Path: utzoo!attcan!uunet!tut.cis.ohio-state.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw From: MALCOLM@tower-vax.city-poly.ac.uk Newsgroups: comp.virus Subject: RE: NetWare and Virus (PC) Message-ID: <0013.9007301317.AA00380@ubu.cert.sei.cmu.edu> Date: 30 Jul 90 09:39:07 GMT Sender: Virus Discussion List Lines: 39 Approved: krvw@sei.cmu.edu In VIRUS-L digest V3 #132, William Hugh Murray writes: > Well, we seem to have a problem here. > > The posting by Jon David suggests that the virus executes on the > workstation, has no WRITE privilege to the server, but infects > programs on the server. By private email to me, Jon confirms that > that is what he intended to say. He describes to me the test that he > conducted; it sounds convincing. He asserts that Novell > representatives have seen the demonstration. > > On the other hand, the posting to this list by Novell clearly states > that the the workstation must have rights to write and modify the > file. Just a thought: during the test, is a user with supervisor rights active on the network? It would be *theoretically* possible for code to put the LAN adaptor into promiscuous mode (on adaptors which support this) and listen for a supervisor login request going past. Equipped with this information it could then masquerade as supervisor. It *may* also be possible for it to achieve the same end without gleaning the username/password, by recognising a privileged connection and then forging whatever the server uses to identify that connection (though there'd doubtless be problems here with MAC-level addressing). Either of these approaches is unlikely in a compact virus, though. Disclaimer: I know very little about Novell protocols. *Don't* take this as an authoritative statement that they're insecure. Hopefully a genuine guru will tell me why it can't be done this way. Regards, Malcolm - -- Malcolm Ray City of London Poly Computer Service, 100 The Minories, London EC3N 1JY ENGLAND JANET: M.Ray@uk.ac.clp Internet/BitNet/EARN: M.Ray@clp.ac.uk uucp: ...!ukc!clp.ac.uk!M.Ray