RE: Covert Channels

[Michael Wojcik <Michael.Wojcik () microfocus com>]

> From: kam [mailto:kam () aversion net]
> Sent: Wednesday, October 16, 2002 7:14 PM
>
> On Wed, Oct 16, 2002 at 03:08:49PM -0700, Jeremy Junginger said:
> > Has anyone had success in creating a program that uses IP/TCP/UDP/ICMP
> > header information to transmit encoded messages from one host to
> > another?

> The problem with your idea is that it will never work for the actual
> exploitation of a system or network. If you plan on using this medium as a
> communication channel, that's one thing, but you will never get a host
> machine to respond to options in these fields. 
>
> In order to get a host machine to pull this out of the packet and USE it,
> you'd have to re-write the IP stack for that machine. If you can replace
an
> IP stack on a machine, there's no good reason to be doing it in the first
> place, as you've already got root (or some form of escalated privs). 

The original question concerned covert channels, not penetration.  (I'm not
sure why Jeremy sent it to pen-test.)  Penetration is a completely different
issue.

For covert-channel purposes, replacing the IP stacks on both end nodes may
be a reasonable requirement.

That said, I agree that it's tough to guarantee getting header fields
through unmodified by routers, NAT, firewalls, and so forth.  Most normal
applications will tolerate all sorts of manipulation - rewriting addresses
and ports, changing IP IDs, defragmenting IP packets or even coalescing TCP
segments, and so forth - so it's entirely possible that current or future
intermediate nodes will be doing so.

For example, TCP segment size looks like a possible viable covert channel
(though one that would produce pretty suspicious-looking traffic if you
weren't very careful).  Disable Nagle and send data in chunks such that the
size stays under the PMTU and indicates something - trivially, send 1-256
bytes each time, where data size - 1 is the byte value you're transmitting
"covertly".  Hack the stack on the receiving end to report the TCP segment
size.  Sounds viable (if naive), but a stateful, content-inspecting firewall
might preprocess TCP traffic looking for virus signatures or the like, for
example, and in doing so reblock the segments.  I don't know that any do so
today, but I don't know that this technique would have much long-term
viability.

TCP flags and the like are even less likely to survive untouched for long.

In any case, covert channels aren't really scarce.  Remember that
covert-IP-over-DNS implementation from a few years back?

Michael Wojcik
Principal Software Systems Developer, Micro Focus