Janko33 (n00b)
Joined: 06 Mar 2004 Posts: 17
Posted: Tue Apr 19, 2005 9:29 am Post subject: Stop execution of the file via firewall (riddle)

A script executes a file which is located on a mounted drive. The mounted drive is on a computer with a Windows OS somewhere in a network. You have to stop execution of the file. It has to be done via a firewall (iptables). Can it be done? How?
ToeiRei (Veteran)
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Apr 19, 2005 9:38 am Post subject:

A firewall can only prevent traffic.
It is impossible to prevent execution of binaries on the firewall without manipulating the protocol.
Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
Janko33 (n00b)
Joined: 06 Mar 2004 Posts: 17
Posted: Tue Apr 19, 2005 9:44 am Post subject:

So how do I stop any traffic related to the execution of the file? (The file is located on a computer which is connected to the local LAN.)
ToeiRei (Veteran)
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Apr 19, 2005 9:58 am Post subject:

There is no traffic related to execution.
You can only block the whole SMB traffic.
An idea would be preventing that with mount options on the client, if that is possible.
Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
Janko33 (n00b)
Joined: 06 Mar 2004 Posts: 17
Posted: Tue Apr 19, 2005 10:21 am Post subject:

So I cannot block SMB traffic related to that file only, filter it or something.
ToeiRei (Veteran)
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Apr 19, 2005 10:30 am Post subject:

No.
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
Janko33 (n00b)
Joined: 06 Mar 2004 Posts: 17
Posted: Tue Apr 19, 2005 10:38 am Post subject:

Can I somehow detect through the network traffic when the file is executing, so I stop the SMB traffic right after?
rex123 (Apprentice)
Joined: 21 Apr 2004 Posts: 272
Posted: Tue Apr 19, 2005 11:32 am Post subject:

You could get hold of something that will capture network traffic (e.g. Ethereal). Start capturing, execute the remote file, then analyse the captured traffic. If there's anything identifiable in the traffic that you can work on with a firewall, then you might be able to do what you want. Bear in mind that the firewall knows what protocol is being used, and what IP addresses are being used, but you can't make firewall rules based on the *content* of the data within the SMB protocol (at least, I don't think you can).
This will be an interesting learning experience, but I expect you will finally conclude that ToeiRei is right.
sevo (Tux's lil' helper)
Joined: 12 Mar 2005 Posts: 79
Posted: Tue Apr 19, 2005 11:40 am Post subject:

In theory you can of course filter the protocol used to transfer the file - anything can be filtered, given the right tool. But that would imply much more than "close all SMB traffic if someone attempts to open that file" - for one, you can't safely determine whether the file is being accessed by trivial packet inspection (so you'd need much more than an iptables packet filter); for the other, you can't really want to interrupt everything in response, as that would enable worse attacks than a mere file execution, so you'd have to track the state of the SMB session even after determining the file access.
Right now, there is no such thing as the stateful SMB proxy you'd need to deal with the above issues - you would have to write one. Given the reverse engineering issues and general nastiness of SMB/CIFS, that would amount to a nice collaborative project for the master's theses of an entire CS class, or a year or more of work for an individual with firm network file system expertise.
That is, the effort (and its impact on performance and network operability) would be way out of proportion to normal server-side methods, from access control to removing that file.
Sevo
ToeiRei (Veteran)
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Apr 19, 2005 11:46 am Post subject:

An idea for preventing access to cmd.exe would be
Code:
iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 139 -m string --string "cmd.exe"
but this also prevents file listings (that would be dropping every packet with the matching string) - beware of protocol violations.
Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
Janko33 (n00b)
Joined: 06 Mar 2004 Posts: 17
Posted: Tue Apr 19, 2005 12:50 pm Post subject:

The last post could help, I will try it.
ToeiRei (Veteran)
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Apr 19, 2005 12:56 pm Post subject:

The string should be the binary code of the executable which should be prevented.
But I do not give any warranty that it works.
BTW - you will have to patch your kernel and iptables with the latest patch-o-matic from iptables.org.
Rei
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
Janko33 (n00b)
Joined: 06 Mar 2004 Posts: 17
Posted: Tue Apr 19, 2005 1:17 pm Post subject:

And I thought it would be easy, but I will look for help around the string thing.
ToeiRei (Veteran)
Joined: 03 Jan 2005 Posts: 1191 Location: Austria
Posted: Tue Apr 19, 2005 1:57 pm Post subject:

I've never said it would be easy. Opening the executable which should be blocked with a text editor should give you strings.
_________________
Please stand by - The mailer daemon is busy burning your messages in hell...
mekong (Tux's lil' helper)
Joined: 23 Apr 2004 Posts: 93 Location: Rdam - NL - EU
Posted: Tue Apr 19, 2005 2:18 pm Post subject:

Hi, you could add the "noexec" option when you mount the network drive to disable execution.
"mount device mountpoint -o noexec" or just add noexec in the file /etc/fstab
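The client-side control mekong describes can be audited rather than just applied. The script below is an added example, not code from this thread or from any project: it parses the /proc/mounts format the Linux kernel exposes (device, mountpoint, fstype, options, dump, pass; spaces in paths escaped as \040), lists network file system mounts that lack noexec, and builds a corrected option string. It goes a little beyond the post by also adding nosuid and nodev, the usual companions of noexec. The mount table embedded in it is constructed for the demonstration.

```python
"""Report network file system mounts that lack noexec (added example, not from the thread)."""

# File system types treated as network shares in this audit.
NETWORK_FS = {"cifs", "smbfs", "smb3", "nfs", "nfs4"}

# Constructed sample in /proc/mounts format; \040 is how the kernel escapes a space.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
//fileserver/share /mnt/share cifs rw,relatime,vers=3.0,noexec,nosuid,nodev 0 0
//fileserver/tools /mnt/tools cifs rw,relatime,vers=3.0 0 0
//fileserver/old\\040data /mnt/old\\040data smbfs rw,relatime 0 0
nas:/export /mnt/nfs nfs rw,relatime,vers=3 0 0
"""


def unescape_mount_field(field: str) -> str:
    """Decode the three-digit octal escapes (\\040 for space, \\011 for tab, ...) used in /proc/mounts."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 4 <= len(field) and all(c in "01234567" for c in field[i + 1:i + 4]):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text: str):
    """Yield (device, mountpoint, fstype, options) per mount line; options is a set of strings."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        device, mountpoint, fstype, options = parts[:4]
        yield (unescape_mount_field(device), unescape_mount_field(mountpoint),
               fstype, set(options.split(",")))


def executable_network_mounts(text: str) -> list:
    """Mountpoints of network file systems whose options do not include noexec."""
    return [mp for _dev, mp, fstype, opts in parse_mounts(text)
            if fstype in NETWORK_FS and "noexec" not in opts]


def hardened_options(options: str) -> str:
    """Return the option string with noexec, nosuid and nodev present exactly once."""
    opts = [o for o in options.split(",") if o]
    for needed in ("noexec", "nosuid", "nodev"):
        if needed not in opts:
            opts.append(needed)
    return ",".join(opts)


if __name__ == "__main__":
    # On a real host read open("/proc/mounts").read() instead of the constructed sample.
    for _dev, mp, fstype, opts in parse_mounts(SAMPLE_MOUNTS):
        if fstype in NETWORK_FS and "noexec" not in opts:
            print(f"{mp} ({fstype}) allows execution; suggested options: "
                  f"{hardened_options(','.join(sorted(opts)))}")
```

noexec stops the kernel from executing files from that mount directly; it does not stop an interpreter on the client from reading a script off the share, nor a user from copying the file to a local disk first. It is a client-side setting, so it addresses the original question only where the client is under your control.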
ScRaTcHi (n00b)
Joined: 21 Dec 2004 Posts: 62
Posted: Fri May 20, 2005 11:43 am Post subject:

A note:
Each file executed over the network is first copied into the client's paging file before execution, since Windows version 95.
Another note:
All Windows executable files (.EXE) have an 'MZ' header (the first two bytes in that file). Pure Windows 32-bit executable files compiled with most modern compilers contain the text 'This program cannot be run in DOS mode.' or 'This program must be run under Win32'. That might help you filter those files using appropriate iptables matches.
_________________
ScRaTcHi
-----------------------------------------------------------
Never trust an operating system you don't have sources for.
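ScRaTcHi's markers (the 'MZ' header and the DOS-stub text) and ToeiRei's iptables -m string rule both look for a fixed byte string, and sevo's objection is that trivial packet inspection cannot do this safely. The script below is an added example, not code from this thread or from any project: it builds a constructed PE-like blob (header fields and stub text only, no program code), checks it structurally via the e_lfanew pointer, and runs the same string match two ways, per packet as a stateless filter does and over the reassembled stream. The directory-listing line is also constructed, to show the side effect ToeiRei warns about.

```python
"""Spot a Windows PE image in a byte stream and show where per-packet string matching breaks (added example)."""

MZ_MAGIC = b"MZ"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
PE_MAGIC = b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed PE-like blob: 64-byte DOS header, stub text, then the PE signature. No code inside."""
    dos_header = bytearray(MZ_MAGIC + b"\x00" * 62)          # exactly 0x40 bytes
    stub = b"\x00" * 14 + DOS_STUB_TEXT + b"\r\r\n$\x00"       # padding plus the message
    pe_offset = len(dos_header) + len(stub)
    dos_header[0x3C:0x40] = pe_offset.to_bytes(4, "little")  # e_lfanew field
    return bytes(dos_header) + stub + PE_MAGIC + b"\x00" * 32


def looks_like_pe(data: bytes) -> bool:
    """Structural check: MZ magic and e_lfanew pointing at a valid 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def split_into_packets(data: bytes, size: int) -> list:
    """Chop a stream into fixed-size segments, standing in for TCP segmentation."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def matches_per_packet(packets, needle: bytes) -> bool:
    """Stateless match, like a per-packet string rule: each packet is inspected on its own."""
    return any(needle in pkt for pkt in packets)


def matches_reassembled(packets, needle: bytes) -> bool:
    """Stream-aware match: the needle may straddle a packet boundary."""
    return needle in b"".join(packets)


# Constructed directory-listing text that a plain "cmd.exe" string rule would also drop.
LISTING = b"Name: cmd.exe   Size: 302592   Modified: 2005-04-19\r\n"


def demo() -> dict:
    """Run every check on the constructed inputs and return the outcomes for comparison."""
    blob = build_fake_pe()
    packets = split_into_packets(blob, 100)  # the stub text spans packets 0 and 1
    return {
        "whole_blob_is_pe": looks_like_pe(blob),
        "stub_per_packet": matches_per_packet(packets, DOS_STUB_TEXT),
        "stub_reassembled": matches_reassembled(packets, DOS_STUB_TEXT),
        "listing_matches_string": b"cmd.exe" in LISTING,
        "listing_is_pe": looks_like_pe(LISTING),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two failure modes are the ones the thread names: a string that straddles a segment boundary is missed by a per-packet match (a false negative), and a directory listing that merely mentions the file name is dropped by it (a false positive, the "file listings" problem). Doing better means reassembling the SMB stream and parsing the file data out of it, which is the stateful proxy sevo says does not exist off the shelf.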