Snort mailing list archives

RE: Antwort: RE: Snort-Machine = Security Hole?


From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Thu, 12 Jul 2001 13:43:29 -0500

It doesn't open an active connection to the Internet.  I guess I'm expanding
the term "root exploit" to cover someone's ability to get your system to run
his code with root privileges.  A worm that got onto your Snort sensor would
try to contact its master, but it would also branch out to any other
systems it can find.

Yes, I would add LIDS and running Snort chroot'd as additional layers to
protect against this.

The main problem for this exploit is how to get the standard code for a
rootkit onto this isolated computer.  How do I tell a computer that can't
talk to me to do my bidding?  I contend that the only missing ingredient is
a Snort exploit.  

Let's assume this simplified scenario:
A Snort sensor in your DMZ, on a hardened *nix box, transmit wire cut on DMZ
side, but connected to your intranet.  No default route, firewall rule to
block any traffic from your Snort sensor.

I find a buffer overflow in Snort and am able to use this to execute short
commands on Snort boxes.  If you've set up Snort to respawn, then I can send
the commands one at a time, otherwise I've got to fit them into the
overflow.  By sending a packet that causes the overflow, I run a new
instance of snort listening on common network interfaces (or "any") and tell
this snort to log all traffic from my computer to a binary file.  I send
packets containing my rootkit to the target network which the new instance
of Snort dutifully saves to disk for me.  I use some method for converting
this binary log to the original .tgz file.  I send commands to install the
rootkit.  The main limitation here is how much shell-code I can pack into
the overflow packets.

Now I have a remote attack machine that can execute scripted attacks against
your Intranet.  If you've been good and implemented more layers to protect
your Intranet, then good for you.

Once again:
1. This is not Snort specific.  Substitute tcpdump or possibly Netranger and
you end up with similar issues.  
2. It's all highly theoretical (until it gets implemented).

Owen
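The controls this scenario leans on (no default route on the sensor, snort running unprivileged and chroot'd on the one expected interface, and exactly one snort instance) can be audited from host state. The script below is an added example, not code from this thread or from the Snort project. The `ip route show` and `ps -eo user,pid,args` outputs are constructed samples; the expected user and interface are assumptions; `-u`, `-g`, `-t`, `-i`, `-b`, `-l` and `-D` are Snort's own command-line switches.

```python
"""Audit a Snort sensor's hardening from captured host state (added example)."""

# Constructed sample: `ip route show` on a sensor that still has a default route.
SAMPLE_ROUTES_BAD = """default via 10.0.0.1 dev eth1
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.50
"""
# Constructed sample: the same sensor with the default route removed.
SAMPLE_ROUTES_GOOD = """10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.50
"""
# Constructed sample: `ps -eo user,pid,args` showing the expected snort
# (unprivileged, chroot'd, on eth0) plus a second, unexpected instance that
# runs as root, sniffs "any" and writes binary packet logs.
SAMPLE_PS = """USER       PID ARGS
root         1 /sbin/init
snort      812 /usr/sbin/snort -D -u snort -g snort -t /var/snort -i eth0 -c /etc/snort/snort.conf
root       913 /usr/sbin/snort -i any -b -l /tmp/log
"""

# Assumed site policy: who snort should run as and which interface it watches.
EXPECTED_SNORT_USER = "snort"
EXPECTED_INTERFACE = "eth0"


def has_default_route(ip_route_output):
    """True if any line of `ip route show` output is a default route."""
    return any(line.split()[:1] == ["default"]
               for line in ip_route_output.splitlines())


def parse_snort_processes(ps_output):
    """Return one record per snort process found in `ps -eo user,pid,args` output."""
    procs = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, args = parts
        argv = args.split()
        if argv[0].rsplit("/", 1)[-1] != "snort":
            continue
        # Collect the value-taking switches we care about.
        opts = {}
        for i, tok in enumerate(argv[1:], start=1):
            if tok in ("-u", "-g", "-t", "-i", "-l") and i + 1 < len(argv):
                opts[tok] = argv[i + 1]
        procs.append({
            "user": user,
            "pid": int(pid),
            "run_as": opts.get("-u"),       # user snort drops to after startup
            "chroot": opts.get("-t"),       # chroot directory, if any
            "interface": opts.get("-i"),    # interface being sniffed
            "binary_log": "-b" in argv[1:], # tcpdump-format packet logging enabled
        })
    return procs


def audit_snort_processes(procs, expected_user=EXPECTED_SNORT_USER,
                          expected_iface=EXPECTED_INTERFACE):
    """Return a finding string for each deviation from the expected snort setup."""
    findings = []
    if len(procs) != 1:
        findings.append("expected exactly 1 snort instance, found %d" % len(procs))
    for p in procs:
        tag = "snort pid %d" % p["pid"]
        if p["user"] == "root" and p["run_as"] != expected_user:
            findings.append("%s: running as root without -u %s" % (tag, expected_user))
        if p["chroot"] is None:
            findings.append("%s: not chroot'd (no -t)" % tag)
        if p["interface"] != expected_iface:
            findings.append("%s: sniffing %r instead of %s"
                            % (tag, p["interface"], expected_iface))
    return findings


def audit_sensor(ip_route_output, ps_output):
    """Combine the routing and process checks into one list of findings."""
    findings = []
    for line in ip_route_output.splitlines():
        if line.split()[:1] == ["default"]:
            findings.append("default route present: " + line.strip())
    findings.extend(audit_snort_processes(parse_snort_processes(ps_output)))
    return findings


if __name__ == "__main__":
    for f in audit_sensor(SAMPLE_ROUTES_BAD, SAMPLE_PS):
        print("FINDING:", f)
```

Run periodically from cron on the sensor itself (feeding it live `ip route show` and `ps` output) and ship the findings over whatever one-way channel the sensor already uses for alerts; an empty list is the expected steady state for the isolated setup described above.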

-----Original Message-----
From: Ramin Alidousti [mailto:ramin () cannon eng us uu net]
Sent: Thursday, July 12, 2001 12:51 PM
To: Crow, Owen
Cc: 'ks () schuricht de'; snort-users () lists sourceforge net
Subject: Re: Antwort: RE: [Snort-users] Snort-Machine = Security Hole?


Please help me understand this: if you don't have connectivity
to the Internet (by means of the lack of default gateway, or
blocking the Internet connectivity on the firewall, ...) how
can a buffer overflow exploit give an attacker an active
remote root session? In such a case, a buffer overflow exploit
should install and run a locally executed program on the
snort box with no interaction with the outside world, right?
At any rate, could LIDS be of any help (at least for Linux boxes)?

Ramin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

