WnSoft Forums

run application action security


tom95521

sorry, still learning how to use this cool program.

Is there something I'm missing or can anyone post a pictures2exe .exe file to a web site that deletes files off my hard drive?

I created a sample button (or transition/end of show) that can delete files.

shouldn't the cmd /c or cmd /k, format, fdisk ... not be allowed, or do we trust the public hosted presentations?

windows xp home edition

beta 4.4 v3

tom

Link to comment
Share on other sites

I like downloading the sample slideshows from the web. It gives me ideas on how I want to create my own slideshows. At the same time I don't want to worry about what possible commands are being run on my computer. I'm sure there is a way to fix this so I can sleep at night (it's 12:27 am local time :-).

The cmd window pops up briefly, but there is probably a way to disguise it by running another window on top or something as devious.

tom

Link to comment
Share on other sites

Tom,

Thanks to you now we are all losing sleep! :unsure:

I didn't realize that PTE would accept command line instructions other than the number of the image to jump to when calling in another pte file. Was this capability there before Igor added the new "go to slide #" feature?

Link to comment
Share on other sites

Tom,

An excellent question!

I’m sure most folk hadn’t thought of this but should it happen then it would change immediately the current cordial of sites such as Beechbrook. I don’t think anyone has experienced malicious code yet otherwise it would undoubtedly have been flagged up on this forum.

Perhaps the global user group of P2E is too small to be of interest to virus writers and malicious hackers.

Link to comment
Share on other sites

COMMAND LINE FUNCTION

To:-

Al Robin, Steve S, Tom95521

I have followed this 'thread' with more than mild interest. Since downloading the latest "upgrades" to InterNet Explorer 6 (5 days ago) - strange things have been happening with my trusty '98 which is virtually 'bullet-proof'.

Example: 1

Just yesterday I sent 'Al Robins' two tiny PTE Programs for his evaluation - the PC sent an entirely different Program, unknown to me - I only twigged it because I have a 'bad habit' of double checking what I send.

Example: 2

I stand behind a '3-Comm Hardware Firewall' and Norton A/V and 'XoftSpy Utility' and it's well known in the Trade that "Win 98's" DON'T AUTO-COMMUNICATE like XP and 2000. Well, guess what, this PC did despite all our armament - so I started to do some 'detective work' as to why ?

Results so Far.

Xoft Spy is one of the best Anti-Spyware utilities around, sure it costs, but what price Security?

Well the program detected 'Alexa' and a Registry Key and Registry Value - These bear the trademark of a Microsoft Cookie - but in this case it's a Registry key which XoftSpy deletes Except every time you start the PC back it comes. Also it has come to my attention that the latest IE.6.Upgrade for '98's' is in fact an XP Product and sure enough it comes with the "Auto-Comms Utility" highly upgraded from what it was.

Now I am trying to find the "Auto-Comms Key" and disable it - I certainly don't want my "PTE Shows" or anything else on my PC being broadcast behind my back -

So if anyone has experience with finding "Hidden Keys" (and it is hidden) please advise us all.

Brian.Conflow.

Link to comment
Share on other sites

Correction - Previous Post

Following on from my previous post concerning the latest "IE.6 Upgrades" for Win '98 and that in reality it's an XP Product ...and strange things are happening...

In fact it was an aberration in my PC.System which caused the incorrect file to be sent out to Al Robins..

Having downloaded the IE.6 upgrade I forgot to 'run' the IE.Repair Program (a feature of '98) whereafter this 'defect' disappeared - one would think an 'upgrade' would leave things in a pristine condition - not so !

This also brings up the problems with 'Ndisuio.Sys' installed on XP and 2000, whereas if you are having unusual IE activity the chances are that a Trojan or a Hijacker has gained access to your Home/Search page. Invariably they go after the 'Ndisuio.Sys' utility on your PC which is quite capable of 'Transmitting to the Net' without your knowledge.

This 'utility' can be disabled on XP & 2000 - it's worth checking that it's not active particularly after an IE.6 Upgrade.

I would like to add that this has nothing to do with PTE which another reader questioned !

Brian.Conflow.

Link to comment
Share on other sites

I did a little more experimenting and was able to create and delete files on the computer. So theoretically someone could create a script file over multiple slides and run it on another slide! Not good.

I'm hoping the playback engine in the .exe can be updated to give us the option to play or disable external applications spawned by p2e.

tom

Link to comment
Share on other sites

SECURITY PROBLEM (2)

Tom, following up on your 'security fear' concerning PTE - yes it is possible for someone to use a JPeg Image for malicious purposes.

This has nothing to do with 'PTE' or other AV Programs such as 'PhotoGold' or 'Magix PhotoStory' or many more such likes Programs.

It has everything to do with the 'JPeg Image' itself and it's not alone in this field, and I think you accidentally discovered this 'anomaly' so some simple explanations may be in order.

No 1.

The JPeg Image is a 'compressed image' of a chosen quality on a scale of 1 to 10 - the higher the number the better the quality and as you know the JPeg is usually derived from a Bitmap Image with the use of...'Save As'... The compression algorithm code is written into the Image for subsequent control of Image on your PC.

No 2

Unknown to most 'AV User' one can write code and script into the Image for other control purposes - This can be experienced in Web Sites where one simply "clicks on" a Photo to make an enlargement - there are many other functions one can perform through the Image.

No 3

Unknown to the General Public but used by an 'elite few' one can "Encrypt" a JPeg with a full blown Word Document whereby the 'Encryptionation' is unknown to the Writer and the Reader where after the Reader must be in receipt of the 'Encryptionation Program' before the document can be extracted. It doesn't stop there because the Encrypt Program can generate millions of random ciphers known only to itself - but each one that it uses is numerically tagged for a particular Document extraction.

All this is totally invisible to any Web User and for that matter any PTE User or JPeg User -

To combat this your "Anti-Virus" Program must be set up for "Script Blocking" a la 'Norton' etc, etc;

So you now know how absolutely vital it is for one to keep their AV.Definitions up to date.

Hope these simple explanations 'allay' your fears - thankfully the "A/V People" are well on top of this.

Brian.Conflow.

Link to comment
Share on other sites

Hi Brian,

I interpreted the original post to mean that there was a potential for the "run external exe" facility in P2E to be abused by someone with malicious intent, i.e. they could include an instruction to run a damaging exe in a P2E slideshow.

I am not clear why his fears should be allayed by your explanation about the potential misuse of jpegs.

Could you clarify whether you believe his fears are or are not valid?

Thanks

Malcolm

Link to comment
Share on other sites

I have requested wnsoft tech support to comment on potential security problems back to this forum.

I really like the program, and want to recommend it to others without reservations. I find this program to be a very good method to display photos taken with my digital camera. I also enjoy looking at slideshows that other people have created.

If nothing else, it might be nice to request an enhancement to the software so that we can run slideshows with a safe mode option of some type, that disables the launching of external apps. I think if they add the pan&zoom effect that everyone wants, this software will grab a much larger % of the slideshow market.

thanks,

tom

Link to comment
Share on other sites

May I comment on the risk factor that ‘tom95521’ has so kindly pointed out ~ it would appear that many of you are not taking this issue seriously.

Although I am not a programmer, and therefore cannot even START to imagine what could be achieved by someone with malicious intent, I can clearly see that the ‘Run External Application’ option is capable of running ‘any’ application at the whim of the author.

I already use this option in PTE myself, for my lecture presentations, to ‘run’ JPG’s (so Photoshop automatically opens up on my PC and the image appears on the screen) or ‘txt’ files (Word opens) or I can open ACDSee, or Corel Draw, or any other program or ‘file type’ that I fancy.

It is entirely possible therefore that someone COULD decide to ‘run’ a harmful application via a PTE slideshow (goodness knows what, or how) but it is certainly not outside the realms of possibility. Despite the fact that this would be unlikely to affect more than a limited number of members (BEECHBROOK slideshow viewers for example) before the word got out that a malicious slideshow existed, and NOT to download the slideshow. But damage COULD be done.

However, I cannot see how this ‘risk’ can be avoided, without removing the ‘Run External Application’ option altogether (something I would hate to see go) ~ maybe the development team would like to pass comment on how they view this issue.

Whilst it is unlikely to bring the world to its knees, I would like to thank ‘tom95521’ for bringing to our attention the potential for misuse of the PTE ‘Run External Application’ option ~ it’s well worth bearing in mind that this risk factor DOES exist.

bjc

Link to comment
Share on other sites

GETTING THIS INTO PERSPECTIVE

Hey Guys,

Take things a little more 'lightly' and stop blowing this 'Security Issue' out of proportion-

YOUR COMPUTER BY ITSELF IS QUITE CAPABLE OF OPENING ALL EXTERNAL APPLICATIONS WITHOUT ANY PTE PROGRAM - HOW MANY TIMES HAVE YOU DOWNLOADED A "PDF or EXE FILE" AND OPENED IT?

AND

Are you absolutely certain that your Computer is not infected with a "Trojan Virus" which is quite happily Transmitting itself from your Computer to many others without your knowledge ?

NONE OF US ARE 'IMMUNE' TO MALICIOUS SCRIPT - SO MAKE SURE YOUR ANTI-VIRUS IS UP TO DATE.

NOW LET'S GET BACK TO ENJOYING PTE.....

Brian.Conflow.

Link to comment
Share on other sites

Hi,

I fail to see which post in this thread is guilty of getting the issue out of proportion. The original post and subsequent comment from the originator seem pretty balanced to me.

Removal of the run external exe facility is obviously not possible but given the wide use of this facility in P2E slideshows the issue is certainly worth knowing about in my view.

Link to comment
Share on other sites

I have requested wnsoft tech support to comment on potential security problems back to this forum.

At one time it was not possible to run external apps with command-line parameters attached. When did this become possible? Was it with the latest beta only? Tom, did you actually test it by running a command line instruction and have it wipe out something? I know you meant well, but you have got a lot of people upset over this.

Even if it is a valid concern, I feel that it is unfair to raise it at this time in the forum, which is read by many users, most of whom do not have the background to assess the seriousness of the claims. I am sure that Igor will respond when the current "Gordian Knot" is sorted out. This is what betas are for - to sort out all these problems, and I am sure Igor will do just that in due course. This type of potential problem, until it actually occurs, should be handled off-line.

There are a number of ways to tackle this, and there is absolutely no reason for people to get upset about it. The solution should be explored fully first before notifying the general user group.

The chances of a malicious attack are very, very slight. First of all, viruses and the like are created by a certain breed of people. They would have to be not only of malicious intent and capability in the first place, but they would also have to know about PTE and also be knowledgeable enough to know about the "external application" capability (if this is indeed possible), and then they would have to upload a show for the PTE "public" to access. In other words they would have to be a pretty dedicated PTE user to start with. Very small odds, in my estimation.

I have personally downloaded every show from Beechbrook, and can certify personally that all of these shows are safe, so let's not get too excited about this "tempest in a teapot" until it is a real problem. My 2-cents, anyway. :)

Link to comment
Share on other sites

We understand the importance of the problem.

1) Please always check up any .EXE files with antivirus before running.

2) Concerning "Run application" action in slide-show.

The solution for now seems to be the creation of a list of potentially dangerous Windows commands that are to be prohibited from executing. For now the dangerous files and commands are the following:

at

attrib

call

cmd

command

copy

del

deltree

erase

for

format

fdisk

move

net

net1

ren

rename

replace

rmdir

rd

recover

regedit

rundll

qstart

start

sys

type

xcopy

regsrv

regedt32

regsvr32

commands with '>' character are also prohibited.

We'll appreciate any suggestions from you concerning this list.

Please don't worry, these commands are not necessary for slide-shows and they *always* should be prohibited in "Run app." action.

Link to comment
Share on other sites
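The check described in the post above (deny a listed command name, and any command containing '>'), written out as an added example; it is not WnSoft's code. The function names, the path/case/extension normalization and the last two sample strings are assumptions made for illustration.

```python
import ntpath

# Deny-list copied from the post above.
DENIED = frozenset("""
at attrib call cmd command copy del deltree erase for format fdisk move net
net1 ren rename replace rmdir rd recover regedit rundll qstart start sys type
xcopy regsrv regedt32 regsvr32
""".split())

# Assumption: extensions stripped before comparing, so "cmd.exe" matches "cmd".
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")


def program_name(action):
    """Normalized base name of the program a Run-application string starts."""
    action = action.strip()
    if action.startswith('"'):                 # quoted path, may contain spaces
        first = action[1:].split('"', 1)[0]
    else:
        first = action.split(None, 1)[0] if action else ""
    base = ntpath.basename(first).lower()      # drop directory, ignore case
    for ext in EXEC_EXTS:
        if base.endswith(ext):
            return base[:-len(ext)]
    return base


def check_action(action):
    """Return (allowed, reason) for one Run-application string."""
    if ">" in action:
        return False, "contains '>'"
    name = program_name(action)
    if not name:
        return False, "empty command"
    if name in DENIED:
        return False, "denied command: " + name
    return True, "not on the deny-list"


# First two strings are the ones quoted in this thread; the rest are constructed.
SAMPLES = [
    r'cmd /c "del c:\dir\filename"',
    r'cmd.exe /c "echo hello > c:\dir\filename"',
    r'C:\WINDOWS\system32\CMD.EXE /c dir',
    r'"C:\Program Files\Viewer\viewer.exe" photo.jpg',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_action(s), s)
```

A deny-list only blocks the names it contains, so any program not listed is still launched; the option to disable external applications altogether, requested earlier in the thread, does not have that gap.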

:o What ! ? :o

:( are you all drunk ? :(

World War III is not coming !!!!

The chance to win a lottery is bigger than to get some malicious file from PTE show.

Hey, remember "members pictures site" ? I suggest we add members fingerprints to the pictures (will be easy for the F.B.I.) and by the way, I heard in China two Virus authors were executed :ph34r::ph34r::ph34r:

Wait a minute.... I hear some noise coming out from my PC... ..I wonder if the show I just downloadeddddd....ddd. .. Help !... Help !!!...

Help..

Hel..

He..

:P:P:P

Link to comment
Share on other sites

hi,

What I created is a sample presentation with a couple of buttons "remove file" and "save file". The first button "remove file" deletes a file and the second button "save file" creates a file on my hard drive. I'm using really basic actions cmd /c "del c:\dir\filename" and cmd.exe /c "echo hello > c:\dir\filename"

Yes you do see a flash when the command window opens for a few milliseconds. I spent maybe 2 minutes creating this presentation, and spent no time trying to make a destructive presentation. I'm not going to delete/modify actual files to verify that it can do damage. It's not a virus, more like a trojan. In a trojan presentation (if possible), the button name might be "print" and when clicked it would delete files from your hard drive or something much more sophisticated. I am not aware of any AV software that would detect such a trojan presentation.

I admit I'm new and clueless as to how members and support staff communicate on this forum. I'm not upset, and hope no one else is either. I apologize to anyone that was offended by my questions or raising undue alarm.

I was hoping somebody from wnsoft support would jump into this thread, but apparently they are all working on the latest beta (which is great by the way).

tom95521 (my postal zip code in N. California).

Link to comment
Share on other sites

Igor's suggestion of not allowing the named list of command files above seems eminently sensible and a good solution to the potential problem.

The fact that no "malicious" user has created such an action button in the past doesn't mean that no-one will try in the future, so thanks to Tom95521 for thinking ahead!

Ian

Link to comment
Share on other sites

Hi Tom

You did just right. Of course anything can be done but I believe all PTE users are honest people. We also have to remember that real malicious files can enter our PC in so many different ways that it is almost impossible to be 100% protected. As one who is very careless and got infected too many times, I always backup my stuff and load to my "Data Traveler" pen all important changes I make every day.

And there is another point: We know who stands behind any PTE show uploaded, and I don't believe any outsider will dare to do anything thinking he will not be found. Today there are very strict laws all over the world and no one will risk himself just to make some damage to a few dozen members who will download his infected show.

Granot

Link to comment
Share on other sites

It looks like the last several posts were probably all being written nearly simultaneously. So I am not quite sure the conclusion to draw.

Tom's heads-up question and example of his concern bring up an important issue. Sure, no one should cover their head and run for the bomb shelter. But Admin Igor may well be able to improve what appears to be a vulnerability.

Igor, are you saying your list of dangerous commands are currently prohibited in PTE's run external application feature? If so, did Tom95521's example escape the prohibition/protection?

When you can further clarify, that will be appreciated - as is all your dedicated work on this fine program. Thank you.

Link to comment
Share on other sites
