[TOOL] ICMP Shell

From: support@securiteam.com
Date: 01/22/02


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  ICMP Shell
------------------------------------------------------------------------

DETAILS

ICMP Shell (README: http://peter.eluks.com/code/Unix/C/ICMP-Shell/ISH-src/README)
is a program written in C for the UNIX environment that allows an
administrator to access their computer remotely via ICMP.

How does it work?
The ISHELL server runs in daemon mode on the remote server. When the
server receives a request from the client it strips the ICMP header and
examines the ID field. If the ID matches the server's, the server pipes the
packet data to "/bin/sh", reads the results back from the pipe and sends
them to the client, which prints them to stdout.

By default the client and server send packets with an ICMP type of 0
(ICMP_ECHO_REPLY). However, this can be changed on both the client and
server side. ISHELL does not care which type the client or server sends;
the two types do not have to match.

ISHELL does not only pipe commands to a server and send back the output;
it also works with interactive programs (e.g. gdb). This brings one minor
problem: ISHELL cannot display a shell prompt (#), because there is no way
to differentiate between commands and interaction with a program.

Firewall? No one said anything about a firewall!
By default ISHELL uses ICMP type 0 (ICMP_ECHO_REPLY) to send/receive.
After a little bit of research it seems that ICMP type 0 works best with
this program. Other types do work; however, some kernels process
ICMP_ECHO_REQUEST packets automatically (BSD) while others do not (Linux).
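Added here for defenders, and not part of the advisory or of ISH itself: a small Python checker that turns the two observations above into detection logic. Because both ISH ends send only echo replies, a reply that no echo request preceded is the tell, and the payload carries shell commands and output rather than the binary filler a normal ping uses. The packet bytes, the 10.0.0.x addresses and the ID 0x0539 are constructed for the demo; the checker assumes raw IPv4 packets without a link-layer header.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def looks_like_text(payload):
    """True when over 90% of the payload is printable ASCII; a normal ping payload is not."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return bool(payload) and printable / len(payload) > 0.9

def inspect(packet, outstanding):
    """Check one raw IPv4 packet against the (ident, seq) set of echo requests seen so far."""
    if len(packet) < 20 or packet[9] != 1:                 # IP protocol 1 = ICMP
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]                 # skip the IPv4 header (IHL in words)
    if len(icmp) < 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type == ICMP_ECHO_REQUEST:
        outstanding.add((ident, seq))                      # a reply with this key is expected
    if icmp_type != ICMP_ECHO_REPLY:
        return None
    reasons = []
    if (ident, seq) in outstanding:
        outstanding.discard((ident, seq))
    else:
        reasons.append("unsolicited echo reply")           # both ISH ends send type 0 only
    if looks_like_text(icmp[8:]):
        reasons.append("text payload")                     # commands and output, not ping filler
    return reasons or None

def make_packet(icmp_type, ident, seq, payload):
    """Constructed sample packet: minimal IPv4 header plus ICMP echo header, checksums left zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp

def run_demo():
    """Normal ping exchange, then a constructed ISH-style exchange (ID 0x0539 is made up)."""
    ping_data = bytes(8) + bytes(range(0x10, 0x40))        # typical ping payload: timestamp + pattern
    packets = [
        make_packet(ICMP_ECHO_REQUEST, 0x1234, 1, ping_data),
        make_packet(ICMP_ECHO_REPLY, 0x1234, 1, ping_data),
        make_packet(ICMP_ECHO_REPLY, 0x0539, 0, b"id\n"),
        make_packet(ICMP_ECHO_REPLY, 0x0539, 0, b"uid=0(root) gid=0(root)\n"),
    ]
    outstanding = set()
    results = [(i, inspect(p, outstanding)) for i, p in enumerate(packets)]
    return [(i, reasons) for i, reasons in results if reasons]
```

The unsolicited-reply check only works where the sensor sees both directions of the traffic; on an asymmetric path, rely on the payload check and on ICMP volume per host instead.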

ADDITIONAL INFORMATION

The tool can be downloaded from:
http://peter.eluks.com/code/Unix/C/ICMP-Shell/ISH-src/

The information has been provided by Peter Kieltyka (peter@eluks.com).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
