Hi, I tested it but it will only work when the user has admin rights. With a normal user it will not work because it cannot change properties of users or make a new user.
Sam

----- Original Message -----
From: "RSnake" <[EMAIL PROTECTED]>
To: "Chris Withers" <[EMAIL PROTECTED]>
Cc: "Gadi Evron" <[EMAIL PROTECTED]>; "Harlan Carvey" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, June 28, 2004 6:03 PM
Subject: Re: [Full-Disclosure] Re: USB risks (continued)

>
> Of course it's not. That's just Microsoft's explanation. There's no
> good reason, just a vague distinction. My only point is that it isn't a
> reliable attack vector, unlike onboard CDROMs (the media, not the device
> must be removable). Here is how Microsoft defines it on their usbfaq page
> (sorry, the links are broken, I just cut and pasted from
> http://www.microsoft.com/whdc/device/storage/usbfaq.mspx):
>
> Q: What must I do to trigger Autorun on my USB storage device?
> If you need to make a USB storage device that executes Autorun, the following
> two conditions must both be true:
>
> - Media must be marked as removable.
>
> - The device can be set to either static or removable.
>
> We associate the "removable" nature of a device with the bus that it resides
> on. This means that a disk on an Integrated Device Electronics (IDE) or SCSI
> bus would be considered fixed, whereas a disk on a USB or IEEE 1394 bus would
> be regarded as removable by default. PnP uses a bit in the DEVICE_CAPABILITIES
> structure to determine this. For more information, see the DEVICE_CAPABILITIES
> Plug and Play Structure in the Windows DDK, located at
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/k112_22r6.asp.
>
> The "removable" nature of media is a property of the device. For example, in
> the case of a CD-ROM or a ZIP drive, the medium can be removed without the
> device itself going away, but on the other hand the medium and the disk cannot
> be separated on static storage PC cards. We obtain this information by using
> the StorageDeviceProperty request. For more information, see the
> STORAGE_DEVICE_DESCRIPTOR Storage Structure in the Windows DDK, located at
> http://msdn.microsoft.com/library/en-us/storage/hh/storage/k306_00qa.asp.
>
>
> On Mon, 28 Jun 2004, Chris Withers wrote:
>
> | Date: Mon, 28 Jun 2004 11:59:11 +0100
> | From: Chris Withers <[EMAIL PROTECTED]>
> | To: RSnake <[EMAIL PROTECTED]>
> | Cc: Gadi Evron <[EMAIL PROTECTED]>,
> |     Harlan Carvey <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
> |     [EMAIL PROTECTED]
> | Subject: [Full-Disclosure] Re: USB risks (continued)
> |
> | RSnake wrote:
> | > writeable, but the drives aren't removable on CDs. That of course isn't true
> | > if you have a USB drive, but I think part of the deal there is that you need to
> | > install special drivers to even read USB CD drives.
> |
> | ...that's not true ;-)
> |
> | Chris
> |
> | --
> | Simplistix - Content Management, Zope & Python Consulting
> |            - http://www.simplistix.co.uk
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html
> |
>
> -R
>
> The information in this email is confidential and may be legally
> privileged. It is intended solely for the addressee. Access to
> this email by anyone else is unauthorized. If you are not the
> intended recipient, any disclosure, copying, distribution or any
> action taken or omitted to be taken in reliance on it is
> expressly prohibited and may be unlawful.
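
The FAQ text quoted in this thread ties Autorun to how Windows classifies the device (by bus) and its media (removable or not). The following audit script is an added example, not part of the original messages: it lists that classification for each attached disk and volume and checks whether Autorun is disabled for the volume's class. The `NoDriveTypeAutoRun` policy value and the CIM classes used are not mentioned in the thread and are assumptions of this example, as is the helper name `Get-AutorunPolicyState`.

```powershell
# Added example (not from the thread): report how Windows classifies each
# attached disk and volume, and whether Autorun is disabled for that class.
# Assumption: only the machine-wide policy value is read; a per-user value
# under HKCU is not examined.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy    = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
$mask      = if ($policy) { [int]$policy.NoDriveTypeAutoRun } else { $null }

# Win32_LogicalDisk.DriveType codes; the policy bit for type n is (1 -shl n).
$driveTypes = @{
    0 = 'Unknown'; 1 = 'NoRootDir'; 2 = 'Removable'; 3 = 'Fixed'
    4 = 'Network'; 5 = 'CD-ROM';    6 = 'RAMDisk'
}

# Hypothetical helper: map a drive type and policy mask to a readable state.
function Get-AutorunPolicyState {
    param([int]$DriveType, $Mask)
    if ($null -eq $Mask) { return 'no policy value (OS default applies)' }
    if ($Mask -band (1 -shl $DriveType)) { 'disabled by policy' }
    else { 'not disabled by policy' }
}

# Device view: the bus the disk sits on and whether its media is removable.
Get-CimInstance -ClassName Win32_DiskDrive |
    Select-Object Model, InterfaceType, MediaType |
    Format-Table -AutoSize

# Volume view: the drive type Windows assigned and the matching policy bit.
Get-CimInstance -ClassName Win32_LogicalDisk | ForEach-Object {
    [pscustomobject]@{
        Volume    = $_.DeviceID
        DriveType = $driveTypes[[int]$_.DriveType]
        Autorun   = Get-AutorunPolicyState -DriveType $_.DriveType -Mask $mask
    }
} | Format-Table -AutoSize
```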
