--introduction--

There is a small, but potentially very dangerous, vulnerability in Windows (all versions as far as I know; should be 95, 98, NT4 SP*, but only really dangerous on NT machines) regarding an autorun.inf file.

--background--

Autorun.inf is a file that is primarily used on CDs, containing information basically on what to do when a new CD is entered into the drive. The type of information that this file can contain, to the best of my knowledge, is an icon to display for the drive, and executables to run; the executable can actually be broken down by platform if need be.

--descriptive introduction--

The vulnerability exists because the autorun.inf file does not apply only to CD drives, or even removable media. Actually, this file can be placed on any drive, with exactly the same effects (a refresh of the drive list may be in order). I've used it to place cute little icons on my drives. If no icon is specified, the system default icon for that drive is used.

--the meat and an example--

The vulnerability is that it is somewhat arbitrary for a programmer to throw together a small executable that checks the current user, and possibly that user's permissions on the local machine. This executable could be a file that detects user privileges, and if the user does not possess administrative privileges, then it invokes Explorer on that directory to open the directory like normal. If administrative privileges are possessed, then it can invoke some other executable, such as a trojan horse virus, or it could itself be a trojan horse which implements whatever its little virus heart desires, such as promoting privileges on the originating user.

--more on the example--

When an administrator logs on locally, they may double-click that drive (it can be done to all of them) and run the malicious executable without their knowledge. Our little trojan may even continue on to open Explorer to keep the administrator blissfully unaware that they have just been compromised.
--the limitation--

This exploit requires write access to the root directory of a local drive in order to work. That's not all that uncommon a permission to have, especially for a non-C: drive. Similarly, any exploit allowing the uploading of arbitrary files to the root directory of any drive makes this a very real exploit: no directory guessing, i.e. did they name the WIN directory Windows or Winnt?

--the workaround--

Disable the autorun feature. There's a key for it somewhere in the registry.

--possible difficulties with the workaround--

There are actually two levels of autorun to disable. One is where it no longer checks newly inserted media for an autorun; one is where it never checks for an autorun file at all. The first one still leaves the vulnerability open, as a refresh of the drive list will detect the autorun file, making autorun the default action, but not actually running it. VMware disables autorun (or at least provides an option to), but this is actually the first, insecure one. I believe, but am not certain, that TweakUI will disable autorun file detection. To test it, disable the playing of data CDs in TweakUI, log out and back in, drop a CD with autorun into the drive, open My Computer, hit refresh (F5), and double-click the CD drive. If the autorun plays, you've not implemented the workaround properly.

--how to know if you're affected--

You can tell if a drive has an autorun file on it if you right-click the drive and see Autorun as the primary (bolded) function.

--apology--

Sorry if any of this is incoherent; sleep need I more, yes?
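The following is an added example, not code from the original post, covering three points above: what an autorun.inf of the kind described looks like, how to audit every local fixed drive root for one (the "how to know if you're affected" check, done without relying on Explorer's bolded verb), and the registry setting the post refers to only as "a key somewhere". The key is NoDriveTypeAutoRun under Policies\Explorer, a bit mask of drive types for which Explorer ignores autorun.inf; 0xFF covers every drive type, and 0x08 on its own covers fixed disks. The demo directory, the file names (helper.exe) and the Get-AutorunEntries function are assumptions made for illustration; the autorun.inf written here is constructed, not taken from any real media.

```powershell
# Added example (not from the original post): audit drive roots for autorun.inf
# and apply the NoDriveTypeAutoRun workaround. Assumes a Windows host with
# PowerShell 3 or later. $DemoRoot and helper.exe are illustrative only.

$DemoRoot = Join-Path $env:TEMP 'autorun-demo'   # stand-in for a drive root
New-Item -ItemType Directory -Path $DemoRoot -Force | Out-Null

# A constructed autorun.inf of the kind the post describes: 'icon=' sets the
# drive icon, 'open=' names the executable Explorer runs as the default verb.
@'
[autorun]
open=helper.exe
icon=helper.exe,0
'@ | Set-Content -Path (Join-Path $DemoRoot 'autorun.inf') -Encoding ASCII

function Get-AutorunEntries {
    # Return one object per launch directive found in autorun.inf at each root.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $section = ''
        foreach ($line in Get-Content -LiteralPath $inf) {
            $t = $line.Trim()
            if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
            if ($section -ne 'autorun') { continue }
            # open=, shellexecute= and shell\<verb>\command= all name something to run
            if ($t -match '^(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+)$') {
                [pscustomobject]@{ Root = $root; Key = $Matches[1]; Target = $Matches[2] }
            }
        }
    }
}

# Roots to audit: every local fixed drive (Win32_LogicalDisk DriveType 3)
# plus the constructed demo directory, so the run shows at least one hit.
$roots = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
           ForEach-Object { $_.DeviceID + '\' }) + $DemoRoot
Get-AutorunEntries -Roots $roots | Format-Table -AutoSize

# Workaround: per-user policy (use HKLM:\ for the machine-wide equivalent).
# 0xFF disables autorun handling for all drive types; 0x08 alone = fixed disks.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun
```

The policy value takes effect for new Explorer sessions, so the post's own test (log out and back in, refresh My Computer, double-click the drive) is still the right way to confirm that the setting you applied is the one that stops the file from being acted on, rather than only the insert-time check.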
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:58 PDT