ru.internet.security

 
 - RU.INTERNET.SECURITY ---------------------------------------------------------
 From : Marõnais                             2:5020/2173.2  18 Nov 2005  17:10:13
 To : All
 Subject : Desktop Firewalls and Intrusion Detection
 -------------------------------------------------------------------------------- 
 
 
 textsection 5 of 12 of file WUESTE.TXT
 textbegin.section
      The figure below shows the attack tree from which the different scenarios
 were derived.
 ATTACK
 ├─ Local
 │  ├─ Attack trusted application
 │  │  ├─ Misuse trusted application
 │  │  ├─ Memory injection
 │  │  ├─ Modifying rule set
 │  │  └─ Tunneling
 │  └─ Attack desktop firewall
 │     ├─ Memory injection
 │     ├─ Modifying rule set
 │     ├─ Push the YES button
 │     ├─ Sniffing
 │     ├─ Avoiding visibility
 │     ├─ Resources exhaustion
 │     ├─ Process killing
 │     ├─ Mutex blocking
 │     ├─ Flood
 │     └─ Modifying log file
 └─ Remote
    ├─ Attack desktop firewall
    │  ├─ Spoofed traffic
    │  ├─ Flood
    │  └─ Alarm flooding
    └─ Information gathering
       └─ Port scan

 The second part of the figure shows what each leaf attack leads to:

 Misuse trusted application, Memory injection  -> Steal application rights  -> Pass certain filter
 Modifying rule set, Push the YES button       -> Add custom rule           -> Pass certain filter
 Spoofed traffic                               -> Trusted source's rights   -> Pass certain filter
 Tunneling, Sniffing, Avoiding visibility      -> Bypass filter engine      -> Bypass filtering
 Resources exhaustion, Process killing,
   Mutex blocking, Flood                       -> Disable desktop firewall  -> Bypass filtering
 Flood, Modifying log file, Alarm flooding,
   Port scan                                   -> Information loss          -> Information leak
      We now describe the different groups of attacks that will be used to test
 the desktop firewalls. This should explain the idea behind each attack and the
 impact it could have.
                             4.1.1 Process killing
 
 Description:     Locally try to stop the running desktop firewall process.
 Required access: Local.
 Idea:            Stop the desktop firewall process.
 Impact:          Disabling the desktop firewall.
 Leads to:        Bypass the incoming and outgoing filter.
 Variations:      Send the termination message as the administrator or as a
                  normal user.
                            4.1.2 Memory injection 1
 
 Description:     Inject a process into the memory space of the desktop firewall.
 Required access: Local.
 Idea:            Pretend to be a part of the firewall process.
 Impact:          Use the access rights of the firewall.
 Leads to:        Bypass the incoming and outgoing filter.
 Variations:      Have a DLL loaded into this memory space, then allocate the
                  memory for a function called by the firewall's working memory.
                          4.1.3 Information gathering
 
 Description:     Do a port scan to gather information about the protected system.
 Required access: Remote.
 Idea:            Gain as much information as possible about the system for
                  further attacks.
 Impact:          Information leak.
 Leads to:        A possible specific follow-up attack.
 Variations:      Use special stealth scan techniques, like the XMAS scan.
                            4.1.4 Memory injection 2
 
 Description:     Inject a process into the memory space of a trusted application.
 Required access: Local.
 Idea:            Pretend to be a part of the trusted application.
 Impact:          The filter of the trusted application will be applied to the
                  traffic.
 Leads to:        Bypass the incoming and outgoing filter.
 Variations:      Have a DLL loaded into this memory space, then allocate the
                  memory for a function called in the application's working
                  memory.
                            4.1.5 "More info" button
 
 Description:     Try to catch the information that is sent out when a user
                  clicks on the "more info" button and is redirected to the
                  vendor's page.
 Required access: Remote.
 Idea:            Some desktop firewalls send the version number and IP addresses
                  to the website to obtain additional information.
 Impact:          Information leak.
 Leads to:        A possible specific follow-up attack.
                              4.1.6 Incoming flood
 
 Description:     Send a huge amount of traffic to the desktop firewall.
 Required access: Remote.
 Idea:            Use up all resources to temporarily or permanently disable
                  the desktop firewall.
 Impact:          Disabling the desktop firewall.
 Leads to:        Bypass the incoming and outgoing filter.
 Variations:      Use different protocols like TCP, UDP, ICMP or IGMP for
                  flooding. Use specially crafted packets like SYN or FIN
                  packets. Vary the load of the traffic. Use spoofed random
                  source addresses. Use the same target and source address for
                  the packets.
                              4.1.7 Outgoing flood
 
 Description:     Send a huge amount of traffic from the machine the desktop
                  firewall is running on.
 Required access: Local.
 Idea:            Use up all resources to temporarily or permanently disable
                  the desktop firewall.
 Impact:          Disabling the desktop firewall.
 Leads to:        Bypass the incoming and outgoing filter.
 Variations:      Use different protocols like TCP, UDP, ICMP or IGMP for
                  flooding. Use specially crafted packets like SYN or FIN
                  packets. Vary the load of the traffic. Use random target IP
                  addresses and random spoofed source IP addresses. Use the same
                  target and source address for the packets.
                             4.1.8 Spoofed packets
 
 Description:     Send special packets with 127.0.0.1 as the source IP address.
 Required access: Remote.
 Idea:            Make the traffic appear to come from the trusted loopback
                  device.
 Impact:          The filter of the trusted source will be applied to the
                  traffic.
 Leads to:        Bypass the incoming filter.
 Variations:      Use different protocols like TCP, UDP, ICMP or IGMP. Use
                  specially crafted packets like SYN or FIN packets.
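
 An added example, not from WUESTE.TXT or its author: the anti-spoofing check an
 inbound filter needs against 4.1.8 (loopback source arriving from the network)
 and against the same-source-and-target variation of 4.1.6, written in Python
 over a constructed 20-byte IPv4 header. Interface names, host addresses and the
 extra 0.0.0.0/8 range are assumptions of the example.

```python
import ipaddress
import struct

# Source ranges that must never arrive from the network. 127.0.0.0/8 is the
# loopback range named in 4.1.8; 0.0.0.0/8 ("this host") is added here as a
# related case and is an assumption of this example, not from the text.
MARTIAN_SOURCES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("0.0.0.0/8")]

def parse_ipv4(packet):
    """Return (src, dst, proto) from a raw IPv4 header; ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("short packet")
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto

def verdict(packet, iface, host_addrs):
    """Accept/drop decision for one inbound packet.

    iface is the interface it arrived on ("lo" = loopback); host_addrs are
    this host's own addresses as strings. Returns ("drop", reason) or
    ("accept", protocol number).
    """
    src, dst, proto = parse_ipv4(packet)
    own = {ipaddress.ip_address(a) for a in host_addrs}
    if iface != "lo":
        if any(src in net for net in MARTIAN_SOURCES):
            return ("drop", "loopback source on a non-loopback interface")
        if src in own or src == dst:
            return ("drop", "own address used as source")
    return ("accept", proto)

def build_ipv4(src, dst, proto=6):
    """Constructed 20-byte header for exercising the filter (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

if __name__ == "__main__":
    host = {"192.0.2.10"}
    print(verdict(build_ipv4("127.0.0.1", "192.0.2.10"), "eth0", host))
    print(verdict(build_ipv4("198.51.100.7", "192.0.2.10"), "eth0", host))
```
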
                            4.1.9 Replacing a binary
 
 Description:     Replace a trusted application with a malicious tool which has
                  the same name and path.
 Required access: Local.
 Idea:            Impersonate the trusted application.
 Impact:          The filter of the trusted application will be applied to the
                  traffic.
 Leads to:        Bypass the incoming and outgoing filter.
 Variations:      Also replace the hash value of the trusted application that
                  the desktop firewall stores to detect such misuse.
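
 An added example, not from the original text: a Python comparison of trusting an
 application by name and path only, as described above, against trusting it by
 a hash kept in a sealed store, run through the constructed scenarios of a
 replaced binary and of the stored hash being overwritten as well. The file
 name, the HMAC key and the store format are assumptions of the example.

```python
import hashlib
import hmac
import json
import os
import tempfile

def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def canonical(path):
    return os.path.normcase(os.path.abspath(path))

def seal_store(store, key):
    """HMAC over the serialized store, so edits to the stored hashes are detectable."""
    blob = json.dumps(store, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def is_trusted_by_path(path, trusted_paths):
    return canonical(path) in trusted_paths  # weak: any file at a known path passes

def is_trusted_by_hash(path, store, tag, key):
    """Stronger rule: the store must be intact and the file's hash must match it."""
    if not hmac.compare_digest(tag, seal_store(store, key)):
        return False  # stored hashes were modified (the 4.1.9 variation): trust nothing
    expected = store.get(canonical(path))
    return expected is not None and hmac.compare_digest(expected, sha256_of_file(path))

def demo():
    key = b"constructed-demo-key"  # in practice kept where a local attacker cannot read it
    app = os.path.join(tempfile.mkdtemp(), "browser.exe")
    with open(app, "wb") as f:
        f.write(b"original trusted binary\n")
    trusted_paths = {canonical(app)}
    store = {canonical(app): sha256_of_file(app)}
    tag = seal_store(store, key)
    def check():
        return (is_trusted_by_path(app, trusted_paths),
                is_trusted_by_hash(app, store, tag, key))
    results = [check()]                       # 1: untouched binary
    with open(app, "wb") as f:                # 2: replaced binary, same name and path
        f.write(b"replacement tool with the same name and path\n")
    results.append(check())
    store[canonical(app)] = sha256_of_file(app)  # 3: stored hash overwritten too
    results.append(check())
    return results
```

 The path-only rule accepts all three cases; the sealed-hash rule accepts only
 the untouched binary.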
                                4.1.10 Sniffing
 
 Description:     Use a packet sniffer to receive traffic before it gets
                  discarded by the desktop firewall.
 Required access: Local.
 Idea:            Receive the traffic before it is blocked.
 Impact:          No incoming filter will be applied to the traffic.
 Leads to:        Bypass the incoming filter.
 Variations:      Use a different kind of network sniffer.
                             4.1.11 Mutex blocking
 
 Description:     Block the mutex of the desktop firewall.
 Required access: Local.
 Idea:            Prevent the desktop firewall from loading.
 Impact:          Disabling the desktop firewall.
 Leads to:        Bypass the incoming and outgoing filter.
                                4.1.12 Tunneling
 
 Description:     Use allowed protocols for communication by hiding the real
                  traffic in new packets.
 Required access: Local.
 Idea:            Repack the traffic in a different protocol, and use the
                  corresponding ports to send and receive the traffic.
 Impact:          The filter of the trusted application will be applied to the
                  traffic.
 Leads to:        Bypass the incoming and outgoing filter.
 Variations:      Use different protocols, for example HTTP, SMTP or ICMP, to
                  hide the packets.
                           4.1.13 Different IP stack
 
 Description:     Use a different IP stack to send and receive the packets.
 Required access: Local.
 Idea:            The desktop firewall does not see the traffic.
 Impact:          No filtering will be applied to the traffic.
 Leads to:        Bypass the incoming and outgoing filter.
 Variations:      Install a new network driver. Install a layered service
                  provider to send the traffic.
 textend.section
 
  * Origin: 2:5020/1317.8, /2024.2, /2173.2, /2613.5, /5413.3 (2:5020/2173.2)
 
 
