Introducing the USB Stick of Death (opens in new tab)

Yeah, the severity rating seems rather oblivious to simple social engineering. Leave a USB stick on a desk with a sticky note attached to it saying "Urgent, please review", and guess what is going to happen to that USB stick.

Being able to compromise a system via a mundane and apparently benign action is never low-severity.

You have to be running an exploit program while you play with the USB stick.

I've always assumed the attack vector was to leave the sticks lying around. If I'm not mistaken, some people have left them at banks in hopes that the employees will plug them into one of the computers there to see what's on it. Almost everyone I know has plugged a USB stick they don't own into their computer at one point or another.

Severity isn't that low. If you hand out a USB stick to a friend and they run a .exe on it, you could surely trigger this exploit invisibly. It's probably not a broad vector attack, but surely would fit very well into a spearphishing scenario. Hand this to a less-than-savvy user and either auto-run via .inf (on older OSes) or dupe them into running some arbitrary binary to "unencrypt the volume" or something they wouldn't understand.

Many newer USB sticks even have preloaded binaries for the supporting software (SanDisk volume utilities come to mind) - this would be a perfectly innocuous location to load this sort of attack.

Most systems that are physically available with local users (e.g. libraries, college computer labs, etc.) will have booting from anything other than the hard drive disabled, and the BIOS password protected. You'd need to open up the machine and reset the CMOS to use this approach.

While I was at university, every lecture hall data projector had a PC connected to it. Often people would bring their presentations from home on USB memory sticks.

Nowerdays there are viruses that spread by USB memory stick - and lie dormant on the computer infecting every USB memory stick that gets plugged in. Needless to say, lecture hall computers quickly became infected - even without any malicious intent on the part of the physically present user.

Hiren's BootCD is exactly the kind of tool I've been looking for - but I can't find the download link on that page. Am I an idiot, or does he not host his own boot cd on his site?

Under Linux, if you get a stack trace they can fix this: they love fuzzing errors.

Boot Linux, disable automount, make a raw copy using dd, upload somewhere?

Post a stacktrace? You can take a photo for us of the kernel panic.