Re: RPC/TCP Record Marking for IDS Evasion

[Dug Song <dugsong () monkey org>]

On Thu, Jan 10, 2002 at 06:34:38PM -0800, diphen () agitation net wrote:

> I'm doing some work on parsing RPC protocols as part of my job, and I'm
> wondering if I've come up with a previously-unknown way of evading IDS
> for RPC-based attacks.

i mentioned (and implemented) this about two years ago. Robert Graham
subsequently fixed this in his NetworkICE product, not sure about others:

        http://archives.neohapsis.com/archives/ids/2000-q1/0007.html
        http://archives.neohapsis.com/archives/ids/2000-q1/0149.html

> what if I split my attack into 5-byte chunks, with 4 bytes of Record
> Marker between them? Theoretically (untested) a proper RPC
> implementation on a system shouldn't have any trouble dealing with
> this...

yes, this works, if done properly. :-)

> The fragmentation and insertion of RMs is only known to the RPC
> implementation on the target machine.

not true. there isn't really any ambiguity to exploit in simple RPC
fragmentation, it's just more processing the monitor needs to do.

-d.

---
http://www.monkey.org/~dugsong/