RPC/TCP Record Marking for IDS Evasion

From: diphen@agitation.net
Date: 01/11/02


From: diphen@agitation.net
Date: Thu, 10 Jan 2002 18:34:38 -0800
To: vuln-dev@securityfocus.com

Hi -

I'm doing some work on parsing RPC protocols as part of my job, and I'm
wondering if I've come up with a previously-unknown way of evading IDS
for RPC-based attacks.

Let me elaborate: the RPC RFC (1831) defines a Record Marking (RM)
standard for RPC running over stream-based protocols such as TCP. This
is necessary because you can have multiple RPC calls and responses in a
single TCP stream. So RPC defines a Record as a 4-byte quantity and some
amount of data. The high-order bit of the initial 4 bytes is the Last
Fragment flag, and the remaining 31 bits supply the length of the
Record. There is no limitation placed on the number of Fragments within
a Record.

So... The obvious question: What's an IDS that doesn't fully process RPC
going to do if I split up my, say, buffer overflow, across 2 RPC
Fragments? Or, to take it further, what if I split my attack into 5-byte
chunks, with 4 bytes of Record Marker between them? Theoretically
(untested) a proper RPC implementation on a system shouldn't have any
trouble dealing with this, however, it would completely obfuscate the
stream from the perspective of anyone trying to do a string match. But
you wouldn't necessarily see anything else weird, since I could send
normally-sized packets containing the traffic. The fragmentation and
insertion of RMs is only known to the RPC implementation on the target
machine.

Any thoughts?

diphen