http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
forum - Guest Feature: The Internet Auditing Project (p1 of 7)
Thu Aug 19 1999
Cautionary Tales: Stealth Coordinated Attack HOWTO
It's buried kinda deep in the article, under E) Embedding, and then down
some; on my lynx browser it's at the bottom of the 28th page and the top of
the 29th page:
Another clever exploit is to store a piece of your attack bot
bootstrap sequence on the network card itself. Most modern network
cards have 64 bytes (or more) of EEPROM that are used to store the 6
byte hardware MAC address, leaving the majority of the space unused.
More sophisticated server network cards even have more space for
downloadable firmware. The mostly unused network card EEPROM is
typically loaded by OS drivers in its entirety - usually to a fixed
address static buffer. A small segment of code could be programmed
into the card and executed from this buffer by an exploit. The
advantages to storing a portion of the attack code in the NIC is that
it makes tracing the activity of the exploit difficult for someone
trying to reverse engineer the code, and more importantly, a short
program installed here will survive a disk formatting and OS
re-install. This kind of exploit will lead to a lot of head scratching
and questions about "How the hell do they keep getting back in after a
disk wipe?" at the target.
Thanks,
Ron DuFresne
On Tue, 24 Aug 1999, peter pajak wrote:
> not exactly, since all NICs on sun boxes always have the same mac address
> (burnt into the motherboard) all switches are designed to handle that all
> right. besides, all communications start with the ip address being mapped to
> mac address by arp, so the switch port which has the ip address you want to
> talk to is being used as the communication channel anyway. in regard to the
> second part ask the guy what he means by compromising the card. to do that
> one would have to have physical access to the machine and that's another
> issue.
>
> later, peter
>
>
> >From: Art Coble <[EMAIL PROTECTED]>
> >To: Corbett Waddingham <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> >Subject: Re: quad cards on firewalls
> >Date: Mon, 23 Aug 1999 17:04:25 -0700
> >
> >I don't see a problem with it.
> >I've implemented the configuration you are describing.
> >Make sure you configure the qfe card to give each
> >port a unique MAC address. By default each port
> >has the same MAC. This can wreak some havoc on switches.
> >
> > -Art
> >
> >
> >At 04:20 PM 8/23/99 -0700, Corbett Waddingham wrote:
> > >
> > >Hello,
> > >
> > >Recently, the subject of using quad ethernet cards on firewalls was
> >brought up
> > >here at work. One person was convinced that this is a Bad Thing(c),
> >because
> > >someone could compromise the card and get access to the entire network.
> > >Everyone else (myself included) felt that he was just being overly
> >paranoid,
> > >and that just keeping the subnets logically separated would be fine. But
> >I
> > >thought I would ask the people who would be most likely to know.
> > >
> > >The card in this case was a Sun Quad Fast Ethernet, the firewall itself
> >was
> > >an UltraSPARC with Solaris 2.6 and Checkpoint.
> > >
> > >
> > >Corbett Waddingham
> > >E-greetings Network Data Wrangler
> > >415-536-1861
> > >http://www.egreetings.com
> > >-
> > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> > >"unsubscribe firewalls" in the body of the message.]
> > >
> >
> >===========================================
> >Art Coble
> >International Network Services
> >Senior Network Consultant
> >Email: [EMAIL PROTECTED]
> >Page: 800 INS 1 INS or [EMAIL PROTECTED]
> >"Fix the problem, not the blame"
> >=============================================
> >
>
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
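
The article excerpt quoted at the top of this message says code placed in unused NIC EEPROM space survives a disk format and OS re-install. The check below is an added example, not part of the original post or the article: it compares a current EEPROM dump against a baseline taken while the card was trusted. The function names, the MAC-at-offset-0 layout and the 64-byte sample dumps are assumptions constructed for illustration.

```python
import hashlib

MAC_LEN = 6  # the 6-byte hardware address mentioned in the quoted article


def changed_ranges(baseline: bytes, current: bytes):
    """Return [(start, end_exclusive), ...] of offsets where the dumps differ."""
    ranges, start = [], None
    size = max(len(baseline), len(current))
    for i in range(size):
        a = baseline[i] if i < len(baseline) else None
        b = current[i] if i < len(current) else None
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, size))
    return ranges


def audit_eeprom(baseline: bytes, current: bytes, mac_offset: int = 0):
    """Compare a NIC EEPROM dump with a baseline taken when the card was trusted."""
    mac = slice(mac_offset, mac_offset + MAC_LEN)
    diffs = changed_ranges(baseline, current)
    return {
        "sha256": hashlib.sha256(current).hexdigest(),
        "match": not diffs,
        "mac_changed": baseline[mac] != current[mac],
        # Changes outside the MAC field are the case the article describes:
        # bytes written into space the card normally leaves unused.
        "changed_outside_mac": [
            (s, e) for s, e in diffs if s < mac.start or e > mac.stop
        ],
    }


# Constructed 64-byte dumps: MAC at offset 0 (assumed layout), rest erased (0xFF).
BASELINE = bytes.fromhex("080020aabbcc") + b"\xff" * 58
MODIFIED = BASELINE[:32] + bytes(range(16)) + BASELINE[48:]

if __name__ == "__main__":
    print(audit_eeprom(BASELINE, BASELINE))
    print(audit_eeprom(BASELINE, MODIFIED))
```

Keeping the baseline dump and its hash off the host is what makes the comparison meaningful after a rebuild.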