RE: USB delivered attacks - lessons learned/summary (so far)

From: Jerry Shenk (jshenkdecommunications.com)
Date: Wed Jun 02 2004 - 13:25:09 CDT


NO. At least not in my testing. I didn't try multiple versions and
multiple service packs so there could be times when it does but in my
testing, when a CD was inserted with the screensaver locked, it never
ran autorun unless the CD was re-inserted after unlocking the screen.

-----Original Message-----
From: Jon McClintock [mailto:jammerweak.org]
Sent: Wednesday, June 02, 2004 2:20 PM
To: Jerry Shenk
Subject: Re: USB delivered attacks - lessons learned/summary (so far)

Hi there,

Question on the autorun and screensavers...if I drop a CD in your
screensaver-locked desktop, does the autorun kick in when you unlock
the screensaver?

-Jon

On Tue, Jun 01, 2004 at 10:18:29PM -0400, Jerry Shenk wrote:
> Well, I'm done messing with this....at least for the moment. Here's
> what I've found out. All my testing so far has been done on a Windows
> XP laptop. I was planning to try other versions but for now, I'll
> leave it go at this. Here's a summary of what I've discovered:
>
> USB devices don't use autorun - well, they seem to do something with it
> 'cuz if there's an "open=" statement in the autorun.inf, they don't pop
> up an explorer window. If there is an "icon=" statement in the
> autorun.inf file, the icon for the explorer windows will be the
> specified icon. This leads me to believe that autorun is at least
> looking at the USB drive. Maybe if the right stuff is in that file,
> there might be a way to run something. I tried pulling the .ico file
> off my web server but that didn't work...yet;)
>
> Autorun under XP doesn't work if the screensaver has the screen locked.
> I didn't try this with multiple OS'.
>
> The USB devices I tried were a flashdrive and an SD card reader with a
> 128 meg card from my camera. I didn't try my 120 gig USB hard drive
> 'cuz it's formatted for the wrong OS at the moment....that kind of blows
> the clandestine nature of a thumbdrive....need for power, a rather large
> device....
>
> Somebody said that 2600 had something about this type of thing in the
> current 2600 magazine. That would suggest that a few other people have
> been playing with this idea. Somebody with more brains, ideas or time
> than I is likely to come up with something pretty nasty.
>
> Nearly every post stated something about the dangers of autorun. One
> post suggested just using a CD. Most people have autorun turned on so
> if there's an internet connection or a computer in the office that can
> receive data....well, that'll work just as well as USB. If the CD is
> labeled with something "interesting", perhaps a few people will check it
> out.
>
> Another poster suggested that this is all just a good reminder of the
> basics of security, you wouldn't let some stranger come up and swap
> drives in your machine, why assume that his USB thumbdrive is so
> innocuous just 'cuz it's small and trendy.
>
> Here's the autorun.inf file I was playing with
> [autorun]
> ;OPEN=ping.exe 10.1.1.5
> icon=http://www.website.org/blue.ico
> ;icon=\icons\red.ico
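
An added example, not part of the original thread: a small auditor for autorun.inf files found on removable media, run here on the file quoted above. It reports active launch directives, launch directives that are only commented out with ";", and icon references that point off the media. The function names are hypothetical, and the launch keys beyond "open=" are an assumption about which other autorun.inf keys to watch, not something the post tested.

```python
from urllib.parse import urlparse

# Constructed sample: the autorun.inf quoted in the post above.
SAMPLE = r"""[autorun]
;OPEN=ping.exe 10.1.1.5
icon=http://www.website.org/blue.ico
;icon=\icons\red.ico
"""

# Keys that name a program to start. "open" is from the post; "shellexecute"
# and "shell\<verb>\command" are other launch keys of the autorun.inf format.
LAUNCH_KEYS = {"open", "shellexecute"}

def parse_autorun(text):
    """Split a file into active and ';'-commented (section, key, value) entries."""
    active, commented, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        disabled = line.startswith(";")
        line = line.lstrip(";").strip()
        if line.startswith("[") and line.endswith("]"):
            if not disabled:
                section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        entry = (section, key.strip().lower(), value.strip())
        (commented if disabled else active).append(entry)
    return active, commented

def is_remote(value):
    """True for a URL or UNC path, i.e. a resource fetched from off the media."""
    return urlparse(value).scheme in {"http", "https", "ftp"} or value.startswith("\\\\")

def findings(text):
    """Return (kind, key, value) tuples worth a reviewer's attention."""
    active, commented = parse_autorun(text)
    out = []
    for section, key, value in active:
        if section != "autorun":
            continue
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            out.append(("launch", key, value))
        elif key == "icon" and is_remote(value):
            out.append(("remote-icon", key, value))
    out += [("disabled-launch", k, v) for s, k, v in commented
            if s == "autorun" and k in LAUNCH_KEYS]
    return out
```

Calling `findings(SAMPLE)` reports the remote icon reference as active and the `OPEN=` line as a disabled launch directive, matching the state of the file as posted.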