Re: cdrom security

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 12/18/02


From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Wed, 18 Dec 2002 01:40:24 +0100

Nils Petter Vaskinn wrote:
>
> Timo Voipio wrote:
>
> > not_valid wrote:
> >
> >> Wondered what kind of scripts could be run before passing the
> >> command to the kernel on the HD.
> >
> > The same kind as from boot floppies.
> >
> >> Not a linux issue ... but a possible security hole. Never seen
> >> any article about this. And most anti-viruses check only floppies
> >> (they would be incapable of checking alien SOs on the CD anyway,
> >> wouldn't they ?)
> >
> > A security hole, yes. But one that requires the culprit to have
> > physical access to the computer (which is to all practical purposes
> > as good as having the root passwd, or even better).
> >
>
> It would be possible but not very easy for a virus/worm to make
> infected bootable cds.
> A virus/worm scans a system for iso images and modifies them so that
> once you burn it you get an infected bootable cd? Or perhaps
> modifies your cd burner software?

I'm surprised we haven't seen many vira do that. If it is targeting
Windows it can also find a little help in that autoload feature.

>
> Now to do anything more advanced than damage I expect the code has to
> be quite big (an os in itself since it can't use any os features) but
> it won't have any limitations to what it can do.

It can use BIOS features. The BIOS does contain a usable HD driver,
so it "just" has to implement a filesystem, then it can look for
files to change. If you want to do a lot more stuff you are in luck,
there is usually a large amount of space on the CD.

If you want to avoid the hard work to do filesystem support in a
virus, you can do other stuff like staying in the background and
popping up again when the OS is ready to help you. That however is
easiest done if the OS happens to be DOS. It is far from trivial
to write code that stays resident while Linux boots. It might be
easier to just infect the image before booting it.

-- 
Kasper Dupont -- who spends too much time on usenet.
For sending spam use mailto:aaarep@daimi.au.dk
Who is the enemy in Aalborg?
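The thread's scenario is a worm that rewrites ISO images on disk so that the disc you burn boots its code. The defender's check for that is simple: compare the image against a known-good hash before burning, and look at the ISO 9660 volume descriptor set to see whether an El Torito boot record is present when the image was never supposed to be bootable. The script below is an added example and not part of the thread; it constructs two tiny sample images in memory (labelled as constructed, not real discs) and relies only on the El Torito boot record layout from the specification (descriptor type 0, identifier "EL TORITO SPECIFICATION" at bytes 7..29, boot catalog LBA as a little-endian 32-bit value at bytes 71..74).

```python
import hashlib
import struct

SECTOR = 2048
VD_START = 16  # ISO 9660 volume descriptors begin at sector 16


def build_sample_iso(bootable: bool) -> bytes:
    """Constructed sample data, not a real disc: 16 empty system-area
    sectors followed by a minimal volume descriptor set. Only the
    descriptor headers matter for the checks below; other fields are zero."""
    def vd(type_code: int, body: bytes = b"") -> bytes:
        desc = bytes([type_code]) + b"CD001" + b"\x01" + body
        return desc.ljust(SECTOR, b"\x00")

    descriptors = []
    if bootable:
        # El Torito boot record: boot system id at bytes 7..38, boot id at
        # 39..70, little-endian LBA of the boot catalog at 71..74.
        body = (b"EL TORITO SPECIFICATION".ljust(32, b"\x00")
                + bytes(32)
                + struct.pack("<I", 19))
        descriptors.append(vd(0, body))
    descriptors.append(vd(1))    # primary volume descriptor (fields left zero)
    descriptors.append(vd(255))  # volume descriptor set terminator
    return bytes(SECTOR * VD_START) + b"".join(descriptors)


def scan_volume_descriptors(image: bytes) -> dict:
    """Walk the volume descriptor set and report whether an El Torito boot
    record is present and which sector its boot catalog lives in."""
    result = {"bootable": False, "boot_catalog_lba": None, "descriptors": []}
    sector = VD_START
    while True:
        off = sector * SECTOR
        desc = image[off:off + SECTOR]
        if len(desc) < SECTOR or desc[1:6] != b"CD001":
            raise ValueError(f"no valid volume descriptor at sector {sector}")
        type_code = desc[0]
        result["descriptors"].append(type_code)
        if type_code == 255:  # terminator ends the set
            break
        if type_code == 0 and desc[7:30] == b"EL TORITO SPECIFICATION":
            result["bootable"] = True
            result["boot_catalog_lba"] = struct.unpack_from("<I", desc, 71)[0]
        sector += 1
    return result


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, expected_sha256: str, expect_bootable: bool) -> list:
    """Return a list of findings; an empty list means the image is the
    known-good copy and its bootability matches what was expected."""
    findings = []
    if sha256_hex(image) != expected_sha256:
        findings.append("sha256 mismatch: image differs from the known-good copy")
    info = scan_volume_descriptors(image)
    if info["bootable"] and not expect_bootable:
        findings.append("unexpected El Torito boot record "
                        f"(boot catalog at LBA {info['boot_catalog_lba']})")
    if expect_bootable and not info["bootable"]:
        findings.append("expected boot record is missing")
    return findings


if __name__ == "__main__":
    good = build_sample_iso(bootable=False)
    tampered = build_sample_iso(bootable=True)  # same image with a boot record bolted on
    known_good = sha256_hex(good)
    print(verify_image(good, known_good, expect_bootable=False))      # []
    print(verify_image(tampered, known_good, expect_bootable=False))  # two findings
```

On a real image you would read the file in binary, pass it to `verify_image` with the publisher's hash, and set `expect_bootable` to whatever the vendor documents. The hash check alone catches any modification; the descriptor scan adds a cheap, hash-independent signal for the specific case the thread describes, an image that has quietly become bootable.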