Penetration Testing mailing list archives

RE: USB delivered attacks


From: "Steven A. Fletcher" <sfletcher () integrityts com>
Date: Tue, 1 Jun 2004 00:49:59 -0500

My only question is, if the USB drive or a CD-ROM drive were to autorun
on a locked workstation, what access to the machine would the autorun
process have?  I'm assuming that it would have the same level of access
as the currently logged in user, but I'm curious.

If it is the same as the current user, it would be trivial to make a
copy of their home directory, etc.  Really kind of scary, when you think
about all of the possibilities.......

Steve Fletcher
Senior Network Engineer, MCSE, Master ASE, CCNA
Integrity Technology Solutions
Phone: (309)664-8129
Toll Free: (888) 764-8100 ext. 129
Fax: (309) 662-6421
sfletcher () integrityts com

-----Original Message-----
From: Balaji Prasad [mailto:bp1974 () comcast net] 
Sent: Monday, May 31, 2004 5:09 PM
To: Jerry Shenk; pen-test () securityfocus com
Subject: Re: USB delivered attacks

USB by design is meant to autodetect and autorun. I think the security is
compromised when you connect untrusted devices to your computer.
I can think of at least 1 service (terminal services) that allows you to run
processes with the screen locked. I presume "autorun" will work under a
locked screen.
A more generic solution would be to have all removable storage devices
mounted as "non-executable". It is trivially done in unix. Not sure how to
do this in Windows.

----- Original Message ----- 
From: "Jerry Shenk" <jshenk () decommunications com>
To: <pen-test () securityfocus com>
Sent: Thursday, May 27, 2004 7:06 PM
Subject: USB delivered attacks


I recently inserted some guy's USB drive into a machine and was a bit
surprised when it went into an auto-run sequence.  I think turning off
auto-run is a REALLY good idea.  On a USB drive, it seems like it could
be really dangerous.  Has anybody messed with this?

One possible scenario:
- Have a USB drive with a few tools on it.
- Have an auto-run configured to run pwdump and dump the SAM to the USB
drive

It seems that this attack would work with a machine that was locked from
the console.  Does 'autorun' still work under a locked screen?  With
this USB drive being writeable, it would seem that some scripted attack
to extract information from a machine could be amazingly fruitful....the
possibilities are almost endless.
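
Added example, not part of any message in this thread: the "mount removable storage non-executable" mitigation suggested above can be audited on a Linux host by reading the mount table. The function name, the mount-point prefixes (/media, /mnt, /run/media) and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a mount table (in /proc/mounts format) for removable-media mount
# points that are missing the hardening options noexec, nosuid or nodev.
#
# Assumption: removable media are mounted below /media, /mnt or /run/media.
# /proc/mounts encodes spaces in paths as \040, so whitespace field
# splitting is safe here.
#
# Fields per line: device mountpoint fstype options dump pass
audit_removable_mounts() {
    awk '
    BEGIN { nw = split("noexec nosuid nodev", want, " ") }
    # Append "/" so the prefix test only matches paths below the directory.
    ($2 "/") ~ /^\/(media|mnt|run\/media)\// {
        split("", seen)                  # portable way to clear an array
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) seen[opts[i]] = 1
        missing = ""
        for (j = 1; j <= nw; j++)
            if (!(want[j] in seen))
                missing = missing (missing == "" ? "" : ",") want[j]
        if (missing != "") print $2 ": missing " missing
    }'
}

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /media/usb1 vfat rw,relatime,uid=1000 0 0
/dev/sr0 /mnt/cdrom iso9660 ro,nosuid,nodev 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | audit_removable_mounts

# On a live Linux system:
#   audit_removable_mounts < /proc/mounts
```

Note that noexec only blocks direct execution of files on the volume; a script can still be read from it and passed to an interpreter that lives elsewhere.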