Vulnerability Development mailing list archives
Re: Covert Channels
From: Alex Tibbles <alex_tibbles () yahoo co uk>
Date: Thu, 17 Oct 2002 09:50:59 +0100 (BST)
--- kam <kam () aversion net> wrote:
On Wed, Oct 16, 2002 at 03:08:49PM -0700, Jeremy Junginger said sometin like...Has anyone had success in creating a program thatuses IP/TCP/UDP/ICMP
... etc.
Many people have discussed this concept, but nothing has ever taken form. The problem with your idea is that it will never work for the actual exploitation of a system or network. If you plan on using this medium as a communication channel, that's one thing, but you will never get a host machine to respond to options in these fields. The endpoint machine's IP stack is going to junk any data within those fields, as they are not pertinent to that particular machine (especially if it's crap, ie, something not supposed to be in that field.) In order to get a host machine to pull this out of the packet and USE it, you'd have to re-write the IP stack for that machine. If you can replace an IP stack on a machine, there's no good reason to be doing it in the first place, as you've already got root (or some form of escalated privs).
this is a fair point. however, the original post mentioned fooling IDS. IDS should not only detect attempted intrusions, but also successfully compromised systems talking to their new masters. this kind of approach will not make the former any harder (for the IDS) but will make the latter harder. im thinking of eg. DDOS clients. an already compromised system (with a newly modified IP stack (OK this is hard)) can report back to its handler via a covert channel.
In order for this concept to be effective against a single host (in the case of attempting to run a remote exploit against a host), you'd have to have a box in the middle with a modified stack to intercept, decode, and not throw away these extra bits of data. Then again, if you can insert a new BOX on a network, you probably aren't worried about using such a complicated method of compromising a host.
again, good point. this approach could allow a cascade effect - compromise 1 host use the compromised host as the end of a tunnel: covert channel->regular TCP, say. then u've got a covert channel to all hosts on the network.
In a network sense- it's almost even more pointless. A router isn't going to understand whatever hidden commands you've got in any field (IP option, ID, generally unused portions of the TCP header, etc) so they will throw it out. Depending on when you do the actual insertion of your data into the packet, chances are at somepoint (if not on your machine, up the line) someone's CRC is going to be off and you're going to lose the packet. Keep in mind that not everyone runs the same network appliances, and all stacks (unless intentionally otherwise) act differently. Some will recalculate the CRC with your data, some will toss your data and recalculate, and others still will just toss your packet. All in all, a kinda cool concept, but completly pointless.
not really. its got applications, as ive outlined. IDS needs to be capable of looking in such covert channels for evidence of intrusions. alex __________________________________________________ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com
Current thread:
- RE: Covert Channels, (continued)
- RE: Covert Channels Ofir Arkin (Oct 18)
- RE: Covert Channels Michal Zalewski (Oct 18)
- Re: Covert Channels David Litchfield (Oct 18)
- Re: Covert Channels Michal Zalewski (Oct 18)
- RE: Covert Channels Ofir Arkin (Oct 19)
- RE: Covert Channels Michal Zalewski (Oct 19)
- Re: Covert Channels Dragos Ruiu (Oct 21)
- Re: Covert Channels Roland Postle (Oct 22)
- RE: Covert Channels Roland Postle (Oct 21)
- Re: Covert Channels Roland Postle (Oct 17)
- RE: Covert Channels Jeff Nathan (Oct 19)
- RE: Covert Channels Dom De Vitto (Oct 19)