Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Interesting idea for a covert channel or I just didn't research enough?
From: mudge <mudge () uidzero org>
Date: Thu, 6 Oct 2005 13:35:39 -0400

Good points and I agree with you. It is still, however, a variant on 'dead-drop' covert channels - which is not a novel class of covert communications.

It should also be pointed out that the usage of most logging systems, as you describe, provide both storage and timing channels by definition.



On Oct 6, 2005, at 10:53 AM, foofus () foofus net wrote:

On Thu, Oct 06, 2005 at 10:22:07AM -0400, mudge wrote:

This type of covert channel has long been used by various governments
and organizations (think of clandestine messages being passed to or
from agents via personal ads).

There's one potentially interesting wrinkle to this scheme, though,
that's not mirrored in the generic "hidden-messages-in-a-public- medium"
scenario: the sender can put things into the log, but not see them,
and the recipient can read things from the log, but writing there
might be of less interest.

I bring this up because the logs generated by the firewall do not
necessarily reside only on the device that received the sender's
packets.  With lots of organizations working on centralizing log
events so that they can correlate findings from different platforms,
the ability to control the content of portions of log messages
(say, for example, the source address reported in a syslog message
indicating a dropped packet) could provide a vector for communicating
to highly trusted systems to which one has no direct network access.

I can't send them a packet, in other words, but maybe I can ask
someone on the edge of the network to send them a packet with some
content of my choosing.

I admit this seems like a somewhat farfetched avenue of attack
(i.e., if I'm able to install an agent with access to this log data,
I probably already have whatever level of access I might be after),
but it seems like an interesting observation nevertheless, and
somebody sooner or later will probably figure out a way to do
something interesting with it.  I look forward, at the very least,
to the inevitable presentation on "video over covert syslog" by Dan
Kaminsky.  :)


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]