From owner-freebsd-security Sat Apr 7 14:25:58 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.com (gw.nectar.com [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 6B8A737B422 for ; Sat, 7 Apr 2001 14:25:53 -0700 (PDT) (envelope-from nectar@nectar.com)
Received: from hamlet.nectar.com (hamlet.nectar.com [10.0.1.102]) by gw.nectar.com (Postfix) with ESMTP id C4F7618D24; Sat, 7 Apr 2001 16:25:52 -0500 (CDT)
Received: (from nectar@localhost) by hamlet.nectar.com (8.11.3/8.9.3) id f37LPqT87350; Sat, 7 Apr 2001 16:25:52 -0500 (CDT) (envelope-from nectar@spawn.nectar.com)
Date: Sat, 7 Apr 2001 16:25:52 -0500
From: "Jacques A. Vidrine"
To: Crist Clark
Cc: lee@kechara.net, freebsd-security@FreeBSD.ORG
Subject: Re: Theory Question
Message-ID: <20010407162552.D87286@hamlet.nectar.com>
Mail-Followup-To: "Jacques A. Vidrine", Crist Clark, lee@kechara.net, freebsd-security@FreeBSD.ORG
References: <200104071610.RAA18117@mailgate.kechara.net> <3ACF83FA.55761A7B@globalstar.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ACF83FA.55761A7B@globalstar.com>; from crist.clark@globalstar.com on Sat, Apr 07, 2001 at 02:17:46PM -0700
X-Url: http://www.nectar.com/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Apr 07, 2001 at 02:17:46PM -0700, Crist Clark wrote:
> A possible scenario: Your IDS is listening to the unprotected link to
> the Internet and chugging away, crunching the data passing by looking
> for attack signatures. Hiding somewhere in the bowels of this large
> and complex IDS program[0] is a buffer overflow vulnerability. EvulHax0r
> sends a crafted series of packets past the box which trip the buffer
> overflow and execute arbitrary code of his choosing on the box. Game
> over.
> His code could attach an IP stack to the external interface
> (just run ifconfig), it could open a tunnel through the backside of
> the IDS and back out of the front[1] of your network, or if EvulHax0r
> is really 33l33t, he could set up a covert channel on the external
> interface that does not use the kernel stack.

This is why you physically cut the TX wires to the network. That buffer
overflow can still be successful, and the machine can still be
compromised, but it cannot be used to make further attacks. The types
of compromises are also limited, since the attacker must work blindly.

Of course, the problem is then how do you get useful information out of
your IDS?

Cheers,
-- 
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org