From: support@securiteam.com
Date: 01/22/02

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 22 Jan 2002 15:14:04 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  ICMP Shell


ICMP Shell <http://peter.eluks.com/code/Unix/C/ICMP-Shell/ISH-src/README>
is a program written in C for the UNIX environment that allows an
administrator to access their computer remotely via ICMP.

How does it work?
The ISHELL server runs in daemon mode on the remote server. When the
server receives a request from the client, it strips the header and
looks at the ID field. If it matches the server's ID, it pipes the
data to "/bin/sh". It then reads the results from the pipe and sends
them back to the client, which prints the results to stdout.

By default the client and server send packets with an ICMP type of 0
(ICMP_ECHO_REPLY). However, this can be changed on both the client and
server side. ISHELL does not care what type is sent from the client
or server end; the types do not have to match.

ISHELL does more than pipe commands to a server and send back the output.
It also works with interactive programs (e.g. gdb). This causes one minor
problem, however: ISHELL cannot display a shell prompt (#), because there
is no way to differentiate between commands in interaction with a program.

Firewall? No one said anything about a firewall!
By default ISHELL uses ICMP type 0 (ICMP_ECHO_REPLY) to send/receive.
After a little bit of research it seems that ICMP type 0 works best with
this program. Other types do work; however, some kernels process
ICMP_ECHO_REQUEST packets automatically (BSD) while others do not (Linux).
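
From the defender's side, the default behaviour described above (type 0 packets carrying data in both directions, with no echo request preceding them) stands out in a capture. The following is an added example, not part of the original advisory or of ISHELL: it flags echo replies that do not mirror an earlier echo request. The addresses, ID values and payloads are constructed for illustration.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP types (RFC 792)

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed ICMP echo message for the sample capture."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def unsolicited_replies(packets):
    """Return echo replies that do not answer an earlier echo request."""
    pending = {}  # (requester, responder, id, seq) -> request payload
    alerts = []
    for src, dst, raw in packets:  # packets are in capture order
        if len(raw) < 8:
            continue  # truncated ICMP header
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
        payload = raw[8:]
        if icmp_type == ECHO_REQUEST:
            pending[(src, dst, ident, seq)] = payload
        elif icmp_type == ECHO_REPLY:
            # A genuine reply mirrors the request's id, seq and payload.
            expected = pending.pop((dst, src, ident, seq), None)
            if expected is None:
                alerts.append((src, dst, ident, "no matching request"))
            elif expected != payload:
                alerts.append((src, dst, ident, "payload differs from request"))
    return alerts

# Constructed sample capture: one normal ping, then type 0 traffic both ways.
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", build_echo(ECHO_REQUEST, 0x1234, 1, b"abcdefgh")),
    ("198.51.100.5", "192.0.2.10", build_echo(ECHO_REPLY, 0x1234, 1, b"abcdefgh")),
    ("192.0.2.77", "198.51.100.5", build_echo(ECHO_REPLY, 4242, 0, b"constructed input\n")),
    ("198.51.100.5", "192.0.2.77", build_echo(ECHO_REPLY, 4242, 0, b"constructed output\n")),
]

if __name__ == "__main__":
    for alert in unsolicited_replies(SAMPLE):
        print(alert)
```

Since the ICMP type can be changed on both ends, this check covers only the default type 0 case; other types need their own baseline of expected payload size and frequency.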


The tool can be downloaded from:

The information has been provided by <mailto:peter@eluks.com> Peter

