Full Disclosure mailing list archives
Re: VML Exploit vs. AV/IPS/IDS signatures
From: nirvana <karmic_nirvana () yahoo com>
Date: Tue, 26 Sep 2006 15:37:58 -0700 (PDT)
Aviv,
There are gateway solutions out there which implement sort-of lexical parsers (e.g. www.esafe.com, www.webwasher.com, www.finjan.com).
Isn't it wonderful that we got these wonderful technical solutions? But without even arguing the technical capabilities of the above-mentioned products, I believe there's a limit as to how far we can push the envelope, i.e. I can't afford to buy "specialized" security tools/devices for "speclialized" attacks unless my company relies heavily on web/content services.
Also, there is no way to "gather the maximum number of exploit variants as you can". Because, by using server side scripting to randomize the exploit's content, it's unfeasible to collect all possible variants.
Agreed. I forgot to mention that I have worked for some network-style IPS companies. These mails stem out from my experience and frustration in tackling the kind of vulnerabilities we are discussing here. We, as a vendor, would hedge our bet on the fact that crackers won't use randomied exploit generators (how many WMF mass-exploitation scenarios used gzip+chunked evasion?). Let me confess, as an engineer I always felt as being one-step behind the hackers, but sometimes you have to forget the existential angst and just deliver. > I really would like to know the source of information which tells you that
AV solutions provide almost 99% of protection against in-the-wild exploits... "Few sources" doesn't necessarily mean few possible variants.
I wasn't talking about AV solutions. My focus was on one part of the solution, IDS/IPS. In our company, we established a information-sharing network with other security companies. So the real-time exploit-facing signatures were then subjected to live traffic, honeypots and countless variants; They seemed to work out pretty well. Thanks, Pukhraj Aviv Raff <avivra () gmail com> wrote: Hi, There are gateway solutions out there which implement sort-of lexical parsers (e.g. www.esafe.com, www.webwasher.com, www.finjan.com). Also, there is no way to "gather the maximum number of exploit variants as you can". Because, by using server side scripting to randomize the exploit's content, it's unfeasible to collect all possible variants. I really would like to know the source of information which tells you that AV solutions provide almost 99% of protection against in-the-wild exploits... "Few sources" doesn't necessarily mean few possible variants. -- Aviv. -----Original Message----- From: Pukhraj Singh [mailto:pukhraj.singh () gmail com] Sent: Tuesday, September 26, 2006 10:40 PM To: avivra; EArsal () techdata de Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com Subject: Re: VML Exploit vs. AV/IPS/IDS signatures Avivra, I acknowledge the research you and Ertunga (http://www.immunitysec.com/pipermail/dailydave/2006-September/003557.html) have put up. Protection against client-side scripting vulnerabilities is the Achilles' Heel for all network-style IDS/IPS vendors. These languages offer too much flexibility over the syntax and semantics, thus becoming the pain-point for the underlying architecture for network-style IDS/IPS which are better accustomed to analyze structured data (like protocols and even file-formats). There's is simply too much you can mutate here and you can't expect vendors to develop on-the-fly javascript parsers! Thus the protection they develop is simply a business objective, as they can loose a lot mileage here if they don't cover vulnerabilities like this one. They had the same stance for file-format vulnerabilities till they were forced to add decoding routines for them by the sheer number of new file-based vulnerabilities which were coming out. AV and local-style protection is the best defense mechanism here (but even they failed in this case!). However, the other way out is to gather the maximum number of exploit variants as you can (from mutual cooperation between security companies) and provide real-time exploit-facing protection against them. This is what they generally do and it provides almost 99% protection (might surprise many) because most out-in-the-wild exploits are derived from few sources only. Thanks, Pukhraj On 9/26/06, avivra wrote:
The code for exploiting the unpatched VML vulnerability is in-the-wild for a week or so. This was enough time for Anti Virus, IPS/IDS and other reactive security products' vendors to create a signature for the in-the-wild exploit. So, I put my hand on one of the in-the-wild and tested it using Virus Total. The results were not so good. Only 10 of 27 Anti-Viruses detected the exploit on the malicious web page. Are those signatures generic enough? I've decided to check it out. I've used 5 simple methods, trying to evade being detected by the
signature:
1) I've replaced the location where EIP should jump when the exploit is activated, with a different valid address. 2) I've replaced the VML element from "rect" with one of the other VML
elements.
3) I've replaced the payload with a different valid shell code. 4) I've replaced the namespace key with a random key. 5) A combination of all of the above. Please note that when I changed the code using any of the methods, the exploit still worked. More info:
http://aviv.raffon.net/2006/09/25/VMLExploitVsAVIPSIDSSignatures.aspx
-- Aviv.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ --------------------------------- Do you Yahoo!? Next-gen email? Have it all with the all-new Yahoo! Mail.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- VML Exploit vs. AV/IPS/IDS signatures avivra (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures H D Moore (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures Dude VanWinkle (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures Alexander Sotirov (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures Pukhraj Singh (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures Aviv Raff (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures nirvana (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures avivra (Sep 27)
- Re: VML Exploit vs. AV/IPS/IDS signatures Pukhraj Singh (Sep 28)
- Re: VML Exploit vs. AV/IPS/IDS signatures avivra (Sep 28)
- Message not available
- Re: VML Exploit vs. AV/IPS/IDS signatures SanjayR (Sep 29)
- Re: VML Exploit vs. AV/IPS/IDS signatures nirvana (Sep 28)
- Re: VML Exploit vs. AV/IPS/IDS signatures Aviv Raff (Sep 26)
- Re: VML Exploit vs. AV/IPS/IDS signatures H D Moore (Sep 26)