From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 17 Apr 2005 17:13:31 +0200
Subject: [REVS] Placing Backdoors Through Firewalls
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Placing Backdoors Through Firewalls
------------------------------------------------------------------------
SUMMARY
This article describes possible back-doors through different firewall
architectures. However, the material can also be applied to other
environments to describe how hackers cover their access to a system.
DETAILS
Hackers often want to retain access to systems they have penetrated even
in the face of obstacles such as new firewalls and patched
vulnerabilities. To accomplish this the attackers must install a back-door
which a) does its job and b) is not easily detectable. The kind of
back-door needed depends on the firewall architecture used.
Firewall Architectures:
There are two basic firewall architectures and each has an enhanced
version:
Packet Filters:
This is a host or router which checks each packet against an allow/deny
rule-table before routing it through the correct interface. There are very
simple ones which can only filter on the origin host, destination host
and destination port, as well as good ones which can also decide based on
incoming interface, source port, day/time and some TCP or IP flags. This
could be a simple router, e.g. any Cisco router, or a Linux machine with
firewalling activated (ipfwadm).
Stateful Filters:
This is the enhanced version of a packet filter. It still does the same
checking against a rule table and only routes if permitted, but it also
keeps track of state information such as TCP sequence numbers. Some
pay attention to application protocols, which allows tricks such as only
opening ports to the interior network for ftp-data channels that were
negotiated in a permitted ftp session. These filters can (more or less) get
UDP packets (e.g. for DNS and RPC) securely through the firewall. (That
matters because UDP is a stateless protocol, so a plain packet filter has
no connection to match replies against; it is harder still for RPC
services.)
This could be a great OpenBSD machine with the ip-filter software, a Cisco
PIX, a Watchguard, or the (in)famous Checkpoint FW-1.
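To make the difference between the two filter types concrete, here is an added example (not part of the original article) of a toy packet filter and a toy stateful filter run over the same constructed traffic. The stateless filter needs a rule that admits inbound TCP packets carrying the ACK flag to let replies back in, and has no safe way to pass UDP replies at all; the stateful filter instead records permitted outbound flows and only admits inbound packets that are the reverse of a recorded flow. All addresses, interface names and rules are made up for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet and rule types; this is a teaching model, not a real firewall.
@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on ("inside" or "outside")
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    iface: str = "*"
    proto: str = "*"
    dport: Optional[int] = None
    ack_set: bool = False           # stateless guess at "established": ACK flag present

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (not self.ack_set or p.ack))

class PacketFilter:
    """Plain packet filter: first matching rule wins, no match means deny."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"

class StatefulFilter(PacketFilter):
    """Same rule table plus a connection table: each permitted outbound packet
    records its 5-tuple, and an inbound packet is passed if it is the exact
    reverse of a recorded flow; otherwise the rule table decides."""
    def __init__(self, rules, inside_iface="inside"):
        super().__init__(rules)
        self.inside = inside_iface
        self.conns = set()

    def decide(self, p: Packet) -> str:
        if p.iface == self.inside:
            verdict = super().decide(p)
            if verdict == "allow":
                self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return verdict
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conns:
            return "allow"          # reply to a flow we saw leave
        return super().decide(p)

# Constructed rule sets. The stateless set needs the ACK rule to let TCP replies in.
STATELESS_RULES = [
    Rule("allow", iface="inside", proto="tcp", dport=80),   # web from the inside
    Rule("allow", iface="inside", proto="udp", dport=53),   # DNS from the inside
    Rule("allow", iface="outside", proto="tcp", ack_set=True),  # "established" guess
]
STATEFUL_RULES = STATELESS_RULES[:2]    # no ACK hole: replies come from the state table

def run_scenario():
    """Returns {name: (stateless verdict, stateful verdict)} for constructed packets,
    evaluated in order so the stateful filter can build its table."""
    traffic = [
        ("web_req", Packet("inside", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, syn=True)),
        ("web_reply", Packet("outside", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True)),
        # unsolicited inbound packet with ACK set, aimed at an inside host's ssh port
        ("unsolicited", Packet("outside", "tcp", "198.51.100.7", 4444, "10.0.0.5", 22, ack=True)),
        ("dns_q", Packet("inside", "udp", "10.0.0.5", 5353, "203.0.113.53", 53)),
        ("dns_r", Packet("outside", "udp", "203.0.113.53", 53, "10.0.0.5", 5353)),
    ]
    stateless, stateful = PacketFilter(STATELESS_RULES), StatefulFilter(STATEFUL_RULES)
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in traffic}

if __name__ == "__main__":
    for name, (a, b) in run_scenario().items():
        print(f"{name:12s} stateless={a:5s} stateful={b}")
```

Two rows of the output carry the point of the text: the unsolicited ACK-flagged packet is passed by the stateless rule set but dropped by the stateful filter, and the DNS reply is dropped by the stateless filter (it would need a broad "allow UDP from port 53" hole) but passed by the stateful one because it matches a recorded outbound query.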
Proxies / Circuit Level Gateways:
A proxy as a firewall host is simply any server which has no routing
activated and instead has proxy software installed. Examples of proxy
servers which may be used are squid for WWW, a Sendmail relay
configuration and/or just a SOCKS server.
Application Gateways:
This is the enhanced version of a proxy. Like a proxy, for every
application which should get through the firewall, software must be
installed and running to proxy it. However, the application gateway is
smart and checks every request and answer, e.g. that an outgoing FTP session
may only download data but not upload any, that the data carries no virus,
that no buffer overflows are generated in answers, etc. One can argue that
squid is an application gateway, because it does many sanity checks and lets
you filter content, but it was not programmed for installation in a secure
environment and still has/had security bugs.
A good example of a freeware kit of this kind is the TIS firewall
toolkit (fwtk).
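The request/answer checking an application gateway does is easier to see in code than in prose. The following is an added example, not code from the article or from fwtk: a command and reply checker of the kind an FTP application gateway would sit between client and server, enforcing the download-only policy the text mentions and rejecting over-long lines of the sort that trigger buffer overflows in clients. The command lists and length limits are constructed for the illustration.

```python
import re

# Constructed policy: read-only FTP verbs the gateway relays, and verbs it refuses.
READ_ONLY = {"USER", "PASS", "CWD", "PWD", "LIST", "NLST", "RETR", "TYPE",
             "PASV", "PORT", "SYST", "SIZE", "MDTM", "NOOP", "QUIT"}
UPLOAD_OR_MODIFY = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}
MAX_ARG_LEN = 256       # arbitrary cap on a command argument
MAX_REPLY_LEN = 512     # arbitrary cap on a single server reply line
REPLY_RE = re.compile(rb"^\d{3}[ -]")   # FTP replies start with a 3-digit code

def check_command(line: bytes):
    """Decide whether a client command line may be relayed to the server.
    Returns (verdict, reason)."""
    if not line.endswith(b"\r\n"):
        return ("deny", "missing CRLF terminator")
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return ("deny", "non-ASCII bytes in command")
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb in UPLOAD_OR_MODIFY:
        return ("deny", "upload not permitted")
    if verb not in READ_ONLY:
        return ("deny", "command not in allow-list")
    if len(arg) > MAX_ARG_LEN:
        return ("deny", "argument too long")
    return ("allow", "read-only command")

def check_reply(line: bytes):
    """Decide whether a server reply line may be relayed to the client.
    Returns (verdict, reason)."""
    if not REPLY_RE.match(line):
        return ("deny", "malformed reply")
    if len(line) > MAX_REPLY_LEN:
        return ("deny", "reply too long")
    return ("allow", "ok")

if __name__ == "__main__":
    # Constructed sample session lines, not captured traffic.
    for cmd in (b"RETR report.pdf\r\n", b"STOR upload.bin\r\n", b"SITE EXEC ls\r\n"):
        print(cmd.strip(), "->", check_command(cmd))
    print(check_reply(b"150 Opening data connection\r\n"))
    print(check_reply(b"220 " + b"A" * 600 + b"\r\n"))
```

Note that a real gateway also has to follow the data-channel negotiation (PASV/PORT) so that it only opens the ports the control session actually agreed on; that is the same per-session tracking the stateful filter section describes, applied one layer up.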
Most firewalls that vendors sell on the market are hybrid firewalls, which
means they've got more than just one type implemented; for example the IBM
Firewall is a simple packet filter with socks and a few proxies. I won't
discuss which firewall product is the best, because this is not a
how-to-buy-a-firewall paper, but I will say this: application gateways are
by far the most secure firewalls, although money, speed, special
protocols, open network policies, stupidity, marketing hype and bad
management might rule them out.
ADDITIONAL INFORMATION
The information has been provided by Sumy <mailto:sanandres@gmail.com>.
The original article can be found at:
http://www.exploitx.com/forum/azbb.php?1113350365