Beyond AutoRun: Exploiting software vulnerabilities with removable storage presented at BlackHatDC 2011

by Jon Larimer,


Summary : Malware has been using the AutoRun functionality in Windows for years to spread through removable storage devices. That feature is easy to disable, but the Stuxnet worm was able to spread through USB drives by exploiting a vulnerability in Windows. In this talk, Ill examine different ways that attackers can abuse operating system functionality to execute malicious payloads from USB mass storage devices without relying on AutoRun. Theres a lot of code that runs between the USB drivers themselves and the desktop software that renders icons and thumbnails for documents, providing security researchers and hackers with a rich set of targets to exploit. Since the normal exploit payloads of remote shells arent totally useful when performing an attack locally from a USB drive, well look at alternative payloads that can give attackers immediate access to the system. To show that these vulnerabilities arent just limited Windows systems, Ill provide a demonstration showing how I can unlock a locked Linux desktop system just by inserting a USB thumb drive into the PC.

Jon Larimer: Jon Larimer is a senior researcher on IBM's X-Force Advanced Research team. Jon has been working in the security industry for over 12 years at companies including Internet Security Systems, nCircle Network Security, and now IBM. He has been involved in an array of security fields such as penetration testing, vulnerability research, security software development, and malware analysis.