WHMurray@DOCKMASTER.NCSC.MIL (07/27/90)
Well, we seem to have a problem here.

The posting by Jon David suggests that the virus executes on the workstation, has no WRITE privilege to the server, but infects programs on the server. By private email to me, Jon confirms that that is what he intended to say. He describes to me the test that he conducted; it sounds convincing. He asserts that Novell representatives have seen the demonstration.

On the other hand, the posting to this list by Novell clearly states that the workstation must have rights to write and modify the file.

It seems to me that someone is in error. If David is correct, then, not only do we have a small virus problem, but we have a very large NetWare security problem. It would be interesting to know whether the virus simply writes to the server, or whether it contains some overt mechanism to disable, subvert, or otherwise bypass NetWare security.

William Hugh Murray, Executive Consultant, Information System Security
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
203 966 4769, WHMurray at DOCKMASTER.NCSC.MIL
MALCOLM@tower-vax.city-poly.ac.uk (07/30/90)
In VIRUS-L digest V3 #132, William Hugh Murray writes:

> Well, we seem to have a problem here.
>
> The posting by Jon David suggests that the virus executes on the
> workstation, has no WRITE privilege to the server, but infects
> programs on the server. By private email to me, Jon confirms that
> that is what he intended to say. He describes to me the test that he
> conducted; it sounds convincing. He asserts that Novell
> representatives have seen the demonstration.
>
> On the other hand, the posting to this list by Novell clearly states
> that the workstation must have rights to write and modify the
> file.

Just a thought: during the test, is a user with supervisor rights active on the network? It would be *theoretically* possible for code to put the LAN adaptor into promiscuous mode (on adaptors which support this) and listen for a supervisor login request going past. Equipped with this information it could then masquerade as supervisor. It *may* also be possible for it to achieve the same end without gleaning the username/password, by recognising a privileged connection and then forging whatever the server uses to identify that connection (though there'd doubtless be problems here with MAC-level addressing). Either of these approaches is unlikely in a compact virus, though.

Disclaimer: I know very little about Novell protocols. *Don't* take this as an authoritative statement that they're insecure. Hopefully a genuine guru will tell me why it can't be done this way.

Regards,
Malcolm

--
Malcolm Ray
City of London Poly Computer Service, 100 The Minories, London EC3N 1JY ENGLAND
JANET: M.Ray@uk.ac.clp
Internet/BitNet/EARN: M.Ray@clp.ac.uk
uucp: ...!ukc!clp.ac.uk!M.Ray