Windows Autorun.Inf Vulnerability

Reported February 18, 2000 by Eric Stevens

VERSIONS AFFECTED

Microsoft Windows 95, 98, NT 4.0, and possibly Win2K

DESCRIPTION

Eric reported an interesting discovery regarding AUTORUN.INF files on Windows platforms. According to Eric's report, "Autorun.inf is a file that is primarily used on CDs containing information basically on what to do when a new CD is entered into the drive. The type of information that this file can contain, to the best of my knowledge, is an icon to display for the drive, and executables to run, the executable can actually be broken down by platform if needs be.

Descriptive introduction. The vulnerability exists because the autorun.inf file does not apply only to CD drives, or even removable media. Actually, this file can be placed on any drive, with exactly the same effects (a refresh of the drive list may be in order). I"ve used it to place cute little icons on my drives. If no icon is specified, the system default icon for that drive is used."

DEMONSTRATION

Quoting from Eric"s report,

The Meat and an Example. The vulnerability is that it is somewhat arbitrary for a programmer to throw together a small executable that checks the current user, and possibly that user"s permissions on the local machine. This executable could be a file that detects user privileges, and if the user does not possess administrative privileges, then it invokes Explorer on that directory to open the directory like normal. If administrative privileges are possessed, then it can invoke some other executable, such as a trojan horse virus, or it could itself be a trojan
horse which implements whatever it"s little virus heart desires, such as promoting privileges on the originating user.

More on the Example. When an administrator logs on locally, they may double click that drive (it can be done to all of them), and run the malicious executable, with out their knowledge. Our little trojan may even continue on to open Explorer to keep the administrator blissfully unaware that they have just been compromised.

The Limitation. This exploit requires write access to the root directory of a local drive in order to work. That"s not all that uncommon a permission to have, especially for a non-C: drive. Similarly, any exploit allowing the uploading of arbitrary files to the root directory of any drive makes this a very real exploit; no directory guessing, i.e. did they name the WIN directory Windows or Winnt?"

DEFENSE

Quoting from Eric"s report,

The Workaround. Disable the autorun feature. There"s a key for it somewhere in the registry.

Possible difficulties with the Workaround. There are actually two levels of autorun to disable. One is where it no longer checks newly inserted media for an autorun, one is where it never checks for an autorun file at all. The first one still leaves the vulnerability open, as a refresh of the drive list will detect the autorun file, making autorun the default action, but not actually running it. VMWare disables autorun (or at least provides an option to) but this is actually the first, insecure one. I believe, but am not certain, that TweakUI will disable autorun file detection. To test it, disable the playing of data CD"s in Tweak, log out and back in, drop a CD with autorun into the drive, open My Computer, hit refresh (F5), double click the CD drive. If the autorun plays, you"ve not implemented the workaround properly.

How to know if you"re Affected. You can tell if a drive has an autorun file on it if you right click the drive, and see Autorun as the primary (bolded) function."

VENDOR RESPONSE

Microsoft is aware of this issue, however no comment was available at the time of this writing.

CREDITS

Discovered by Eric Stevens