Flash drive/CD autoplay command execution

Added: 04/07/2009

Background

This tool allows you to create a USB flash drive which, when inserted into a Windows computer, prompts a user to run a program which creates a command connection. The program is disguised as the "Open Folder" option in the AutoPlay dialog to entice the user to run it.

This tool can also be used to create a CD-ROM which, when inserted into a Windows computer, creates a command connection.

Resolution

First install the update for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008.

Second, disable Autorun functionality by editing the Group Policy settings as described in Microsoft article 967715 or by setting the following registry key:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Value: NoDriveTypeAutoRun
Value Data: 0xff

References

http://www.us-cert.gov/cas/techalerts/TA09-020A.html

Limitations

This tool requires a user to insert the flash drive or CD and click on the program in the AutoPlay dialog in order to succeed.

The target field must be a licensed target but is unused.

Exploit will not display the exploit AutoRun entry in the AutoPlay menu from ordinary USB flash drives on Microsoft Windows 7 and newer systems, nor on Windows XP/Vista and Windows Server 2003/2008 systems that have installed the patch for Microsoft Security Advisory 971029 (made available via autoupdate on February 8, 2011), because Microsoft disabled Autorun for non-optical devices.

Platforms

Windows

Back to exploit index