At 12:07 AM 2/18/00 -0500, Eric Stevens wrote:
>...
>--the meat and an example--
>The vulnerability is that it is somewhat arbitrary for a programmer to throw
>together a small executable that checks the current user, and possibly that
>user's permissions on the local machine.  This executable could be a file
>that detects user privileges, and if the user does not possess
>administrative privileges, then it invokes Explorer on that directory to
>open the directory like normal.  If administrative privileges are possessed,
>then it can invoke some other executable, such as a trojan horse virus, or
>it could itself be a trojan horse which implements whatever its little
>virus heart desires, such as promoting privileges on the originating user.
>
>--more on the example--
>When an administrator logs on locally, they may double click that drive (it
>can be done to all of them), and run the malicious executable, without
>their knowledge.  Our little trojan may even continue on to open Explorer to
>keep the administrator blissfully unaware that they have just been
>compromised.
>
>--the limitation--
>This exploit requires write access to the root directory of a local drive in
>order to work.  That's not all that uncommon a permission to have,
>especially for a non-C: drive.  Similarly, any exploit allowing the
>uploading of arbitrary files to the root directory of any drive makes this a
>very real exploit; no directory guessing, i.e. did they name the WIN
>directory Windows or Winnt?
>
>--the workaround--
>Disable the autorun feature.  There's a key for it somewhere in the
>registry.

To disable the autoinsert notification:

Win9x - HKEY_LOCAL_MACHINE\Enum\SCSI\Name_of_cdrom\MF&...(nasty long key)\
AutoInsertNotification (binary value, default 01) set to 00

WinNT - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\
Autorun (hex DWORD value, default 0x00000001) set to 0x00000000

>--possible difficulties with the workaround--
>There are actually two levels of autorun to disable. One is where it no
>longer checks newly inserted media for an autorun, one is where it never
>checks for an autorun file at all...

Secondary workaround:

Win9x -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun (binary value, default 95 00 00 00) set to 9d 00 00 00

WinNT -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun (hex DWORD, default 0x00000095) set to 0x0000009d

In both values, the high 24 bits should be left at 0, and the low 8 bits
affect autorun settings (1 disables) on the following specific types of
drives:

0 - Unknown Drive Type
1 - Drive without Root Directory
2 - Removable Drive
3 - Fixed Drive
4 - Network Drive
5 - CDROM Drive
6 - RAMDisk Drive
7 - Undefined Drive Type

By default, Windows sets this value to 95h, which is 10010101 in binary.
This disables autorun on unknown, removable, network, and undefined drive
types. The quickest workaround for this issue is to turn on bit 3, thereby
disabling autorun on all fixed drives.

NB:
For anyone that doesn't know, TweakUI is part of the Win95 power toys, and
can be downloaded from:
http://www.microsoft.com/windows/downloads/bin/W95powertoy.exe

Cheers,
        jeremy
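As an added example (not from either message in the thread), the following Python decodes the NoDriveTypeAutoRun bitmask from the registry display form, sets the fixed-drive bit as the secondary workaround describes, and emits the value in the Win9x binary and WinNT DWORD forms plus a REGEDIT4 fragment. The function names and the REGEDIT4 text are my own; the 0x95/0x9d values, bit numbering and key path come from the message above.

```python
# Drive-type bit numbering from the message: bit set = autorun disabled.
DRIVE_TYPES = {
    0: "Unknown Drive Type",
    1: "Drive without Root Directory",
    2: "Removable Drive",
    3: "Fixed Drive",
    4: "Network Drive",
    5: "CDROM Drive",
    6: "RAMDisk Drive",
    7: "Undefined Drive Type",
}
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def parse_win9x_binary(shown):
    """Turn the regedit display form '95 00 00 00' (little-endian bytes) into an int."""
    return int.from_bytes(bytes.fromhex(shown.replace(" ", "")), "little")


def decode_mask(value):
    """List the drive types on which autorun is disabled; reject a non-zero high 24 bits."""
    if value & ~0xFF:
        raise ValueError("high 24 bits must be 0, got 0x%08x" % value)
    return [name for bit, name in DRIVE_TYPES.items() if (value >> bit) & 1]


def disable_autorun_for(value, *drive_type_bits):
    """Set the bit for each drive type (3 = fixed drives, the workaround in the message)."""
    for bit in drive_type_bits:
        if bit not in DRIVE_TYPES:
            raise ValueError("unknown drive type bit %d" % bit)
        value |= 1 << bit
    return value


def as_win9x_binary(value):
    """Win9x binary value as regedit shows it, e.g. '9d 00 00 00'."""
    return " ".join("%02x" % b for b in value.to_bytes(4, "little"))


def as_nt_dword(value):
    """WinNT hex DWORD as regedit shows it, e.g. '0x0000009d'."""
    return "0x%08x" % value


def reg_fragment(value, nt=True):
    """REGEDIT4 text (constructed here) applying the value; hex: form for Win9x, dword: for NT."""
    data = "dword:%08x" % value if nt else "hex:" + ",".join("%02x" % b for b in value.to_bytes(4, "little"))
    return "REGEDIT4\n\n[%s]\n\"NoDriveTypeAutoRun\"=%s\n" % (POLICY_KEY, data)


if __name__ == "__main__":
    current = parse_win9x_binary("95 00 00 00")          # the default in the message
    print("disabled now:", decode_mask(current))
    patched = disable_autorun_for(current, 3)            # add fixed drives -> 0x9d
    print(as_win9x_binary(patched), as_nt_dword(patched))
    print(reg_fragment(patched))
```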
