From: jftucker at gmail.com (James Tucker)
Subject: Viral infection via Serial Cable

If you want to check to see if the system has the MS TCP/IP stack
running on the port, boot the machine and look in the network
connections folder. You will see an "incoming connections" connection
listed. If this is present (I doubt it, but anything is possible) then
turn on IPSec for the connection and ban all unused ports and
protocols. If you don't know what ports the (CAD/CAM) application is
using, try netstat. If you don't see any "incoming connections" and
are _still_ worried you can try ipconfig /all. Still worried? Connect
to the RS232 using HyperTerm and see what the response is like.

On Mon, 30 Aug 2004 20:17:38 -0500 (CDT), J.A. Terranson <measl@....org> wrote:
> You are confusing the different layers.  There is no difference (to a
> virus) between a fiber, a cat-5, a serial cable, etc.  These are all
> layer-1 choices.

Um, are we forgetting that the box on the end is Windows 2000, and
what do we know about Windows 2000 and IP stacks on RS232 ports? (they
don't natively exist by default)
:)

> Moving up the stack, the answer to your question is a qualified "yes": if
> the serial port is configured as a data transport which the virus can see,
> then propagation across it is possible.  And, for the record, there are a
> variety of serial-port based LANs.

Sure, but you can only move up a stack which exists.

Given that there should be no applications on the other end of the
RS232 apart from the CAD/CAM control program (one would hope; this
would be considered 'normal'), the only hackable device should be that
program. It's not unlikely that the program in question could be set
to perform destructive actions; a lot of industrial software of this
type is not well written and buffers certainly don't always get
checked. This would require a custom hack though; I don't know of any
viruses which carry protocol definitions for RS232 CAD/CAM programs.

On Tue, 31 Aug 2004 15:19:29 +1200, Stuart Fox (DSL AK)
<stuartf@...acom.co.nz> wrote:
> If the worm simply expects to see "a network transport" then the
> answer would be yes.

It's only yes if both ends talk the same language; the CAD/CAM unit
should not be running a "network" protocol unless the developers 1)
did something really stupid, or 2) decided they didn't care about high
levels of overhead.

There are many people who also believe that mission critical systems
which do not rely on the Internet should always be disconnected from
it. I would certainly agree in this case, if you are still worried
about it.

>   "...justice is a duty towards those whom you love and those whom you do
>   not.  And people's rights will not be harmed if the opponent speaks out
>   about them."      Osama Bin Laden
Define justice and duty in a Western manner and this sounds OK; but then
that's not what he means, is it?

>   "There ought to be limits to freedom!"    George Bush
Not to defend the guy, he makes a lot of stupid comments and
decisions; however, he is talking about laws and he is not wrong: there
are many people in the world who need certain freedoms removed. How
about they learn to remove the freedom of gun ownership.
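The checks described at the top of this message (look for an "incoming connections" entry, run netstat, run ipconfig /all) can be scripted on a current Windows host. The following is an added example, not code from the thread or from any of its participants. It assumes a Windows version with the NetTCPIP and CIM cmdlets (Windows 8 / Server 2012 or later) rather than the Windows 2000 box under discussion, and the "remote-access adapter" heuristic (matching WAN Miniport, RAS or Dial In adapter names) is an assumption about how an enabled incoming connection shows up, not something the thread states.

```powershell
# Added example (not from the mailing-list thread). Audits a Windows host
# for the things the post says to check: listening sockets (the netstat
# step), serial ports, and any enabled RAS / "incoming connections" style
# adapter that could carry TCP/IP over a serial link.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection,
# Get-NetUDPEndpoint, Get-CimInstance). On Windows 2000, use
# "netstat -an" and "ipconfig /all" as the post describes.

function Get-ListeningSockets {
    # Map PIDs to process names once so each socket can be labelled.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_.ProcessName }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{
            Proto   = 'TCP'
            Address = $_.LocalAddress
            Port    = $_.LocalPort
            Pid     = $_.OwningProcess
            Process = $byPid[[int]$_.OwningProcess]
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto   = 'UDP'
            Address = $_.LocalAddress
            Port    = $_.LocalPort
            Pid     = $_.OwningProcess
            Process = $byPid[[int]$_.OwningProcess]
        }
    }
    @($tcp) + @($udp) | Sort-Object Proto, Port
}

function Get-SerialPorts {
    # Physical and virtual COM ports as Windows sees them.
    Get-CimInstance Win32_SerialPort |
        Select-Object DeviceID, Name, Description
}

function Get-RemoteAccessAdapters {
    # Heuristic (assumption, not from the thread): a RAS incoming connection
    # binds TCP/IP over a modem or serial link and appears as a WAN Miniport,
    # RAS or "Dial In" style adapter. Only enabled ones matter here.
    Get-CimInstance Win32_NetworkAdapter |
        Where-Object { ($_.Name -match 'WAN Miniport|RAS|Remote Access|Dial In') -or
                       ($_.AdapterType -match 'PPP|Serial|WAN') } |
        Select-Object Name, AdapterType, NetConnectionID, NetEnabled
}

function Invoke-SerialExposureAudit {
    # Report everything, then flag the one combination the thread worries
    # about: a COM port present AND an enabled remote-access adapter.
    $sockets = Get-ListeningSockets
    $serial  = @(Get-SerialPorts)
    $ras     = @(Get-RemoteAccessAdapters | Where-Object { $_.NetEnabled -eq $true })

    "== Listening sockets ==";       $sockets | Format-Table -AutoSize | Out-String
    "== Serial ports ==";            $serial  | Format-Table -AutoSize | Out-String
    "== Enabled remote-access adapters =="; $ras | Format-Table -AutoSize | Out-String

    if ($serial.Count -gt 0 -and $ras.Count -gt 0) {
        Write-Warning ("COM port(s) present and an enabled PPP/RAS adapter found: " +
                       "an IP transport may be bound to the serial link. " +
                       "Review 'Incoming Connections' and the listening sockets above.")
    } else {
        "No enabled remote-access adapter found; no IP stack appears to be bound to the serial ports."
    }
}

Invoke-SerialExposureAudit
```

Run it from an elevated PowerShell session so that owning-process names resolve for services; the listening-socket table is the modern equivalent of the netstat step in the post, and the serial-port table tells you whether there is a COM port for an "incoming connection" to sit on at all.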