Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Securing a network involves protecting it from being compromised both from the outside and from the inside. To protect both of these conditions, network administrators may make use of outbound filters to help control and limit the type of content that is allowed to leave the network in conjunction with inbound filters that control and limit the type of content that is allowed to enter the network. While filtering data in both directions is important, it is not always enough to stop machines inside the network from being compromised. Outbound filters in particular, whether employed at the network, application, or intermediate level are all easily bypassed by virtue of the fact that they allow users of the machine to communicate with hosts on the internet in some form or another.

In order for an attacker to bypass outbound filters, the attacker must find a way to look like acceptable user traffic. One way of approaching this is to implement a payload that enables the execution of both signed and unsigned ActiveX controls in Internet Explorer's Internet zone. Once enabled, the payload could then launch a hidden Internet Explorer using a URL that contains an embedded ActiveX control. From there, the ActiveX control could construct an HTTP tunnel between the target machine and the attacker, thus creating a channel through which data can be passed in a fashion that will bypass most network's outbound filters. The reason this bypasses most outbound filters is because it uses a trusted protocol, such as HTTP, and is executed in the context of a typically trusted process, such as Internet Explorer, in an attempt to make the traffic appear legitimate.

The benefits of such a payload vary based on a person's alignment. However, it goes without saying that it could be potentially useful to both sides of the fence. Whether used for penetration testing or for worm propagation, the ability to bypass outbound filters makes for an interesting connection medium beyond those typically used by post-exploitation payloads, such as those that establish reverse connections or listen on a port. Preventing payloads such as these from being possible might involve enhancing the ability of outbound filters to differentiate user traffic from non-user traffic.

There's no question that the field of exploitation and post-exploitation research is filled with vast amounts of ingenuity. The very act of making something do what no one else considered, or in ways no one considered, is one of the many examples of creativity. However, with ingenuity comes a certain sense of responsibility. While the topics expanded upon in this document could be used for malicious purposes, the author hopes that instead the reader will use this knowledge to discover or expand on things that have yet to be discussed, thus making it possible to continue the cycle of education and enlightenment.