Thor, et al Question regarding autorun on USB flash disks (I never like the term "thumbdrive"):
If you have a file in the root called "autorun.inf" and it contains a valid syntax for an icon file, the icon will appear as the drive icon in Windows Explorer. This most certainly works with XPSP2+patches. The OS is clearly executing something, just not your arbitrary code. The question is, would it be possible to take advantage of the icon functionality (presumably within explorer.exe) to hijack the process and run your own code? I'm thinking buffer overflow as the most likely scenario, but I'm also thinking that following MS "trustworthy computing initiative" and XPSP2, the existence of buffer overflow possibilities in the OS is pretty minimal these days. Thoughts? Cheers James D. Stallard -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thor (Hammer of God) Sent: 15 December 2006 17:10 To: Focus-MS Subject: Re: U3 TEchnology was RE: strange new virus Right-- I should have stated that in my earlier message- the "autorun" capabilities of u3 thumb drives function because the hardware is specifically designed to provide that (and other) functionality. The device specifically presents itself as a media device that supports auto-run (like a CD or DVD drive would) upon insertion. A "standard" thumb drive would not invoke autorun unless you have software on the system to do that (it's out there). Unfortunately, you can find many references in posts and blogs around the net where people talk about putting autorun on a thumb drive and rootkit'ing people's boxes at banks, insurance agencies, etc, but it's bunk. I've even seen detailed explanations of how to encrypt drive contents on "any old thumbdrive" and to use autorun to immediately execute code, but they dance right over the fact that you have to go out of your way to autorun a thumb drive. The most important thing is the last point you made about least privilege. Even if someone went out of HIS way (There, Shinder- That better??? ;) to autorun a usb (or if it was u3) the user would still have to be an administrator to do anything. Again, in Vista, even with autorun supported media insertion, it asks if you want to run autorun by default. If you want to, (depending on what the autorun does) UAC requires you to then enter the admin password to execute code or such. If you've turned off UAC, nothing would happen unless you were an admin. And in this day and age, no one should ever be running an interactive session as admin, unless you're a Scot in Bermuda (inside joke ;) t On 12/15/06 5:40 AM, "Henry Troup" <[EMAIL PROTECTED]> spoketh to all: > Ah, the Bruce Schneier blog comments have the very valuable comment: > > The removable media device setting is a flag contained within the > SCSI Inquiry > Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed > from 0) is > the Removable Media Bit (RMB). A RMB set to zero indicates that the > device is not > a removable media device. A RMB of one indicates that the device is > a removable > media device. Drivers obtain this information by using the > StorageDeviceProperty > request. > > So U3 is a different hardware spec, and U3 function can't be copied to > non-U3 media. That's good. But the remarks about custom USB hardware > there make me want to reach for the ol' glue gun! Of course, the real > problem is still failure to adhere to least privilege. > > Thanks for the link, Bill. > > Henry Troup > Watchfire Corporation > [EMAIL PROTECTED] > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > On Behalf Of Bill Call > Subject: RE: strange new virus > > I wouldn't be so sure about that. Check out: > > http://www.schneier.com/blog/archives/2006/06/hacking_compute.html > > ---------------------------------------------------------------------- > ----- > ---------------------------------------------------------------------- > ----- > > > --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
