lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 20 Jun 2004 00:11:11 +1200
From: Jp Wise <jpwise@...thome.net>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Re: USB risks (continued)


Hi All, this isn't a subject I claim to know anything about, but has 
anyone previously looked at using the partition table, and it's various 
codes for the filesystems? A USB or PCMCIA drive for that matter has 
it's own partition table (I believe). The OS then reads the table, and 
loads the approprate filesystem driver to attempt mounting the 
filesystem. fastfat.sys ntfs.sys and possibly even cdfs.sys

If there's a bug or a buffer overflow that can be accessed via the 
filesystem driver itself then it may be exploitable. I believe the 
filesystem drivers are probably a Ring0 driver aswell, so if it was 
exploited it's straight into the bottom level of the OS.

If 2k or XP will install the device while the workstation is still 
locked it leads that you might be able to gain admin even on a locked 
workstation (or server). Although I don't have a usb drive so can't test 
if it installs or not.

Just an idea.

Jp.

Harlan Carvey wrote:

>I agree, the use of USB-connected devices is nothing
>new.  They make a very unobtrusive delivery system, as
>well as a great way to load vast amounts of data into
>an extremely small space to get information out of an
>organization.
>
>But you know something, that's not really the point. 
>Yes, this is an old concern.  It goes right up there
>w/ digital camera-enabled cell phones and variety of
>other security risks.  
>
>I've been after one thing from the
>beginning...information.  Evil Wrangler said that
>information should be free, but when I asked him some
>questions, all I got back was, "what...never heard of
>hacking??"
>
>In his 2600 article, EW stated that he plugged a USB
>device into a friend's computer, and the autorun.inf
>file was automatically parsed and commands within the
>"open=" line of that file were automatically run.
>
>According to documentation at MS, by default, this
>should not be possible.  The NoDriveTypeAutorun key
>within the Registry allows CDs to run the autorun.inf
>file, but not removeable drive types, such as floppies
>and USB thumb drives.
>
>I have asked for specifics such as manufacturer and
>model number of the device used, specific information
>regarding drivers loaded, etc.  After all, EW says
>that "information should be free", but I certainly
>don't see him freeing any information.  If anyone has
>any information that can be used in repeatable
>experiments, I'd appreciate hearing from you.
>
>Thanks,
>
>Harlan
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>  
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ