Found, a new rootkit

Fri Apr 7 20:41:09 UTC 2006

Mike McCarty wrote:
> Mikkel L. Ellertson wrote:
>> Mike McCarty wrote:
>>
>>> Tim wrote:
>>>
>>>> I don't have a single Linux box here that listens to the modem.  I'd
>>>> have to install a service to do so.  Your MS-DOS box is no more secure
>>>> than any of them, for that point of attack.
>>>>
>>>
>>> I respectfully disagree with you on this point. Your Linux
>>> machine has a device driver for that device, while my MSDOS
>>> machine does not. So you *do* have software listening to
>>> that device, which software potentially has security compromising
>>> defects. I have no software on my MSDOS machine which listens
>>> to the serial port. So if I install a modem on it, it remains
>>> relatively secure.
>>>
>>
>> I fail the see the difference between the Linux driver for a serial
>> port, and the DOS driver for COM ports, at least as far as security
>> goes. Nether driver does anything unless there is a program
> 
> You are right, in regards to the software itself. The difference
> is that MSDOS does not automatically install device drivers
> for COM ports, whereas Linux does.
> 
>> accessing them. The fact that the serial driver is built in with
>> MS-DOS, and may be loadable under Linux does not make much
> 
> There is no built-in serial driver in MSDOS. MSDOS sits on top
> of the BIOS. The drivers themselves simply make BIOS calls.
> Unless some software makes a call to the driver, then the
> COM port just sits.
> 
Are you sure about that? As far as I know, the BIOS does not know
about serial ports. The settings for I/O and IRQ for a COM port are
part of DOS< and not a BIOS setting. You can change them, and swap
COM1 and COM2, I have a DOS utility that does this around here
somewhere. It will also swap around LPT settings.

>> difference. If anything, Linux without the driver loaded would be
>> slightly more secure.
> 
> I don't follow this, but certainly Linux w/o the driver installed
> would be as secure as MSDOS.
> 
> [snip]
> 
>> The thing that you are overlooking is that DOS has drivers for most
>> of the standard hardware ether built in, or accessible through the
>> system BIOS. If anything, accessing hardware through the system BIOS
> 
> If my MS-DOS machine were connected, and someone bombarded the serial
> port, all that would happen is that the bits would fall on the floor,
> and the overrun error bit would get set in the UART. With Linux,
> interrupts would be generated, and the driver would accept the bytes,
> buffer them, and eventually dump the input. (Unless something has
> changed since the last time I looked at the Linux serial drivers.)
> 
>From what I remember, the IRQs are not enabled in ether OS until
something opens the port. Once you open the port, both DOS and
Linux process the IRQ. Both have code to handle buffer overrun.

>> can be more of a security risk. You never really know what is in the
>> BIOS. It is probably safe, as long as you are careful about updates.
> 
> Whatever is in the BIOS, it is still there when Linux is loaded.
> 
It is still there, but Linux does not use the BIOS to access the
hardware. Code that is not executed is not a security risk. DOS uses
the BIOS for things like disk access, video access, etc. Now, when
you get into ACPI, that is another story. Linux may use the ACPI
code, while DOS does not.

> Any time there is physical access, there is only *relative* security.
> 
> Mike

This is very true. But the risk of hooking a modem to a Linux
machine by itself is no greater then hooking one to a DOS machine.
The risk depends on the software you use to access the modem. Using
a FAX sending program on Linux is a lot less risk then running PC
Anywhere on a DOS machine. (Yes, there was a version for DOS.)

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!