Monday, 12 November 2007

ICMP Safe? Not since Loki.

In the past, ICMP was thought to be no more than an annoyance. It could be used for DoS and network intelligence gathering, but little more. Or so people thought...

Then came Loki.
Loki was first presented in August 1996 in a publication in Phrack. It was the first widely available implementation of a covert shell. The idea was to exploit the data field of ICMP type 0 [Echo Reply] and ICMP type 8 [Echo Request] packets in order to implement a synchronous command shell, as a proof of concept of an embedded covert channel.

Loki behaves much as one would expect of a client/server application. An attacker could compromise a host and install a Loki server, which will respond to traffic sent by a Loki client.

Loki is not in wide use any more, and where it is in use, the payloads are likely to be encrypted. The reason for this statement is that Loki traffic is not widely detected by IDS/IPS devices. Even when the payload is encrypted, there are ways to distinguish these types of covert shells.

First, there should be a disparity between the number of Echo Reply and Echo Request packets detected. Depending on traffic flow there may be more of one or the other of these packets. Additionally, ICMP Echo Request and Echo Reply payload sizes should match; with a covert shell they generally differ. The reason is that, with valid traffic, the reply is simply "echoing" back the packet payload that was received. Loki and other covert ICMP channels will show wide variation in payload size, just as other command shell traffic demonstrates this variability.

It should also be remembered that a clever attacker could still insert NOPs (No Operation) into the packet to pad it so that all traffic remains the same size.
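As an added example (not code from the original post or from Loki), here is a small Python script that applies the two heuristics above to raw ICMP echo packets: it parses type, identifier, sequence and payload, pairs each reply with the request carrying the same identifier and sequence, and reports the request/reply count disparity together with any reply whose payload is not an echo of its request. The sample traffic is constructed inline and is not a real capture.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8      # the two ICMP types Loki tunnels through

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a raw ICMP echo packet: type, code 0, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes):
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]

def analyse(packets):
    """Apply the post's heuristics: request/reply count disparity, and replies whose
    payload is not a byte-for-byte echo of the request with the same (id, seq)."""
    counts = {ECHO_REQUEST: 0, ECHO_REPLY: 0}
    requests = {}            # (id, seq) -> request payload
    mismatches = []          # ((id, seq), request_len, reply_len)
    for pkt in packets:
        icmp_type, ident, seq, payload = parse_echo(pkt)
        if icmp_type not in counts:
            continue         # other ICMP types are out of scope for this check
        counts[icmp_type] += 1
        key = (ident, seq)
        if icmp_type == ECHO_REQUEST:
            requests[key] = payload
        elif payload != requests.get(key):   # altered reply, or reply with no request
            mismatches.append((key, len(requests.get(key, b"")), len(payload)))
    return {"requests": counts[ECHO_REQUEST], "replies": counts[ECHO_REPLY],
            "imbalance": abs(counts[ECHO_REQUEST] - counts[ECHO_REPLY]),
            "payload_mismatches": mismatches}

# Constructed sample traffic (not a real capture): a normal ping exchange ...
NORMAL = [build_echo(ECHO_REQUEST, 1, 1, b"A" * 56),
          build_echo(ECHO_REPLY, 1, 1, b"A" * 56)]
# ... and a Loki-style exchange: one short command in, several variable-size replies out.
COVERT = [build_echo(ECHO_REQUEST, 7, 1, b"uname -a\n"),
          build_echo(ECHO_REPLY, 7, 1, b"Linux host 2.6.22 #1 SMP x86_64 GNU/Linux\n"),
          build_echo(ECHO_REPLY, 7, 2, b"$ ")]
```

Because the comparison is on payload bytes rather than size alone, NOP padding that equalises packet sizes still leaves the reply flagged: a padded command response is not an echo of the request.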

Loki has been credited as the foundation of the core component of TFN ("Tribe Flood Network"). TFN is a distributed denial of service (DDoS) attack tool. TFN used encrypted ICMP type 0 packets as its control channel. With a "butt-plug" module for Back Orifice 2000 (BO2K) that offers remote control embedded within an ICMP based conduit, one can see that the concept of ICMP covert channels has developed into a standard and common idea within the blackhat community.

There are newer ICMP based covert shells, but Loki was the start.

The question remains, why let ICMP through the firewall unchecked?
