I really don't agree with the severity rating. Instant admin-access by just plugging in a USB stick is exactly what malware like the ever-loved Stuxnet use(d) as a jump-start to get their other exploits and backdoors going.<p>It's like the various autorun exploits, but better because you don't need an additional privilege escalation vulnerability <i>and</i> you get to execute your attack even if autorun is turned off completely.
As a security vulnerability, it's interesting but, as they stated, low-severity.<p>If you have physical access and a local user, it's much easier to use any Linux boot CD and one of the myriad "password recovery" systems.<p>I used Petter N Hagen's <a href="http://pogostick.net/~pnh/ntpasswd/" rel="nofollow">http://pogostick.net/~pnh/ntpasswd/</a><p>back in my tech support days (several years ago).<p>The current tech support guy swears by Hiren's BootCD<p><a href="http://www.hiren.info/pages/bootcd" rel="nofollow">http://www.hiren.info/pages/bootcd</a>
Coming from a *nix background, it seems odd to me that a kernel null dereference would be exploitable from userland, or that kernel functions would be directly addressable from userland.<p>Is kernel memory mapped into user processes on Windows?
I've had a USB stick of death for years now. Any system you plug it into instantly freezes. No idea how I made it, but it was certainly not the goal! And whatever I do, I can't get it to overwrite whatever data is on there :P