[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40D42D5F.2070303@softhome.net>
Date: Sun, 20 Jun 2004 00:11:11 +1200
From: Jp Wise <jpwise@...thome.net>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Re: USB risks (continued)
Hi All, this isn't a subject I claim to know anything about, but has
anyone previously looked at using the partition table, and it's various
codes for the filesystems? A USB or PCMCIA drive for that matter has
it's own partition table (I believe). The OS then reads the table, and
loads the approprate filesystem driver to attempt mounting the
filesystem. fastfat.sys ntfs.sys and possibly even cdfs.sys
If there's a bug or a buffer overflow that can be accessed via the
filesystem driver itself then it may be exploitable. I believe the
filesystem drivers are probably a Ring0 driver aswell, so if it was
exploited it's straight into the bottom level of the OS.
If 2k or XP will install the device while the workstation is still
locked it leads that you might be able to gain admin even on a locked
workstation (or server). Although I don't have a usb drive so can't test
if it installs or not.
Just an idea.
Jp.
Harlan Carvey wrote:
>I agree, the use of USB-connected devices is nothing
>new. They make a very unobtrusive delivery system, as
>well as a great way to load vast amounts of data into
>an extremely small space to get information out of an
>organization.
>
>But you know something, that's not really the point.
>Yes, this is an old concern. It goes right up there
>w/ digital camera-enabled cell phones and variety of
>other security risks.
>
>I've been after one thing from the
>beginning...information. Evil Wrangler said that
>information should be free, but when I asked him some
>questions, all I got back was, "what...never heard of
>hacking??"
>
>In his 2600 article, EW stated that he plugged a USB
>device into a friend's computer, and the autorun.inf
>file was automatically parsed and commands within the
>"open=" line of that file were automatically run.
>
>According to documentation at MS, by default, this
>should not be possible. The NoDriveTypeAutorun key
>within the Registry allows CDs to run the autorun.inf
>file, but not removeable drive types, such as floppies
>and USB thumb drives.
>
>I have asked for specifics such as manufacturer and
>model number of the device used, specific information
>regarding drivers loaded, etc. After all, EW says
>that "information should be free", but I certainly
>don't see him freeing any information. If anyone has
>any information that can be used in repeatable
>experiments, I'd appreciate hearing from you.
>
>Thanks,
>
>Harlan
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists