On IDS Evasion, Vulnerabilities, and Vendor Hype

["Eric Hacker" <hacker () vudu net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On IDS Evasion, Vulnerabilities, and Vendor Hype

Recently a disturbing event played out in the IDS world. A security
company released an advisory regarding the ability to bypass IDS
signatures. This is disturbing because it conveys the impression that
otherwise, it was not possible to bypass IDS systems. This is not
true. IDS, especially Network IDS, is not mathematics. It is more
like psychology; it is far from perfect.

Historically, when NIDS evasion tactics have been uncovered, they
have been written about in papers and discussed in forums. Everyone
knows that NIDS is an immature and evolving technology and that no
vendor can provide complete security. Well, everyone _should_ know.

A dependency on signatures will only go so far in detecting attacks.
Protocol analysis goes one step further, but still will not provide
perfect detection for all types of attacks in all types of
environments. Anomaly detection has its uses and issues. Depending on
the IDS vendor, there are many ways to sneak some known attacks by
signatures that are supposed to detect those attacks. To release all
such methodologies as advisories at this stage of maturity in the
technology is pointless, unless one is seeking publicity.

IDS vendors sometimes must completely rewrite parts of their engines
to detect evasion methodologies. How long was it before some vendors
got fragmentation reassembly? Vendors simply are not ready to offer
perfect detection, or even pretend to.

Vendor Hype

Eeye cast the first stone with their advisory %u encoding IDS bypass
vulnerability (http://www.securityfocus.com/advisories/3552).
Certainly the issue that Eeye discovered is an important one and
needed to be made public. The practice of marketing an organization’s
name through advisories is what is not necessary.

Cisco (http://www.securityfocus.com/advisories/3546) and ISS
(http://www.securityfocus.com/advisories/3551) followed with
advisories of their own. Cisco played it straight, and merely
announced that their own software was vulnerable. The ISS X-Force
jumped in on the hype, announcing that many vendors could be affected
by this vulnerability and announcing a patch that protects against
it. ISS even compared this new vulnerability to the IIS Unicode
Directory Traversal (IUDT) vulnerability from October of 2000
(http://www.securityfocus.com/bid/1806). The latter is different,
however.

The IUDT vulnerability actually uses UTF-8 encoding rather than the
nonstandard %u Unicode encoding found in the new vulnerability. What
is the difference? Well UTF-8 is a _standard_ method of encoding
Unicode, albeit one that has been applied in non-standard ways by
Microsoft. %u encoding was something completely invented by
Microsoft. One would expect that IDS vendors might not know about a
non-standard encoding method developed by a particular vendor.

UTF-8, being a standard method of encoding published in the open for
the world to use, should be detected or interpreted by IDS
vendors. Unfortunately ISS RealSecure stands out as one of the IDS
vendors that completely misses UTF-8 encoded attacks. The IDS
industry was notified by my article on UTF-8 evasion in January 2001
(http://www.securityfocus.com/cgi-bin/infocus.pl?head=IDS:IDS%20Evasio
n&id=1232) but by then many vendors had already begun working on the
issue. One would think that if ISS was seriously interested in
not being evaded rather than just cashing in on some hype, that there
would be a patch for UTF-8 by now. Unfortunately the X-Force team has
not even acknowledged my emails to them on this issue.

Admittedly, the UTF-8 encoding problem is much harder to solve than
the %u encoding. It is no surprise that some vendors have yet to deal
with it adequately. (How long did it take certain vendors to deal
with fragmentation?). However, releasing advisories on similar
evasion
techniques only serves to cloud the current state of IDS and make the
technology seem more mature than it is. Such illusions do not improve
the state of security on the Internet.

IDS Evasion

Just for the record, using the example from the X-Force advisory:

“The following is a standard HTML GET request without Unicode-escaped
characters:

GET /attack.html HTTP/1.0

The following shows the same request, using a valid, but escaped
Unicode
character in place of the letter k:

GET /attac%u006b.html HTTP/1.0

This request uses a non-standard form of Unicode, referred to as "%u
encoding". This type of encoding can be used to effectively bypass
many IDS signatures for IIS-specific vulnerabilities.”

The following are some, but quite possibly not all, of the variations
on “attack.html” using standard UTF-8 encoding on IIS5:

GET /attac%C1%8B.html HTTP/1.0
GET /attac%C4%B6.html HTTP/1.0
GET /attac%C7%A8.html HTTP/1.0
GET /attac%E2%84%AA.html HTTP/1.0
GET /attac%EF%BC%AB.html HTTP/1.0
GET /attac%C1%AB.html HTTP/1.0
GET /attac%C4%B7.html HTTP/1.0
GET /attac%C7%A9.html HTTP/1.0
GET /attac%EF%BD%8B.html HTTP/1.0

Both upper and lower case letters can be interchanged.

One can use the unescaped raw binary codes as well, where {0x41}
represents the byte for ‘A’:

GET /attac{0xC1}{0x8B}.html HTTP/1.0
GET /attac{0xC4}{0xB6}.html HTTP/1.0
and so on.

There is no simple pattern matching facility that will work for UTF-8
encoding, unlike %u encoding.

Vulnerabilities

Customers who fall prey to vendor hype and believe that they have
bought security.

The system of trust that vendors release advisories to promote full
disclosure and not to further their own interests.

Peace,
Eric Hacker, CISSP, GCIA, MCSE, CCSE
Network Security Consultant
Email: hacker () vudu net
PGP key:
http://keyserver.pgp.com/pks/lookup?op=get&search=hacker () vudu net
PGP Fingerprint: FADB 793E E98A 97BB 04D6  5973 7864 93A1 222B E0C7

"Long gone are the days when one's surname referred to the role
one had in the community."

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO7yUX1npCOWDRQZ1EQK9MwCg47VENXVJ6txOtxIEUIvZd7YuywMAoK8e
n9LEEAB6tOAtvjRCxhGVYGWS
=5+q5
-----END PGP SIGNATURE-----