Nasser Heidari

2009-01-24

Microsoft Windows Does Not Disable AutoRun Properly !

Filed under: Microsoft Windows — Nasser Heidari @ 02:06

Source: Technical Cyber Security Alert TA09-020A

Microsoft Windows Does Not Disable AutoRun Properly

Original release date: January 20, 2009
Last revised: —
Source: US-CERT

Systems Affected

* Microsoft Windows

Overview

Disabling AutoRun on Microsoft Windows systems can help prevent the
spread of malicious code. However, Microsoft’s guidelines for
disabling AutoRun are not fully effective, which could be
considered a vulnerability.

I. Description

Microsoft Windows includes an AutoRun feature, which can
automatically run code when removable devices are connected to the
computer. AutoRun (and the closely related AutoPlay) can
unexpectedly cause arbitrary code execution in the following
situations:

* A removable device is connected to a computer. This includes, but
is not limited to, inserting a CD or DVD, connecting a USB or
Firewire device, or mapping a network drive. This connection can
result in code execution without any additional user interaction.

* A user clicks the drive icon for a removable device in Windows
Explorer. Rather than exploring the drive’s contents, this action
can cause code execution.

* The user selects an option from the AutoPlay dialog that is
displayed when a removable device is connected.  Malicious
software, such as W32.Downadup, is using AutoRun to
spread. Disabling AutoRun, as specified in the CERT/CC
Vulnerability Analysis blog, is an effective way of helping to
prevent the spread of malicious code.

The Autorun and NoDriveTypeAutorun registry values are both
ineffective for fully disabling AutoRun capabilities on Microsoft
Windows systems. Setting the Autorun registry value to 0 will not
prevent newly connected devices from automatically running code
specified in the Autorun.inf file. It will, however, disable Media
Change Notification (MCN) messages, which may prevent Windows from
detecting when a CD or DVD is changed. According to Microsoft,
setting the NoDriveTypeAutorun registry value to 0xFF “disables
Autoplay on all types of drives.” Even with this value set, Windows
may execute arbitrary code when the user clicks the icon for the
device in Windows Explorer.

II. Impact

By placing an Autorun.inf file on a device, an attacker may be able
to automatically execute arbitrary code when the device is
connected to a Windows system. Code execution may also take place
when the user attempts to browse to the software location with
Windows Explorer.

III. Solution

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the
following registry value:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@=”@SYS:DoesNotExist”

To import this value, perform the following steps:

* Copy the text
* Paste the text into Windows Notepad
* Save the file as autorun.reg
* Navigate to the file location
* Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from
mounted devices in the MountPoints2 registry key. We recommend
restarting Windows after making the registry change so that any
cached mount points are reinitialized in a way that ignores the
Autorun.inf file. Alternatively, the following registry key may be
deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code
execution scenarios described above will be mitigated because
Windows will no longer parse Autorun.inf files to determine which
actions to take. Further details are available in the
CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin
Atac for providing the workaround.

IV. References

* The Dangers of Windows AutoRun –
<http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html>

* US-CERT Vulnerability Note VU#889747 –
<http://www.kb.cert.org/vuls/id/889747>

* Nick Brown’s blog: Memory stick worms –
<http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>

* TR08-004 Disabling Autorun –
<http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx>

* How to Enable or Disable Automatically Running CD-ROMs –
<http://support.microsoft.com/kb/155217>

* NoDriveTypeAutoRun –
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx>

* Autorun.inf Entries –
<http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx>

* W32.Downadup –
<http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99>

* MS08-067 Worm, Downadup/Conflicker –
<http://www.f-secure.com/weblog/archives/00001576.html>

* Social Engineering Autoplay and Windows 7 –
<http://www.f-secure.com/weblog/archives/00001586.html>

2009-01-05

Hide password entry in bash shell script

Filed under: Linux — Nasser Heidari @ 07:14

stty_save=$(stty -g)
stty -echo
read -p “Please enter your password: ” secret
stty $stty_save

2009-01-03

FreeBSD Memory Statistics

Filed under: freebsd — Nasser Heidari @ 09:23

# cd /usr/ports/sysutils/muse
# make install clean && rehash
# muse -m
Active:       44.953 MB
Inactive:    335.492 MB
Wired:       138.852 MB
Reserved:      2.797 MB
Cache:         6.094 MB
Kernel:        0.133 MB
Interrupt:     0.008 MB
Buffer:      112.188 MB

Total:      1999.109 MB
Free:       1472.758 MB

Blog at WordPress.com.