[REVS] Intrusion Agent - The Next Generation of Spy

From: SecuriTeam (support_at_securiteam.com)
Date: 08/18/03

    To: list@securiteam.com
    Date: 18 Aug 2003 12:52:13 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Intrusion Agent - The Next Generation of Spy
    ------------------------------------------------------------------------

    SUMMARY

    The linked document discusses a new method to gain access to an internal
    network, even when it is shielded by firewall and proxy systems.

    The document also discusses in detail the design of a so-called Intrusion
    Agent program and the different ways to implement it and spread it across
    computer networks in order to break into private information systems and
    steal confidential documents.

    The document is intended to be read by security professionals and
    pentesters who work to secure their information systems and who want a
    full overview of the level of risk in a network secured according to
    industry best practices.

    This document is also intended to be read by program developers interested
    in the concepts and uses of viruses and worms.

    Frederic hopes you will find the Intrusion Agent concept interesting and
    eye-opening.

    DETAILS

    Introduction:
    There are many ways to gain access to an information system. The most
    common is to find and exploit vulnerabilities in front-door systems and
    then try to gain access to the internal network.

    Whitehat or blackhat attackers usually try to break into front-office
    systems such as web portals, FTP servers or transactional gateway servers.

    To perform their attack, they often use the same process: information
    gathering, vulnerability seeking, and, finally, exploitation of a
    vulnerability to obtain a remote shell access using techniques like buffer
    overflow, format string, bogus CGIs or SQL injection.

    Then the attackers try to pivot into the internal network. Many methods
    exist to secure networks and applications: networks are protected by
    packet filters and proxies, and servers and applications are hardened and
    chrooted.

    Nowadays there are still vulnerable servers and programs, but exploiting
    them is increasingly difficult for the reasons examined above.

    In a penetration test or in a real attack, the final objective is to
    demonstrate that it is possible to corrupt information. By corrupting
    information, Frederic means stealing, modifying or erasing
    business-sensitive information.

    Frederic hopes that administrators do not keep confidential information
    and documents on front-office servers. Such information is stored in
    back-office databases, on file servers and, sometimes, directly on
    workstation filesystems.

    This confidential information is shielded behind many firewalls, proxies,
    virtual LANs and all kinds of network security components. Network
    administrators are therefore busy keeping these assets at a high security
    level, with regular updates and intrusion detection systems.

    Here is the problem: attackers usually do not try to break your firewall
    and proxy systems. As the famous Chinese strategist Sun Tzu wrote, "Attack
    him where he is unprepared, appear where you are not expected".

    So the question is: "Is it possible to take control of a computer despite
    its protection, even if it is not accessible from the outside?"
    This whitepaper tries to answer this question and to show that wherever a
    user is able to browse the web, even through proxy systems, an attacker
    can gain access to that computer.

    Furthermore, a scenario is considered showing how dangerous such an
    intrusion agent would be for an organization if used with a distributed
    architecture and worm-like propagation.

    ADDITIONAL INFORMATION

    The complete article can be found at:
    http://www.xmcopartners.com/whitepapers/intrusion-agent.pdf

    The information has been provided by Frederic Charpentier
    <mailto:fcharpentier@laposte.net>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
