Possibly yet another MS mail worm

Vivien M. vivienm at dyndns.org
Mon Mar 1 17:39:06 UTC 2004


> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On 
> Behalf Of Curtis Maurand
> Sent: March 1, 2004 10:38 AM
> To: Todd Vierling
> Cc: nanog at merit.edu
> Subject: Re: Possibly yet another MS mail worm
> 
> 
> My point is that the COM/DCOM/OLE/ActiveX is what allows for 
> a script in 
> an email message that gets executed to have access to the rest of the 
> system, rather than executing within a protected sandbox.  Of course 
> scripts within email messages shouldn't execute at all.  Once they do 
> execute, they have access to the OLE objects on the machine.  It's a 
> security hole big enough to drive a tank through.

And I hate to point out the obvious, but that's not what we're discussing
here. If you receive a .zip attachment, save it to disk, open it up in
WinZip or the integrated ZIP utility (which I might add is a feature GUI
OSes made outside Redmond also share), extract the .exe in it, and open it
up, ActiveX/OLE/DCOM/etc. has NOTHING to do with the fact that the thing is
destructive and that you were allowed to run it.

Sure, having an executable flag like on *NIX would make it a little harder,
but you know what? If I send you a shell script on *NIX called run-me.sh in
a tarball that does a rm -rf / if you're root, and tells you to be root if
you're not, then your session will look like this:
1. Save blah.tar.gz to disk.
2. tar zxf blah.tar.gz
3. chmod 755 run-me.sh
4. ./run-me.sh
5. "Error. This script must be run as root."
6. su -
7. ./run-me.sh
8. Wave byebye to your filesystems.

The problem then isn't technological: an alternative OS, with an
equally-determined (and idiotic) user as the Windows user, provides ZERO
protection against this type of attack. And if you think that step 3 or 5
provided any protection against a determined user, you're wrong.

Vivien
-- 
Vivien M.
vivienm at dyndns.org
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 