by Permit 4984 days ago
I've always assumed the attack vector was to leave the sticks lying around. If I'm not mistaken, some people have left them at banks in hopes that the employees will plug them into one of the computers there to see what's on it. Almost everyone I know has plugged a USB stick they don't own into their computer at one point or another.
1 comment

Many PCs are patched now so there's no default autorun.inf (or similar) functionality. So you'd have to run a binary on it to trigger this exploit it seems. Doable of course, but one step harder.
But it's not an autorun vulnerability, that wouldn't be newsworthy -- the problem is that simply mounting the filesystem exploits bugs in the filesystem driver.
No - more needs to be done than simply mounting the filesystem.

He explains that: "With the ability to replace arbitrary kernel memory with arbitrary data, one has lots of options to choose from in order to hijack ring-0 code execution flow." and then goes on to mention "I decided to go with HalDispatchTable, being the easiest and most commonly used technique."

Something has to be run locally that exploits the NTFS filesystem driver bug (introduced by the USB stick) and uses that to write arbitrary data to kernel memory, but then has to divert ring-0 code execution flow (he chooses to overwrite the nt!HalDispatchTable+sizeof(void*) function pointer).

Check out the video to verify