Full Disclosure mailing list archives
Re: Viral infection via Serial Cable
From: James Tucker <jftucker () gmail com>
Date: Tue, 31 Aug 2004 10:35:02 +0100
If you want to check to see if the system has the MS tcp/ip stack running on the port, boot the machine and look in the network connections folder. You will see an "incoming connections" connection listed. If this is present (I doubt it, but anything is possible) then turn on IPSec for the connection and ban all unused ports and protocols. If you don't know what ports the (CAD/CAM) application is using, try netstat. If you don't see any "incoming connections" and are _still_ worried you can try ipconfig /all. Still worried? Connect to the RS232 using hyperterm, see what the response is like.

On Mon, 30 Aug 2004 20:17:38 -0500 (CDT), J.A. Terranson <measl () mfn org> wrote:
> You are confusing the different layers. There is no difference (to a virus) between a fiber, a cat-5, a serial cable, etc. These are all layer-1 choices.

Um, are we forgetting that the box on the end is Windows 2000, and what do we know about Windows 2000 and IP stacks on RS232 ports? (they don't natively exist by default) :)

> Moving up the stack, the answer to your question is a qualified "yes": if the serial port is configured as a data transport which the virus can see, then propagation across it is possible. And, for the record, there are a variety of serial-port based LANs.

Sure, but you can only move up a stack which exists. Given that there should be no applications on the other end of the RS232 apart from the CAD/CAM control program (one would hope, this would be considered 'normal'), the only hackable device should be that program. It's not unlikely that the program in question could be set to perform destructive actions; a lot of industrial software of this type is not well written and buffers certainly don't always get checked. This would require a custom hack though, I don't know of any viri which carry protocol definitions for RS232 CAD/CAM programs.

On Tue, 31 Aug 2004 15:19:29 +1200, Stuart Fox (DSL AK) <stuartf () datacom co nz> wrote:
> If the worm simply expects to see "a network transport" then the answer would be yes.

It's only yes if both ends talk the same language, the CAD/CAM unit should not be running a "network" protocol unless the developers 1) did something really stupid, 2) decided they didn't care about high levels of overhead. There are many people who believe also that mission critical systems which do not rely on the Internet should always be disconnected from it. I would certainly agree in this case; if you are still worried about it.
> "...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them." Osama Bin Laden

Define justice and duty in a western manner this sounds OK; but then that's not what he means is it?

> "There ought to be limits to freedom!" George Bush

Not to defend the guy, he makes a lot of stupid comments and decisions, however he is talking about laws and he is not wrong, there are many people in the world who need certain freedoms removed. How about they learn to remove the freedom of gun ownership.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
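
The checks suggested at the top of the message (look for an IP interface on the serial link with ipconfig /all, then use netstat to see which ports are in use before filtering the rest) can be scripted over saved command output. This is an added example, not part of the original post; the sample outputs are constructed, and the "PPP adapter" label for an incoming-connections interface is an assumption about how ipconfig names it.

```python
import re

# Constructed sample outputs (not from the thread). The "PPP adapter" label for an
# incoming-connections link is an assumption about how ipconfig names it.
IPCONFIG_SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.10.20

PPP adapter RAS Server (Dial In) Interface:

        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        IP Address. . . . . . . . . . . . : 169.254.77.1
"""
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.10.20:139      0.0.0.0:0              LISTENING
  TCP    192.168.10.20:1042     192.168.10.5:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def serial_ip_adapters(ipconfig_text):
    """Map PPP/SLIP adapter names to their IP: evidence of IP over a serial or dial-in link."""
    found, current = {}, None
    for line in ipconfig_text.splitlines():
        header = re.match(r"^(\S.*adapter .+):\s*$", line)
        if header:
            name = header.group(1)
            current = name if re.search(r"\b(PPP|SLIP)\b", name) else None
            if current:
                found[current] = None
        elif current:
            ip = re.search(r"IP Address[ .]*:\s*(\S+)", line)
            if ip:
                found[current] = ip.group(1)
    return found

def listening_ports(netstat_text):
    """Sorted (proto, port) pairs accepting inbound traffic in `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] in ("TCP", "UDP") and (f[0] == "UDP" or f[-1] == "LISTENING"):
            ports.add((f[0], int(f[1].rsplit(":", 1)[1])))
    return sorted(ports)

if __name__ == "__main__":
    print("IP over serial/dial-in:", serial_ip_adapters(IPCONFIG_SAMPLE) or "none found")
    print("Ports to review before filtering the rest:", listening_ports(NETSTAT_SAMPLE))
```

An empty result from `serial_ip_adapters` corresponds to the "no incoming connections" case in the message; the port list is only a starting point for deciding what the filter must leave open.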