Snort mailing list archives
RE: Antwort: RE: Snort-Machine = Security Hole?
From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Thu, 12 Jul 2001 13:43:29 -0500
It doesn't open an active connection to the Internet. I guess I'm expanding the term "root exploit" to cover someone's ability to get your system to run his code with root privileges. A worm that got onto your Snort sensor would try to contact its master, but it would also branch out to any other systems it can find. Yes, I would add LIDS and running Snort chroot'd as additional layers to protect against this.

The main problem for this exploit is how to get the standard code for a rootkit onto this isolated computer. How do I tell a computer that can't talk to me to do my bidding? I contend that the only missing ingredient is a Snort exploit.

Let's assume this simplified scenario: a Snort sensor in your DMZ, on a hardened *nix box, transmit wire cut on the DMZ side, but connected to your intranet. No default route, firewall rule to block any traffic from your Snort sensor.

I find a buffer overflow in Snort and am able to use this to execute short commands on Snort boxes. If you've set up Snort to respawn, then I can send the commands one at a time; otherwise I've got to fit them into the overflow. By sending a packet that causes the overflow, I run a new instance of snort listening on common network interfaces (or "any") and tell this snort to log all traffic from my computer to a binary file. I send packets containing my rootkit to the target network, which the new instance of Snort dutifully saves to disk for me. I use some method for converting this binary log to the original .tgz file. I send commands to install the rootkit. The main limitation here is how much shell-code I can pack into the overflow packets.

Now I have a remote attack machine that can execute scripted attacks against your Intranet. If you've been good and implemented more layers to protect your Intranet, then good for you.

Once again:
1. This is not Snort specific. Substitute tcpdump or possibly Netranger and you end up with similar issues.
2. It's all highly theoretical (until it gets implemented).

Owen

-----Original Message-----
From: Ramin Alidousti [mailto:ramin () cannon eng us uu net]
Sent: Thursday, July 12, 2001 12:51 PM
To: Crow, Owen
Cc: 'ks () schuricht de'; snort-users () lists sourceforge net
Subject: Re: Antwort: RE: [Snort-users] Snort-Machine = Security Hole?

Please help me understand this: if you don't have connectivity to the Internet (by means of the lack of a default gateway, or blocking the Internet connectivity on the firewall, ...) how can a buffer overflow exploit give an attacker an active remote root session? In such a case, a buffer overflow exploit should install and run a locally executed program on the snort box with no interaction with the outside world, right?

At any rate, could LIDS be of any help (at least for linux boxes)?

Ramin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
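The step in Owen's scenario that does the work is "converting this binary log to the original .tgz": the sensor only captures, so anything the attacker addresses into the network lands on its disk, and the rest is parsing. The Python below is an added example, not code from the post, from Snort, or from anyone in this thread, and it models that step end to end. The sensor side reads a libpcap-format log and rebuilds a file from numbered UDP chunks sent by one source address; because the path is one way and nothing can be acknowledged, the sender numbers every chunk, carries a whole-file CRC-32, and sends everything twice, and the receiver tolerates duplicates, reordering and unrelated traffic in the same log but reports which chunks never arrived. The chunk header (magic, sequence, total, CRC), the addresses 203.0.113.7 and 192.168.1.10, the ports and the 700-byte "file" are all constructed for the demo.

```python
import random
import struct
import zlib

# libpcap framing: the "binary file" the second snort instance writes
PCAP_MAGIC = 0xA1B2C3D4

def pcap_blob(frames):
    """Little-endian libpcap file in memory, Ethernet link type, constructed timestamps."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 994960000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_pcap_frames(blob):
    """Yield each record's captured bytes; a truncated final record is ignored."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(blob):
        incl_len = struct.unpack_from("<IIII", blob, off)[2]
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len

def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet II / IPv4 / UDP; the UDP checksum is left 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("deadbeef0001deadbeef00020800")  # dst MAC, src MAC, IPv4
    return eth + ip + udp

def udp_payload(frame, from_ip):
    """UDP payload if the frame is IPv4/UDP from from_ip, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17 or ".".join(str(b) for b in frame[26:30]) != from_ip:
        return None
    udp_off = 14 + ihl
    udp_len = struct.unpack_from("!H", frame, udp_off + 4)[0]
    return frame[udp_off + 8:udp_off + udp_len]

# The one-way transfer: numbered chunks, whole-file CRC, no acknowledgements
MAGIC = b"XFER"                 # constructed marker that makes chunks findable in the log
HDR = struct.Struct("!HHI")     # seq, total chunks, CRC-32 of the whole file
CHUNK = 48

def make_chunks(data, chunk=CHUNK):
    total = -(-len(data) // chunk)
    crc = zlib.crc32(data)
    return [MAGIC + HDR.pack(i, total, crc) + data[i * chunk:(i + 1) * chunk]
            for i in range(total)]

def reassemble(blob, from_ip):
    """Return (data, missing): the verified file, or None plus the sequence numbers
    never seen.  Duplicates and reordering are absorbed by keying on the sequence."""
    chunks, total, crc = {}, None, None
    for frame in iter_pcap_frames(blob):
        p = udp_payload(frame, from_ip)
        if p is None or len(p) < 4 + HDR.size or p[:4] != MAGIC:
            continue                  # unrelated traffic that also landed in the log
        seq, n, c = HDR.unpack_from(p, 4)
        if total is None:
            total, crc = n, c
        elif (n, c) != (total, crc) or seq >= total:
            continue                  # a different transfer or a mangled header
        chunks.setdefault(seq, p[4 + HDR.size:])
    if total is None:
        return None, []
    missing = [i for i in range(total) if i not in chunks]
    if missing:
        return None, missing
    data = b"".join(chunks[i] for i in range(total))
    if zlib.crc32(data) != crc:
        raise ValueError("all chunks present but CRC-32 does not match")
    return data, []

# Constructed capture: addresses, ports and file contents are all made up
ATTACKER = "203.0.113.7"        # "my computer" in the post (TEST-NET-3)
TARGET = "192.168.1.10"         # an intranet host the packets are addressed to
_rng = random.Random(1)
FILE_BYTES = bytes(_rng.randrange(256) for _ in range(700))   # stand-in for the .tgz

def build_capture(drop_seq=None, seed=2001):
    """Every chunk sent twice, shuffled, mixed with unrelated traffic; drop_seq
    models a chunk that never arrived and that nobody can ask for again."""
    chunks = [c for i, c in enumerate(make_chunks(FILE_BYTES)) if i != drop_seq]
    frames = [udp_frame(ATTACKER, TARGET, 40000, 53, c) for c in chunks] * 2
    frames.append(udp_frame("198.51.100.9", TARGET, 1234, 53, b"unrelated traffic"))
    frames.append(udp_frame(ATTACKER, TARGET, 40001, 53, b"not-a-chunk"))
    random.Random(seed).shuffle(frames)
    return pcap_blob(frames)

if __name__ == "__main__":
    print("full capture ok:", reassemble(build_capture(), ATTACKER)[0] == FILE_BYTES)
    print("one chunk lost:", reassemble(build_capture(drop_seq=3), ATTACKER))
```

The point for a defender is the one Owen makes: a no-default-route, egress-filtered sensor stops the attacker from getting a session, not from getting bytes onto the box, because a sniffer receives everything addressed past it. The second instance of snort in the scenario is just a file writer, and the code above is all the attacker needs on the outside. That puts the weight on the controls that govern execution on the sensor itself, such as the chroot and LIDS layers mentioned in the thread, rather than on the network isolation alone.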
Current thread:
- Antwort: RE: Snort-Machine = Security Hole? ks (Jul 12)
- Re: Antwort: RE: Snort-Machine = Security Hole? Daniel Voyer (Jul 12)
- <Possible follow-ups>
- RE: Antwort: RE: Snort-Machine = Security Hole? Crow, Owen (Jul 12)
- Re: Antwort: RE: Snort-Machine = Security Hole? Ramin Alidousti (Jul 12)
- RE: Antwort: RE: Snort-Machine = Security Hole? Crow, Owen (Jul 12)
- Re: Antwort: RE: Snort-Machine = Security Hole? Ramin Alidousti (Jul 12)
- RE: Antwort: RE: Snort-Machine = Security Hole? Steve Hutchins (Jul 12)
- RE: Antwort: RE: Snort-Machine = Security Hole? Frank Knobbe (Jul 12)
- Re: Antwort: RE: Snort-Machine = Security Hole? Ramin Alidousti (Jul 12)