undefined | Better HN

0 pointsrobk13y ago0 comments

Many PCs are patched now so there's no default autorun.inf (or similar) functionality. So you'd have to run a binary on it to trigger this exploit it seems. Doable of course, but one step harder.

0 comments

andrewaylett13y ago

But it's not an autorun vulnerability, that wouldn't be newsworthy -- the problem is that simply mounting the filesystem exploits bugs in the filesystem driver.

amckenna13y ago

No - more needs to be done than simply mounting the filesystem.

He explains that: "With the ability to replace arbitrary kernel memory with arbitrary data, one has lots of options to choose from in order to hijack ring-0 code execution flow." and then goes on to mention "I decided to go with HalDispatchTable, being the easiest and most commonly used technique."

Something has to be run locally that exploits the ntfs filesystem driver bug (introduced by the usb stick) and uses that to write arbitrary data to kernel memory, but then has to divert ring-0 code execution flow (he chooses to overwriting the nt!HalDispatchTable+sizeof(void*) function pointer).

Check out the video to verify

j / k navigate · click thread line to collapse