Full Disclosure mailing list archives

Interesting idea for a covert channel or I just didn't research enough?

From: "PASTOR ADRIAN" <M123303 () Richmond ac uk>
Date: Thu, 6 Oct 2005 10:06:24 +0100

Sometime ago I thought of the following idea for a covert channel. Although the idea of covert channels is *not* new at
all, I couldn't find anything in Google related to the following method of implementing a covert channel.

The scenario is the following. The victim is a host with a host-level firewall which is blocking *all* incoming
traffic. Somehow the attacker still needs to communicate with a backdoor planted in this host. Use a reverse shell and
job done, you might say.

Actually, there is another way which I thought would be more creative (IMHO).

It works like this: the backdoor enables logging in the host-level firewall for all dropped packets, say Windows XP SP2
Firewall. Then the backdoor receives commands from the attacker by interpreting the properties of the dropped packets
which were logged by the firewall. In other words, the backdoor is constantly reading the logs and parsing commands
which were sent by the attacker embedded in packets which are being dropped (but logged) by the firewall.

attacker sends packets -> packets are dropped by firewall -> packets properties are captured in logs -> backdoor reads
logs and finds encoded commands -> commands are executed

Now, for the way the backdoor would reply back to the victim is really up to you. One method that comes to my mind is
by posting the responses to a PHP script which is located in some free-hosting webpage. The attacker would then access
this webpage.

Please, if you know anything related to backdoors intercepting commands from log files send me some links. Ideas,
comments and flames are more than welcome :-) .

Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM
www.adrianpv.com
www.ikwt.com (In Knowledge We Trust)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Interesting idea for a covert channel or I just didn't research enough? PASTOR ADRIAN (Oct 06)
- Re: Interesting idea for a covert channel or I justdidn't research enough? phased (Oct 06)
- Re: Interesting idea for a covert channel or I just didn't research enough? Bernhard Mueller (Oct 06)
- Re: Interesting idea for a covert channel or I just didn't research enough? Mario 'BitKoenig' Holbe (Oct 06)
- Re: Interesting idea for a covert channel or I just didn't research enough? Michael Holstein (Oct 06)
  - Re: Interesting idea for a covert channel or I just didn't research enough? Kevin Wilcox (Oct 06)
- Re: Interesting idea for a covert channel or I just didn't research enough? mudge (Oct 06)
  - Re: Interesting idea for a covert channel or I just didn't research enough? foofus (Oct 06)
    - Re: Interesting idea for a covert channel or I just didn't research enough? mudge (Oct 06)
    - RE: Interesting idea for a covert channel or I justdidn't research enough? Paul Melson (Oct 06)
- Re: Interesting idea for a covert channel or I just didn't research enough? Jurjen Oskam (Oct 06)

(Thread continues...)