Well, this is something I have been concerned about for a while, but I have actually seen it in use. About three weeks ago a site that I deal with was taken down hard. Both routers and the bastion host were compromised. Due to internal monitoring and automatic watchdogs, the penetration from the firewall zone to the internal net was stopped in about 45 seconds. However, in going back to look at the logs that the Site Security Officer (the SSO has since been dismissed for neglect of duty) should have been looking at, we discovered that there were signs of a break-in from over 2 and 1/2 months back.

Now comes the cute part. About a month and a half or so ago, one of the internal sysadmins got a bounce from sendmail with a reply-to field of "| /bin/sh". In the message body was a uuencoded file, that was executed after uudecoding. They didn't think much of it at the time; they brought it to the site security officer's attention, and forgot about it. In light of the attack, we started going over all of the trail of bits for the past 2.5 months and came across this incident.

The uuencoded file was a statically linked Sun binary. Upon running strings on it, I recognized some strings from the socks package. They set up a duplicate isolated net, and ran the program. Sure enough, it was a tunnel that went out through a socks firewall, connected to a remote machine and would exec a shell once its remote connection was accepted.

Sadly, this sort of attack seems to be able to be used on just about any firewall system out there that allows connection level access. I think a twist on the same mechanism would work across most application level gateways (telnet would be a trivial example). Heck, with expect or perl, I could set up a nice little program that took everything I typed to a telnet client, and submitted it to a shell for execution. The one thing that would detect this would be traffic analysis, since the data flow patterns would be reversed (i.e. lots of data from the source, but small amounts of data from the destination).

Fortunately this attempt failed because the newest V8 sendmail was installed on the mailhost, which failed to exec /bin/sh. Also, as an added barrier, Sparc binaries don't run well on mips chips 8-).

I have to admit that actually seeing one of my scenarios in action sent chills up my spine. I was just wondering if anybody else has seen this sort of attack before.

--
John
John Rouillard
Special Projects Volunteer
University of Massachusetts at Boston
rouilj@cs.umb.edu (preferred)
Boston, MA, (617) 287-6480
===============================================================================
My employers don't acknowledge my existence much less my opinions.
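The traffic-analysis check the post says would catch this tunnel, written out as an added example (not code from the post or its author): it scans per-connection byte counts for outbound interactive sessions (telnet, rlogin, socks) and flags connections where the internal end sends far more than it receives, which is backwards for a person typing at a remote shell. The flow-record layout, the port list, the sample records, and the ratio and minimum-size thresholds are all constructed assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One outbound connection summary, as a firewall or router accounting log might give it."""
    src: str        # internal host that opened the connection
    dst: str        # remote peer it connected to
    dst_port: int   # service port on the remote peer
    bytes_out: int  # bytes sent by src toward dst
    bytes_in: int   # bytes sent by dst back to src

# Services where a human client normally types little and receives a lot (assumed list).
INTERACTIVE_PORTS = {23, 513, 1080}  # telnet, rlogin, socks

# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "198.51.100.7", 23, 900, 48000),     # normal telnet: keystrokes out, screens in
    Flow("10.1.1.5", "198.51.100.9", 80, 1200, 250000),   # normal web fetch, not an interactive port
    Flow("10.1.1.22", "203.0.113.4", 1080, 52000, 1500),  # reversed: shell output leaving via socks
    Flow("10.1.1.22", "203.0.113.4", 23, 31000, 700),     # reversed: telnet-style tunnel
    Flow("10.1.1.9", "198.51.100.7", 23, 60, 120),        # too little traffic to judge
]

def is_reversed(flow, ratio=5.0, min_bytes=4096):
    """True when an interactive session carries mostly data *from* the internal host.

    ratio     - how many times more the internal end must send than it receives
    min_bytes - ignore tiny connections (failed logins, probes) that cannot be judged
    """
    if flow.dst_port not in INTERACTIVE_PORTS:
        return False
    if flow.bytes_out + flow.bytes_in < min_bytes:
        return False
    return flow.bytes_out >= ratio * max(flow.bytes_in, 1)

def reversed_flows(flows, ratio=5.0, min_bytes=4096):
    """All connections in the log whose direction of bulk data is inverted."""
    return [f for f in flows if is_reversed(f, ratio, min_bytes)]

def suspicious_hosts(flows, ratio=5.0, min_bytes=4096):
    """Count reversed sessions per internal host, so a watchdog alerts once per host."""
    return dict(Counter(f.src for f in reversed_flows(flows, ratio, min_bytes)))

if __name__ == "__main__":
    for host, count in suspicious_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {count} reversed interactive session(s)")
```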