Vulnerability Development mailing list archives
RPC/TCP Record Marking for IDS Evasion
From: diphen () agitation net
Date: Thu, 10 Jan 2002 18:34:38 -0800
Hi - I'm doing some work on parsing RPC protocols as part of my job, and I'm wondering if I've come up with a previously-unknown way of evading IDS for RPC-based attacks.

Let me elaborate: the RPC RFC (1831) defines a Record Marking (RM) standard for RPC running over stream-based protocols such as TCP. This is necessary because you can have multiple RPC calls and responses in a single TCP stream. So RPC defines a Record as a 4-byte quantity and some amount of data. The high-order bit of the initial 4 bytes is the Last Fragment flag, and the remaining 31 bits supply the length of the Record. There is no limitation placed on the number of Fragments within a Record.

So... The obvious question: What's an IDS that doesn't fully process RPC going to do if I split up my, say, buffer overflow, across 2 RPC Fragments? Or, to take it further, what if I split my attack into 5-byte chunks, with 4 bytes of Record Marker between them?

Theoretically (untested) a proper RPC implementation on a system shouldn't have any trouble dealing with this; however, it would completely obfuscate the stream from the perspective of anyone trying to do a string match. But you wouldn't necessarily see anything else weird, since I could send normally-sized packets containing the traffic. The fragmentation and insertion of RMs is only known to the RPC implementation on the target machine.

Any thoughts?

diphen
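The record reassembly an RPC-aware detector needs in order not to be blinded by this, as an added example (not code from the post or from any IDS): it implements the RFC 1831 record-marking header the post describes, and the signature bytes and message contents are constructed placeholders.

```python
import struct

LAST_FRAGMENT = 0x80000000  # high-order bit of the 4-byte record marker
LENGTH_MASK = 0x7FFFFFFF    # remaining 31 bits: fragment length

def split_records(stream: bytes) -> list:
    """Reassemble record-marked RPC messages from a TCP byte stream.

    Each fragment is a 4-byte big-endian marker followed by that many bytes;
    a record is the concatenation of fragment bodies up to and including
    the one whose Last Fragment bit is set. Raises on a truncated stream.
    """
    records, current, pos = [], bytearray(), 0
    while pos < len(stream):
        if pos + 4 > len(stream):
            raise ValueError("truncated fragment header")
        (marker,) = struct.unpack("!I", stream[pos:pos + 4])
        last, length = bool(marker & LAST_FRAGMENT), marker & LENGTH_MASK
        body = stream[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated fragment body")
        current += body
        pos += 4 + length
        if last:
            records.append(bytes(current))
            current = bytearray()
    if current:
        raise ValueError("stream ended inside a record")
    return records

def fragment_record(payload: bytes, chunk: int) -> bytes:
    """Encode one record as fragments of at most `chunk` bytes (constructed
    sender side, so the example can show both views of the same bytes)."""
    out = bytearray()
    for i in range(0, len(payload), chunk):
        piece = payload[i:i + chunk]
        flag = LAST_FRAGMENT if i + chunk >= len(payload) else 0
        out += struct.pack("!I", flag | len(piece)) + piece
    return bytes(out)

SIGNATURE = b"A" * 16  # constructed placeholder pattern a string matcher looks for

def naive_match(stream: bytes) -> bool:
    """String match on the raw TCP bytes, markers included."""
    return SIGNATURE in stream

def reassembled_match(stream: bytes) -> bool:
    """String match on each reassembled record, markers stripped."""
    return any(SIGNATURE in rec for rec in split_records(stream))

if __name__ == "__main__":
    msg = b"call-hdr" + SIGNATURE + b"tail"  # constructed message body
    print(naive_match(fragment_record(msg, 5)), reassembled_match(fragment_record(msg, 5)))
```

With 5-byte fragments the raw-bytes matcher misses the pattern while the reassembling one finds it; with a single fragment both match.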
Current thread:
- RPC/TCP Record Marking for IDS Evasion diphen (Jan 11)
- Re: RPC/TCP Record Marking for IDS Evasion Robert Freeman (Jan 11)
- Re: RPC/TCP Record Marking for IDS Evasion Dug Song (Jan 12)
- Re: RPC/TCP Record Marking for IDS Evasion Jeff Nathan (Jan 12)