Dailydave mailing list archives
Re: Re: New Snort Bypass - Patch - Bypass of Patch
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Sat, 3 Jun 2006 23:15:51 -0500
Apache 2 ignores any combination of the following bytes before the URI: 0x09 0x0b 0x0c 0x0d 0x20 (man isspace). If you specify 0x0a before the URI, it causes Apache to truncate the request, so in most cases this results in the index.html page being returned. Try your 0x0a example again with a non-index.html URI and it will still serve up the main page.

IPS/IDS has all sorts of problems with whitespace. For example, take any PCRE-based matching engine, look for any sigs that use the \s or \S sequences to match on whitespace, then compare that to what the actual server software considers as whitespace. In many cases, you can bypass a "string too long" check by using 0x0c or 0x0b as the filler between commands and arguments (FTP, SMTP, HTTP, etc).

Let's take a fictional PCRE match that looks for an FTP MKD command with an argument longer than 1024 bytes:

"MKD\s+\S{1024}"

If the FTP server doesn't use the same character set to parse command lines, this is trivial to fool, either by padding the argument or by inserting a fake whitespace byte somewhere before the 1024 limit is reached. This problem probably affects snort, netscreen, and any other IPS that depends on PCRE-compatible engines. Fixing it would require someone to review every single vulnerable piece of server software and determine what bytes are actually treated as whitespace, or rewrite the rule in a way that doesn't depend on \s.

Brian Caswell and I will be speaking about IPS evasion at the Black Hat security conference in Las Vegas (August 2-3, 2006). The talk will dig into the systematic issues with most intrusion detection/prevention systems.

-HD

On Saturday 03 June 2006 12:41, Sigint Consulting wrote:
> Further research on the snort vulnerability reveals that the \x0a character will also evade the snort preprocessor AND apache will return a valid response. (Testing \x0a before a malicious unicode string did not generate a snort alert)
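Added example, not part of the thread: a rule-robustness check for the fictional MKD signature above. It assumes a hypothetical FTP daemon that splits the verb from its argument on 0x20 only, and uses Python's re in place of PCRE (both treat 0x0b/0x0c as \s), so it shows the "fake whitespace byte" case where the rule's whitespace class is wider than the server's, and a hardened rule written against the server's actual delimiter instead of \s.

```python
import re

# Constructed model of a hypothetical FTP daemon's tokenizer: it splits the
# verb from its argument on 0x20 only, so a 0x0c or 0x0b byte is just another
# argument byte. (Assumption for this example; real servers vary.)
SERVER_DELIM = b" "
ARG_LIMIT = 1024

def server_argument(line: bytes) -> bytes:
    """Argument the modelled server would act on for one command line."""
    _verb, _sep, arg = line.rstrip(b"\r\n").partition(SERVER_DELIM)
    return arg

def overlong_per_server(line: bytes) -> bool:
    """Ground truth: does the server see an MKD argument of >= ARG_LIMIT bytes?"""
    return line.startswith(b"MKD") and len(server_argument(line)) >= ARG_LIMIT

# Signature from the thread: \s and \S follow the regex engine's whitespace
# set, not the server's.
NAIVE_RULE = re.compile(rb"MKD\s+\S{1024}")

# Hardened form: name the server's delimiter explicitly and accept any other
# byte inside the argument, so a stray "whitespace" byte cannot break the run.
HARDENED_RULE = re.compile(rb"MKD[ ]+[^ \r\n]{1024}")

def naive_alerts(line: bytes) -> bool:
    return NAIVE_RULE.search(line) is not None

def hardened_alerts(line: bytes) -> bool:
    return HARDENED_RULE.search(line) is not None

# Constructed sample command lines.
SAMPLES = {
    "short":      b"MKD " + b"A" * 10 + b"\r\n",
    "overlong":   b"MKD " + b"A" * 1100 + b"\r\n",
    # 0x0c inserted before the 1024th byte: the server still sees one
    # 1101-byte argument, but \S{1024} never finds 1024 unbroken bytes.
    "fake_space": b"MKD " + b"A" * 500 + b"\x0c" + b"A" * 600 + b"\r\n",
}

def misses(rule_fn) -> list:
    """Names of samples where the rule disagrees with the server's own view."""
    return [name for name, line in SAMPLES.items()
            if rule_fn(line) != overlong_per_server(line)]

if __name__ == "__main__":
    print("naive misses:   ", misses(naive_alerts))     # ['fake_space']
    print("hardened misses:", misses(hardened_alerts))  # []
```

Swap SERVER_DELIM for the byte set a given server really tokenizes on and the same harness tells you whether a rule's \s assumption still holds.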