Hi - I'm doing some work on parsing RPC protocols as part of my job, and I'm wondering if I've come up with a previously-unknown way of evading IDS for RPC-based attacks. Let me elaborate: the RPC RFC (1831) defines a Record Marking (RM) standard for RPC running over stream-based protocols such as TCP. This is necessary because you can have multiple RPC calls and responses in a single TCP stream. So RPC defines a Record as a 4-byte quantity and some amount of data. The high-order bit of the initial 4 bytes is the Last Fragment flag, and the remaining 31 bits supply the length of the Record. There is no limitation placed on the number of Fragments within a Record.

So... The obvious question: What's an IDS that doesn't fully process RPC going to do if I split up my, say, buffer overflow, across 2 RPC Fragments? Or, to take it further, what if I split my attack into 5-byte chunks, with 4 bytes of Record Marker between them? Theoretically (untested) a proper RPC implementation on a system shouldn't have any trouble dealing with this, however, it would completely obfuscate the stream from the perspective of anyone trying to do a string match.

But you wouldn't necessarily see anything else weird, since I could send normally-sized packets containing the traffic. The fragmentation and insertion of RMs is only known to the RPC implementation on the target machine.

Any thoughts?

diphen
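The defensive counterpart to the question above is an IDS-side record-marking reassembler: walk the TCP stream, honour the RFC 1831 4-byte marker (high bit = last fragment, low 31 bits = length), and run any signature match over the rebuilt record rather than the raw bytes. The following is an added example, not code from the post or any IDS; the `fragment_record` helper only constructs test traffic with the 5-byte chunking the post describes, and the `min_avg` threshold in the heuristic is an assumed value, not something the post specifies.

```python
import struct
from typing import List, Tuple

# RFC 1831 record marking: 4-byte big-endian marker, high bit = last fragment,
# low 31 bits = length of the fragment that follows.
LAST_FRAGMENT = 0x80000000
LENGTH_MASK = 0x7FFFFFFF


def fragment_record(payload: bytes, chunk: int) -> bytes:
    """Encode one RPC record as a record-marked byte string, splitting the
    payload into fragments of at most `chunk` bytes. Used here only to build
    constructed test traffic for the reassembler below."""
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    out = bytearray()
    for i, piece in enumerate(pieces):
        marker = len(piece) | (LAST_FRAGMENT if i == len(pieces) - 1 else 0)
        out += struct.pack("!I", marker) + piece
    return bytes(out)


def reassemble_records(stream: bytes) -> List[Tuple[bytes, int]]:
    """Walk a TCP byte stream and rebuild complete RPC records.
    Returns one (payload, fragment_count) tuple per record. A truncated
    stream raises instead of being silently passed through."""
    records, offset = [], 0
    current, frags = bytearray(), 0
    while offset + 4 <= len(stream):
        (marker,) = struct.unpack("!I", stream[offset:offset + 4])
        length = marker & LENGTH_MASK
        offset += 4
        if offset + length > len(stream):
            raise ValueError("truncated fragment at offset %d" % offset)
        current += stream[offset:offset + length]
        offset += length
        frags += 1
        if marker & LAST_FRAGMENT:
            records.append((bytes(current), frags))
            current, frags = bytearray(), 0
    if offset != len(stream) or frags:
        raise ValueError("stream ends inside a record")
    return records


def suspicious_fragmentation(payload: bytes, frags: int, min_avg: int = 64) -> bool:
    """Heuristic (threshold is an assumption, not taken from the post): a record
    chopped into several fragments whose average size is tiny relative to
    normal RPC traffic is worth alerting on even before signature matching."""
    return frags > 1 and len(payload) / frags < min_avg
```

Signature matching should be applied to the `payload` element of each tuple returned by `reassemble_records`, since the raw stream interleaves 4-byte markers with the data and a contiguous string match over it fails once the record is split.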
This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 18:43:50 PST