Dailydave mailing list archives

Re: WMF and the Windows Vulnerability Drought :>


From: Frank Knobbe <frank () knobbe us>
Date: Mon, 02 Jan 2006 17:55:53 -0600

On Mon, 2006-01-02 at 16:20 -0500, Dave Aitel wrote:
> If it's going to annoy you a lot when people pad the exploit to
> match an MTU header, then it's going to REALLY annoy you when we set
> our MTU size to be 40 bytes, and use tiny HTTP Chunks for a gzipped
> file over SSL after doing several prior null requests.

That's certainly true for most (all?) IDSes. Run the attack over SSL or
use gzip (or compress or deflate), and the IDS is blind. (or IPS... and
if it gunzips HTTP traffic first, throw a 0-bomb at it :)

I'd like to think we did a good job getting a sig together that alerts
on the vulnerability (not just the exploit) and survives a variety of
evasive tactics. Gzip, of course, left us in the dust. But it seems like
we had a higher detection rate than desktop-based AV :)

An IDS is not a silver bullet, I think you know that. But that doesn't
mean it's worthless either. We used it and continue to use it for
identifying web sites serving malicious WMF files. We won't find them all,
but we can make a dent.

Yeah, bugs in code need to be fixed on a code level, not with network-
based stuff. What else is new?

Except the year maybe. Happy New Year.
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

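Added example, not from this thread or from any vendor's signature: a small Python inspector in the spirit of the sig Frank describes, which undoes gzip/deflate Content-Encoding under a hard inflation cap (the "0-bomb" caveat above), then walks WMF records for an Escape record whose sub-function is SetAbortProc, the condition the January 2006 WMF bug (MS06-001) is reached through. The MS06-001 identifier and the SetAbortProc condition come from the public record rather than this message; the test vector is constructed and carries no payload, and "deflate" is assumed to be zlib-wrapped as HTTP specifies.

```python
import gzip, struct, zlib

MAX_INFLATED = 1 << 20      # hard cap on inflated bytes: the "0-bomb" guard
META_ESCAPE = 0x0626        # WMF record function Escape
SETABORTPROC = 0x0009       # escape sub-function the MS06-001 WMF bug is reached through

def inflate_bounded(body: bytes, encoding: str):
    """Undo Content-Encoding gzip/deflate; None if the output would exceed the cap."""
    wbits = {"gzip": 16 + zlib.MAX_WBITS, "deflate": zlib.MAX_WBITS}.get(encoding)
    if wbits is None:                       # identity or unknown: inspect as-is
        return body
    d = zlib.decompressobj(wbits)
    out = d.decompress(body, MAX_INFLATED + 1)
    if len(out) > MAX_INFLATED or d.unconsumed_tail:
        return None                         # refuse to keep inflating
    return out

def wmf_has_setabortproc(data: bytes) -> bool:
    """Walk WMF records; True if an Escape record's sub-function is SetAbortProc."""
    off = 22 if data[:4] == b"\xd7\xcd\xc6\x9a" else 0     # skip a placeable header
    if len(data) < off + 18 or data[off + 2:off + 4] != b"\x09\x00":
        return False                        # mtHeaderSize != 9: not a standard header
    off += 18
    while off + 6 <= len(data):
        rd_size, func = struct.unpack_from("<IH", data, off)   # rdSize in 16-bit words
        if rd_size < 3:
            return False                    # malformed size: stop instead of spinning
        if func == META_ESCAPE and data[off + 6:off + 8] == b"\x09\x00":
            return True
        off += rd_size * 2
    return False

def inspect_response(headers: dict, body: bytes) -> str:
    """Verdict for one HTTP response: 'setabortproc', 'decompression-cap' or 'clean'."""
    data = inflate_bounded(body, headers.get("Content-Encoding", "identity").lower())
    if data is None:
        return "decompression-cap"
    return "setabortproc" if wmf_has_setabortproc(data) else "clean"

def build_sample(escape_code: int) -> bytes:
    """Constructed test vector: header, one Escape record, EOF record. No payload."""
    rec = struct.pack("<IHHH", 5, META_ESCAPE, escape_code, 0)   # 5 words = 10 bytes
    eof = struct.pack("<IH", 3, 0)
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(rec) + len(eof)) // 2, 0, 5, 0)
    return hdr + rec + eof

def encode_body(data: bytes, encoding: str) -> bytes:
    """Test helper: gzip or zlib-wrapped deflate, as an HTTP server would send."""
    return gzip.compress(data) if encoding == "gzip" else zlib.compress(data)
```

Traffic over SSL is still opaque to this, exactly as the message says; the inspector only helps where the sensor sees cleartext HTTP.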