Re: [Full-Disclosure] Re: USB risks (continued)

[Jp Wise]

Hi All, this isn't a subject I claim to know anything about, but has 
anyone previously looked at using the partition table, and it's various 
codes for the filesystems? A USB or PCMCIA drive for that matter has 
it's own partition table (I believe). The OS then reads the table, and 
loads the approprate filesystem driver to attempt mounting the 
filesystem. fastfat.sys ntfs.sys and possibly even cdfs.sys

If there's a bug or a buffer overflow that can be accessed via the 
filesystem driver itself then it may be exploitable. I believe the 
filesystem drivers are probably a Ring0 driver aswell, so if it was 
exploited it's straight into the bottom level of the OS.

If 2k or XP will install the device while the workstation is still 
locked it leads that you might be able to gain admin even on a locked 
workstation (or server). Although I don't have a usb drive so can't test 
if it installs or not.

Just an idea.
Jp.
Harlan Carvey wrote:
I agree, the use of USB-connected devices is nothing
new.  They make a very unobtrusive delivery system, as
well as a great way to load vast amounts of data into
an extremely small space to get information out of an
organization.
But you know something, that's not really the point. 
Yes, this is an old concern.  It goes right up there
w/ digital camera-enabled cell phones and variety of
other security risks.  

I've been after one thing from the
beginning...information.  Evil Wrangler said that
information should be free, but when I asked him some
questions, all I got back was, "what...never heard of
hacking??"
In his 2600 article, EW stated that he plugged a USB
device into a friend's computer, and the autorun.inf
file was automatically parsed and commands within the
"open=" line of that file were automatically run.
According to documentation at MS, by default, this
should not be possible.  The NoDriveTypeAutorun key
within the Registry allows CDs to run the autorun.inf
file, but not removeable drive types, such as floppies
and USB thumb drives.
I have asked for specifics such as manufacturer and
model number of the device used, specific information
regarding drivers loaded, etc.  After all, EW says
that "information should be free", but I certainly
don't see him freeing any information.  If anyone has
any information that can be used in repeatable
experiments, I'd appreciate hearing from you.
Thanks,
Harlan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html