Re: AUTORUN Vulnerability - Round 2

[David LeBlanc <dleblanc () mindspring com>]

> -----Original Message-----
> From: Nelson Brito

> Well, like Ben told me, people are confused.

> OK, I'll try to make myself more clear.

OK

> When Domain Admin mount the user's shared then he'll execute the
> "arbitary code".

This isn't true. Or at least it needs clarification. Let's say that you have
a share, \\evilserver\nastytrojans. Now I as an admin access that share
somehow. What happens depends on how I access it. "mount" is not a precise
term, as there are many possible ways to access a remote share - you can
assign a drive letter to it or not, and you could browse the share using a
command line (for example, a batch file), or you could use Explorer. So if
you are going to say that something happens when an admin accesses the
share, you have to specify how this is done.

If I do this:

net use \\evilserver\nastytrojans /user:domain\domain admin password

Then nothing happens. I can read the share, and everything is fine.

Now say I go to Explorer, and type in the path \\evilserver\nastytrojans,
then I still read the share and autorun.exe does not run. So now we have two
ways for the admin to access the share where autorun.exe doesn't fire.

OK, now I try the following -

net use z: \\evilserver\nastytrojans /user:domain\domain admin password

and I then browse the new z:\ drive, and again the autorun.exe does not
fire.

This testing is done using a CD that has a legitimate autorun.exe and
autorun.inf, which I have "mounted" in various ways.

Now, I have just tested the exact same thing remotely (while logged in as
domain admin here on my home domain), and I cannot seem to get the
autorun.exe to fire at all (unless I double-click on it). Note that both
systems are Win2k Server at SP1 + various patches. I am certain the domain
controller is an default installation.

Also, for good measure, I have tried:

dir \\evilserver\nastytrojans

from the command line, and again, nothing happens.

So apparently (at least on Win2k), there are several ways for me to access a
share that has an autorun.exe and autorun.inf that I have verified to work
(just popped the CD in and out, it ran), and I cannot seem to get it to work
using every way I know how an admin might access the share.

Perhaps the problem could be specific to NT 4.0 systems, or it could be that
I am missing something. In fact, I just copied these files to a local hard
drive, and it still did not fire. It seems that it only works for removable
media on my systems (and then only when I remove and reinsert the media). I
don't have any NT 4.0 systems currently running on my home network, so it
wasn't practical to do a full test matrix.

I do note that I have NoDriveTypeAutoRun = 0x95 set in HKCU (I didn't change
this myself). I don't recall exactly what this implies (perhaps Jesper has
this info handy). Apparently, even if the poor admin is indeed stupid, he is
safe from this attack if he happens to be running Win2k.

If I am missing something here, corrections are quite welcome.