
| Subject: | RE: U3 TEchnology was RE: strange new virus |
|---|---|
| Date: | Sat, 16 Dec 2006 01:07:35 -0000 |
Thor, et al,

Question regarding autorun on USB flash disks (I never liked the term "thumbdrive"): if you have a file in the root called "autorun.inf" and it contains valid syntax for an icon file, the icon will appear as the drive icon in Windows Explorer. This most certainly works with XP SP2 + patches. The OS is clearly executing something, just not your arbitrary code.

The question is, would it be possible to take advantage of the icon functionality (presumably within explorer.exe) to hijack the process and run your own code? I'm thinking buffer overflow as the most likely scenario, but I'm also thinking that following MS's "trustworthy computing initiative" and XP SP2, the existence of buffer overflow possibilities in the OS is pretty minimal these days.

Thoughts?

Cheers

James D. Stallard

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Thor (Hammer of God)
Sent: 15 December 2006 17:10
To: Focus-MS
Subject: Re: U3 Technology was RE: strange new virus

Right-- I should have stated that in my earlier message: the "autorun" capabilities of U3 thumb drives function because the hardware is specifically designed to provide that (and other) functionality. The device specifically presents itself as a media device that supports autorun (like a CD or DVD drive would) upon insertion. A "standard" thumb drive would not invoke autorun unless you have software on the system to do that (it's out there).

Unfortunately, you can find many references in posts and blogs around the net where people talk about putting autorun on a thumb drive and rootkit'ing people's boxes at banks, insurance agencies, etc., but it's bunk. I've even seen detailed explanations of how to encrypt drive contents on "any old thumbdrive" and to use autorun to immediately execute code, but they dance right over the fact that you have to go out of your way to autorun a thumb drive.

The most important thing is the last point you made about least privilege. Even if someone went out of HIS way (There, Shinder- That better??? ;) to autorun a USB (or if it was U3), the user would still have to be an administrator to do anything. Again, in Vista, even with autorun-supported media insertion, it asks if you want to run autorun by default. If you want to, (depending on what the autorun does) UAC requires you to then enter the admin password to execute code or such. If you've turned off UAC, nothing would happen unless you were an admin. And in this day and age, no one should ever be running an interactive session as admin, unless you're a Scot in Bermuda (inside joke ;)

t

On 12/15/06 5:40 AM, "Henry Troup" <HenryT@watchfire.com> spoketh to all:

Ah, the Bruce Schneier blog comments have the very valuable comment:

The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device. A RMB of one indicates that the device is a removable media device. Drivers obtain this information by using the StorageDeviceProperty request.

So U3 is a different hardware spec, and U3 function can't be copied to non-U3 media. That's good. But the remarks about custom USB hardware there make me want to reach for the ol' glue gun!

Of course, the real problem is still failure to adhere to least privilege.

Thanks for the link, Bill.

Henry Troup
Watchfire Corporation
henryt@watchfire.com

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Bill Call
Subject: RE: strange new virus

I wouldn't be so sure about that. Check out:

http://www.schneier.com/blog/archives/2006/06/hacking_compute.html
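The two technical points in this thread, the RMB bit and peripheral device type in the SCSI INQUIRY response that let a U3 launchpad present itself as CD-class media, and the distinction between autorun.inf directives that a removable flash disk honours (icon) and those that only run from CD-like media (open, shellexecute), can be checked in code. The following is an added example, not code from any poster or from SanDisk/U3. The INQUIRY responses, vendor/product strings and autorun.inf are constructed samples, and the "which directives are honoured" rule encodes what the thread describes for XP-era hosts rather than any published Windows specification.

```python
"""Decode SCSI INQUIRY data and an autorun.inf, then apply the rule the thread describes.

Added example; the sample INQUIRY responses and autorun.inf below are constructed,
not captured from real devices.
"""
import configparser
from dataclasses import dataclass

# Peripheral device type codes from SPC (byte 0, bits 4..0 of the INQUIRY response).
DIRECT_ACCESS = 0x00  # disk-class device: what an ordinary USB flash drive reports
CDROM_DVD = 0x05      # CD/DVD-class device: what a U3 drive's launchpad volume emulates

# Which [autorun] directives the host acts on, per the thread: icon/label are applied
# to any removable volume, open/shellexecute/shell only run from CD-class media.
# Assumption: this mapping is the thread's description, not a Windows specification.
PRESENTATION_KEYS = {"icon", "label"}
EXECUTION_KEYS = {"open", "shellexecute", "shell"}


@dataclass
class InquiryInfo:
    device_type: int
    removable: bool   # RMB: byte 1, bit 7
    vendor: str
    product: str
    revision: str


def parse_inquiry(data: bytes) -> InquiryInfo:
    """Decode the 36-byte standard INQUIRY response: device type, RMB, ID strings."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")

    def ascii_field(raw: bytes) -> str:
        return raw.decode("ascii", "replace").strip()

    return InquiryInfo(
        device_type=data[0] & 0x1F,
        removable=bool(data[1] & 0x80),
        vendor=ascii_field(data[8:16]),
        product=ascii_field(data[16:32]),
        revision=ascii_field(data[32:36]),
    )


def build_inquiry(device_type: int, removable: bool, vendor: str, product: str, rev: str) -> bytes:
    """Construct a plausible 36-byte INQUIRY response (sample data only)."""
    buf = bytearray(36)
    buf[0] = device_type & 0x1F
    buf[1] = 0x80 if removable else 0x00
    buf[2] = 0x04                    # version: SPC-2
    buf[3] = 0x02                    # response data format 2
    buf[4] = 31                      # additional length (bytes after byte 4)
    buf[8:16] = vendor.encode("ascii").ljust(8)[:8]
    buf[16:32] = product.encode("ascii").ljust(16)[:16]
    buf[32:36] = rev.encode("ascii").ljust(4)[:4]
    return bytes(buf)


def parse_autorun_inf(text: str) -> dict:
    """Return the [autorun] section as a lower-cased key -> value dict ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp.items("autorun")) if cp.has_section("autorun") else {}


def honoured_directives(inq: InquiryInfo, directives: dict) -> dict:
    """Map each directive to whether the host would act on it for this device class."""
    acts_like_cd = inq.device_type == CDROM_DVD
    result = {}
    for key in directives:
        base = key.split("\\")[0]            # shell\verb\command -> shell
        if base in PRESENTATION_KEYS:
            result[key] = "honoured"
        elif base in EXECUTION_KEYS:
            result[key] = "honoured" if acts_like_cd else "ignored on removable disk"
        else:
            result[key] = "unknown directive"
    return result


# Constructed samples: an ordinary flash drive and a U3-style CD-ROM emulation.
FLASH_INQUIRY = build_inquiry(DIRECT_ACCESS, True, "Generic", "USB Flash Disk", "1.00")
U3_INQUIRY = build_inquiry(CDROM_DVD, True, "Vendor", "Launchpad CDROM", "1.00")

SAMPLE_AUTORUN = """[autorun]
icon=drive.ico
label=Holiday Photos
open=launcher.exe
shellexecute=launcher.exe
"""

if __name__ == "__main__":
    for name, raw in (("flash drive", FLASH_INQUIRY), ("U3 launchpad", U3_INQUIRY)):
        inq = parse_inquiry(raw)
        print(f"{name}: type=0x{inq.device_type:02x} RMB={int(inq.removable)} "
              f"{inq.vendor} {inq.product} {inq.revision}")
        for key, verdict in honoured_directives(inq, parse_autorun_inf(SAMPLE_AUTORUN)).items():
            print(f"  {key:13s} {verdict}")
```

Note that both sample devices set RMB=1; the bit Henry quotes distinguishes removable from fixed media, but it is the peripheral device type (disk versus CD/DVD) that decides whether the host treats the volume as autorun-capable media, which is the point Thor makes about U3 hardware.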
| Previous by Date: | Re: Re[2]: strange new virus, Deafcon |
|---|---|
| Next by Date: | Re: U3 TEchnology was RE: strange new virus, Thor (Hammer of God) |
| Previous by Thread: | Re: U3 TEchnology was RE: strange new virus, Thor (Hammer of God) |
| Next by Thread: | Re: U3 TEchnology was RE: strange new virus, Thor (Hammer of God) |