Hey all,

Back in December 2006 Harlan C, Thor HoG and I had an interesting conversation about the possible use of a buffer overflow attack against the explorer process that scans a new drive and processes the content of AutoRun and .ICO files. I said at the time that I don't have the skills necessary to write the exploit code, but I was pretty sure someone would.

For those interested, the subject line was "RE: U3 TEchnology was RE: strange new virus"; for reasons that will become apparent to the reader :)

Sure enough, at the end of March 2007, someone thinking along the same lines worked out "Microsoft Windows Cursor And Icon ANI Format Handling Remote Code Execution Vulnerability", BugTraq ID: 23194.

I'm hoping that the same will happen again here...

If a Windows service or driver set to start at boot (i.e. "Automatic") fails to start for whatever reason, a message is displayed at the console. The message also appears on top of the logon prompt, and is therefore running in the system context. The "service or driver failed to start" message is a generic event sink for a variety of failures (including, oddly enough, "file not found").

It occurs to me that this event sink could probably be compromised, such that it would drop your exploit code out to executable RAM, and in the system context. System context under Windows 2003 is even more dangerous than it was under NT/2000, as under certain circumstances it allows access to the Active Directory domain as well.

Thoughts?

Incidentally, Ant F? If you're reading this, stop working and eat more lunch :)

Cheers
James

James D. Stallard, MIoD
Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
Mobile: +44 (0) 7979 49 8880
Skype: JamesDStallard
