Firewall Wizards mailing list archives
Re: Bypassing firewall
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 03 Feb 2000 10:36:43 -0500
Darren writes:
Hmmm. Not sure. Let me explain. If I somehow get an internal box with an agent installed which makes connections outbound on port 80 and only does so in response to a magic email message that I send, then it is highly likely a proxy will dump it if it's not HTTP. Then again, if the end is effectly an in.rshd, compiled with SSL, and *connects* to my rsh process that listens on port 443 (again in response to a magic email), then no magic proxy can determine if it's HTTP or anything else.
Why have anything incoming at all? Why not have it open an outgoing connection every so often to a randomized list of URLs, and, if it gets back a .jpeg (or something that looks like one) strip off the .jpeg header, write it as a .exe file, and run it? Instant downloadable code that will punch past any firewall I know of (except my "ultimate firewall...") It could send data out as email, or in URLs over http. SSL would just cause suspicion. I remember a funny I heard about at a USENIX ages ago where someone had an application that (this was a desperate kludge!) used to manipulate /etc/utmp to encode data so it would go out on the LAN in rwho packets, thereby allowing them to do remote status checks on certain applications. It was the winner in one of the "worst abuses of UNIX" contests someone held (I came in 3rd with my hack of using wc on /dev/mem to get hardware RAM sizes for ULTRIX...)
> No, it's worse. The 'solution' is to disable any protocol > that issues connections which are not immediately tied to > an authentication that isn't performed by a computer. Is that sufficient ? Users are pretty dumb, after all.
Well, the ultimate solution would be to disable all the users... mjr.
Current thread:
- Re: Bypassing firewall Eric Hedberg (Feb 01)
- <Possible follow-ups>
- RE: Bypassing firewall Eckhardt, H.J.R. - DTOMLD (Feb 01)
- RE: Bypassing firewall Marcus J. Ranum (Feb 01)
- Re: Bypassing firewall Darren Reed (Feb 02)
- Re: Bypassing firewall Marcus J. Ranum (Feb 03)
- Re: Bypassing firewall Darren Reed (Feb 03)
- Re: Bypassing firewall Marcus J. Ranum (Feb 03)
- Re: Bypassing firewall Darren Reed (Feb 02)
- Re: Bypassing firewall Kaptain (Feb 04)
- Re: Bypassing firewall Martin P. Peikert (Feb 04)