From: Michael Lea (mleaATOMICBLUEBEAR.ORG)
Date: Tue Jan 09 2001 - 16:39:13 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Tue, 9 Jan 2001, Mahn, Chris wrote:

    > I would be interested in hearing more on this subject. I don't quite know
    > how you would craft a packet and send it to a server that does not have an
    > IP address. What's more, when the NIDS sniffs the packets, what would
    > cause the NIDS to execute the code?

    You wouldn't actually need to send the attack directly to the server.
    Since the NIDS software is, by definition, listening in promiscuous mode
    to all traffic on that network segment, all you need to do is put your
    attack on the segment. The addressing of the packet(s) involved is
    irrelevant, since the NIDS software sees (and processes) all.

    What triggers the code execution is best left up to your imagination.
    Presumably there would be a buffer overflow, printf bug, or some other
    vulnerability that we've seen many times before in other types of
    software. I don't know of any examples in existing NIDS products, but I
    haven't been looking either.

    > Could you give me links to the November protocol decode bugs from Ethereal
    > and tcpdump that you mentioned? Thanks...

    The FreeBSD folks posted an advisory to BUGTRAQ on October 30, and updated
    it on November 6 regarding their implementation of tcpdump (unsure if
    other implementations were also at risk). The problem there was with the
    decoding of AFS ACL packets:
      http://www.securityfocus.com/archive/1/143504

    A similar bug was found in Ethereal and posted to BUGTRAQ on November 18:
      http://www.securityfocus.com/archive/1/145761

    - - Mike
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (FreeBSD)
    Comment: Made with pgp4pine 1.75-6

    iEYEARECAAYFAjpbkyoACgkQc9EFi4qQZExYtQCggROoTuSUWj4e+3urCb/owE85
    79YAn2YCYFyuiG/kisdWdlGKpHLjw335
    =Mmur
    -----END PGP SIGNATURE-----
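The point Mike makes above is that a sniffer's exposure is its protocol decoders, not its address: a sensor in promiscuous mode feeds every frame on the segment to the decoder, so a malformed length field reaches the parser whether or not the packet was addressed to the sensor. The following C is an added example, not code from the thread or from tcpdump or Ethereal. It uses a made-up record layout (one-byte name length, name, one-byte rights) as a stand-in for the AFS ACL records mentioned in the advisory; the real AFS format is different. It shows a decoder that validates the declared length against the bytes actually present and a toy sensor loop that processes frames regardless of destination when promiscuous.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record format (NOT the real AFS ACL layout):
 *   uint8_t name_len; uint8_t name[name_len]; uint8_t rights;
 */
#define MAX_NAME 32

struct acl_entry {
    char    name[MAX_NAME + 1];
    uint8_t rights;
};

/* Returns the number of bytes consumed, or 0 if the record is malformed.
 * Every read is checked against the bytes actually available, so a
 * declared name_len larger than the payload (or than our output buffer)
 * can never drive a read or copy past either end. */
size_t decode_acl_entry(const uint8_t *p, size_t avail, struct acl_entry *out)
{
    if (avail < 1) return 0;
    size_t name_len = p[0];
    if (name_len == 0 || name_len > MAX_NAME) return 0;   /* must fit out->name */
    if (avail < 1 + name_len + 1) return 0;               /* name + rights present? */
    memcpy(out->name, p + 1, name_len);
    out->name[name_len] = '\0';
    out->rights = p[1 + name_len];
    return 1 + name_len + 1;
}

/* Minimal stand-in for a captured frame: destination IP plus payload. */
struct frame {
    uint32_t       dst_ip;
    const uint8_t *payload;
    size_t         len;
};

/* A promiscuous sensor hands every frame to the decoder; only a
 * non-promiscuous host filters on its own address. Returns the number of
 * entries decoded; *rejected counts malformed records (decoding stops at
 * the first one so no later bytes are interpreted on a bad alignment). */
int sensor_process(const struct frame *f, uint32_t sensor_ip, int promiscuous,
                   struct acl_entry *entries, size_t max_entries, size_t *rejected)
{
    int n = 0;
    *rejected = 0;
    if (!promiscuous && f->dst_ip != sensor_ip)
        return 0;                                   /* not for us: dropped */
    size_t off = 0;
    while (off < f->len && (size_t)n < max_entries) {
        size_t used = decode_acl_entry(f->payload + off, f->len - off, &entries[n]);
        if (used == 0) { (*rejected)++; break; }
        off += used;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: two well-formed records, addressed to 10.0.0.99,
     * seen by a sensor whose own address is 10.0.0.1. */
    static const uint8_t good[] = { 4,'r','o','o','t',0x07, 3,'b','o','b',0x01 };
    /* Constructed sample: declared name length 200 with only 2 bytes present. */
    static const uint8_t bad[]  = { 200,'x','y' };
    struct acl_entry e[4];
    size_t rej;

    struct frame f = { 0x0a000063u, good, sizeof good };
    int n = sensor_process(&f, 0x0a000001u, 1, e, 4, &rej);
    printf("promiscuous: %d entries, %zu rejected\n", n, rej);
    n = sensor_process(&f, 0x0a000001u, 0, e, 4, &rej);
    printf("non-promiscuous: %d entries (frame not addressed to sensor)\n", n);

    struct frame g = { 0x0a000063u, bad, sizeof bad };
    n = sensor_process(&g, 0x0a000001u, 1, e, 4, &rej);
    printf("malformed: %d entries, %zu rejected\n", n, rej);
    return 0;
}
```

The defensive habit this illustrates is the one the tcpdump and Ethereal fixes amount to: treat every length field in a captured packet as attacker-controlled and check it against both the remaining capture length and the destination buffer before copying.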