Dailydave mailing list archives

Re: Re: New Snort Bypass - Patch - Bypass of Patch
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Sat, 3 Jun 2006 23:15:51 -0500

Apache 2 ignores any combination of the following bytes before the URI: 
0x09 0x0b 0x0c 0x0d 0x20 (man isspace)

If you specify 0x0a before the URI, it causes Apache to truncate the 
request, so in most cases this results in the index.html page being 
returned. Try your 0x0a example again with a non-index.html URI and it 
will still serve up the main page.

IPS/IDS has all sorts of problems with whitespace. For example, take any 
PCRE-based matching engine, look for any sigs that use the \s or \S 
sequences to match on whitespace, then compare that to what the actual 
server software considers as whitespace. In many cases, you can bypass an 
"string too long" check by using 0x0c or 0x0b as the filler between 
commands and arguments (FTP, SMTP, HTTP, etc). 

Let's take a fictional PCRE match that looks for an FTP MKD command with an 
argument longer than 1024 bytes:

"MKD\s+\S{1024}"

If the FTP server doesn't use the same character set to parse command 
lines, this is trivial to fool, either by padding the argument or by 
inserting a fake whitespace byte somewhere before the 1024 limit is 
reached. This problem probably affects snort, netscreen, and any other 
IPS that depends on PCRE-compatible engines. Fixing it would require 
someone to review every single vulnerable piece of server software and 
determine what bytes are actually treated as whitespace or rewrite the 
rule in a way that doesn't depend on \s.
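The following is an added illustration, not code from the post or from any IDS project, of the mismatch described above and of the rewrite the last sentence suggests. It models a hypothetical FTP server that delimits the MKD verb from its argument with the space byte only (a constructed assumption, not measured against any real daemon), compares the post's "MKD\s+\S{1024}" rule against a rule whose delimiter class is derived from that server's own whitespace set, and keeps the Apache isspace() set quoted at the top of the post as a second constructed profile. Python's `re` is used as the stand-in matching engine; its `\s` is `[ \t\n\r\f\v]`, which is broader than the space-only server and so reproduces the "fake whitespace byte" case the post warns about.

```python
import re

# Constructed server whitespace profiles (assumptions for this example):
# one server delimits verb and argument on 0x20 only, the other uses the
# C isspace() set the post quotes for Apache 2.
SPACE_ONLY = b" "
ISSPACE = b"\t\n\x0b\x0c\r "

# The fictional rule from the post, as written: "whitespace" means whatever
# the regex engine's \s and \S happen to mean, not what the server means.
NAIVE_RULE = re.compile(rb"MKD\s+\S{1024}")


def server_argument(line: bytes, ws: bytes) -> bytes:
    """Model of a server parsing 'MKD <arg>': strip the verb, skip only the
    bytes *this* server treats as whitespace, and take everything up to the
    line terminator as the argument (a pathname may contain any other byte)."""
    body = line.rstrip(b"\r\n")
    if not body.upper().startswith(b"MKD"):
        return b""
    rest = body[3:]
    i = 0
    while i < len(rest) and rest[i] in ws:
        i += 1
    return rest[i:]


def build_rule(ws: bytes, limit: int = 1024) -> re.Pattern:
    """Rule that does not depend on \\s: the delimiter class is built from the
    server's own whitespace set, and the argument is anything up to CRLF,
    so an embedded 0x0b or 0x0c cannot break the length run."""
    delim = b"".join(b"\\x%02x" % c for c in ws)
    return re.compile(b"MKD[" + delim + b"]+[^\\r\\n]{%d}" % limit)


def evaluate(line: bytes, ws: bytes):
    """Return (server_sees_long_argument, naive_rule_alerts, derived_rule_alerts)."""
    long_on_server = len(server_argument(line, ws)) > 1024
    naive = NAIVE_RULE.search(line) is not None
    derived = build_rule(ws).search(line) is not None
    return (long_on_server, naive, derived)


if __name__ == "__main__":
    # Constructed inputs: an honest long argument, a short one, and a long one
    # with a 0x0b byte in the middle that the space-only server does not treat
    # as whitespace but the engine's \S refuses to count.
    samples = {
        "plain long": b"MKD " + b"A" * 1100 + b"\r\n",
        "short": b"MKD foo\r\n",
        "split by 0x0b": b"MKD " + b"A" * 600 + b"\x0b" + b"A" * 600 + b"\r\n",
    }
    for name, line in samples.items():
        print(name, evaluate(line, SPACE_ONLY))
```

The third sample is the case the post describes: the server sees a 1201-byte argument, the naive rule stays silent because 0x0b is whitespace to the engine, and the rule derived from the server's delimiter set alerts. Swapping in the ISSPACE profile changes only the delimiter class, which is the point: the rule has to be generated per server behaviour, not per engine.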

Brian Caswell and I will be speaking about IPS evasion at the Black Hat 
security conference in Las Vegas (August 2-3, 2006). The talk will dig 
into the systematic issues with most intrusion detection/prevention 
systems.

-HD

On Saturday 03 June 2006 12:41, Sigint Consulting wrote:
Further research on the snort vulnerability reveals that the \x0a
character will also evade the snort preprocessor AND apache will return
a valid response. (Testing \x0a before a malicious unicode string did
not generate a snort alert)
