could
be really dangerous. Has anybody messed with this? One possible scenario: - Have a USB drive with a few tools on it. - Have an auto-run configured to run pwdump and dump the SAM to the
USB
drive It seems that this attack would work with a machine that was locked
from
the console. Does 'autorun' still work under a locked screen? With this USB drive being writeable, it would seem that some scripted
attack
to extract information from a machine could be amazingly
fruitful....the
possibilities are almost endless.
Current thread:
- Re: USB delivered attacks Balaji Prasad (May 31)
- Re: USB delivered attacks Antonio Fontes 'Saphyr' (Jun 01)
- Re: USB delivered attacks Gadi Evron (Jun 01)
- <Possible follow-ups>
- RE: USB delivered attacks Steven A. Fletcher (Jun 01)
- Re: USB delivered attacks Gadi Evron (Jun 01)
- RE: USB delivered attacks Steven A. Fletcher (Jun 01)
- RE: USB delivered attacks Jerry Shenk (Jun 01)
- Re: USB delivered attacks H D Moore (Jun 02)
- Re: USB delivered attacks PID4x (Jun 02)
- Re: USB delivered attacks Fred Gravel (Jun 02)
- Re: USB delivered attacks mak_pen (Jun 04)
- Re: USB delivered attacks R. DuFresne (Jun 04)
- RE: USB delivered attacks Brian Taylor (Jun 07)
- Re: USB delivered attacks R. DuFresne (Jun 04)
- Re: USB delivered attacks randori _/_ (Jun 04)
- RE: USB delivered attacks Rob Shein (Jun 04)
- Re: USB delivered attacks Gadi Evron (Jun 07)
- RE: USB delivered attacks Rob Shein (Jun 04)
(Thread continues...)
- Re: USB delivered attacks Antonio Fontes 'Saphyr' (Jun 01)