>There is a small, but potentially very dangerous vulnerability in Windows
>(all versions as far as I know, should be 95,98,NT4 SP*, but only really
>dangerous on NT machines) regarding an autorun.inf file.

This is actually a known issue. I believe I reported it about two years ago to NTBugTraq. The issue is that AutoRun can be enabled on a drive-by-drive or a drive-type by drive-type basis. There are two registry values that control for what drives Explorer looks for the autorun.inf when they are mapped. The first does it on a drive-type basis:

    Hive:  HKEY_CURRENT_USER
    Key:   \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value: NoDriveTypeAutoRun
    Type:  REG_BINARY or REG_DWORD (you must put in the hex value to use a REG_DWORD)

There is also a value called NoDriveAutoRun, that controls the drives.

The first byte of the NoDriveTypeAutoRun value is a bit-mask that defines what drive types are autorun. Here are the values:

    Type                 Bit
    DRIVE_UNKNOWN        0
    DRIVE_NO_ROOT_DIR    1
    DRIVE_REMOVABLE      2
    DRIVE_FIXED          3
    DRIVE_REMOTE         4
    DRIVE_CDROM          5
    DRIVE_RAMDISK        6

If a bit is set to 0, that drive type is autorun; if it is set to 1, you prevent it from autorunning. By ORing these values you can make all kinds of drive types autorun. The default value is 0x95, which translates into 10010101. That means that NoRootDir, Fixed drives, CDRoms and RamDisks are autorun. Bit 7 is used to cover future devices.

For some reason, sometimes a network drive is recognized as something else, most likely a NO_ROOT_DIR drive. So, if you set the value to 10010111 or 0x97 instead, I bet the problem would disappear. For more information on this, see Q136214 (available on MSDN) and the article on Enabling and Disabling AutoPlay, also on MSDN.

The NoDriveAutoRun value is used to set specific drive letters to not autorun. Each bit represents a drive letter, with the first bit being A:, the second being B: and so on. It's a DWORD, so to disable autoplay on A: and C:, set it to 0x00000005 (translates to 101). A 1 means "don't autoplay"; 0 means "go right ahead and run anything you want!"

Since this is set under HKCU, the only way to effectively change this is to use a policy. I would use a policy to disable autorun in at least these two ways (NoDriveAutoRun, NoDriveTypeAutoRun) for all Administrative accounts. The problem is that Windows 2000 does not like it much if AutoRun is turned off altogether. As a matter of fact, it runs it anyway. I have it turned off, and when I insert the Windows 2000 CD, I get a little dialog box that says "We really think you should enable autorun." Pretty scary actually.

I hope this helps.

Jesper M. Johansson
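
The two bit-masks described in the message above, decoded in Python for auditing exported policy values. This is an added example, not part of the original post; the RESERVED_FUTURE label and the MUST_BLOCK set are assumptions of the example.

```python
DRIVE_TYPE_BITS = {
    0: "DRIVE_UNKNOWN",
    1: "DRIVE_NO_ROOT_DIR",
    2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED",
    4: "DRIVE_REMOTE",
    5: "DRIVE_CDROM",
    6: "DRIVE_RAMDISK",
    7: "RESERVED_FUTURE",  # label is this example's; the post only says bit 7 covers future devices
}

def first_byte(raw):
    """Return the mask byte from a REG_DWORD (int) or REG_BINARY (bytes) value."""
    if isinstance(raw, (bytes, bytearray)):
        if not raw:
            raise ValueError("empty REG_BINARY value")
        return raw[0]
    return raw & 0xFF

def decode_drive_types(raw):
    """Split NoDriveTypeAutoRun into (types that autorun, types that are blocked)."""
    mask = first_byte(raw)
    enabled = [n for b, n in DRIVE_TYPE_BITS.items() if not (mask >> b) & 1]
    blocked = [n for b, n in DRIVE_TYPE_BITS.items() if (mask >> b) & 1]
    return enabled, blocked

def blocked_letters(value):
    """Drive letters whose NoDriveAutoRun bit is 1 (bit 0 = A:, bit 1 = B:, ...)."""
    return [chr(ord("A") + i) + ":" for i in range(26) if (value >> i) & 1]

def letters_to_mask(letters):
    """Build a NoDriveAutoRun DWORD that blocks the given drive letters."""
    mask = 0
    for letter in letters:
        index = ord(letter[0].upper()) - ord("A")
        if not 0 <= index < 26:
            raise ValueError("not a drive letter: %r" % letter)
        mask |= 1 << index
    return mask

# Assumption of this example: the drive types an auditor wants blocked.
MUST_BLOCK = ("DRIVE_NO_ROOT_DIR", "DRIVE_REMOVABLE", "DRIVE_REMOTE")

def unblocked_risky_types(raw, must_block=MUST_BLOCK):
    """Return the must_block types that the given value still lets autorun."""
    enabled, _ = decode_drive_types(raw)
    return [t for t in must_block if t in enabled]
```

With the values quoted in the post, unblocked_risky_types(0x95) returns DRIVE_NO_ROOT_DIR and unblocked_risky_types(0x97) returns an empty list.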
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:07 PDT