IDS mailing list archives

Re: IDS Stealth Mode


From: "M. Dodge Mumford" <dodge () nfr net>
Date: Wed, 8 Jan 2003 20:39:48 -0500

r)(o)(m said:

> Has anyone ever exploited the "stealth" interface to traverse networks?

There would be at least three ways to make something like this happen:
Through the kernel on the IDS host, via buffer overflow or format string
vulnerability against the IDS software, and via buffer overflow, format
string vulnerability, or shell metacharacter against some subsequent
reporting program.

L0pht's AntiSniff used to look for (among other things) OS kernels that were
known to incorrectly accept packets with their IP address with the wrong MAC
address. To exploit that, 1. the IDS would have to be using a staggeringly
old version of Linux and 2. you'd have to be on the local subnet already.
IIRC there were other OSes with similar vulnerabilities, but AFAIK they're
all ancient and no modern OS is that stupid.

As IDSes get more sophisticated processing built in, it stands to reason that
the likelihood of a buffer overflow or other poor programming practice may
slip into production code. If you can find a way to exploit that, you can do
whatever you want to that IDS. Possibilities there include not only acting
as a launching pad, but corrupting the traffic the ID analyst sees.

Tons of IDSes report to unrelated tools: syslog, snmp, report-generation
software, etc. If you can convince the IDS to send raw malicious payload
that those programs are vulnerable to, you've got a chance.

> Has anyone (else) ever had to defend such a configuration against the
> argument: "where there's a wire, there's a way"?

This is what risk assessment is all about. What's the likelihood someone
will find any of the conditions mentioned above? Compare that with the risk
of running the IDS with its addressable interface on a public network.

-- 

Dodge
(Note: I work for an IDS manufacturer)
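One defensive counterpart to the third avenue in the reply above (the IDS handing raw payload to syslog or a report generator), added here as an example and not part of the original post or any vendor's code: an IDS-side sanitiser that renders alert fields inert before they are forwarded. The alert dictionary, field names, metacharacter set and length cap are assumptions.

```python
"""Sanitise IDS alert fields before passing them to downstream reporting tools.

Assumption: the downstream consumers are a line-oriented syslog daemon and a
report generator that may pass fields to a shell or a printf-style API.
"""
import string

# Characters a shell would interpret if a field ever reached an unquoted
# command line (assumed set; extend to match your report pipeline).
SHELL_META = set("`$|&;<>(){}[]*?!\\\"'\n\r")
# Printable ASCII minus the control/whitespace characters that break a
# single-line log record (space is kept).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
MAX_FIELD = 256


def sanitize_field(raw: bytes, max_len: int = MAX_FIELD) -> str:
    """Return a single-line, shell-neutral, bounded rendering of raw bytes.

    Non-printable bytes, shell metacharacters and '%' (format-string
    directives) are hex-escaped as \\xNN, so an analyst can still recover the
    original content while the field stays inert as data.
    """
    out = []
    for b in raw[:max_len]:
        ch = chr(b)
        if ch in PRINTABLE and ch not in SHELL_META and ch != "%":
            out.append(ch)
        else:
            out.append(f"\\x{b:02x}")
    if len(raw) > max_len:
        out.append(f"...[{len(raw) - max_len} bytes truncated]")
    return "".join(out)


def format_syslog_line(alert: dict) -> str:
    """Build one syslog-ready record; every value passes through sanitize_field."""
    parts = [f"{k}={sanitize_field(v)}" for k, v in alert.items()]
    return "IDS alert " + " ".join(parts)


# Constructed sample alert containing the kinds of bytes the post warns about:
# format directives, shell metacharacters, CRLF (log injection) and NUL/NOP.
SAMPLE_ALERT = {
    "src": b"192.0.2.10",
    "sig": b"test-sig",
    "payload": b"GET /%n%n%n\r\n`id`; rm -rf /tmp\x00\x90\x90",
}

if __name__ == "__main__":
    print(format_syslog_line(SAMPLE_ALERT))
```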
