Vulnerability Development mailing list archives
Re: RPC/TCP Record Marking for IDS Evasion
From: Dug Song <dugsong () monkey org>
Date: Sat, 12 Jan 2002 00:55:54 -0500
On Thu, Jan 10, 2002 at 06:34:38PM -0800, diphen () agitation net wrote:
> I'm doing some work on parsing RPC protocols as part of my job, and I'm wondering if I've come up with a previously-unknown way of evading IDS for RPC-based attacks.

i mentioned (and implemented) this about two years ago. Robert Graham subsequently fixed this in his NetworkICE product, not sure about others:

http://archives.neohapsis.com/archives/ids/2000-q1/0007.html
http://archives.neohapsis.com/archives/ids/2000-q1/0149.html

> what if I split my attack into 5-byte chunks, with 4 bytes of Record Marker between them? Theoretically (untested) a proper RPC implementation on a system shouldn't have any trouble dealing with this...

yes, this works, if done properly. :-)

> The fragmentation and insertion of RMs is only known to the RPC implementation on the target machine.

not true. there isn't really any ambiguity to exploit in simple RPC fragmentation, it's just more processing the monitor needs to do.

-d.

---
http://www.monkey.org/~dugsong/
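The following is an added example, not code from the thread or from either poster, that shows the two sides of the exchange above: the sender side that splits one ONC RPC call into record-marked fragments (the "5-byte chunks with 4 bytes of Record Marker between them"), and the monitor side that either pattern-matches the raw TCP payload or first reassembles records the way the target's RPC library does. The record-mark layout is the one in RFC 1831/5531 section 11 (a 4-byte big-endian word; high bit set on the last fragment, low 31 bits the fragment length). The portmapper GETPORT call, the `GETPORT_SIG` pattern, the function names and the chunk sizes are constructed for the example and are not from the original posts.

```python
"""RPC/TCP record marking: fragment one call, then match it naively vs. after reassembly.

Added example for the thread above; the sample RPC call and signature are constructed.
"""
import struct

LAST_FRAGMENT = 0x80000000   # high bit of the 4-byte record mark
LENGTH_MASK = 0x7FFFFFFF     # low 31 bits: fragment length in bytes


def build_getport_call(xid: int = 0x1234) -> bytes:
    """Constructed sample: ONC RPC CALL to portmapper (prog 100000) v2, proc 3 (GETPORT),
    AUTH_NULL credential and verifier, asking where NFS (100003) v3 listens over TCP (6)."""
    hdr = struct.pack("!IIIIII", xid, 0, 2, 100000, 2, 3)   # xid, CALL, rpcvers, prog, vers, proc
    auth = struct.pack("!II", 0, 0) * 2                      # cred + verf: flavor AUTH_NULL, len 0
    args = struct.pack("!IIII", 100003, 3, 6, 0)             # GETPORT args: prog, vers, prot, port
    return hdr + auth + args


# Bytes a naive content signature might key on: the prog/vers/proc triple of the call header.
GETPORT_SIG = struct.pack("!III", 100000, 2, 3)


def rm_fragment(record: bytes, chunk: int) -> bytes:
    """Encode one RPC record as a TCP byte stream of `chunk`-byte fragments,
    each preceded by its record mark; only the final mark has LAST_FRAGMENT set."""
    if chunk < 1:
        raise ValueError("chunk must be >= 1")
    pieces = [record[i:i + chunk] for i in range(0, len(record), chunk)] or [b""]
    out = bytearray()
    for i, piece in enumerate(pieces):
        mark = len(piece) | (LAST_FRAGMENT if i == len(pieces) - 1 else 0)
        out += struct.pack("!I", mark) + piece
    return bytes(out)


def rm_reassemble(stream: bytes):
    """Parse a TCP byte stream into complete RPC records, concatenating fragments until a
    mark with LAST_FRAGMENT set. Zero-length fragments are legal and are simply absorbed.
    Raises ValueError on a truncated mark, a truncated fragment, or an unfinished record."""
    records, cur, pos, open_record = [], bytearray(), 0, False
    while pos < len(stream):
        if pos + 4 > len(stream):
            raise ValueError("truncated record mark")
        (mark,) = struct.unpack_from("!I", stream, pos)
        length = mark & LENGTH_MASK
        pos += 4
        if pos + length > len(stream):
            raise ValueError("truncated fragment")
        cur += stream[pos:pos + length]
        pos += length
        open_record = True
        if mark & LAST_FRAGMENT:
            records.append(bytes(cur))
            cur, open_record = bytearray(), False
    if open_record:
        raise ValueError("stream ended mid-record")
    return records


def naive_match(stream: bytes, sig: bytes = GETPORT_SIG) -> bool:
    """Monitor that pattern-matches the raw TCP payload without honouring record marks."""
    return sig in stream


def reassembling_match(stream: bytes, sig: bytes = GETPORT_SIG) -> bool:
    """Monitor that reassembles RPC records first, as the target's RPC library does."""
    return any(sig in rec for rec in rm_reassemble(stream))


if __name__ == "__main__":
    rec = build_getport_call()
    for chunk in (len(rec), 5):
        s = rm_fragment(rec, chunk)
        nfrags = (len(s) - len(rec)) // 4
        print(f"chunk={chunk:3d} fragments={nfrags:2d} "
              f"naive={naive_match(s)} reassembled={reassembling_match(s)}")
```

With a single fragment both monitors see the signature; with 5-byte fragments every window of the raw stream longer than 8 bytes contains a 4-byte mark, so the naive match fails while the reassembling one still fires. This is the "more processing" in the reply above: there is no ambiguity in the encoding to resolve, the monitor just has to parse marks and concatenate before matching, and a monitor that only strips the first mark of a segment is in the same position as the naive one.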
Current thread:
- RPC/TCP Record Marking for IDS Evasion diphen (Jan 11)
- Re: RPC/TCP Record Marking for IDS Evasion Robert Freeman (Jan 11)
- Re: RPC/TCP Record Marking for IDS Evasion Dug Song (Jan 12)
- Re: RPC/TCP Record Marking for IDS Evasion Jeff Nathan (Jan 12)