Dailydave mailing list archives

Re: We have met the enemy, and the enemy is ... you.


From: TINNES Julien RD-MAPS-ISS <julien.tinnes () francetelecom com>
Date: Thu, 13 Apr 2006 11:14:26 +0200


> Sounds like a neat system; I guess anything that makes exploits harder
> is good. I wonder if anyone's done any work into whether it's possible
> to write generic exploits to bypass most of the popular HIPS in a single
> exploit - not that the attacker necessarily needs to. It'd be good to
> know which combinations of NIPS/HIPS are most troublesome for exploit
> writers, and why.

It is definitely possible to write generic exploits that will bypass a
lot of HIPS, at least the behavioral analysis part. This is especially
true for HIPS installed in big companies (where there are big
constraints that the HIPS doesn't break anything and has not much
impact on performance).

Most of the time, once you've got arbitrary code execution (a lot of
HIPS will let you do that) you can VirtualAlloc, copy your shellcode
then VirtualProtect without write permission and run your shellcode from
there. Yoann Guillot has found out that this technique works quite well,
probably because the HIPS needs to allow dynamic code generation.

So your only problem is to call VirtualAlloc/Protect without being
detected, which is quite easy by proxying return from those functions
through existing code to defeat stack backtracking. Take a look at
SLIPFEST [1], you may be surprised at how many HIPS are fooled by the
"call reg.ret" shellcode.

The "access control" part is sometimes much better, but requires a tuned
policy file.

[1] http://slipfest.cr0.org


-- 
Julien TINNES - & france telecom - R&D Division/MAPS/NSS
Research Engineer - Internet/Intranet Security
GPG: C050 EF1A 2919 FD87 57C4 DEDD E778 A9F0 14B9 C7D6
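The allocate, copy, VirtualProtect sequence described in the post, seen from the detector's side. This is an added toy analyzer, not code from the post or from SLIPFEST; it keys on the memory region's own history rather than on a backtrace of the caller, since the post notes the return address can be proxied through existing code. The event-log format and the sample trace are constructed; the page-protection constants are the winnt.h values.

```python
# Toy HIPS-style event analyzer (added example; not the post's or SLIPFEST's code).
# Protection constants match winnt.h; the event log format is constructed.
from dataclasses import dataclass

PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
WRITABLE = {PAGE_READWRITE, PAGE_EXECUTE_READWRITE}
EXECUTABLE = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}

@dataclass
class Region:
    base: int
    size: int
    protect: int
    written: bool = False  # any write observed while the region was writable

def find_region(regions, addr):
    return next((r for r in regions if r.base <= addr < r.base + r.size), None)

def analyze(events):
    """events: (api, args) tuples as a hooking HIPS sees them. Alerts on the
    region's own history (allocated writable, written, then made executable)
    rather than on a caller backtrace, which the post shows can be proxied."""
    regions, alerts = [], []
    for api, a in events:
        if api == "VirtualAlloc":
            regions.append(Region(a["base"], a["size"], a["protect"]))
            if a["protect"] == PAGE_EXECUTE_READWRITE:
                alerts.append(f"RWX allocation at {a['base']:#x}")
        elif api == "WriteMemory":
            r = find_region(regions, a["addr"])
            if r is not None and r.protect in WRITABLE:
                r.written = True
        elif api == "VirtualProtect":
            r = find_region(regions, a["addr"])
            if r is None:
                continue
            if a["protect"] in EXECUTABLE and r.written:
                alerts.append(f"W->X transition at {r.base:#x}, "
                              f"VirtualProtect returns into {a['module']}")
            r.protect = a["protect"]
    return alerts

# Constructed trace of the post's sequence; its VirtualProtect returns into kernel32.dll.
SAMPLE_EVENTS = [
    ("VirtualAlloc", {"base": 0x300000, "size": 0x1000, "protect": PAGE_READWRITE}),
    ("WriteMemory", {"addr": 0x300000, "len": 0x200}),
    ("VirtualProtect", {"addr": 0x300000, "protect": PAGE_EXECUTE_READ,
                        "module": "kernel32.dll"}),
]
```

A legitimate JIT produces exactly the same W->X sequence, which is the tuning problem the post points at when it says the HIPS needs to allow dynamic code generation.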

