Penetration Testing mailing list archives

Re: Covert Channels


From: Dave McCormick <mccormic () thunder xecu net>
Date: Thu, 17 Oct 2002 09:27:41 -0400 (EDT)


Vince Gallo also showed how he created covert channels using valid MAPI
email in his Bunratty Attack presentation.  A copy of the presentation is
available in PDF at
http://chi-publishing.com/isb/backissues/ISB_2001/ISB0605/ISB0605VG.pdf

It demonstrates how one can use a valid application (in this case MAPI
email) to covertly communicate with and even remotely control a system on
an otherwise protected network.  All traffic appears to be valid email.

Pretty slick.


Dave McCormick

dave () fred net
mccormic () xecu net

24 hours in a day, 24 beers in a case. Coincidence?

On Wed, 16 Oct 2002, Erik Parker wrote:


Many people have discussed this concept, but nothing has ever taken form.

In order to get a host machine to pull this out of the packet and USE it,
you'd have to re-write the IP stack for that machine. If you can replace an
IP stack on a machine, there's no good reason to be doing it in the first
place, as you've already got root (or some form of escalated privs).

Well.. That's not really accurate.. A few people have written programs that
let you send data in "Secret".. In TCP headers, as well as ICMP headers.. and
the router does not toss them out, as long as they're put in variable sections.
(and udp headers.. and just about everything else a router will let you send)

In fact, there is an ICMP chat program on freshmeat, that lets you and someone
else chat to each other via icmp packets.  And there certainly is a point to
it.. It's easier to bypass a crappy IDS system if you hide your data.

There have been people who were owned, and get shell code sent to
them via little bits of shell code tacked on to the end of email spam
messages, and a service on the remote side intercepting those mails and executing the code
via direction from arp traffic.

The overhead is a lot greater, especially if you throw encryption into it..
and the methods are slow, but they work.. Also, in the case of ICMP traffic..
nobody really looks at it too closely for the most part, so it's pretty easy
to stick things in there. A backdoor on a system could easily sit and watch
icmp all day looking for their command packets to come in.

I'm not sure why you'd need to replace the IP stack on the machine.. you're
not modifying the internet protocol.. just some of the data it carries.

Lots of ways to hide your traffic.. And technically, you could do it without
actually needing a sniffer running, if you already own the system.. Just
intercept the calls with your own functions..

So, I'd have to say 'completely pointless' is an improper term to use here..
Because it is in fact, a method that has been used against some of the most
well known 'white hats' out there.. to bypass their IDS systems, and live
silently on their systems.
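Erik's observation that "nobody really looks at ICMP too closely" is exactly the gap a defender can close. The inspector below is an added example, not code from either poster nor from the ICMP chat program mentioned in the thread. It assumes two reference "normal" ping payloads, constructed here: the 32-byte alphabet payload Windows ping sends, and the iputils layout on 64-bit Linux of a 16-byte timestamp followed by the bytes 0x10..0x37. It parses raw ICMP echo packets, verifies the checksum, correlates replies with requests by identifier and sequence, and flags packets whose payload is not a ping pattern, is high-entropy (encrypted or compressed data), is plain readable text, or whose reply does not mirror its request. The sample traffic at the bottom is constructed for the example.

```python
"""Flag ICMP echo traffic that looks like a covert channel rather than ping."""
import hashlib
import math
import struct

# Reference payloads of ordinary ping tools (constructed for this example):
# Windows ping sends the alphabet padded to 32 bytes; iputils ping on 64-bit
# Linux sends a 16-byte timestamp followed by the byte pattern 0x10..0x37.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PATTERN = bytes(range(0x10, 0x38))
ENTROPY_THRESHOLD = 5.0  # bits per byte; ping patterns sit well below this


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a packet with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data approaches 8."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def looks_like_ping(payload: bytes) -> bool:
    """True if the payload matches one of the reference ping patterns above."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_PING_PATTERN


class EchoInspector:
    """Stateful check that correlates echo replies with requests by (identifier, sequence)."""

    def __init__(self):
        self.pending = {}  # (ident, seq) -> request payload

    def inspect(self, packet: bytes) -> list:
        """Return a list of reasons the packet is suspicious (empty means it looks like ping)."""
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
        payload = packet[8:]
        reasons = []
        if icmp_type not in (0, 8):
            return reasons  # only echo request/reply is examined here
        if icmp_checksum(packet) != 0:
            reasons.append("checksum mismatch")
        if icmp_type == 8:
            self.pending[(ident, seq)] = payload
        else:
            request = self.pending.pop((ident, seq), None)
            if request is None:
                reasons.append("reply without matching request")
            elif request != payload:
                # A real echo reply mirrors the request; a tunnel answers with new data.
                reasons.append("reply payload differs from request")
        if not looks_like_ping(payload):
            ent = shannon_entropy(payload)
            if ent > ENTROPY_THRESHOLD:
                reasons.append(f"high-entropy payload ({ent:.1f} bits/byte)")
            elif payload and payload.isascii() and payload.decode("ascii").isprintable():
                reasons.append("unexpected printable text in payload")
            else:
                reasons.append("payload does not match a known ping pattern")
        return reasons


def demo_verdicts() -> dict:
    """Inspect constructed sample traffic; returns {label: reasons} per packet."""
    insp = EchoInspector()
    linux_payload = b"\x00" * 16 + LINUX_PING_PATTERN  # zeros stand in for the timestamp
    # Constructed stand-in for an encrypted reply: two SHA-256 digests, 64 bytes.
    tunnel_data = hashlib.sha256(b"constructed").digest() + hashlib.sha256(b"sample").digest()
    samples = [
        ("windows request", build_echo(8, 1, 1, WINDOWS_PING_PAYLOAD)),
        ("windows reply", build_echo(0, 1, 1, WINDOWS_PING_PAYLOAD)),
        ("linux request", build_echo(8, 2, 1, linux_payload)),
        ("chat request", build_echo(8, 3, 1, b"icmp-chat: hello")),
        ("tunnel request", build_echo(8, 4, 7, WINDOWS_PING_PAYLOAD)),
        ("tunnel reply", build_echo(0, 4, 7, tunnel_data)),
        ("orphan reply", build_echo(0, 9, 9, WINDOWS_PING_PAYLOAD)),
    ]
    return {label: insp.inspect(pkt) for label, pkt in samples}


if __name__ == "__main__":
    for label, reasons in demo_verdicts().items():
        print(f"{label:16s} {'OK' if not reasons else '; '.join(reasons)}")
```

The request/reply correlation is the check that survives a careful adversary: payload patterns and entropy thresholds can be tuned around (a tunnel can pad its data to look like the alphabet), but an echo reply that does not mirror its request is a protocol violation an IDS can flag without guessing at content.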

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/