COMMAND
autorun.inf
SYSTEMS AFFECTED
Win 95, 98, NT(?)
PROBLEM
Matt Hallacy found that AutoRun runs even when a password-protected
screen saver is active. The scenario is as follows: burn a CD-ROM
containing whatever program you want to run on the password-protected
machine, reference it in autorun.inf, and simply put the CD in the
machine; this can be used to run just about anything. Windows NT will
not perform the AutoRun function while the screen saver is active.
This is not an exploit as such, but it is exploitable on about 80% of
the machines running Windows, since not many people turn AutoRun off.
A few friends had a great time going to Wal-Mart, popping the CD in,
removing the screen savers and a password utility they had on there,
and then having full access. This could just as easily be used to
walk over to a machine, put a disk in drive A:, and have it autorun a
batch file from the disk that copies, say, Turbo Tax documents,
Quicken files, and so on.
There are commercial products that exploit this feature to unlock
workstations. For example:
http://www.ips-corp.com/ssunlock.htm
Matt Hallacy points out that the Windows 95 screen saver password
is easily decrypted. You can find several programs that will
print out the password. For example:
ftp://null.angel.nu/projects/95sscrk.zip
He also points out that most of the time the screen saver password
is identical to the login password for the machine and for other
services.
Eric Stevens mentioned a few more tips. The vulnerability exists
because the autorun.inf file does not apply only to CD drives, or
even only to removable media. This file can be placed on any drive,
with exactly the same effect (a refresh of the drive list may be in
order). He used it to place cute little icons on his drives. If no
icon is specified, the system default icon for that drive type is
used.
The vulnerability is that it is fairly trivial for a programmer to
throw together a small executable that checks the current user and,
possibly, that user's permissions on the local machine. If the user
does not have administrative privileges, the executable simply
invokes Explorer on that directory so it opens like normal. If
administrative privileges are present, it can invoke some other
executable, such as a trojan horse, or it can itself be a trojan
horse that does whatever its little virus heart desires, such as
elevating the privileges of the originating user. When an
administrator logs on locally, they may double-click that drive (it
can be done to all of them) and run the malicious executable without
their knowledge. Our little trojan may even go on to open Explorer to
keep the administrator blissfully unaware that they have just been
compromised.
This exploit requires write access to the root directory of a local
drive in order to work. That is not all that uncommon a permission to
have, especially on a non-C: drive. Similarly, any exploit that
allows uploading arbitrary files to the root directory of any drive
makes this a very real exploit: no directory guessing is needed (did
they name the Windows directory Windows or Winnt?).
SOLUTION
Disable the AutoRun feature in the registry. You may use the
WinHacker utility, or download Tweak UI from the Microsoft site;
among other options, both offer this one. Another approach:
1) Get to the "System" control panel. This is accessible by right
clicking on the "My Computer" icon and selecting "Properties",
or by selecting "System" from the Control Panel.
2) Choose the "Device Manager" tab in the System Properties window
and expand the "CDROM" branch by clicking on the + next to it.
This will display all CD-ROM devices attached to your computer.
3) Select a CD-ROM drive, then click on the "Properties" button.
This brings up the "CD-ROM Properties" window. Select the
"Settings" tab.
4) The checkbox labeled "Auto insert notification" is what controls
AutoRun. Make sure it is unchecked, then click OK, then click
OK again in the System Properties window. When you restart,
your CD-ROM should not AutoRun anymore.
For NT, simply set
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cdrom\Autorun
to 0 to disable AutoRun.
Another registry value, which controls for which drive types Explorer
looks for autorun.inf when they are mapped, is:
Hive: HKEY_CURRENT_USER
Key: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: NoDriveTypeAutoRun
Type: REG_BINARY or REG_DWORD (you must put in the hex value to use a REG_DWORD)
There is also a value called NoDriveAutoRun, described below, that
controls individual drive letters. The first byte of the
NoDriveTypeAutoRun value is a bit-mask that defines which drive types
are autorun. Here are the values:
Type               Bit
DRIVE_UNKNOWN       0
DRIVE_NO_ROOT_DIR   1
DRIVE_REMOVABLE     2
DRIVE_FIXED         3
DRIVE_REMOTE        4
DRIVE_CDROM         5
DRIVE_RAMDISK       6
If a bit is set to 0, that drive type is autorun; if it is set to 1,
that drive type is prevented from autorunning. By ORing these bits
together you can control exactly which drive types autorun. The
default value is 0x95, which is 10010101 in binary. That means that
NO_ROOT_DIR drives, fixed drives, CD-ROMs and RAM disks are autorun.
Bit 7 is reserved to cover future device types. For some reason, a
network drive is sometimes recognized as something else, most likely
as a NO_ROOT_DIR drive, so setting the value to 10010111 (0x97)
instead should make that problem disappear. For more information on
this, see Q136214 (available on MSDN) and the article on Enabling and
Disabling AutoPlay, also on MSDN.
The NoDriveAutoRun value is used to set specific drive letters to
not autorun. Each bit represents a drive letter, with the first bit
being A:, the second B:, and so on. It is a DWORD, so to disable
autoplay on A: and C:, set it to 0x00000005 (binary 101). A 1 means
"don't autoplay"; a 0 means "go right ahead and run anything you
want!"
Since this is set under HKCU, the only way to effectively change
this is to use a policy. Use a policy to disable autorun in at
least these two ways (NoDriveAutoRun, NoDriveTypeAutoRun) for
all Administrative accounts. The problem is that Windows 2000
does not like it much if AutoRun is turned off altogether. As a
matter of fact, it runs it anyway.
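The following helper, added here and not part of the original advisory, encodes and decodes the NoDriveTypeAutoRun and NoDriveAutoRun masks described above (it reproduces the 0x95, 0x97 and 0x05 examples) and prints the reg.exe lines for fully blocking values; the all-ones values 0xFF and 0x03FFFFFF are my choice of hardened setting, not values the advisory gives.

```python
# Bit positions of the drive types in NoDriveTypeAutoRun (table above).
DRIVE_TYPE_BITS = {
    "DRIVE_UNKNOWN": 0,
    "DRIVE_NO_ROOT_DIR": 1,
    "DRIVE_REMOVABLE": 2,
    "DRIVE_FIXED": 3,
    "DRIVE_REMOTE": 4,
    "DRIVE_CDROM": 5,
    "DRIVE_RAMDISK": 6,
}
FUTURE_BIT = 7  # reserved for drive types not yet defined
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def type_mask(blocked_types):
    """NoDriveTypeAutoRun value: a 1 bit blocks autorun for that drive type."""
    mask = 0
    for name in blocked_types:
        mask |= 1 << DRIVE_TYPE_BITS[name]
    return mask

def types_still_autorunning(mask):
    """Drive types a NoDriveTypeAutoRun value leaves enabled (their bit is 0)."""
    return sorted(n for n, bit in DRIVE_TYPE_BITS.items() if not mask & (1 << bit))

def letter_mask(letters):
    """NoDriveAutoRun value: bit 0 is A:, bit 1 is B:, ...; a 1 bit blocks autorun."""
    mask = 0
    for ch in letters:
        mask |= 1 << (ord(ch.upper()) - ord("A"))
    return mask

def letters_blocked(mask):
    """Drive letters whose autorun a NoDriveAutoRun value disables."""
    return [chr(ord("A") + i) for i in range(26) if mask & (1 << i)]

def hardening_commands():
    """reg.exe lines (assumed hardened values) that block every type and every letter."""
    all_types = type_mask(DRIVE_TYPE_BITS) | (1 << FUTURE_BIT)  # 0xFF
    all_letters = letter_mask("ABCDEFGHIJKLMNOPQRSTUVWXYZ")  # 0x03FFFFFF
    return [
        f'reg add "{POLICY_KEY}" /v NoDriveTypeAutoRun /t REG_DWORD /d {all_types} /f',
        f'reg add "{POLICY_KEY}" /v NoDriveAutoRun /t REG_DWORD /d {all_letters} /f',
    ]

if __name__ == "__main__":
    print("default 0x95 still autoruns:", types_still_autorunning(0x95))
    for line in hardening_commands():
        print(line)
```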
An alternative method for NT, which seems to disable AutoRun
completely, is to change the security settings on the
HKEY_CLASSES_ROOT\AutoRun key to read-only.