Introducing the USB Stick of Death(j00ru.vexillium.org) |
It's like the various autorun exploits, but better because you don't need an additional privilege escalation vulnerability and you get to execute your attack even if autorun is turned off completely.
Being able to compromise a system via a mundane and apparently benign action is never low-severity.
If you have physical access and a local user, it's much easier to use any Linux boot CD and one of the myriad "password recovery" systems.
I used Petter N Hagen's http://pogostick.net/~pnh/ntpasswd/ back in my tech support days (several years ago).
The current tech support guy swears by Hiren's BootCD
Many newer USB sticks even have preloaded binaries for the supporting software (SanDisk volume utilities come to mind) - this would be a perfectly innocuous location to load this sort of attack.
"andrewaylett:
But it's not an autorun vulnerability, that wouldn't be newsworthy -- the problem is that simply mounting the filesystem exploits bugs in the filesystem driver."
Nowadays there are viruses that spread by USB memory stick - and lie dormant on the computer, infecting every USB memory stick that gets plugged in. Needless to say, lecture hall computers quickly became infected - even without any malicious intent on the part of the physically present user.
http://en.wikipedia.org/wiki/Hiren%27s_BootCD
Wikipedia links to this download location:
http://www.hirensbootcd.org/download/
My coworker says he found it on the Argentinean site Taringa! ( http://www.taringa.net ), which has had its brushes with copyright infringement in the past as well.
Is kernel memory mapped into user processes on Windows?
(I noticed it first when I was working with the jump drive and had the system grind to a halt. Removed the drive and it immediately unfroze. Further testing confirmed it.)
He explains that: "With the ability to replace arbitrary kernel memory with arbitrary data, one has lots of options to choose from in order to hijack ring-0 code execution flow." and then goes on to mention "I decided to go with HalDispatchTable, being the easiest and most commonly used technique."
Something has to be run locally that exploits the NTFS filesystem driver bug (introduced by the USB stick) and uses that to write arbitrary data to kernel memory, but then has to divert ring-0 code execution flow (he chooses to overwrite the nt!HalDispatchTable+sizeof(void*) function pointer).
Check out the video to verify.
Did you watch the video before retorting?
In the video he has to run "ntfs_exploit.exe" in order to exploit the vulnerability. That's why a local account, as well as the ability to insert the USB dongle, is needed in order to leverage the exploit. So simply mounting the filesystem is not sufficient to trigger the exploit.
To "trigger" the vulnerability is to deliver your exploit code. This USB stick can be inserted into any Windows 7 system and, voila, you have your rootkit on that machine, without any user interaction required. No running of .exe files anywhere. You could put some pictures on the USB drive for the user to look at while his system is compromised. (Rootkitted, is that a word? Backdoored is.)
Social engineering only gets you both if you can autorun the executable upon insertion of the usb stick.
I would be more demure. This way, it wouldn't look this bad when I'm wrong.