>
>http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
>
>
> forum - Guest Feature: The Internet Auditing Project (p1 of 7)
>
> Thu Aug 19 1999
> Cautionary Tales: Stealth Coordinated Attack HOWTO
>
>
>It's buried kinda deep in the article, under E) Embedding, and then down
>some; on my lynx browser it's at the bottom of the 28th page and the top of
>the 29th page:
>
>
> Another clever exploit is to store a piece of your attack bot
> bootstrap sequence on the network card itself. Most modern network
> cards have 64 bytes (or more) of EEPROM that are used to store the 6
> byte hardware MAC address, leaving the majority of the space unused.
> More sophisticated server network cards even have more space for
> downloadable firmware. The mostly unused network card EEPROM is
> typically loaded by OS drivers in its entirety - usually to a fixed
> address static buffer. A small segment of code could be programmed
> into the card and executed from this buffer by an exploit. The
> advantages to storing a portion of the attack code in the NIC is that
> it makes tracing the activity of the exploit difficult for someone
> trying to reverse engineer the code, and more importantly, a short
> program installed here will survive a disk formatting and OS
> re-install. This kind of exploit will lead to a lot of head scratching
> and questions about "How the hell do they keep getting back in after a
> disk wipe?" at the target.
>
Yeah, but how do you program the eeprom on the card without having root
access on the machine first? A: not very easily (frankly, I doubt it's
possible). Theoretically, one could use this as a back door to get in
AFTER one has already hacked the machine, but using this as an a priori
vulnerability is a bit of a jump, IMHO.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
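The reply above frames NIC EEPROM code as a post-compromise persistence mechanism rather than an entry point, which means the defensive question is whether the card's EEPROM still matches what it held when the host was known-good. The following is an added example for this thread, not code from the quoted article or from either poster: it parses the text that `ethtool -e <iface>` prints on Linux (the "Offset / Values" table), compares a dump taken after a rebuild against a baseline captured earlier, and reports which byte ranges changed. The two dumps embedded below are constructed samples, the MAC location at offset 0 is an assumption about this hypothetical card, and the 64-byte size mirrors the figure given in the article.

```python
"""Compare a NIC EEPROM dump against a trusted baseline and report changed bytes.

Added example (not from the original post or the quoted article). Input is the
text format of `ethtool -e <iface>`; the samples below are constructed.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# One data line of an ethtool EEPROM dump: "0x0010:   ff ff ff ..." (tabs or spaces)
_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{2}\s*)+)$")

# Assumption for this constructed card: the 6-byte MAC lives at offset 0.
MAC_RANGE = (0, 6)

# Constructed baseline: a locally administered MAC followed by an erased (0xff) area.
BASELINE_DUMP = """Offset\t\tValues
------\t\t------
0x0000:\t\t02 00 5e 00 00 01 ff ff ff ff ff ff ff ff ff ff
0x0010:\t\tff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x0020:\t\tff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x0030:\t\tff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

# Constructed later dump: same MAC, but eight bytes in the unused area were rewritten.
CURRENT_DUMP = """Offset\t\tValues
------\t\t------
0x0000:\t\t02 00 5e 00 00 01 ff ff ff ff ff ff ff ff ff ff
0x0010:\t\tff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0x0020:\t\tde ad be ef 01 02 03 04 ff ff ff ff ff ff ff ff
0x0030:\t\tff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""


def parse_ethtool_dump(text: str) -> bytes:
    """Flatten the Offset/Values table into one byte string, checking contiguity."""
    buf = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, separator or blank line
        offset = int(m.group(1), 16)
        if offset != len(buf):
            raise ValueError(f"non-contiguous dump at offset {offset:#x}")
        buf += bytes.fromhex(m.group(2).replace(" ", "").replace("\t", ""))
    return bytes(buf)


def eeprom_digest(dump: bytes) -> str:
    """SHA-256 of the whole EEPROM image; store this with the baseline."""
    return hashlib.sha256(dump).hexdigest()


def diff_ranges(baseline: bytes, current: bytes) -> List[Tuple[int, int]]:
    """Half-open (start, end) byte ranges where current differs from baseline."""
    if len(baseline) != len(current):
        raise ValueError("EEPROM size changed between dumps")
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(baseline)))
    return ranges


def audit(baseline_text: str, current_text: str) -> Dict[str, object]:
    """Compare two dumps and say whether the change touched the MAC or the spare area."""
    base = parse_ethtool_dump(baseline_text)
    cur = parse_ethtool_dump(current_text)
    ranges = diff_ranges(base, cur)
    mac_changed = any(s < MAC_RANGE[1] and e > MAC_RANGE[0] for s, e in ranges)
    return {
        "baseline_sha256": eeprom_digest(base),
        "current_sha256": eeprom_digest(cur),
        "changed_ranges": ranges,
        "mac_changed": mac_changed,
        # A change outside the MAC is the case the quoted article describes.
        "spare_area_changed": any(not (s < MAC_RANGE[1] and e > MAC_RANGE[0]) for s, e in ranges),
    }


if __name__ == "__main__":
    report = audit(BASELINE_DUMP, CURRENT_DUMP)
    for k, v in report.items():
        print(f"{k}: {v}")
```

In practice the baseline dump is taken once, on a freshly imaged machine, and kept off the host together with its digest; rerunning the comparison after any rebuild answers the "how do they keep getting back in after a disk wipe?" question directly, since a disk reinstall never touches this image. The size check matters too: a card whose EEPROM suddenly reports a different length deserves the same scrutiny as one whose spare bytes changed.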