Re: Covert Channels

[Alex Tibbles <alex_tibbles () yahoo co uk>]

 --- kam <kam () aversion net> wrote: 

> On Wed, Oct 16, 2002 at 03:08:49PM -0700, Jeremy
> Junginger said sometin like...
> > Has anyone had success in creating a program that
> uses IP/TCP/UDP/ICMP
... etc.

> Many people have discussed this concept, but nothing
> has ever taken form. 
>
> The problem with your idea is that it will never
> work for the actual
> exploitation of a system or network. If you plan on
> using this medium as a
> communication channel, that's one thing, but you
> will never get a host
> machine to respond to options in these fields. 
>
> The endpoint machine's IP stack is going to junk any
> data within those
> fields, as they are not pertinent to that particular
> machine (especially if
> it's crap, ie, something not supposed to be in that
> field.)
>
> In order to get a host machine to pull this out of
> the packet and USE it,
> you'd have to re-write the IP stack for that
> machine. If you can replace an
> IP stack on a machine, there's no good reason to be
> doing it in the first
> place, as you've already got root (or some form of
> escalated privs). 
this is a fair point. however, the original post
mentioned fooling IDS. IDS should not only detect
attempted intrusions, but also successfully
compromised systems talking to their new masters. this
kind of approach will not make the former any harder
(for the IDS) but will make the latter harder.
im thinking of eg. DDOS clients. an already
compromised system (with a newly modified IP stack (OK
this is hard)) can report back to its handler via a
covert channel.


> In order for this concept to be effective against a
> single host (in the case
> of attempting to run a remote exploit against a
> host), you'd have to have a
> box in the middle with a modified stack to
> intercept, decode, and not throw
> away these extra bits of data. Then again, if you
> can insert a new BOX on a
> network, you probably aren't worried about using
> such a complicated method
> of compromising a host. 
again, good point. this approach could allow a cascade
effect - compromise 1 host use the compromised host as
the end of a tunnel: covert channel->regular TCP, say.
then u've got a covert channel to all hosts on the
network.

> In a network sense- it's almost even more pointless.
> A router isn't going to
> understand whatever hidden commands you've got in
> any field (IP option, ID,
> generally unused portions of the TCP header, etc) so
> they will throw it out.
> Depending on when you do the actual insertion of
> your data into the packet,
> chances are at somepoint (if not on your machine, up
> the line) someone's CRC
> is going to be off and you're going to lose the
> packet. Keep in mind that
> not everyone runs the same network appliances, and
> all stacks (unless
> intentionally otherwise) act differently. Some will
> recalculate the CRC with
> your data, some will toss your data and recalculate,
> and others still will
> just toss your packet.
>
> All in all, a kinda cool concept, but completly
> pointless.
not really. its got applications, as ive outlined. IDS
needs to be capable of looking in such covert channels
for evidence of intrusions.

alex

__________________________________________________
Do You Yahoo!?
Everything you'll ever need on one web page
from News and Sport to Email and Music Charts
http://uk.my.yahoo.com