  • Autorun default settings

    Default autorun setting for Win95-Win7 (0x91 and 0x95 are not accurate IMO, as you can see). I made 2 VMs:
    1) Windows Advanced Server 2000 sp4 + update (AD)
    2) Windows XP SP2

    On Windows XP SP2 I tested the Autorun.inf vulnerability and I was SHOCKED. I mounted share C$ from the AD server with an autorun.inf on it and it ran the payload silently on XP SP2 in the domain (I guess it's the same for out-of-the-box XP). I couldn't find anything related to DRIVE_REMOTE, only that it is supposed to be turned off by default on all Windows versions and that NoDriveTypeAutorun doesn't handle that sometimes (there is a KB update).

    What about FIXED drives? I read that until SP1 autorun.inf ran silently on them as well. On SP2 it's just a double-click vuln, but that's dangerous too...

    I'm thinking about installing Win2000 final to test it also. If anyone has some checked info please let me know.

    So, long story short, that 0x91 in XP SP2 is actually 0x81 and on Win2000 AdvServ 0x95 is 0xDF on my configuration. Feel free to correct me.

    Regards.

    EDIT:
    Windows 2000 ADVSRV has the double-click issue on LocalDisk (DRIVE_FIXED). I mounted a virtual logical drive with the subst command and the payload started when I double-clicked on the drive. (The context menu is untouched ... not like in XP SP2.)
    Last edited by phanatic; 21st February 2009, 22:00.

  • #2
    Re: Autorun default settings

    Originally posted by phanatic:
    So, long story short, that 0x91 in XP SP2 is actually 0x81 and on Win2000 AdvServ 0x95 is 0xDF on my configuration. Feel free to correct me.
    No, not exactly: 0x91 is not treated like 0x81, the right registry value actually does get read.
    The vulnerability is a bug in Shell32.dll. The registry value is checked only once when the drive is mounting, and not any more when you open it with Explorer.

    So the autorun.inf can still run silently when opening Explorer and therefore can be, and is, used to spread worms over the network.
    I think this problem is solved in Windows 7, there is already a patch for Windows Vista and Server 2008.

    You might also want to read this KB article: http://support.microsoft.com/kb/953252 !


    To disable the functionality of autorun.inf files thoroughly I found this hack by nick.brown:
    "a one-shot, quick way to prevent AUTORUN.INF files from being used on a PC, from any medium, is to map autorun.inf as a 'IniFileMapping' to the Registry. This hack tells Windows how to treat AUTORUN.INF. In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key, er, does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action."
    You can implement this by using the following batch code in a Computer Startup script:
    Code:
    Reg.exe Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /d "@SYS:DoesNotExist" /f
    TechNet article explaining the 'IniFileMapping' entries: http://technet.microsoft.com/en-us/l.../cc722567.aspx


    \Rems

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: Autorun default settings

      I see, it's fixed in Vista (beware: any changing of those settings brings the trouble on your back) -- but it's fixed out of the box. Win7 is the same, at least in beta.

      Now, what you are saying makes sense. For example, if you want to re-enable settings for autorun you need to reboot (unload shell32.dll). So that's the bad guy.

      On the other hand, a lot of Windows systems have the same settings BUT act differently, so if anyone has something to share about a specific OS or SP ... please do.

      EDIT:

      @Rems
      The registry value is checked only once when the drive is mouning, and not any more when you open it with explorer.
      How is it read? As I pointed out, Autorun.inf on a Network Disk should not be read at all, but instead it executes the payload silently. (Feel free to check; XP SP2 joined to a domain, but that doesn't count I guess.)
      Last edited by phanatic; 23rd February 2009, 09:21.



      • #4
        Re: Autorun default settings

        It might require a reboot for the changes to take effect.
        However, the setting just disabled the Media Change Notification (MCN) message (that triggers media features, such as Autoplay).


        Registry entries:
        Drive-Autorun is also known as AutoPlay and can be controlled by the entries 'NoDriveTypeAutoRun' in HKCU/HKLM or 'Autorun' in HKCU ('AutoRunAlwaysDisable' in HKLM), the last two are for the MCN for particular CD/DVD drives. The "NoDriveTypeAutoRun" value can change the behavior of the other entries.
        There can also exist a registry entry called 'NoDriveAutoRun' however this entry does not exist by default. With this entry you can disable or enable the AutoRun feature on individual drives (the value 0x3FFFFFF disables the AutoRun feature on drives A: to Z: ). The data value is taken to be 0x0 if the entry is not present.

        From the entries mentioned above only 'NoDriveTypeAutoRun' is associated with a Group Policy.

        _
        If AutoPlay or AutoRun is disabled, 'autorun.inf' might not operate when the drive is plugged in, but still, a dialog from shell32.dll can be shown.
        The "social engineering trick" used by "AutoRun Worms" is that it can replace the text in the window for the option 'Install or run program' with a button that says 'view files' or 'browse folders'. The same results, btw, for both Windows Vista and Windows 7 Beta.
        And the worms use some more tricks, such as variable size, to help avoid detection of the malicious autorun.inf file(s).


        Available Security updates:
        The security updates that were released in Jul/Aug 2008 are fixes which address the Double Click, Contextual Menu and AutoPlay functionality.
        Furthermore, on Windows XP and Server 2003 computers a new registry item 'HonorAutorunSetting' is created (with a value of 1, and by default created only under the HKLM hive). This entry allows reverting to the previous functionality on a per-machine and per-user basis by changing its value to 0 (unsecured).
        The security update and the configuration recommendations published September 2008, and a patch from Oct 2008, will however still not prevent users from launching autorun.inf files.

        It is still unclear whether issues with devices that were previously mounted are also fixed with these updates. USB drives that have been mapped before are by design mapped persistently and administered in one of the subkeys under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
        There is no Microsoft documentation available on these entries in the registry.

        _
        All mentioned above could also explain why different machines (with the same OS) you tested the AutoPlay function on were acting differently.

        And also the default value for NoDriveTypeAutoRun varies for different Windows-based operating systems.
        0x91 (= 0x80 + 0x10 + 0x1) -> Windows Server 2008, Windows Vista and Windows XP
        0x95 (= 0x80 + 0x10 + 0x4 + 0x1) -> Windows Server 2000/2003 and Windows 2000 professional

        The recommended value for all Windows versions is 0xFF. This can be set through a GPO (best to use a computer configuration).

        The above value is the sum of the selected options from the list below:
        - Disable AutoPlay on drives of unknown type = 0x1
        - Disable AutoPlay on removable drives = 0x4
        - Disable AutoPlay on fixed drives = 0x8
        - Disable AutoPlay on network drives = 0x10
        - Disable AutoPlay on CD-ROM drives = 0x20
        - Disable AutoPlay on RAM disks = 0x40
        - Disable AutoPlay on drives of unknown type = 0x80
        - Disable AutoPlay on all kinds of drives = 0xFF
        (I'm not sure why 0xFF could not just be 0xA3. And I don't know why there is no option associated with 0x2.)

        _
        In response to what you said, "beware: any changing of that settings brings the trouble on your back":
        The 'NoDriveTypeAutoRun' and 'HonorAutorunSetting' values are both policies; normal users cannot change policies on their computer. Furthermore, if the AutoPlay policy is configured under the computer configuration section, then this setting will take precedence over Current_User and Default_User autoplay configurations on the computer.

        To keep your computers on the network protected against Autorun worms, install the latest patches and follow the instructions provided by Microsoft - but also consider installing the registry hack (a mitigation strategy developed by Nick Brown in December 2007 and since recommended and re-published by several CERT organisations -> recently posted at US-CERT gov: Technical Cyber Security Alert: "Microsoft Windows Does Not Disable AutoRun Properly").

        There was a batch example in my previous post;
        here is a VBScript sample showing how to install the registry hack:
        Code:
        '# Registry hack to block AutoRun.inf files thoroughly #
        '# by: nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
        '#
        '# TESTED solutions for disabling autorun:
        '# www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx
        '#
        '# This VBScript must be run as a computer startup script
        '# (it writes under HKLM, so it needs administrative rights).

        Option Explicit
        Dim strComputer, oReg, strKey, sValue, Success

        Const HKEY_LOCAL_MACHINE = &H80000002

        strComputer = "."

        ' The WMI StdRegProv class gives scriptable access to the registry
        Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
           & strComputer & "\root\default:StdRegProv")

        ' Map Autorun.inf to a registry key that does not exist, so every
        ' Autorun.inf file is treated as if it were empty
        strKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
        sValue = "@SYS:DoesNotExist"
        oReg.CreateKey HKEY_LOCAL_MACHINE, strKey
        ' An empty value name addresses the key's (Default) value;
        ' SetStringValue returns 0 on success
        Success = oReg.SetStringValue(HKEY_LOCAL_MACHINE, strKey, "", sValue)

        WScript.Quit

        \Rems
        Last edited by Rems; 28th February 2009, 21:30. Reason: fixed: Const HKEY_LOCAL_MACHINE was not declared

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts
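As an added example (my own code, not from this thread, Microsoft, or Nick Brown), here is a Python decoder for the NoDriveTypeAutoRun bits Rems lists above and for the per-drive NoDriveAutoRun mask, plus a small audit over constructed registry values. The bit names follow GetDriveType(), whose value n is disabled by bit 1<<n, which is why 0x2 corresponds to DRIVE_NO_ROOT_DIR; the audit rules (0xFF recommended, HonorAutorunSetting=0 is a rollback, IniFileMapping hack expected) are taken from the posts above.

```python
# Added example (not from the thread): decode the NoDriveTypeAutoRun and
# NoDriveAutoRun masks discussed above and audit constructed registry data.

# Bit n of NoDriveTypeAutoRun disables AutoRun for the drive type that
# GetDriveType() reports as n; 0x80 is the reserved bit Microsoft also
# documents as "unknown type".
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE", 0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "DRIVE_RESERVED",
}
RECOMMENDED = 0xFF  # value the post recommends for every Windows version

def disabled_types(mask):
    """Drive types on which this NoDriveTypeAutoRun mask disables AutoRun."""
    return [n for bit, n in DRIVE_TYPE_BITS.items() if mask & bit]

def exposed_types(mask):
    """Drive types still allowed to AutoRun (the residual exposure)."""
    return [n for bit, n in DRIVE_TYPE_BITS.items() if not mask & bit]

def drive_letters(mask):
    """NoDriveAutoRun: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    return [chr(ord("A") + i) + ":" for i in range(26) if mask >> i & 1]

def audit(values):
    """values: dict of the relevant registry entries. Returns findings;
    an empty list means the host matches the hardening in this thread."""
    findings = []
    ndta = values["NoDriveTypeAutoRun"]
    if ndta != RECOMMENDED:
        findings.append("NoDriveTypeAutoRun=0x%02X leaves AutoRun on: %s"
                        % (ndta, ", ".join(exposed_types(ndta))))
    if values.get("HonorAutorunSetting") == 0:
        findings.append("HonorAutorunSetting=0 reverts the 2008 fix")
    if values.get("IniFileMapping\\Autorun.inf") != "@SYS:DoesNotExist":
        findings.append("IniFileMapping hack for Autorun.inf not installed")
    return findings

# Constructed samples: an XP SP2 box at its shipped default, and a
# hardened one with both the GPO value and the IniFileMapping hack.
XP_DEFAULT = {"NoDriveTypeAutoRun": 0x91, "HonorAutorunSetting": 1}
HARDENED = {"NoDriveTypeAutoRun": 0xFF, "HonorAutorunSetting": 1,
            "IniFileMapping\\Autorun.inf": "@SYS:DoesNotExist"}

if __name__ == "__main__":
    for name, v in (("xp-default", XP_DEFAULT), ("hardened", HARDENED)):
        print(name, audit(v) or ["OK"])
```

Feed the functions values exported from a real host (for example via reg query) to see which drive types a given default still leaves exposed.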
