Hacker News new | ask | show | jobs
by GFischer 4987 days ago
As a security vulnerability, it's interesting but, as they stated, low-severity.

If you have physical access and a local user, it's much easier to use any Linux boot CD and one of the myriad "password recovery" systems.

I used Petter N Hagen's http://pogostick.net/~pnh/ntpasswd/

back in my tech support days (several years ago).

The current tech support guy swears by Hiren's BootCD

http://www.hiren.info/pages/bootcd
5 comments
Permit 4987 days ago
I've always assumed the attack vector was to leave the sticks lying around. If I'm not mistaken, some people have left them at banks in hopes that the employees will plug them into one of the computers there to see what's on it. Almost everyone I know has plugged a USB stick they don't own into their computer at one point or another.
link
robk 4987 days ago
Many PCs are patched now so there's no default autorun.inf (or similar) functionality. So you'd have to run a binary on it to trigger this exploit it seems. Doable of course, but one step harder.
link
andrewaylett 4987 days ago
But it's not an autorun vulnerability, that wouldn't be newsworthy -- the problem is that simply mounting the filesystem exploits bugs in the filesystem driver.
link
amckenna 4987 days ago
No - more needs to be done than simply mounting the filesystem.

He explains that: "With the ability to replace arbitrary kernel memory with arbitrary data, one has lots of options to choose from in order to hijack ring-0 code execution flow." and then goes on to mention "I decided to go with HalDispatchTable, being the easiest and most commonly used technique."

Something has to be run locally that exploits the ntfs filesystem driver bug (introduced by the usb stick) and uses that to write arbitrary data to kernel memory, but then has to divert ring-0 code execution flow (he chooses to overwriting the nt!HalDispatchTable+sizeof(void*) function pointer).

Check out the video to verify

link
robk 4987 days ago
Severity isn't that low. If you hand out a USB stick to a friend and they run a .exe on it, you could surely trigger this exploit invisibly. It's probably not a broad vector attack, but surely would fit very well into a spearphishing scenario. Hand this to a less-than-savvy user and either auto-run via .inf (on older OSes) or dupe them into running some arbitrary binary to "unencrypt the volume" or something they wouldn't understand.

Many newer USB sticks even have preloaded binaries for the supporting software (SanDisk volume utilities come to mind) - this would be a perfectly innocuous location to load this sort of attack.

link
Rastafarian 4987 days ago
Buddy, did you even read the article before commenting??

"andrewaylett:

But it's not an autorun vulnerability, that wouldn't be newsworthy -- the problem is that simply mounting the filesystem exploits bugs in the filesystem driver."

link
amckenna 4987 days ago
@Rastafarian

Did you watch the video before retorting?

In the video he has to run "ntfs_exploit.exe" in order to exploit the vulnerability. That's why a local account, as well as the ability to insert the USB dongle, is needed in order to leverage the exploit. So simply mounting the filesystem is not sufficient to trigger the exploit

link
robk 4987 days ago
Understood, but to fully _exploit_ the vulnerability one would need to actually execute more code than just triggering the vulnerability presumably.
link
chuppo 4987 days ago
You appear to not understand the concepts you are attempting to participate in a discussion about.

To "trigger" the vulnerability is to deliver your exploit code. This USB stick can be inserted into any Windows 7 system and, voila you have your rootkit on that machine, without any user interaction required. No running of .exe files anywhere. You could put some pictures on the usb drive for the user to look at while his system is compromised. (Rootkitted is that a word? Backdoored is.)

link
elarkin 4987 days ago
In his demo video, he needs to run a specially crafted program to actually achieve privilege escalation. That's why you need both physical access and a local user account.

Social engineering only gets you both if you can autorun the executable upon insertion of the usb stick.

link
StavrosK 4987 days ago
> You appear to not understand the concepts you are attempting to participate in a discussion about.

I would be more demure. This way, it wouldn't look this bad when I'm wrong.

link
barrkel 4987 days ago
Most systems that are physically available with local users (e.g. libraries, college computer labs, etc.) will have booting from anything other than the hard drive disabled, and the BIOS password protected. You'd need to open up the machine and reset the CMOS to use this approach.
link
michaelt 4987 days ago
While I was at university, every lecture hall data projector had a PC connected to it. Often people would bring their presentations from home on USB memory sticks.

Nowerdays there are viruses that spread by USB memory stick - and lie dormant on the computer infecting every USB memory stick that gets plugged in. Needless to say, lecture hall computers quickly became infected - even without any malicious intent on the part of the physically present user.

link
mikemarotti 4987 days ago
Hiren's BootCD is exactly the kind of tool I've been looking for - but I can't find the download link on that page. Am I an idiot, or does he not host his own boot cd on his site?
link
GFischer 4987 days ago
He probably doesn't because it contains non-free software.

http://en.wikipedia.org/wiki/Hiren%27s_BootCD

Wikipedia links to this download location:

http://www.hirensbootcd.org/download/

My coworker says he found it on Argentinean site Taringa! ( http://www.taringa.net ), which has had it's brushes with copyright infringement in the past as well.

link
dhugiaskmak 4987 days ago
Working Wikipedia link: http://en.wikipedia.org/wiki/Hiren%27s_BootCD
link
GFischer 4987 days ago
Thanks, edited the original.
link