[Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?
- From: "PASTOR ADRIAN" <M123303@xxxxxxxxxxxxxx>
- Date: Thu, 6 Oct 2005 10:06:24 +0100
Some time ago I thought of the following idea for a covert channel. Although the
idea of covert channels is *not* new at all, I couldn't find anything in Google
related to the following method of implementing a covert channel.
The scenario is the following. The victim is a host with a host-level firewall
which is blocking *all* incoming traffic. Somehow the attacker still needs to
communicate with a backdoor planted in this host. Use a reverse shell and job
done, you might say.
Actually, there is another way which I thought would be more creative (IMHO).
It works like this: the backdoor enables logging in the host-level firewall for
all dropped packets, say Windows XP SP2 Firewall. Then the backdoor receives
commands from the attacker by interpreting the properties of the dropped
packets which were logged by the firewall. In other words, the backdoor is
constantly reading the logs and parsing commands which were sent by the
attacker embedded in packets which are being dropped (but logged) by the
firewall.
attacker sends packets -> packets are dropped by firewall -> packet properties
are captured in logs -> backdoor reads logs and finds encoded commands ->
commands are executed
Now, the way the backdoor would reply back to the victim is really up to
you. One method that comes to my mind is posting the responses to a PHP
script which is located on some free-hosting webpage. The attacker would then
access this webpage.
Please, if you know anything related to backdoors intercepting commands from
log files, send me some links. Ideas, comments and flames are more than welcome
:-).
Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM
www.adrianpv.com
www.ikwt.com (In Knowledge We Trust)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
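As an added example (not part of the original post, nor any project's code), a defender-side detector for the channel described above: it parses dropped-packet lines in the field layout Windows XP SP2 Firewall writes to pfirewall.log and flags a source whose drops spread across many distinct destination ports within a short window, which is what commands encoded in packet properties would look like in the log. The sample lines, addresses and thresholds are constructed assumptions for this example.

```python
"""Detection for the log-based command channel the post describes: flag a remote
source whose dropped packets vary their logged destination port far more than
background noise does. Input is the W3C-style field format Windows XP SP2
Firewall writes to pfirewall.log; SAMPLE_LOG below is constructed, not captured."""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-10-06 10:06:01 DROP TCP 192.0.2.10 198.51.100.5 40001 135 48 S 123 0 65535 - - - RECEIVE
2005-10-06 10:06:02 DROP TCP 203.0.113.7 198.51.100.5 4444 1801 40 S 1 0 1024 - - - RECEIVE
2005-10-06 10:06:03 DROP TCP 203.0.113.7 198.51.100.5 4444 1822 40 S 1 0 1024 - - - RECEIVE
2005-10-06 10:06:04 DROP TCP 192.0.2.10 198.51.100.5 40002 135 48 S 124 0 65535 - - - RECEIVE
2005-10-06 10:06:05 DROP TCP 203.0.113.7 198.51.100.5 4444 1808 40 S 1 0 1024 - - - RECEIVE
2005-10-06 10:06:06 DROP TCP 203.0.113.7 198.51.100.5 4444 1800 40 S 1 0 1024 - - - RECEIVE
2005-10-06 10:06:07 DROP UDP 192.0.2.22 198.51.100.5 137 137 78 - - - - - - - RECEIVE
2005-10-06 10:06:08 DROP TCP 203.0.113.7 198.51.100.5 4444 1832 40 S 1 0 1024 - - - RECEIVE
2005-10-06 10:06:09 DROP TCP 203.0.113.7 198.51.100.5 4444 1802 40 S 1 0 1024 - - - RECEIVE
"""

def parse_drops(log_text):
    """Yield (timestamp, src_ip, dst_port) per DROP line; columns come from #Fields."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            cols = line.split()
            if len(cols) != len(fields):
                continue  # malformed or truncated line: skip rather than guess
            rec = dict(zip(fields, cols))
            if rec["action"] == "DROP":
                ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
                yield ts, rec["src-ip"], rec["dst-port"]

def find_signalling_sources(log_text, window_seconds=60, min_packets=5, min_ports=5):
    """Return {src_ip: (packets, distinct_ports)} for sources whose drops in some
    window_seconds span reach both min_packets and min_ports distinct ports."""
    by_src = defaultdict(list)
    for ts, src, port in parse_drops(log_text):
        by_src[src].append((ts, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered drops
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            ports = {p for _, p in window}
            if len(window) >= min_packets and len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, (0, 0)), (len(window), len(ports)))
    return flagged
```

A port scan trips the same heuristic, so treat a hit as a triage lead rather than a verdict; on the host itself, a non-firewall process that keeps the firewall log open for reading is the complementary indicator.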